From ed717679bac17e3ee12e25941cc55597b8169dd5 Mon Sep 17 00:00:00 2001
From: Johannes Loher
Date: Sun, 15 Oct 2017 16:43:39 +0200
Subject: [PATCH 1/2] Store passwords as salted hashes using bcrypt
---
dub.json | 5 +++++
source/calendarwebapp/authenticator.d | 12 +++++++++---
test/calendarwebapp/testauthenticator.d | 16 ++++++++--------
3 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/dub.json b/dub.json
index 3db2ce0..8b3aee1 100644
--- a/dub.json
+++ b/dub.json
@@ -4,9 +4,14 @@
"Johannes Loher"
],
"dependencies": {
+ "botan": "~>1.12.9",
"vibe-d": "~>0.8.1",
+ "vibe-d:tls": "~>0.8.1",
"poodinis": "~>8.0.1"
},
+ "subConfigurations": {
+ "vibe-d:tls": "botan"
+ },
"description": "A simple webapplication to edit and view calendar entries",
"copyright": "Copyright © 2017, Johannes Loher",
"license": "MIT",
diff --git a/source/calendarwebapp/authenticator.d b/source/calendarwebapp/authenticator.d
index 89c36b5..b48d83b 100644
--- a/source/calendarwebapp/authenticator.d
+++ b/source/calendarwebapp/authenticator.d
@@ -2,7 +2,6 @@ module calendarwebapp.authenticator;
import poodinis;
-import vibe.data.bson : Bson;
import vibe.db.mongo.collection : MongoCollection;
interface Authenticator
@@ -19,8 +18,15 @@ private:
public:
bool checkUser(string username, string password) @safe
{
- auto result = users.findOne(["username" : username, "password" : password]);
- return result != Bson(null);
+ import botan.passhash.bcrypt : checkBcrypt;
+ import vibe.data.bson : Bson;
+
+ auto result = users.findOne(["username" : username]);
+ /* checkBcrypt should be called using vibe.core.concurrency.async to avoid blocking, but https://github.com/vibe-d/vibe.d/issues/1521 is blocking this */
+ return (result != Bson(null)) && (() @trusted => checkBcrypt(password, result["password"].get!string))();
+ } }
diff --git a/test/calendarwebapp/testauthenticator.d b/test/calendarwebapp/testauthenticator.d
index 65f6542..4e744c2 100644
--- a/test/calendarwebapp/testauthenticator.d 
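Review bot: The new `subConfigurations` entry selects Botan as vibe-d's TLS backend for the whole application, which changes the TLS implementation behind every HTTPS connection (certificate validation, cipher suites) and is not mentioned in the commit title, which only speaks of password hashing. If the switch is there only so that the `botan` package links for `checkBcrypt`, the commit message should say so and spell out the TLS consequence, since dub.json has no comment syntax to carry it. `"botan": "~>1.12.9"` also floats across patch releases of a crypto library; committing the resolved version in dub.selections.json keeps the hashing and TLS code paths reproducible across builds.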
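Review bot: The `&&` in the new `return` short-circuits when `findOne` yields `Bson(null)`, so an unknown username is answered without any bcrypt work while a known one pays a full verification (typically tens to hundreds of milliseconds at cost 10) — the response time tells an attacker which usernames exist. Run `checkBcrypt` unconditionally, against a fixed well-formed bcrypt hash when the lookup misses, and combine with the lookup result only afterwards. `result["password"].get!string` will also throw rather than fail closed if a user document has no `password` field or a non-string one; and documents written before this change still hold the old plaintext value in `password`, so those users presumably fail to log in from now on (no migration is part of this commit) — confirm that is intended. The enclosing `MongoDBAuthenticator` class starts outside the hunk.
```d
        auto result = users.findOne(["username" : username]);
        // Any well-formed bcrypt hash; verified against when the lookup misses or the
        // document carries no string password, so every call pays the same bcrypt cost.
        enum dummyHash = "$2a$10$9LBqOZV99ARiE4Nx.2b7GeYfqk2.0A32PWGu2cRGyW2hRJ0xeDfnO";
        immutable found = result != Bson(null) && result["password"].type == Bson.Type.string;
        immutable stored = found ? result["password"].get!string : dummyHash;
        // … unchanged: note about vibe.core.concurrency.async …
        immutable matched = (() @trusted => checkBcrypt(password, stored))();
        return found && matched;
```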
+++ b/test/calendarwebapp/testauthenticator.d
@@ -7,7 +7,7 @@ import poodinis;
import unit_threaded.mock;
import unit_threaded.should;
-import vibe.data.bson : Bson;
+import vibe.data.bson : Bson, BsonObjectID;
interface Collection
{
@@ -41,13 +41,13 @@ public:
container.register!(Authenticator, MongoDBAuthenticator!(Collection))( RegistrationOption.doNotAddConcreteTypeRegistration);
- collection.returnValue!"findOne"(Bson(true), Bson(null));
- collection.expect!"findOne"(["username" : "", "password" : ""]);
- collection.expect!"findOne"(["username" : "foo", "password" : "bar"]);
+ auto userBson = Bson(["_id" : Bson(BsonObjectID.fromString("5988ef4ae6c19089a1a53b79")), "username" : Bson("foo"), "password" : Bson("$2a$10$9LBqOZV99ARiE4Nx.2b7GeYfqk2.0A32PWGu2cRGyW2hRJ0xeDfnO")]);
+
+ collection.returnValue!"findOne"(Bson(null), userBson, userBson);
auto authenticator = container.resolve!(Authenticator);
- authenticator.checkUser("", "").shouldBeTrue;
- authenticator.checkUser("foo", "bar").shouldBeFalse;
-
- collection.verify;
+ authenticator.checkUser("", "").shouldBeFalse;
+ authenticator.checkUser("foo", "bar").shouldBeTrue;
+ authenticator.checkUser("foo", "baz").shouldBeFalse;
}
From 026ea7128f3e311b427031578cbda0e939ed25f2 Mon Sep 17 00:00:00 2001
From: Johannes Loher
Date: Tue, 17 Oct 2017 23:15:26 +0200
Subject: [PATCH 2/2] dont't compile source/calendarwebapp/app.d when perform a unittest build. Fixes #5
---
dub.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/dub.json b/dub.json
index 8b3aee1..8bdeac1 100644
--- a/dub.json
+++ b/dub.json
@@ -29,6 +29,7 @@
"targetType": "executable",
"preBuildCommands": ["dub run unit-threaded -c gen_ut_main -- -f generated/ut.d test"],
"mainSourceFile": "generated/ut.d",
+ "excludedSourceFiles": ["source/calendarwebapp/app.d"],
"sourcePaths": ["test"],
"dependencies": {
"unit-threaded": "~>0.7.31"
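Review bot: Dropping `collection.expect!"findOne"` and `collection.verify` leaves the shape of the new lookup unasserted: nothing checks that `findOne` is now called with `["username" : "foo"]` alone, which is exactly the property that keeps the password out of the query. Re-add `collection.expect!"findOne"(["username" : "foo"]);` before the `resolve` call and `collection.verify;` after the last `checkUser`. The three queued `returnValue`s appear to be handed out in call order, so the `("", "")` call must stay first; a one-line comment above `returnValue` such as `// findOne answers in call order: unknown user, then "foo" twice` would spare the next reader a trip into unit_threaded. The test function itself begins before the hunk.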