security improvements

2025-06-29 21:59:41 +02:00
parent 7fdda06dba
commit caba5bae70
30 changed files with 3929 additions and 147 deletions
--- a/local/model/steam_credentials.go
+++ b/local/model/steam_credentials.go
@@ -8,6 +8,8 @@ import (
 	"encoding/base64"
 	"errors"
 	"io"
+	"regexp"
+	"strings"
 	"time"

 	"gorm.io/gorm"
@@ -74,25 +76,67 @@ func (s *SteamCredentials) AfterFind(tx *gorm.DB) error {
 	return nil
 }

-// Validate checks if the credentials are valid
+// Validate checks if the credentials are valid with enhanced security checks
 func (s *SteamCredentials) Validate() error {
 	if s.Username == "" {
 		return errors.New("username is required")
 	}
+
+	// Enhanced username validation
+	if len(s.Username) < 3 || len(s.Username) > 64 {
+		return errors.New("username must be between 3 and 64 characters")
+	}
+
+	// Check for valid characters in username (alphanumeric, underscore, hyphen)
+	if matched, _ := regexp.MatchString(`^[a-zA-Z0-9_-]+$`, s.Username); !matched {
+		return errors.New("username contains invalid characters")
+	}
+
 	if s.Password == "" {
 		return errors.New("password is required")
 	}
+
+	// Basic password validation
+	if len(s.Password) < 6 {
+		return errors.New("password must be at least 6 characters long")
+	}
+
+	if len(s.Password) > 128 {
+		return errors.New("password is too long")
+	}
+
+	// Check for obvious weak passwords
+	weakPasswords := []string{"password", "123456", "steam", "admin", "user"}
+	lowerPass := strings.ToLower(s.Password)
+	for _, weak := range weakPasswords {
+		if lowerPass == weak {
+			return errors.New("password is too weak")
+		}
+	}
+
 	return nil
 }

 // GetEncryptionKey returns the encryption key from config.
 // The key is loaded from the ENCRYPTION_KEY environment variable.
 func GetEncryptionKey() []byte {
-	return []byte(configs.EncryptionKey)
+	key := []byte(configs.EncryptionKey)
+	if len(key) != 32 {
+		panic("encryption key must be exactly 32 bytes for AES-256")
+	}
+	return key
 }

-// EncryptPassword encrypts a password using AES-256
+// EncryptPassword encrypts a password using AES-256-GCM with enhanced security
 func EncryptPassword(password string) (string, error) {
+	if password == "" {
+		return "", errors.New("password cannot be empty")
+	}
+
+	if len(password) > 1024 {
+		return "", errors.New("password too long")
+	}
+
 	key := GetEncryptionKey()
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -105,21 +149,30 @@ func EncryptPassword(password string) (string, error) {
 		return "", err
 	}

-	// Create a nonce
+	// Create a cryptographically secure nonce
 	nonce := make([]byte, gcm.NonceSize())
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		return "", err
 	}

-	// Encrypt the password
+	// Encrypt the password with authenticated encryption
 	ciphertext := gcm.Seal(nonce, nonce, []byte(password), nil)

 	// Return base64 encoded encrypted password
 	return base64.StdEncoding.EncodeToString(ciphertext), nil
 }

-// DecryptPassword decrypts an encrypted password
+// DecryptPassword decrypts an encrypted password with enhanced validation
 func DecryptPassword(encryptedPassword string) (string, error) {
+	if encryptedPassword == "" {
+		return "", errors.New("encrypted password cannot be empty")
+	}
+
+	// Validate base64 format
+	if len(encryptedPassword) < 24 { // Minimum reasonable length
+		return "", errors.New("invalid encrypted password format")
+	}
+
 	key := GetEncryptionKey()
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -135,7 +188,7 @@ func DecryptPassword(encryptedPassword string) (string, error) {
 	// Decode base64 encoded password
 	ciphertext, err := base64.StdEncoding.DecodeString(encryptedPassword)
 	if err != nil {
-		return "", err
+		return "", errors.New("invalid base64 encoding")
 	}

 	nonceSize := gcm.NonceSize()
@@ -146,8 +199,14 @@ func DecryptPassword(encryptedPassword string) (string, error) {
 	nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
 	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
 	if err != nil {
-		return "", err
+		return "", errors.New("decryption failed - invalid ciphertext or key")
 	}

-	return string(plaintext), nil
-} 
+	// Validate decrypted content
+	decrypted := string(plaintext)
+	if len(decrypted) == 0 || len(decrypted) > 1024 {
+		return "", errors.New("invalid decrypted password")
+	}
+
+	return decrypted, nil
+}
--- a/local/model/user.go
+++ b/local/model/user.go
@@ -1,6 +1,7 @@
 package model

 import (
+	"acc-server-manager/local/utl/password"
 	"errors"

 	"github.com/google/uuid"
@@ -11,54 +12,57 @@ import (
 type User struct {
 	ID       uuid.UUID `json:"id" gorm:"type:uuid;primary_key;"`
 	Username string    `json:"username" gorm:"unique_index;not null"`
-	Password string    `json:"password" gorm:"not null"`
+	Password string    `json:"-" gorm:"not null"` // Never expose password in JSON
 	RoleID   uuid.UUID `json:"role_id" gorm:"type:uuid"`
 	Role     Role      `json:"role"`
 }

-
-// BeforeCreate is a GORM hook that runs before creating new credentials
+// BeforeCreate is a GORM hook that runs before creating new users
 func (s *User) BeforeCreate(tx *gorm.DB) error {
 	s.ID = uuid.New()
-	// Encrypt password before saving
-	encrypted, err := EncryptPassword(s.Password)
+
+	// Validate password strength
+	if err := password.ValidatePasswordStrength(s.Password); err != nil {
+		return err
+	}
+
+	// Hash password before saving
+	hashed, err := password.HashPassword(s.Password)
 	if err != nil {
 		return err
 	}
-	s.Password = encrypted
+	s.Password = hashed

 	return nil
 }

-// BeforeUpdate is a GORM hook that runs before updating credentials
+// BeforeUpdate is a GORM hook that runs before updating users
 func (s *User) BeforeUpdate(tx *gorm.DB) error {
-
-	// Only encrypt if password field is being updated
+	// Only hash if password field is being updated
 	if tx.Statement.Changed("Password") {
-		encrypted, err := EncryptPassword(s.Password)
+		// Validate password strength
+		if err := password.ValidatePasswordStrength(s.Password); err != nil {
+			return err
+		}
+
+		hashed, err := password.HashPassword(s.Password)
 		if err != nil {
 			return err
 		}
-		s.Password = encrypted
+		s.Password = hashed
 	}

 	return nil
 }

-// AfterFind is a GORM hook that runs after fetching credentials
+// AfterFind is a GORM hook that runs after fetching users
 func (s *User) AfterFind(tx *gorm.DB) error {
-	// Decrypt password after fetching
-	if s.Password != "" {
-		decrypted, err := DecryptPassword(s.Password)
-		if err != nil {
-			return err
-		}
-		s.Password = decrypted
-	}
+	// Password remains hashed - never decrypt
+	// This hook is kept for potential future use
 	return nil
 }

-// Validate checks if the credentials are valid
+// Validate checks if the user data is valid
 func (s *User) Validate() error {
 	if s.Username == "" {
 		return errors.New("username is required")
@@ -67,4 +71,9 @@ func (s *User) Validate() error {
 		return errors.New("password is required")
 	}
 	return nil
-}
+}
+
+// VerifyPassword verifies a plain text password against the stored hash
+func (s *User) VerifyPassword(plainPassword string) error {
+	return password.VerifyPassword(s.Password, plainPassword)
+}