feat: 强制切换到 argon2id

idoknow · Aug 14, 2024 · 2062063 · 2062063
1 parent d37c88d
commit 2062063
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 57 deletions.
diff --git a/backend/config/config.go b/backend/config/config.go
@@ -47,7 +47,6 @@ func SetDefault() {
 	viper.SetDefault("mq.redis.hash.post_publish_status", "campux_post_publish_status")
 	viper.SetDefault("mq.redis.prefix.oauth2_code", "campux_oauth2_code")
 
-	viper.SetDefault("experimental.password.hash.argon", true)
 }
 
 // 创建配置文件对象

diff --git a/backend/database/mongo.go b/backend/database/mongo.go
@@ -168,7 +168,7 @@ func (m *MongoDBManager) GetAccountByUIN(uin int64) (*AccountPO, error) {
 	return &acc, nil
 }
 
-func (m *MongoDBManager) UpdatePassword(uin int64, pwd, salt string) error {
+func (m *MongoDBManager) UpdatePassword(uin int64, pwd string) error {
 
 	// 更新
 	_, err := m.Client.Database(viper.GetString("database.mongo.db")).Collection(ACCOUNT_COLLECTION).UpdateOne(
@@ -178,8 +178,7 @@ func (m *MongoDBManager) UpdatePassword(uin int64, pwd, salt string) error {
 		},
 		bson.M{
 			"$set": bson.M{
-				"pwd":  pwd,
-				"salt": salt,
+				"pwd": pwd,
 			},
 		},
 	)

diff --git a/backend/database/po.go b/backend/database/po.go
@@ -25,8 +25,7 @@ type AccountPO struct {
 	Uin       int64     `json:"uin" bson:"uin"`               // QQ号
 	Pwd       string    `json:"pwd" bson:"pwd"`               // 数据库存md5之后的密码
 	CreatedAt time.Time `json:"created_at" bson:"created_at"` // CST时间
-	UserGroup UserGroup `json:"user_group" bson:"user_group"` // 用户组
-	Salt      string    `json:"salt" bson:"salt"`             // 加盐
+	UserGroup UserGroup `json:"user_group" bson:"user_group"` // 用户
 }
 
 type AccountExpose struct {

diff --git a/backend/service/account.go b/backend/service/account.go
@@ -2,7 +2,6 @@ package service
 
 import (
 	"errors"
-	"github.com/spf13/viper"
 	"time"
 
 	"github.com/RockChinQ/Campux/backend/database"
@@ -35,22 +34,16 @@ func (as *AccountService) CreateAccount(uin int64) (string, error) {
 		return "", ErrAccountAlreadyExist
 	} else {
 		initPwd := util.GenerateRandomPassword()
-		salt := util.GenerateRandomSalt()
 
 		var pwdHash string
-		if viper.GetBool(`experimental.password.hash.argon`) {
-			pwdHash, err = util.CreateHash(initPwd, util.DefaultParams)
-			if err != nil {
-				return "", err
-			}
-		} else {
-			pwdHash = util.EncryptPassword(initPwd, salt)
+		pwdHash, err = util.CreateHash(initPwd, util.DefaultParams)
+		if err != nil {
+			return "", err
 		}
 		acc := &database.AccountPO{
 			Uin:       uin,
 			Pwd:       pwdHash,
 			UserGroup: database.USER_GROUP_USER,
-			Salt:      salt,
 			CreatedAt: util.GetCSTTime(),
 		}
 
@@ -72,13 +65,13 @@ func (as *AccountService) CheckAccount(uin int64, pwd string) (string, error) {
 	}
 
 	var valid bool
-	if viper.GetBool(`experimental.password.hash.argon`) {
-		valid, err = util.ComparePasswordAndHash(pwd, acc.Pwd)
-		if err != nil {
-			return "", err
+	valid, err = util.ComparePasswordAndHash(pwd, acc.Pwd)
+	if err != nil {
+		if err == util.ErrInvalidHash {
+			return "", errors.New("hash 算法已更改，请重置密码")
 		}
-	} else {
-		valid = acc.Pwd == util.EncryptPassword(pwd, acc.Salt)
+
+		return "", err
 	}
 
 	if !valid {
@@ -104,21 +97,16 @@ func (as *AccountService) ResetPassword(uin int64) (string, error) {
 
 	// 生成新密码
 	newPwd := util.GenerateRandomPassword()
-	salt := util.GenerateRandomSalt()
 
 	var encryptedPwd string
 
-	if viper.GetBool(`experimental.password.hash.argon`) {
-		encryptedPwd, err = util.CreateHash(newPwd, util.DefaultParams)
-		if err != nil {
-			return "", err
-		}
-	} else {
-		encryptedPwd = util.EncryptPassword(newPwd, salt)
+	encryptedPwd, err = util.CreateHash(newPwd, util.DefaultParams)
+	if err != nil {
+		return "", err
 	}
 
 	// 更新密码
-	err = as.DB.UpdatePassword(uin, encryptedPwd, salt)
+	err = as.DB.UpdatePassword(uin, encryptedPwd)
 
 	return newPwd, err
 }
@@ -135,20 +123,14 @@ func (as *AccountService) ChangePassword(uin int64, newPwd string) error {
 		return ErrAccountNotFound
 	}
 
-	salt := util.GenerateRandomSalt()
-
 	var encryptedPwd string
-	if viper.GetBool(`experimental.password.hash.argon`) {
-		encryptedPwd, err = util.CreateHash(newPwd, util.DefaultParams)
-		if err != nil {
-			return err
-		}
-	} else {
-		encryptedPwd = util.EncryptPassword(newPwd, salt)
+	encryptedPwd, err = util.CreateHash(newPwd, util.DefaultParams)
+	if err != nil {
+		return err
 	}
 
 	// 更新密码
-	err = as.DB.UpdatePassword(uin, encryptedPwd, salt)
+	err = as.DB.UpdatePassword(uin, encryptedPwd)
 
 	return err
 }

diff --git a/backend/util/crypto.go b/backend/util/crypto.go
@@ -24,19 +24,3 @@ func GenerateRandomPassword() string {
 
 	return string(b)
 }
-
-// 随机生成一个包含小写字母和数字的字符串，长度为16
-// 用于生成salt
-func GenerateRandomSalt() string {
-	const letterBytes = "abcdefghijklmnopqrstuvwxyz0123456789"
-	b := make([]byte, 16)
-	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
-	}
-	return string(b)
-}
-
-// 计算密码的md5值
-func EncryptPassword(password, salt string) string {
-	return MD5(password + salt)
-}