rpcserver: Fix websocket auth failure.

[liukun]

Fix a bug that allow any user/password combinations except the correct one to pass the authentication of websocket and can act as a limited user.

I tried to add a test but the code is too deep in a long function to write a proper test. A more proper way is to reuse the function func (s *Server) checkAuth() in rpcserver.go, but that changed more lines and make the diff not clear enough. If need I can do the changes.

[rstaudt2]

Good find! This fix looks proper to me and is now the same as the logic for the non-websocket case, which is correct. It looks like it was unintentionally introduced in #2509 when changing the check to be constant time.

It also looks like this case can only be hit if an unauthenticated websocket connection is established to begin with since authenticated connections are correctly rejected here if an incorrect user/pass are provided. This is likely why this wasn't noticed previously.

If you would like to add tests, you could consider doing it in a separate commit or PR from this fix if the concern was just that it is a larger diff.

On a minor note, per the code contribution guidelines, you should wrap your commit description to 72 chars and can also remove the PR checklist from the description now.

[liukun]

@rstaudt2 Thanks! I refactored all the similar codes to use a newly created function in rpcserver.go and added a test case of that function. Not too big IMO, so I just commit this together. Also wrapped the commit message to 72 chars.

[rstaudt2]

Creating a single function for this with corresponding tests makes sense to me—I left a few comments inline.

[rstaudt2]

The updates look good to me. I noted just a couple of other small things inline.

[davecgh]

The logic all looks correct now. Thanks for the updates. I have a few minor nits left inline and then it should be good for merge.

[davecgh]

Updates look good and I've tested the following scenarios:

• Connecting via HTTP without an auth header results in an authentication failure and immediate disconnection as expected
• Connecting via HTTP with an auth header that has incorrect credentials results in an authentication failure and immediate disconnection as expected
• Connecting via HTTP with an auth header that has correct credentials connects as expected
• Connecting via WebSockets without an auth header is allowed:
  • The authenticate RPC with invalid credentials results in an authentication failure and immediate disconnection as expected
  • The authenticate RPC with valid credentials results in a usable connection as expected
  • Any other RPCs aside from authenticate when not yet authenticated result in immediate disconnection as expected
• Connecting via WebSockets with an auth header that has incorrect credentials results in an authentication failure and immediate disconnection as expected
• Connecting via WebSockets with an auth header that has correct credentials connects as expected

[rstaudt2]

Looks good to me with the latest updates.

The test coverage looks good as well:

go test -tags rpctest -run="TestCheckAuthUserPass|TestCheckAuth" -coverprofile=cov.out &&
go tool cover -func=cov.out | grep -E "checkAuthUserPass|checkAuthMAC"

github.com/decred/dcrd/internal/rpcserver/rpcserver.go:5858:  checkAuthMAC  100.0%
github.com/decred/dcrd/internal/rpcserver/rpcserver.go:5879:  checkAuthUserPass  100.0%