From 6c5b15758fbceef7987b40ee50a71ddc9624372d Mon Sep 17 00:00:00 2001
From: troido <troido@protonmail.com>
Date: Fri, 24 Apr 2020 11:08:42 +0200
Subject: server-side hashing now uses a salt

---
 Cargo.toml  |  2 +-
 src/auth.rs | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index fdd99da..29f65fd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,4 +19,4 @@ ctrlc = { version = "3.1", features = ["termination"] }
 structopt = "0.3"
 unicode_categories = "0.1.1"
 base64 = "0.12.0"
-sha2 = "0.8.1"
+ring = "0.16.12"
diff --git a/src/auth.rs b/src/auth.rs
index af74b08..9541a2e 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -6,8 +6,8 @@ use std::io::ErrorKind;
 
 use serde_json;
 use serde::{Serialize, Deserialize};
-use sha2::{Sha256, Digest};
-use base64::decode;
+use ring::digest;
+use base64;
 
 use crate::{
 	PlayerId,
@@ -31,13 +31,15 @@ pub enum UserRole {
 pub struct User {
 	pub name: String,
 	pub pass_token: String,
+	pub salt: String,
 	pub role: UserRole
 }
 
 impl User {
 	pub fn validate_token(&self, token: &str) -> bool {
-		if let (Ok(saved), Ok(given)) = (decode(&self.pass_token), decode(token)) {
-			let hashed: Vec<u8> = Sha256::digest(&given)[..].to_vec();
+		if let (Ok(saved), Ok(mut given), Ok(mut salt)) = (base64::decode(&self.pass_token), base64::decode(token), base64::decode(&self.salt)) {
+			given.append(&mut salt);
+			let hashed: Vec<u8> = digest::digest(&digest::SHA256, &given).as_ref().to_vec();
 			hashed == saved
 		} else {
 			false
-- 
cgit