hash password , fixes #1

2025-04-02 10:52:45 -04:00 · 2024-06-28 21:11:19 -04:00 · 2024-06-28 21:11:19 -04:00 · 37f8caff79
commit 37f8caff79
parent 8c83e0002f
2 changed files with 9 additions and 7 deletions
--- a/src/server.nim
+++ b/src/server.nim
@ -3,6 +3,7 @@ import std/[strutils, os, logging]
 import jester
 import norm/[model, sqlite]
 import server/[users, files]
+import checksums/sha3

 addHandler newConsoleLogger(fmtStr = "")

@ -57,16 +58,17 @@ routes:
          db.genNewToken(user)

        else:
-          var testUser = newUser()
          try:
            db.select(user, "username = ?", @"username")
-            db.select(testUser, "password = ?", @"password")
          except NotFoundError:
-            resp "Login failed, Incorrect username and/or password!"
-          
-          if user.username == testUser.username and user.password == testUser.password:
+            resp "Login failed, Incorrect username and/or password!" # fails if username is wrong but mentions password to obfuscates if a user exists or not
+          echo user.password
+          echo @"password"
+          echo $Sha3_512.secureHash(@"password")
+          if user.password == $Sha3_512.secureHash(@"password"):
            db.genNewToken(user)
-          
+          else:
+            resp "Login failed, Incorrect username and/or password!" # fails if password is wrong but mentions username to obfuscates if a user exists or not
        resp user.token

      #? endpoint POST `/api/getItem`
--- a/src/server/users.nim
+++ b/src/server/users.nim
@ -34,4 +34,4 @@ proc genNewToken*(db: DbConn, user: var User) =

 # creates a new user object and sets default values, recommended by the norm documentation 
 proc newUser*(username: string = "", email: string = "", password: string = ""): User =
-  User(username: username, email: email, password: password, token: generateToken(username))
+  User(username: username, email: email, password: $Sha3_512.secureHash(password), token: generateToken(username))