salt

Bumer-32 · Bumer-32 · commit 6b98dcdd2801 · 2025-06-22T15:44:56.000+03:00
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/PREIWTCMS.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/PREIWTCMS.kt
@@ -60,7 +60,8 @@ object PREIWTCMS : PreLaunchEntrypoint {
             if (Users.selectAll().empty()) {
                 Users.insert {
                     it[username] = "admin"
-                    it[passwordHash] = DigestUtils.sha256Hex("iwtcms").toString()
+                    it[passwordHash] = DigestUtils.sha256Hex("iwtcms" + "ySXBvMifqXULEm1uRKP91ctmL6tCwCMi").toString()
+                    it[salt] = "ySXBvMifqXULEm1uRKP91ctmL6tCwCMi"
                     it[uniqueId] = DigestUtils.sha256Hex("admin+iwtcms").toString()
                     it[admin] = true
                 }
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/CreateUser.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/CreateUser.kt
@@ -9,6 +9,7 @@ import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.Serializable
 import org.apache.commons.codec.digest.DigestUtils
 import org.jetbrains.exposed.exceptions.ExposedSQLException
+import org.jetbrains.exposed.sql.SqlExpressionBuilder.eq
 import org.jetbrains.exposed.sql.insert
 import org.jetbrains.exposed.sql.selectAll
 import org.jetbrains.exposed.sql.transactions.transaction
@@ -17,7 +18,7 @@ import ua.pp.lumivoid.iwtcms.ktor.api.getPermissionsList
 import ua.pp.lumivoid.iwtcms.ktor.tables.UserPermissions
 import ua.pp.lumivoid.iwtcms.ktor.tables.Users
 
-object CreateUserP : Request() {
+object CreateUser : Request() {
     override val path = "/api/createUser"
 
     override val request: Routing.() -> Unit = {
@@ -29,14 +30,20 @@ object CreateUserP : Request() {
                 permission = "create users",
                 success = {
                     transaction {
-                        try {
+                        var salt = generateSequence { genSalt() }
+                            .first { saltCandidate -> 
+                                Users.selectAll().where(Users.salt eq saltCandidate).empty()
+                            }
+
+                        runCatching {
                             Users.insert {
                                 it[Users.username] = payload.username
-                                it[Users.passwordHash] = DigestUtils.sha256Hex(payload.password)
-                                it[Users.uniqueId] = DigestUtils.sha256Hex("${payload.username}+${payload.password}")
+                                it[Users.passwordHash] = DigestUtils.sha256Hex(payload.password + salt)
+                                it[Users.salt] = salt
+                                it[Users.uniqueId] = DigestUtils.sha256Hex("${payload.username}+${payload.password}+${salt}")
                                 it[Users.admin] = payload.isAdmin
                             }
-                        } catch (_: ExposedSQLException) {
+                        }.onFailure {
                             runBlocking { call.respondText("User already exists", status = HttpStatusCode.Conflict) }
                             return@transaction
                         }
@@ -60,6 +67,13 @@ object CreateUserP : Request() {
             )
         }
     }
+
+    fun genSalt(): String {
+        val allowedChars = ('A'..'Z') + ('a'..'z') + ('0'..'9')
+        return (1..32)
+            .map { allowedChars.random() }
+            .joinToString("")
+    }
 }
 
 @Serializable
@@ -68,4 +82,4 @@ data class CreateUserPayload(
     val password: String,
     val isAdmin: Boolean,
     val permissions: Map<String, Boolean>,
-)
+)
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/DeleteUser.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/DeleteUser.kt
@@ -15,7 +15,7 @@ import ua.pp.lumivoid.iwtcms.ktor.api.doAuth
 import ua.pp.lumivoid.iwtcms.ktor.tables.UserPermissions
 import ua.pp.lumivoid.iwtcms.ktor.tables.Users
 
-object DeleteUserP : Request() {
+object DeleteUser : Request() {
     override val path = "/api/deleteUser"
 
     override val request: Routing.() -> Unit = {
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/EditPermissions.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/EditPermissions.kt
@@ -15,7 +15,7 @@ import ua.pp.lumivoid.iwtcms.ktor.api.doAuth
 import ua.pp.lumivoid.iwtcms.ktor.tables.UserPermissions
 import ua.pp.lumivoid.iwtcms.ktor.tables.Users
 
-object EditPermissionsP : Request() {
+object EditPermissions : Request() {
     override val path = "/api/editPermissions"
 
     override val request: Routing.() -> Unit = {
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/Login.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/api/requests/Login.kt
@@ -10,33 +10,35 @@ import io.ktor.server.sessions.set
 import kotlinx.serialization.Serializable
 import org.apache.commons.codec.digest.DigestUtils
 import org.jetbrains.exposed.sql.ResultRow
-import org.jetbrains.exposed.sql.and
 import org.jetbrains.exposed.sql.selectAll
 import org.jetbrains.exposed.sql.transactions.experimental.newSuspendedTransaction
 import ua.pp.lumivoid.iwtcms.ktor.cookie.UserSession
 import ua.pp.lumivoid.iwtcms.ktor.tables.Users
 
-object LoginP : Request() {
+object Login : Request() {
     override val path = "/api/login"
 
     override val request: Routing.() -> Unit = {
         post(path) {
             val payload = call.receive<LoginPayload>()
 
             newSuspendedTransaction {
-                val user: ResultRow =
-                    try {
-                        Users
-                            .selectAll()
-                            .where { (Users.username eq payload.username) and (Users.passwordHash eq DigestUtils.sha256Hex(payload.password)) }
-                            .first()
-                    } catch (_: NoSuchElementException) {
+                try {
+                    val user: ResultRow = Users
+                                            .selectAll()
+                                            .where { (Users.username eq payload.username) }
+                                            .first()
+                    val salt = user[Users.salt]
+
+                    if (DigestUtils.sha256Hex(payload.password + salt) == user[Users.passwordHash]) {
+                        call.sessions.set(UserSession(user[Users.username], user[Users.uniqueId]))
+                        call.respondText("Login successful")
+                    } else {
                         call.respondText("Login failed", status = HttpStatusCode.Unauthorized)
-                        return@newSuspendedTransaction
                     }
-
-                call.sessions.set(UserSession(name = user[Users.username], id = user[Users.uniqueId]))
-                call.respondText("Login successful")
+                } catch (_: NoSuchElementException) {
+                    call.respondText("Login failed", status = HttpStatusCode.Unauthorized)
+                }
             }
         }
     }
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/plugins/Routing.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/plugins/Routing.kt
@@ -17,13 +17,13 @@ import io.ktor.server.websocket.timeout
 import ua.pp.lumivoid.iwtcms.Constants
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.CheckLogin
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.Configs
-import ua.pp.lumivoid.iwtcms.ktor.api.requests.CreateUserP
-import ua.pp.lumivoid.iwtcms.ktor.api.requests.DeleteUserP
-import ua.pp.lumivoid.iwtcms.ktor.api.requests.EditPermissionsP
+import ua.pp.lumivoid.iwtcms.ktor.api.requests.CreateUser
+import ua.pp.lumivoid.iwtcms.ktor.api.requests.DeleteUser
+import ua.pp.lumivoid.iwtcms.ktor.api.requests.EditPermissions
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.Files
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.IsAllowed
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.IsDevEnabled
-import ua.pp.lumivoid.iwtcms.ktor.api.requests.LoginP
+import ua.pp.lumivoid.iwtcms.ktor.api.requests.Login
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.Logout
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.LogsHistory
 import ua.pp.lumivoid.iwtcms.ktor.api.requests.Main
@@ -76,17 +76,17 @@ fun Application.configureRouting() {
 
     Main.register(r)
     LogsHistory.register(r)
-    LoginP.register(r)
+    Login.register(r)
     IsAllowed.register(r)
     Files.register(r)
     Version.register(r)
     CheckLogin.register(r)
     IsDevEnabled.register(r)
     Logout.register(r)
     Configs.register(r)
-    CreateUserP.register(r)
-    DeleteUserP.register(r)
-    EditPermissionsP.register(r)
+    CreateUser.register(r)
+    DeleteUser.register(r)
+    EditPermissions.register(r)
 
     ConsoleWS.register(r)
     ServerStatsWS.register(r)
diff --git a/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/tables/Users.kt b/src/main/kotlin/ua/pp/lumivoid/iwtcms/ktor/tables/Users.kt
@@ -6,6 +6,7 @@ object Users : Table("users") {
     val id = integer("id").autoIncrement()
     val username = varchar("username", 128).uniqueIndex()
     val passwordHash = char("password_hash", 64)
-    val uniqueId = char("unique_id", 64)
+    val salt = char("salt", 32).uniqueIndex()
+    val uniqueId = char("unique_id", 64).uniqueIndex()
     val admin = bool("admin").default(false)
 }

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ object Users : Table("users") {`
`6`	`6`	`val id = integer("id").autoIncrement()`
`7`	`7`	`val username = varchar("username", 128).uniqueIndex()`
`8`	`8`	`val passwordHash = char("password_hash", 64)`
`9`		`- val uniqueId = char("unique_id", 64)`
	`9`	`+ val salt = char("salt", 32).uniqueIndex()`
	`10`	`+ val uniqueId = char("unique_id", 64).uniqueIndex()`
`10`	`11`	`val admin = bool("admin").default(false)`
`11`	`12`	`}`