From 3bb8a78d073563c309195581780254b0e6f9dbe6 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Fri, 28 Feb 2020 17:20:32 +0100
Subject: [PATCH] Store the user's key in the session store so that login/unlock is automatic if cookie is still there
---
 main.go | 5 +++++
 web.go | 28 ++++++++++++++++------------
 2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/main.go b/main.go
index dadb468..80eede0 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ type ConfigFile struct {
 DbType string `json:"db_type"`
 DbPath string `json:"db_path"`
 MatrixDomain string `json:"matrix_domain"`
+ SessionKey string `json:"web_session_key"`
 }
 var configFlag = flag.String("config", "./config.json", "Configuration file path")
@@ -31,6 +32,9 @@ var config *ConfigFile
 var registration *mxlib.Registration
 func readConfig() ConfigFile {
+ defaultKey := make([]byte, 32)
+ rand.Read(defaultKey)
+
 config_file := ConfigFile{
 LogLevel: "info",
 ASBindAddr: "0.0.0.0:8321",
@@ -39,6 +43,7 @@ func readConfig() ConfigFile {
 Server: "http://localhost:8008",
 DbType: "sqlite3",
 DbPath: "easybridge.db",
+ SessionKey: hex.EncodeToString(defaultKey),
 }
 _, err := os.Stat(*configFlag)
diff --git a/web.go b/web.go
index ce7fd0e..d50d91c 100644
--- a/web.go
+++ b/web.go
@@ -1,7 +1,6 @@
 package main
 import (
- "crypto/rand"
 "html/template"
 "net/http"
 "strconv"
@@ -11,6 +10,7 @@ import (
 "github.com/gorilla/sessions"
 log "github.com/sirupsen/logrus"
 "golang.org/x/crypto/argon2"
+ "golang.org/x/crypto/blake2b"
 "git.deuxfleurs.fr/Deuxfleurs/easybridge/connector"
 "git.deuxfleurs.fr/Deuxfleurs/easybridge/mxlib"
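Review bot: `rand.Read(defaultKey)` in `readConfig` (main.go, second hunk) discards its error and byte count, while the code this commit removes from `StartWeb` in web.go aborted with `log.Fatal` when the read failed. If the read ever fails or comes back short, the default `SessionKey` is the hex of a wholly or partly zero buffer and session cookies are signed with a guessable key; keep the check, e.g. `if _, err := rand.Read(defaultKey); err != nil { log.Fatal(err) }` (or whatever fatal path main.go already uses). The patch adds no import lines to main.go, so `rand` and `hex` are presumably imported there already; it is worth confirming that `rand` is `crypto/rand` and not `math/rand`. `readConfig` continues outside the hunks shown.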
@@ -22,12 +22,8 @@ var sessionsStore sessions.Store = nil
 var userKeys = map[string]*[32]byte{}
 func StartWeb() {
- session_key := make([]byte, 32)
- n, err := rand.Read(session_key)
- if err != nil || n != 32 {
- log.Fatal(err)
- }
- sessionsStore = sessions.NewCookieStore(session_key)
+ session_key := blake2b.Sum256([]byte(config.SessionKey))
+ sessionsStore = sessions.NewCookieStore(session_key[:])
 r := mux.NewRouter()
 r.HandleFunc("/", handleHome)
@@ -41,7 +37,7 @@ func StartWeb() {
 log.Printf("Starting web UI HTTP server on %s", config.WebBindAddr)
 go func() {
- err = http.ListenAndServe(config.WebBindAddr, logRequest(r))
+ err := http.ListenAndServe(config.WebBindAddr, logRequest(r))
 if err != nil {
 log.Fatal("Cannot start http server: ", err)
 }
@@ -66,10 +62,17 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 session, err := sessionsStore.Get(r, SESSION_NAME)
 if err == nil {
- mxid, ok := session.Values["login_mxid"]
- if ok {
+ mxid, ok := session.Values["login_mxid"].(string)
+ user_key, ok2 := session.Values["login_user_key"].([]byte)
+ if ok && ok2 {
+ if _, had_key := userKeys[mxid]; !had_key && len(user_key) == 32 {
+ key := new([32]byte)
+ copy(key[:], user_key)
+ userKeys[mxid] = key
+ LoadDbAccounts(mxid, key)
+ }
 login_info = &LoginInfo{
- MxId: mxid.(string),
+ MxId: mxid,
 }
 }
 }
@@ -154,7 +157,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 key := new([32]byte)
 key_slice := argon2.IDKey([]byte(password), []byte("EZBRIDGE account store"), 3, 64*1024, 4, 32)
- copy(key[:], key_slice[:])
+ copy(key[:], key_slice)
 userKeys[mxid] = key
 SaveDbAccounts(mxid, key)
@@ -167,6 +170,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 }
 session.Values["login_mxid"] = mxid
+ session.Values["login_user_key"] = key_slice
 err = session.Save(r, w)
 if err != nil {
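Review bot: `sessions.NewCookieStore(session_key[:])` in `StartWeb` supplies only an authentication key, so gorilla/sessions signs the cookie but does not encrypt it, and the last hunk of this file (`session.Values["login_user_key"] = key_slice` in `handleLogin`) places the Argon2-derived key in that cookie. Anyone able to read the cookie, including on the wire since the UI is served with plain `http.ListenAndServe`, obtains the key that presumably protects the stored accounts. Pass a separately derived encryption key as the second argument, e.g. `enc_key := blake2b.Sum256([]byte("cookie-encryption:" + config.SessionKey))` and `sessions.NewCookieStore(session_key[:], enc_key[:])`, or keep the user key server-side and store only an opaque session id. Setting `HttpOnly` and `Secure` in the store's `Options` would further limit exposure. `StartWeb` continues outside the hunk.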
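Review bot: The lookup-then-insert on `userKeys` added to `checkLogin` has no lock, and `userKeys` is a plain `map[string]*[32]byte` that `handleLogin` also writes; since net/http runs handlers concurrently, two requests can race on the map and Go aborts the process on concurrent map writes. Guard every access with a mutex declared beside the map, e.g. `var userKeysLock sync.Mutex` with `userKeysLock.Lock()` / `defer userKeysLock.Unlock()` around the check and the insert (this needs `sync` in the import block, which is only partly visible here). Separately, `len(user_key) == 32` gates only the unlock: a cookie carrying a key of any other length still yields a `LoginInfo`, so consider treating that case as not logged in. `checkLogin` starts and ends outside the hunk.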