pw protected invitation get destroyed after 3 failed retrieval attempts
This commit is contained in:
ycc
@@ -2,6 +2,7 @@ package server
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"crypto/subtle"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"math/big"
|
"math/big"
|
||||||
@@ -27,6 +28,24 @@ func (r *RedisRouter) StoreInvitation(invitation []byte, timeout int, password s
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (r *RedisRouter) GetInvitation(id string, password string) ([]byte, error) {
|
func (r *RedisRouter) GetInvitation(id string, password string) ([]byte, error) {
|
||||||
|
// Check failed attempts counter
|
||||||
|
failedAttemptsKey := "mwfa:" + id
|
||||||
|
failedAttempts := 0 // Default when key doesn't exist
|
||||||
|
val, err := r.Client.Get(failedAttemptsKey).Int()
|
||||||
|
if err == nil {
|
||||||
|
failedAttempts = val
|
||||||
|
} else if err != redis.Nil {
|
||||||
|
return nil, fmt.Errorf("failed to check attempts: %w", err)
|
||||||
|
}
|
||||||
|
// If err == redis.Nil, key doesn't exist, so failedAttempts stays 0
|
||||||
|
|
||||||
|
// If already hit the limit, delete invitation and fail
|
||||||
|
if failedAttempts >= 3 {
|
||||||
|
r.deleteInvitation(id)
|
||||||
|
return nil, errors.New("invitation locked due to too many failed attempts")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if password is required
|
||||||
passRequired := false
|
passRequired := false
|
||||||
expectedpass, err := r.Client.Get("mwpw:" + id).Result()
|
expectedpass, err := r.Client.Get("mwpw:" + id).Result()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -34,16 +53,43 @@ func (r *RedisRouter) GetInvitation(id string, password string) ([]byte, error)
|
|||||||
} else {
|
} else {
|
||||||
passRequired = true
|
passRequired = true
|
||||||
}
|
}
|
||||||
if passRequired && password != expectedpass {
|
|
||||||
|
// Validate password with constant-time comparison
|
||||||
|
if passRequired {
|
||||||
|
if subtle.ConstantTimeCompare([]byte(password), []byte(expectedpass)) != 1 {
|
||||||
|
// Increment failed attempts
|
||||||
|
newCount := failedAttempts + 1
|
||||||
|
r.Client.Set(failedAttemptsKey, newCount, 0)
|
||||||
|
|
||||||
|
// If this was the 3rd attempt, delete invitation
|
||||||
|
if newCount >= 3 {
|
||||||
|
r.deleteInvitation(id)
|
||||||
|
return nil, errors.New("auth failed - invitation destroyed after 3 attempts")
|
||||||
|
}
|
||||||
return nil, errors.New("auth failed")
|
return nil, errors.New("auth failed")
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Success - get invitation data
|
||||||
mwiv, err := r.Client.Get("mwiv:" + id).Result()
|
mwiv, err := r.Client.Get("mwiv:" + id).Result()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Clear failed attempts counter on successful access
|
||||||
|
r.Client.Del(failedAttemptsKey)
|
||||||
|
|
||||||
return []byte(mwiv), nil
|
return []byte(mwiv), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// deleteInvitation removes all invitation-related keys from Redis
|
||||||
|
func (r *RedisRouter) deleteInvitation(id string) {
|
||||||
|
r.Client.Del("mwiv:" + id) // invitation data
|
||||||
|
r.Client.Del("mwpw:" + id) // password
|
||||||
|
r.Client.Del("mwfa:" + id) // failed attempts
|
||||||
|
r.Client.Del("mwan:" + id) // answer to invitation
|
||||||
|
}
|
||||||
|
|
||||||
func (r *RedisRouter) StoreAnswerToInvitation(id string, timeout int, invitation []byte, serverTimeout int) time.Time {
|
func (r *RedisRouter) StoreAnswerToInvitation(id string, timeout int, invitation []byte, serverTimeout int) time.Time {
|
||||||
if timeout > serverTimeout {
|
if timeout > serverTimeout {
|
||||||
timeout = serverTimeout
|
timeout = serverTimeout
|
||||||
|
|||||||
Reference in New Issue
Block a user