218 lines
5.3 KiB
Go
218 lines
5.3 KiB
Go
package model
|
|
|
|
import (
|
|
"acc-server-manager/local/utl/configs"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"errors"
|
|
"io"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
// SteamCredentials represents stored Steam login credentials
|
|
type SteamCredentials struct {
|
|
ID uuid.UUID `gorm:"type:uuid;primary_key;" json:"id"`
|
|
Username string `gorm:"not null" json:"username"`
|
|
Password string `gorm:"not null" json:"-"` // Encrypted, not exposed in JSON
|
|
DateCreated time.Time `json:"dateCreated"`
|
|
LastUpdated time.Time `json:"lastUpdated"`
|
|
}
|
|
|
|
// TableName specifies the table name for GORM
|
|
func (SteamCredentials) TableName() string {
|
|
return "steam_credentials"
|
|
}
|
|
|
|
// BeforeCreate is a GORM hook that runs before creating new credentials
|
|
func (s *SteamCredentials) BeforeCreate(tx *gorm.DB) error {
|
|
if s.ID == uuid.Nil {
|
|
s.ID = uuid.New()
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
if s.DateCreated.IsZero() {
|
|
s.DateCreated = now
|
|
}
|
|
s.LastUpdated = now
|
|
|
|
// Encrypt password before saving
|
|
encrypted, err := EncryptPassword(s.Password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
s.Password = encrypted
|
|
|
|
return nil
|
|
}
|
|
|
|
// BeforeUpdate is a GORM hook that runs before updating credentials
|
|
func (s *SteamCredentials) BeforeUpdate(tx *gorm.DB) error {
|
|
s.LastUpdated = time.Now().UTC()
|
|
|
|
// Only encrypt if password field is being updated
|
|
if tx.Statement.Changed("Password") {
|
|
encrypted, err := EncryptPassword(s.Password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
s.Password = encrypted
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// AfterFind is a GORM hook that runs after fetching credentials
|
|
func (s *SteamCredentials) AfterFind(tx *gorm.DB) error {
|
|
// Decrypt password after fetching
|
|
if s.Password != "" {
|
|
decrypted, err := DecryptPassword(s.Password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
s.Password = decrypted
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Validate checks if the credentials are valid with enhanced security checks
|
|
func (s *SteamCredentials) Validate() error {
|
|
if s.Username == "" {
|
|
return errors.New("username is required")
|
|
}
|
|
|
|
// Enhanced username validation
|
|
if len(s.Username) < 3 || len(s.Username) > 64 {
|
|
return errors.New("username must be between 3 and 64 characters")
|
|
}
|
|
|
|
// Check for valid characters in username (alphanumeric, underscore, hyphen)
|
|
if matched, _ := regexp.MatchString(`^[a-zA-Z0-9_-]+$`, s.Username); !matched {
|
|
return errors.New("username contains invalid characters")
|
|
}
|
|
|
|
if s.Password == "" {
|
|
return errors.New("password is required")
|
|
}
|
|
|
|
// Basic password validation
|
|
if len(s.Password) < 6 {
|
|
return errors.New("password must be at least 6 characters long")
|
|
}
|
|
|
|
if len(s.Password) > 128 {
|
|
return errors.New("password is too long")
|
|
}
|
|
|
|
// Check for obvious weak passwords
|
|
weakPasswords := []string{"password", "123456", "steam", "admin", "user"}
|
|
lowerPass := strings.ToLower(s.Password)
|
|
for _, weak := range weakPasswords {
|
|
if lowerPass == weak {
|
|
return errors.New("password is too weak")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetEncryptionKey returns the encryption key from config.
|
|
// The key is loaded from the ENCRYPTION_KEY environment variable.
|
|
func GetEncryptionKey() []byte {
|
|
key := []byte(configs.EncryptionKey)
|
|
if len(key) != 32 {
|
|
panic("encryption key must be exactly 32 bytes for AES-256")
|
|
}
|
|
return key
|
|
}
|
|
|
|
// EncryptPassword encrypts a password using AES-256-GCM with enhanced security
|
|
func EncryptPassword(password string) (string, error) {
|
|
if password == "" {
|
|
return "", errors.New("password cannot be empty")
|
|
}
|
|
|
|
if len(password) > 1024 {
|
|
return "", errors.New("password too long")
|
|
}
|
|
|
|
key := GetEncryptionKey()
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Create a new GCM cipher
|
|
gcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Create a cryptographically secure nonce
|
|
nonce := make([]byte, gcm.NonceSize())
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Encrypt the password with authenticated encryption
|
|
ciphertext := gcm.Seal(nonce, nonce, []byte(password), nil)
|
|
|
|
// Return base64 encoded encrypted password
|
|
return base64.StdEncoding.EncodeToString(ciphertext), nil
|
|
}
|
|
|
|
// DecryptPassword decrypts an encrypted password with enhanced validation
|
|
func DecryptPassword(encryptedPassword string) (string, error) {
|
|
if encryptedPassword == "" {
|
|
return "", errors.New("encrypted password cannot be empty")
|
|
}
|
|
|
|
// Validate base64 format
|
|
if len(encryptedPassword) < 24 { // Minimum reasonable length
|
|
return "", errors.New("invalid encrypted password format")
|
|
}
|
|
|
|
key := GetEncryptionKey()
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Create a new GCM cipher
|
|
gcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Decode base64 encoded password
|
|
ciphertext, err := base64.StdEncoding.DecodeString(encryptedPassword)
|
|
if err != nil {
|
|
return "", errors.New("invalid base64 encoding")
|
|
}
|
|
|
|
nonceSize := gcm.NonceSize()
|
|
if len(ciphertext) < nonceSize {
|
|
return "", errors.New("ciphertext too short")
|
|
}
|
|
|
|
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
|
|
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
|
if err != nil {
|
|
return "", errors.New("decryption failed - invalid ciphertext or key")
|
|
}
|
|
|
|
// Validate decrypted content
|
|
decrypted := string(plaintext)
|
|
if len(decrypted) == 0 || len(decrypted) > 1024 {
|
|
return "", errors.New("invalid decrypted password")
|
|
}
|
|
|
|
return decrypted, nil
|
|
}
|