From 7553813376f94e3ae287de78efe413662cd8f967 Mon Sep 17 00:00:00 2001
From: Julian Hurst
Date: Fri, 28 Mar 2025 16:48:55 +0100
Subject: Adds bcrypt for token hashing
---
 go.mod | 8 ++++++--
 go.sum | 4 ++++
 main.go | 24 +++++++++++++++---------
 templates/index.html | 2 +-
 4 files changed, 26 insertions(+), 12 deletions(-)
 create mode 100644 go.sum
diff --git a/go.mod b/go.mod
index 3aba2c6..363e8e0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,9 @@
 module box
-go 1.23
+go 1.23.0
-require github.com/google/uuid v1.6.0 // indirect
+toolchain go1.24.1
+
+require github.com/google/uuid v1.6.0
+
+require golang.org/x/crypto v0.36.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..8a06334
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,4 @@
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
diff --git a/main.go b/main.go
index b9bf651..2223a4c 100644
--- a/main.go
+++ b/main.go
@@ -16,6 +16,7 @@ import (
 "io/fs"
 "github.com/google/uuid"
+ "golang.org/x/crypto/bcrypt"
 )
 //go:embed templates
@@ -27,17 +28,17 @@ var favicon []byte
 type BoxHandler struct {
 filesPath string
- token string
+ token []byte
 deleteEnabled bool
 index bool
 }
-func serve(w http.ResponseWriter, token string, views ...string) {
+func serve(w http.ResponseWriter, token []byte, views ...string) {
 t, err := template.New("index.html").ParseFS(tmplFS, views...)
 if err != nil {
 log.Fatal(err)
 }
- if err := t.Execute(w, token); err != nil {
+ if err := t.Execute(w, token != nil); err != nil {
 log.Fatal(err)
 }
 } 
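Review bot: The `token` field of BoxHandler changes meaning in the struct hunk — it now holds a bcrypt hash rather than the secret itself, with nil standing for "no token configured" (which is what `serve` relies on in `t.Execute(w, token != nil)`) — but nothing at the declaration says so. A one-line comment on the field, `// token is the bcrypt hash of the configured access token; nil means no token is required.`, would stop a later maintainer from comparing it against a raw header value again. The `token` parameter of `serve` deserves the same note, since the function now only forwards its presence to the template: `// token: bcrypt hash of the access token, or nil when none is configured; only its presence reaches the template.`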
@@ -79,7 +80,7 @@ func (handler BoxHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
 token := r.Header.Get("X-Token")
- if token != handler.token {
+ if bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {
 log.Println("unauthorized")
 w.WriteHeader(http.StatusUnauthorized)
 return
@@ -101,7 +102,7 @@ func (handler BoxHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
 token := r.Header.Get("X-Token")
- if token != handler.token {
+ if bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {
 log.Println("unauthorized")
 w.WriteHeader(http.StatusUnauthorized)
 return
@@ -143,14 +144,19 @@ func main() {
 index := flag.Bool("i", false, "Enable displaying the resource folder index")
 flag.Parse()
- token := ""
+ var token []byte = nil
 if *isToken {
- token = os.Getenv("BOX_TOKEN")
- if token == "" {
+ tok := os.Getenv("BOX_TOKEN")
+ if tok == "" {
 fmt.Print("Token: ")
 sc := bufio.NewScanner(os.Stdin)
 sc.Scan()
- token = sc.Text()
+ tok = sc.Text()
+ }
+ var err error = nil
+ token, err = bcrypt.GenerateFromPassword([]byte(tok), bcrypt.DefaultCost)
+ if err != nil {
+ panic(err)
 }
 }
diff --git a/templates/index.html b/templates/index.html
index 0bf6019..8bb0e38 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -66,7 +66,7 @@ This ID can then be used to get the file by sending a GET request to /[resourceI
 If enabled on the server, the resource can be deleted by sending a DELETE request to /[resourceID]. Again if a token has been set on the server, use a X-Token header when sending the request.
- {{ if ne . "" }}
+ {{ if . }}
 {{end}}
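Review bot: `bcrypt.CompareHashAndPassword(handler.token, []byte(token))` returns an error whenever `handler.token` is nil, so with no token configured every request through this branch is now answered 401 unless a check above the hunk already skips it — the old `token != handler.token` comparison accepted an absent header in that case. If no such guard exists, `if handler.token != nil && bcrypt.CompareHashAndPassword(handler.token, []byte(token)) != nil {` restores the previous behaviour; the hunk at -101,7 +102,7 has the identical line and needs the same treatment. Note also that a bcrypt comparison at DefaultCost is deliberately slow, and it now runs once for every request carrying an X-Token value before anything else about the request is validated, so unauthenticated traffic costs the server far more CPU per request than the string comparison did. If the token is a generated high-entropy secret rather than a user-chosen password, comparing a SHA-256 digest of it with `crypto/subtle` keeps the check constant-time without that per-request cost; otherwise some rate limiting on the 401 path is worth considering. The body of ServeHTTP starts and ends outside the hunk.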
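Review bot: When `BOX_TOKEN` is unset and the prompt returns an empty line, `tok` is still hashed on the `bcrypt.GenerateFromPassword([]byte(tok), bcrypt.DefaultCost)` line, so `token` ends up non-nil, the page advertises that a token is required, yet `CompareHashAndPassword` accepts the empty string — which is exactly what `r.Header.Get("X-Token")` yields for a request with no header at all. Rejecting the empty secret before hashing, `if tok == "" { log.Fatal("BOX_TOKEN is empty") }`, closes that gap, and checking `sc.Err()` after `sc.Scan()` would tell an empty line apart from a failed read. As style points, `var token []byte = nil` and `var err error = nil` spell out the zero value — `var token []byte` and `var err error` are the idiomatic forms — and `panic(err)` for a startup failure differs from the `log.Fatal(err)` this file uses for its other unrecoverable errors, so one of the two should be chosen. `main` continues outside the hunk.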

-- cgit v1.2.3