authortroido <troido@protonmail.com>2020-04-23 23:34:51 +0200
committertroido <troido@protonmail.com>2020-04-23 23:34:51 +0200
commit71744e0d16a23acde3e743c94838dbae9af057a9 (patch)
tree30844ae01ee5d2745ce7c2f87161c7b509992b73 /src
parentd577a3f874a3fc2cb71708f400482ca817abc33e (diff)
hash the password server-side too
Diffstat (limited to 'src')
-rw-r--r--src/auth.rs16
-rw-r--r--src/gameserver.rs3
2 files changed, 16 insertions, 3 deletions
diff --git a/src/auth.rs b/src/auth.rs
index 8178593..af74b08 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -3,9 +3,12 @@ use std::path::{PathBuf};
use std::fs;
use std::env;
use std::io::ErrorKind;
-use serde_json;
+use serde_json;
use serde::{Serialize, Deserialize};
+use sha2::{Sha256, Digest};
+use base64::decode;
+
use crate::{
PlayerId,
errors::AnyError,
@@ -31,6 +34,17 @@ pub struct User {
pub role: UserRole
}
+impl User {
+ pub fn validate_token(&self, token: &str) -> bool {
+ if let (Ok(saved), Ok(given)) = (decode(&self.pass_token), decode(token)) {
+ let hashed: Vec<u8> = Sha256::digest(&given)[..].to_vec();
+ hashed == saved
+ } else {
+ false
+ }
+ }
+}
+
macro_rules! inv {
($code:expr) => {($code).map_err(|err| LoaderError::InvalidResource(Box::new(err)))}
}
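Review bot: `validate_token` checks a single unsalted SHA-256 of the token, which is cheap to compute, so if the token is derived from a user-chosen password (the commit title suggests this, but the client side is not visible here) a leaked user file can still be guessed against offline; a salted password-hashing function with a per-user salt would fit better than `Sha256::digest(&given)`. The final comparison `hashed == saved` is not constant-time; a constant-time equality helper, for example `hashed.as_slice().ct_eq(saved.as_slice()).into()` from the `subtle` crate, would remove that timing variable, and it also makes the `.to_vec()` copy unnecessary. Entries whose `pass_token` was written before this commit would presumably stop validating, so a doc comment on the method stating that `pass_token` now holds the base64 of the SHA-256 of the decoded token, plus a migration note, would help.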
diff --git a/src/gameserver.rs b/src/gameserver.rs
index 37b889f..4947c8d 100644
--- a/src/gameserver.rs
+++ b/src/gameserver.rs
@@ -209,8 +209,7 @@ impl GameServer {
println!("Name mismatch: user entry for {:?} has name {}", player, user.name);
return Err(merr!("server", "name mismatch"));
}
- if token != user.pass_token {
- println!("password mismatch: '{}' '{}'", token, user.pass_token);
+ if !user.validate_token(&token) {
return Err(merr!("invalidtoken", "invalid pass token"));
}
()
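Review bot: The invalid-token branch now returns without writing any log line, so repeated failed logins against an account leave no trace on the server. Dropping the old `println!` that printed both tokens was right, but a replacement without secrets, such as `println!("invalid pass token for {:?}", player);`, would keep failed attempts visible for detection. `player` is already logged the same way in the name-mismatch message just above. The enclosing function starts and ends outside the hunk.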