perf: sha256 for user's password (close #3552)

2023-08-06 22:09:17 +08:00
parent 30415cefbe
commit 75acbcc115
4 changed files with 62 additions and 16 deletions
--- a/internal/model/user.go
+++ b/internal/model/user.go
@ -1,6 +1,8 @@
 package model

 import (
+	"fmt"
+
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/pkg/errors"
@ -12,10 +14,13 @@ const (
 	ADMIN
 )

+const HashSalt = "https://github.com/alist-org/alist"
+
 type User struct {
 	ID       uint   `json:"id" gorm:"primaryKey"`                      // unique key
 	Username string `json:"username" gorm:"unique" binding:"required"` // username
-	Password string `json:"password"`                                  // password
+	PwdHash  string `json:"-"`                                         // password hash
+	Password string `json:"-"`                                         // password
 	BasePath string `json:"base_path"`                                 // base path
 	Role     int    `json:"role"`                                      // user's role
 	Disabled bool   `json:"disabled"`
@ -45,10 +50,14 @@ func (u User) IsAdmin() bool {
 }

 func (u User) ValidatePassword(password string) error {
-	if password == "" {
+	return u.ValidatePwdHash(HashPwd(password))
+}
+
+func (u User) ValidatePwdHash(pwdHash string) error {
+	if pwdHash == "" {
 		return errors.WithStack(errs.EmptyPassword)
 	}
-	if u.Password != password {
+	if u.PwdHash != pwdHash {
 		return errors.WithStack(errs.WrongPassword)
 	}
 	return nil
@ -101,3 +110,7 @@ func (u User) CanAddQbittorrentTasks() bool {
 func (u User) JoinPath(reqPath string) (string, error) {
 	return utils.JoinBasePath(u.BasePath, reqPath)
 }
+
+func HashPwd(password string) string {
+	return utils.GetSHA256Encode([]byte(fmt.Sprintf("%s-%s", password, HashSalt)))
+}