From 22f7f3cf463edc78d9b6a61de7479dfac82d8e90 Mon Sep 17 00:00:00 2001 From: riwiwa Date: Sun, 8 Feb 2026 00:51:15 -0800 Subject: [PATCH] better password validation --- templates/create_account.gohtml | 10 ++++++++++ templates/login.gohtml | 4 ++-- web/web.go | 30 ++++++++++++++++++++++-------- 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/templates/create_account.gohtml b/templates/create_account.gohtml index 6bcfccb..d62fcee 100644 --- a/templates/create_account.gohtml +++ b/templates/create_account.gohtml @@ -14,6 +14,16 @@

+ {{if eq .Error "length"}} +
+ Password must be 8-64 chars (inclusive). +
+ {{end}} + {{if eq .Error "session"}} +
+ Unable to create session. Please try again. +
+ {{end}} diff --git a/templates/login.gohtml b/templates/login.gohtml index d9719ce..84171cf 100644 --- a/templates/login.gohtml +++ b/templates/login.gohtml @@ -14,12 +14,12 @@

- {{if eq .Error "1"}} + {{if eq .Error "invalid-creds"}}
Invalid credentials. Please try again.
{{end}} - {{if eq .Error "2"}} + {{if eq .Error "session"}}
Unable to create session. Please try again.
diff --git a/web/web.go b/web/web.go index 3fa1a60..f90b966 100644 --- a/web/web.go +++ b/web/web.go @@ -5,6 +5,7 @@ import ( "crypto/rand" "encoding/hex" "encoding/json" + "errors" "fmt" "html/template" "net/http" @@ -136,12 +137,16 @@ func getUserIdByUsername(ctx context.Context, username string) (int, error) { return userId, err } -func hashPassword(pass []byte) string { +func hashPassword(pass []byte) (string, error) { + if len(pass) < 8 || len(pass) > 64 { + return "", errors.New("Error: Password must be greater than 8 chars.") + } hashedPassword, err := bcrypt.GenerateFromPassword(pass, bcrypt.DefaultCost) if err != nil { fmt.Fprintf(os.Stderr, "Couldn't hash password: %v\n", err) + return "", err } - return string(hashedPassword) + return string(hashedPassword), nil } func verifyPassword(hashedPassword string, enteredPassword []byte) bool { @@ -158,9 +163,14 @@ func createAccount(w http.ResponseWriter, r *http.Request) { r.ParseForm() username := r.FormValue("uname") - hashedPassword := hashPassword([]byte(r.FormValue("pass"))) + hashedPassword, err := hashPassword([]byte(r.FormValue("pass"))) + if err != nil { + fmt.Fprintf(os.Stderr, "Error hashing password: %v\n", err) + http.Redirect(w, r, "/createaccount?error=length", http.StatusSeeOther) + return + } - err := db.CreateUsersTable() + err = db.CreateUsersTable() if err != nil { fmt.Fprintf(os.Stderr, "Error ensuring users table exists: %v\n", err) http.Redirect(w, r, "/createaccount", http.StatusSeeOther) @@ -179,7 +189,7 @@ func createAccount(w http.ResponseWriter, r *http.Request) { } else { sessionID := createSession(username) if sessionID == "" { - http.Redirect(w, r, "/login?error=2", http.StatusSeeOther) + http.Redirect(w, r, "/login?error=session", http.StatusSeeOther) return } http.SetCookie(w, &http.Cookie{ @@ -196,7 +206,11 @@ func createAccount(w http.ResponseWriter, r *http.Request) { func createAccountPageHandler() http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - err := templates.ExecuteTemplate(w, "create_account.gohtml", nil) + type data struct { + Error string + } + d := data{Error: "len"} + err := templates.ExecuteTemplate(w, "create_account.gohtml", d) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) } @@ -219,7 +233,7 @@ func loginSubmit(w http.ResponseWriter, r *http.Request) { if verifyPassword(storedPassword, []byte(password)) { sessionID := createSession(username) if sessionID == "" { - http.Redirect(w, r, "/login?error=2", http.StatusSeeOther) + http.Redirect(w, r, "/login?error=session", http.StatusSeeOther) return } http.SetCookie(w, &http.Cookie{ @@ -231,7 +245,7 @@ func loginSubmit(w http.ResponseWriter, r *http.Request) { }) http.Redirect(w, r, "/profile/"+username, http.StatusSeeOther) } else { - http.Redirect(w, r, "/login?error=1", http.StatusSeeOther) + http.Redirect(w, r, "/login?error=invalid-creds", http.StatusSeeOther) } } }