start working on the frontend side

2025-12-24 19:53:45 +00:00
parent 3aa0169af0
commit c962a223c6
84 changed files with 14761 additions and 58 deletions
--- a/backend/internal/auth/handler.go
+++ b/backend/internal/auth/handler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/atlasos/calypso/internal/common/config"
 	"github.com/atlasos/calypso/internal/common/database"
 	"github.com/atlasos/calypso/internal/common/logger"
+	"github.com/atlasos/calypso/internal/common/password"
 	"github.com/atlasos/calypso/internal/iam"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
@@ -206,11 +207,13 @@ func (h *Handler) ValidateToken(tokenString string) (*iam.User, error) {
 }

 // verifyPassword verifies a password against an Argon2id hash
-func (h *Handler) verifyPassword(password, hash string) bool {
-	// TODO: Implement proper Argon2id verification
-	// For now, this is a stub
-	// In production, use golang.org/x/crypto/argon2 and compare hashes
-	return true
+func (h *Handler) verifyPassword(pwd, hash string) bool {
+	valid, err := password.VerifyPassword(pwd, hash)
+	if err != nil {
+		h.logger.Warn("Password verification error", "error", err)
+		return false
+	}
+	return valid
 }

 // generateToken generates a JWT token for a user
@@ -235,8 +238,8 @@ func (h *Handler) generateToken(user *iam.User) (string, time.Time, error) {

 // createSession creates a session record in the database
 func (h *Handler) createSession(userID, token, ipAddress, userAgent string, expiresAt time.Time) error {
-	// Hash the token for storage
-	tokenHash := hashToken(token)
+	// Hash the token for storage using SHA-256
+	tokenHash := HashToken(token)

 	query := `
 		INSERT INTO sessions (user_id, token_hash, ip_address, user_agent, expires_at)
@@ -253,10 +256,4 @@ func (h *Handler) updateLastLogin(userID string) error {
 	return err
 }

-// hashToken creates a simple hash of the token for storage
-func hashToken(token string) string {
-	// TODO: Use proper cryptographic hash (SHA-256)
-	// For now, return a placeholder
-	return token[:32] + "..."
-}

--- a/backend/internal/auth/password.go
+++ b/backend/internal/auth/password.go
@@ -0,0 +1,107 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/atlasos/calypso/internal/common/config"
+	"golang.org/x/crypto/argon2"
+)
+
+// HashPassword hashes a password using Argon2id
+func HashPassword(password string, params config.Argon2Params) (string, error) {
+	// Generate a random salt
+	salt := make([]byte, params.SaltLength)
+	if _, err := rand.Read(salt); err != nil {
+		return "", fmt.Errorf("failed to generate salt: %w", err)
+	}
+
+	// Hash the password
+	hash := argon2.IDKey(
+		[]byte(password),
+		salt,
+		params.Iterations,
+		params.Memory,
+		params.Parallelism,
+		params.KeyLength,
+	)
+
+	// Encode the hash and salt in the standard format
+	// Format: $argon2id$v=<version>$m=<memory>,t=<iterations>,p=<parallelism>$<salt>$<hash>
+	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+
+	encodedHash := fmt.Sprintf(
+		"$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
+		argon2.Version,
+		params.Memory,
+		params.Iterations,
+		params.Parallelism,
+		b64Salt,
+		b64Hash,
+	)
+
+	return encodedHash, nil
+}
+
+// VerifyPassword verifies a password against an Argon2id hash
+func VerifyPassword(password, encodedHash string) (bool, error) {
+	// Parse the encoded hash
+	parts := strings.Split(encodedHash, "$")
+	if len(parts) != 6 {
+		return false, errors.New("invalid hash format")
+	}
+
+	if parts[1] != "argon2id" {
+		return false, errors.New("unsupported hash algorithm")
+	}
+
+	// Parse version
+	var version int
+	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
+		return false, fmt.Errorf("failed to parse version: %w", err)
+	}
+	if version != argon2.Version {
+		return false, errors.New("incompatible version")
+	}
+
+	// Parse parameters
+	var memory, iterations uint32
+	var parallelism uint8
+	if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &iterations, &parallelism); err != nil {
+		return false, fmt.Errorf("failed to parse parameters: %w", err)
+	}
+
+	// Decode salt and hash
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
+	if err != nil {
+		return false, fmt.Errorf("failed to decode salt: %w", err)
+	}
+
+	hash, err := base64.RawStdEncoding.DecodeString(parts[5])
+	if err != nil {
+		return false, fmt.Errorf("failed to decode hash: %w", err)
+	}
+
+	// Compute the hash of the provided password
+	otherHash := argon2.IDKey(
+		[]byte(password),
+		salt,
+		iterations,
+		memory,
+		parallelism,
+		uint32(len(hash)),
+	)
+
+	// Compare hashes using constant-time comparison
+	if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
--- a/backend/internal/auth/token.go
+++ b/backend/internal/auth/token.go
@@ -0,0 +1,20 @@
+package auth
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+)
+
+// HashToken creates a cryptographic hash of the token for storage
+// Uses SHA-256 to hash the token before storing in the database
+func HashToken(token string) string {
+	hash := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(hash[:])
+}
+
+// VerifyTokenHash verifies if a token matches a stored hash
+func VerifyTokenHash(token, storedHash string) bool {
+	computedHash := HashToken(token)
+	return computedHash == storedHash
+}
+
--- a/backend/internal/auth/token_test.go
+++ b/backend/internal/auth/token_test.go
@@ -0,0 +1,70 @@
+package auth
+
+import (
+	"testing"
+)
+
+func TestHashToken(t *testing.T) {
+	token := "test-jwt-token-string-12345"
+	hash := HashToken(token)
+
+	// Verify hash is not empty
+	if hash == "" {
+		t.Error("HashToken returned empty string")
+	}
+
+	// Verify hash length (SHA-256 produces 64 hex characters)
+	if len(hash) != 64 {
+		t.Errorf("HashToken returned hash of length %d, expected 64", len(hash))
+	}
+
+	// Verify hash is deterministic (same token produces same hash)
+	hash2 := HashToken(token)
+	if hash != hash2 {
+		t.Error("HashToken returned different hashes for same token")
+	}
+}
+
+func TestHashToken_DifferentTokens(t *testing.T) {
+	token1 := "token1"
+	token2 := "token2"
+
+	hash1 := HashToken(token1)
+	hash2 := HashToken(token2)
+
+	// Different tokens should produce different hashes
+	if hash1 == hash2 {
+		t.Error("Different tokens produced same hash")
+	}
+}
+
+func TestVerifyTokenHash(t *testing.T) {
+	token := "test-jwt-token-string-12345"
+	storedHash := HashToken(token)
+
+	// Test correct token
+	if !VerifyTokenHash(token, storedHash) {
+		t.Error("VerifyTokenHash returned false for correct token")
+	}
+
+	// Test wrong token
+	if VerifyTokenHash("wrong-token", storedHash) {
+		t.Error("VerifyTokenHash returned true for wrong token")
+	}
+
+	// Test empty token
+	if VerifyTokenHash("", storedHash) {
+		t.Error("VerifyTokenHash returned true for empty token")
+	}
+}
+
+func TestHashToken_EmptyToken(t *testing.T) {
+	hash := HashToken("")
+	if hash == "" {
+		t.Error("HashToken should return hash even for empty token")
+	}
+	if len(hash) != 64 {
+		t.Errorf("HashToken returned hash of length %d for empty token, expected 64", len(hash))
+	}
+}
+