llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-07 08:10:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: CredManager.GetHashedPassword() only contains one salt arg now (#3928)

Browse Source
This commit is contained in:
Raiki
2025-07-05 18:41:37 +08:00
committed by GitHub
parent b1f68a60a4
commit fb035a5353
13 changed files with 35 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
controllers/user.go
View File

@ -574,7 +574,7 @@ func (c *ApiController) SetPassword() {
targetUser.LastChangePasswordTime = util.GetCurrentTime() targetUser.LastChangePasswordTime = util.GetCurrentTime()
if user.Ldap == "" { if user.Ldap == "" {
_, err = object.UpdateUser(userId, targetUser, []string{"password", "need_update_password", "password_type", "last_change_password_time"}, false) _, err = object.UpdateUser(userId, targetUser, []string{"password", "password_salt", "need_update_password", "password_type", "last_change_password_time"}, false)
} else { } else {
if isAdmin { if isAdmin {
err = object.ResetLdapPassword(targetUser, "", newPassword, c.GetAcceptLanguage()) err = object.ResetLdapPassword(targetUser, "", newPassword, c.GetAcceptLanguage())

2
cred/argon2id.go
View File

@ -23,7 +23,7 @@ func NewArgon2idCredManager() *Argon2idCredManager {
return cm return cm
} }
func (cm *Argon2idCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *Argon2idCredManager) GetHashedPassword(password string, salt string) string {
hash, err := argon2id.CreateHash(password, argon2id.DefaultParams) hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
if err != nil { if err != nil {
return "" return ""

2
cred/bcrypt.go
View File

@ -9,7 +9,7 @@ func NewBcryptCredManager() *BcryptCredManager {
return cm return cm
} }
func (cm *BcryptCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *BcryptCredManager) GetHashedPassword(password string, salt string) string {
bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil { if err != nil {
return "" return ""

2
cred/manager.go
View File

@ -15,7 +15,7 @@
package cred package cred
type CredManager interface { type CredManager interface {
GetHashedPassword(password string, userSalt string, organizationSalt string) string GetHashedPassword(password string, salt string) string
IsPasswordCorrect(password string, passwordHash string, userSalt string, organizationSalt string) bool IsPasswordCorrect(password string, passwordHash string, userSalt string, organizationSalt string) bool
} }

13
cred/md5-user-salt.go
View File

@ -37,14 +37,13 @@ func NewMd5UserSaltCredManager() *Md5UserSaltCredManager {
return cm return cm
} }
func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *Md5UserSaltCredManager) GetHashedPassword(password string, salt string) string {
res := getMd5HexDigest(password) return getMd5HexDigest(getMd5HexDigest(password) + salt)
if userSalt != "" {
res = getMd5HexDigest(res + userSalt)
}
return res
} }
func (cm *Md5UserSaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool { func (cm *Md5UserSaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt) if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
return true
}
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
} }

9
cred/pbkdf2-salt.go
View File

@ -28,13 +28,16 @@ func NewPbkdf2SaltCredManager() *Pbkdf2SaltCredManager {
return cm return cm
} }
func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, salt string) string {
// https://www.keycloak.org/docs/latest/server_admin/index.html#password-database-compromised // https://www.keycloak.org/docs/latest/server_admin/index.html#password-database-compromised
decodedSalt, _ := base64.StdEncoding.DecodeString(userSalt) decodedSalt, _ := base64.StdEncoding.DecodeString(salt)
res := pbkdf2.Key([]byte(password), decodedSalt, 27500, 64, sha256.New) res := pbkdf2.Key([]byte(password), decodedSalt, 27500, 64, sha256.New)
return base64.StdEncoding.EncodeToString(res) return base64.StdEncoding.EncodeToString(res)
} }
func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool { func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt) if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
return true
}
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
} }

6
cred/pbkdf2_django.go
View File

@ -32,12 +32,8 @@ func NewPbkdf2DjangoCredManager() *Pbkdf2DjangoCredManager {
return cm return cm
} }
func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (m *Pbkdf2DjangoCredManager) GetHashedPassword(password string, salt string) string {
iterations := 260000 iterations := 260000
salt := userSalt
if salt == "" {
salt = organizationSalt
}
saltBytes := []byte(salt) saltBytes := []byte(salt)
passwordBytes := []byte(password) passwordBytes := []byte(password)

2
cred/plain.go
View File

@ -21,7 +21,7 @@ func NewPlainCredManager() *PlainCredManager {
return cm return cm
} }
func (cm *PlainCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *PlainCredManager) GetHashedPassword(password string, salt string) string {
return password return password
} }

13
cred/sha256-salt.go
View File

@ -37,14 +37,13 @@ func NewSha256SaltCredManager() *Sha256SaltCredManager {
return cm return cm
} }
func (cm *Sha256SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *Sha256SaltCredManager) GetHashedPassword(password string, salt string) string {
res := getSha256HexDigest(password) return getSha256HexDigest(getSha256HexDigest(password) + salt)
if organizationSalt != "" {
res = getSha256HexDigest(res + organizationSalt)
}
return res
} }
func (cm *Sha256SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool { func (cm *Sha256SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt) if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
return true
}
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
} }

4
cred/sha256-salt_test.go
View File

@ -23,12 +23,12 @@ func TestGetSaltedPassword(t *testing.T) {
password := "123456" password := "123456"
salt := "123" salt := "123"
cm := NewSha256SaltCredManager() cm := NewSha256SaltCredManager()
fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, "", salt)) fmt.Printf("%s -> %s\n", password, cm.GetHashedPassword(password, salt))
} }
func TestGetPassword(t *testing.T) { func TestGetPassword(t *testing.T) {
password := "123456" password := "123456"
cm := NewSha256SaltCredManager() cm := NewSha256SaltCredManager()
// https://passwordsgenerator.net/sha256-hash-generator/ // https://passwordsgenerator.net/sha256-hash-generator/
fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, "", "")) fmt.Printf("%s -> %s\n", "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92", cm.GetHashedPassword(password, ""))
} }

13
cred/sha512-salt.go
View File

@ -37,14 +37,13 @@ func NewSha512SaltCredManager() *Sha512SaltCredManager {
return cm return cm
} }
func (cm *Sha512SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string { func (cm *Sha512SaltCredManager) GetHashedPassword(password string, salt string) string {
res := getSha512HexDigest(password) return getSha512HexDigest(getSha512HexDigest(password) + salt)
if organizationSalt != "" {
res = getSha512HexDigest(res + organizationSalt)
}
return res
} }
func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool { func (cm *Sha512SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt) if hashedPwd == cm.GetHashedPassword(plainPwd, organizationSalt) {
return true
}
return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt)
} }

2
object/organization.go
View File

@ -222,7 +222,7 @@ func UpdateOrganization(id string, organization *Organization, isGlobalAdmin boo
if organization.MasterPassword != "" && organization.MasterPassword != "***" { if organization.MasterPassword != "" && organization.MasterPassword != "***" {
credManager := cred.GetCredManager(organization.PasswordType) credManager := cred.GetCredManager(organization.PasswordType)
if credManager != nil { if credManager != nil {
hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, "", organization.PasswordSalt) hashedPassword := credManager.GetHashedPassword(organization.MasterPassword, organization.PasswordSalt)
organization.MasterPassword = hashedPassword organization.MasterPassword = hashedPassword
} }
} }

3
object/user_cred.go
View File

@ -42,8 +42,9 @@ func (user *User) UpdateUserHash() error {
func (user *User) UpdateUserPassword(organization *Organization) { func (user *User) UpdateUserPassword(organization *Organization) {
credManager := cred.GetCredManager(organization.PasswordType) credManager := cred.GetCredManager(organization.PasswordType)
if credManager != nil { if credManager != nil {
hashedPassword := credManager.GetHashedPassword(user.Password, user.PasswordSalt, organization.PasswordSalt) hashedPassword := credManager.GetHashedPassword(user.Password, organization.PasswordSalt)
user.Password = hashedPassword user.Password = hashedPassword
user.PasswordType = organization.PasswordType user.PasswordType = organization.PasswordType
user.PasswordSalt = organization.PasswordSalt
} }
} }