diff --git a/internal/api/auth/signin.go b/internal/api/auth/signin.go
index 9cc2881e4..04e8ac654 100644
--- a/internal/api/auth/signin.go
+++ b/internal/api/auth/signin.go
@@ -25,6 +25,7 @@ import (
 	"slices"
 	"strings"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -169,8 +170,8 @@ func (m *Module) validatePassword(
 	}
 
 	if err := bcrypt.CompareHashAndPassword(
-		[]byte(user.EncryptedPassword),
-		[]byte(password),
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B(password),
 	); err != nil {
 		err := fmt.Errorf("password hash didn't match for user %s during sign in attempt: %s", user.Email, err)
 		return incorrectPassword(err)
@@ -278,8 +279,8 @@ func (m *Module) validate2FACode(c *gin.Context, user *gtsmodel.User, code strin
 	// Check against the user's stored codes.
 	for i := 0; i < len(user.TwoFactorBackups); i++ {
 		err := bcrypt.CompareHashAndPassword(
-			[]byte(user.TwoFactorBackups[i]),
-			[]byte(code),
+			byteutil.S2B(user.TwoFactorBackups[i]),
+			byteutil.S2B(code),
 		)
 		if err != nil {
 			// Doesn't match,
diff --git a/internal/api/client/accounts/accountdelete.go b/internal/api/client/accounts/accountdelete.go
index 6438462c6..90fcd6eef 100644
--- a/internal/api/client/accounts/accountdelete.go
+++ b/internal/api/client/accounts/accountdelete.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"net/http"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/gin-gonic/gin"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
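Review bot: byteutil.S2B hands bcrypt a []byte that aliases the string's backing memory, so the validatePassword and validate2FACode call sites (and the same pattern in accountdelete.go, move.go, email.go, password.go, twofactor.go and the two test files) now depend on bcrypt never writing through either argument; as far as I can tell golang.org/x/crypto/bcrypt only reads the hash and copies the key before appending its trailing NUL, but that is an invariant of a dependency, not of this code, and a future change there would turn into silent corruption of user.EncryptedPassword or, for the string literals in the tests, a fault on read-only memory. The avoided copy is a few dozen bytes against a bcrypt comparison costing milliseconds, so the unsafe conversion buys little here; if it stays, record the assumption once at the first call site, e.g. `// S2B aliases the string's memory: bcrypt must only read these slices (it copies the key internally).`. validatePassword and validate2FACode both begin and end outside their hunks.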
@@ -87,7 +88,10 @@ func (m *Module) AccountDeletePOSTHandler(c *gin.Context) {
 		return
 	}
 
-	if err := bcrypt.CompareHashAndPassword([]byte(authed.User.EncryptedPassword), []byte(form.Password)); err != nil {
+	if err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(authed.User.EncryptedPassword),
+		byteutil.S2B(form.Password),
+	); err != nil {
 		err = errors.New("invalid password provided in account delete request")
 		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
 		return
diff --git a/internal/api/client/user/passwordchange_test.go b/internal/api/client/user/passwordchange_test.go
index 8a741f96c..baf6f6b8d 100644
--- a/internal/api/client/user/passwordchange_test.go
+++ b/internal/api/client/user/passwordchange_test.go
@@ -23,6 +23,7 @@ import (
 	"net/http"
 	"testing"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/stretchr/testify/suite"
 	"github.com/superseriousbusiness/gotosocial/internal/api/client/user"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@@ -50,11 +51,17 @@ func (suite *PasswordChangeTestSuite) TestPasswordChangePOST() {
 	}
 
 	// new password should pass
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("peepeepoopoopassword"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("peepeepoopoopassword"),
+	)
 	suite.NoError(err)
 
 	// old password should fail
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("password"),
+	)
 	suite.EqualError(err, "crypto/bcrypt: hashedPassword is not the hash of the given password")
 }
 
diff --git a/internal/processing/account/move.go b/internal/processing/account/move.go
index c8665cf04..734331503 100644
--- a/internal/processing/account/move.go
+++ b/internal/processing/account/move.go
@@ -25,6 +25,7 @@ import (
 	"slices"
 	"time"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/superseriousbusiness/gotosocial/internal/ap"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
@@ -70,8 +71,8 @@ func (p *Processor) MoveSelf(
 	}
 
 	if err := bcrypt.CompareHashAndPassword(
-		[]byte(authed.User.EncryptedPassword),
-		[]byte(form.Password),
+		byteutil.S2B(authed.User.EncryptedPassword),
+		byteutil.S2B(form.Password),
 	); err != nil {
 		const text = "invalid password provided in Move request"
 		return gtserror.NewErrorBadRequest(errors.New(text), text)
diff --git a/internal/processing/user/email.go b/internal/processing/user/email.go
index ea9dbb64c..417c7c341 100644
--- a/internal/processing/user/email.go
+++ b/internal/processing/user/email.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"time"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/superseriousbusiness/gotosocial/internal/ap"
 	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
@@ -41,7 +42,10 @@ func (p *Processor) EmailChange(
 	newEmail string,
 ) (*apimodel.User, gtserror.WithCode) {
 	// Ensure provided password is correct.
-	if err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte(password)); err != nil {
+	if err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B(password),
+	); err != nil {
 		err := gtserror.Newf("%w", err)
 		return nil, gtserror.NewErrorUnauthorized(err, "password was incorrect")
 	}
diff --git a/internal/processing/user/password.go b/internal/processing/user/password.go
index 68bc8ddb5..ead79e209 100644
--- a/internal/processing/user/password.go
+++ b/internal/processing/user/password.go
@@ -20,6 +20,7 @@ package user
 import (
 	"context"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"github.com/superseriousbusiness/gotosocial/internal/validate"
@@ -29,7 +30,10 @@ import (
 // PasswordChange processes a password change request for the given user.
 func (p *Processor) PasswordChange(ctx context.Context, user *gtsmodel.User, oldPassword string, newPassword string) gtserror.WithCode {
 	// Ensure provided oldPassword is the correct current password.
-	if err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte(oldPassword)); err != nil {
+	if err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B(oldPassword),
+	); err != nil {
 		err := gtserror.Newf("%w", err)
 		return gtserror.NewErrorUnauthorized(err, "old password was incorrect")
 	}
@@ -48,7 +52,7 @@ func (p *Processor) PasswordChange(ctx context.Context, user *gtsmodel.User, old
 
 	// Hash the new password.
 	encryptedPassword, err := bcrypt.GenerateFromPassword(
-		[]byte(newPassword),
+		byteutil.S2B(newPassword),
 		bcrypt.DefaultCost,
 	)
 	if err != nil {
diff --git a/internal/processing/user/password_test.go b/internal/processing/user/password_test.go
index ee30558c6..7d45341c0 100644
--- a/internal/processing/user/password_test.go
+++ b/internal/processing/user/password_test.go
@@ -22,6 +22,7 @@ import (
 	"net/http"
 	"testing"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/stretchr/testify/suite"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"golang.org/x/crypto/bcrypt"
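Review bot: The GenerateFromPassword call in the last password.go hunk is the one place where bcrypt historically did write to its key argument (it appends a trailing NUL for C-bcrypt compatibility), so passing a slice aliased onto newPassword's string memory is safe only because current x/crypto copies the key first via a capped three-index slice, as far as I can tell; a regression there would attempt a write into immutable string storage. This is the hashing path rather than the compare path, so it deserves its own one-line note: `// S2B aliases newPassword: bcrypt copies the key before appending its NUL and never writes to this slice.`. PasswordChange's body continues outside the hunk.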
@@ -37,7 +38,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordOK() {
 	errWithCode := suite.user.PasswordChange(context.Background(), user, "password", "verygoodnewpassword")
 	suite.NoError(errWithCode)
 
-	err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte("verygoodnewpassword"))
+	err := bcrypt.CompareHashAndPassword(
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B("verygoodnewpassword"),
+	)
 	suite.NoError(err)
 
 	// get user from the db again
@@ -46,7 +50,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordOK() {
 	suite.NoError(err)
 
 	// check the password has changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("verygoodnewpassword"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("verygoodnewpassword"),
+	)
 	suite.NoError(err)
 }
 
@@ -64,7 +71,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordIncorrectOld() {
 	suite.NoError(err)
 
 	// check the password has not changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("password"),
+	)
 	suite.NoError(err)
 }
 
@@ -82,7 +92,10 @@ func (suite *ChangePasswordTestSuite) TestChangePasswordWeakNew() {
 	suite.NoError(err)
 
 	// check the password has not changed
-	err = bcrypt.CompareHashAndPassword([]byte(dbUser.EncryptedPassword), []byte("password"))
+	err = bcrypt.CompareHashAndPassword(
+		byteutil.S2B(dbUser.EncryptedPassword),
+		byteutil.S2B("password"),
+	)
 	suite.NoError(err)
 }
 
diff --git a/internal/processing/user/twofactor.go b/internal/processing/user/twofactor.go
index bd7f562b3..a222ab938 100644
--- a/internal/processing/user/twofactor.go
+++ b/internal/processing/user/twofactor.go
@@ -31,6 +31,7 @@ import (
 	"strings"
 	"time"
 
+	"codeberg.org/gruf/go-byteutil"
 	"github.com/google/uuid"
 	"github.com/pquerna/otp"
 	"github.com/pquerna/otp/totp"
@@ -251,8 +252,8 @@ func (p *Processor) TwoFactorDisable(
 
 	// Ensure provided password is correct.
 	if err := bcrypt.CompareHashAndPassword(
-		[]byte(user.EncryptedPassword),
-		[]byte(password),
+		byteutil.S2B(user.EncryptedPassword),
+		byteutil.S2B(password),
 	); err != nil {
 		const errText = "incorrect password"
 		return gtserror.NewErrorUnauthorized(errors.New(errText), errText)