Implement pin hardening

Rene Vergara 2023-01-26 12:13:17 -06:00
parent e6d3646fa8
commit 6d14ccd48a
No known key found for this signature in database
GPG key ID: 65122AD495A7F5B2
3 changed files with 13 additions and 6 deletions


@ -6,6 +6,7 @@
module ZGoBackend where module ZGoBackend where
import qualified BLAKE3 as BLK
import Config import Config
import Control.Concurrent (forkIO, threadDelay) import Control.Concurrent (forkIO, threadDelay)
import Control.Exception (try) import Control.Exception (try)
@ -14,6 +15,7 @@ import Control.Monad.IO.Class
import Data.Aeson import Data.Aeson
import Data.Array import Data.Array
import qualified Data.Bson as B import qualified Data.Bson as B
import qualified Data.ByteArray as BA
import qualified Data.ByteString as BS import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64 import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as C import qualified Data.ByteString.Char8 as C
@ -426,12 +428,17 @@ addUser nodeUser nodePwd p db node (Just tx) = do
when isNew $ do when isNew $ do
let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx)) let newPin = unsafePerformIO (generatePin (fromIntegral $ blocktime tx))
_ <- sendPin nodeUser nodePwd node (address tx) newPin _ <- sendPin nodeUser nodePwd node (address tx) newPin
let pinHash =
BLK.hash
[ BA.pack . BS.unpack . C.pack . T.unpack $ newPin <> session tx :: BA.Bytes
]
insert_ insert_
"users" "users"
[ "address" =: address tx [ "address" =: address tx
, "session" =: session tx , "session" =: session tx
, "blocktime" =: blocktime tx , "blocktime" =: blocktime tx
, "pin" =: newPin , "pin" =:
(T.pack . show $ (pinHash :: BLK.Digest BLK.DEFAULT_DIGEST_LEN))
, "validated" =: False , "validated" =: False
] ]
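Review bot: The new `pinHash` is a single unkeyed BLAKE3 pass over `newPin <> session tx`, and `session` is written in clear to the same `users` document, so if the PIN is a short numeric code (as the name suggests) anyone who can read the collection can recover it by hashing each candidate against the stored digest. Because the input has so little entropy, prefer BLAKE3's keyed mode with a server-side secret loaded from configuration, or a deliberately slow password KDF, so that a database read alone is not enough. Separately, `C.pack . T.unpack` truncates any code point above 255 to its low byte, which `Data.Text.Encoding.encodeUtf8` avoids, and storing `show` of the digest ties the stored format to the `Show` instance, so the verification path must build the string the same way. The body of `addUser` starts and ends outside this hunk and `generatePin` is not shown; if its output is determined by the `blocktime` seed, which is stored beside the hash, the digest protects little and that should be checked.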


@ -521,7 +521,7 @@ main = do
["expiration" =: ["$lt" =: now], "paid" =: True] ["expiration" =: ["$lt" =: now], "paid" =: True]
"owners")) "owners"))
res `shouldBe` [] res `shouldBe` []
xit "login txs are converted to users" $ \p -> do it "login txs are converted to users" $ \p -> do
let myTx = let myTx =
ZGoTx ZGoTx
Nothing Nothing


@ -10,7 +10,7 @@ port = 3000
tls = false tls = false
certificate = "/path/to/cert.pem" certificate = "/path/to/cert.pem"
key = "/path/to/key.pem" key = "/path/to/key.pem"
mailHost = "127.0.0.1" smtpHost = "127.0.0.1"
mailPort = 1025 smtpPort = 1025
mailUser = "contact@zgo.cash" smtpUser = "contact@zgo.cash"
mailPwd = "uib3K8BkCPexl_wr5bYfrg" smtpPwd = "uib3K8BkCPexl_wr5bYfrg"
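Review bot: The renamed `smtpPwd` line still carries what looks like a real password next to a real-looking account in `smtpUser`, whereas the `certificate` and `key` lines use `/path/to/...` placeholders. If that value was ever accepted by a live mail service it should be rotated, and the sample file should carry a placeholder such as `smtpPwd = "<smtp-password>"`, with the real value supplied from a file kept out of version control. The rename from `mail*` to `smtp*` also means existing deployment configs need updating; whether the loader still accepts the old keys is not visible in this commit.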