Hash password on client side

Daniel-WWU-IT · Aug 2, 2021 · 97d9e99 · 97d9e99
1 parent 66b146b
commit 97d9e99
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/pkg/siteacc/html/template.go b/pkg/siteacc/html/template.go
@@ -99,7 +99,7 @@ const panelTemplate = `
 			var msgBuffer = new TextEncoder().encode(this);
 			var hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer);
 			var hashArray = Array.from(new Uint8Array(hashBuffer));
-			return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+			return hashArray.map(b => b.toString(16).padStart(2, '0')).join('').toLowerCase();
 		};
 
 		$(CONTENT_JAVASCRIPT)

diff --git a/pkg/siteacc/manager/accmanager.go b/pkg/siteacc/manager/accmanager.go
@@ -19,6 +19,8 @@
 package manager
 
 import (
+	"crypto/sha256"
+	"fmt"
 	"strings"
 	"sync"
 	"time"
@@ -204,6 +206,10 @@ func (mngr *AccountsManager) ResetPassword(name string) error {
 		mngr.sendEmail(accountUpd, nil, email.SendPasswordReset)
 	}
 
+	// Passwords are transferred as lower-case SHA256 hashes, so update the password accordingly
+	accountUpd.Password.Value = fmt.Sprintf("%x", sha256.Sum256([]byte(accountUpd.Password.Value)))
+	err = mngr.UpdateAccount(accountUpd, true, false)
+
 	return err
 }