
commit d8b3731f19c6246a5062b6a820585e2620c52592
parent 4c9b10a0bb6b461d413c94a7c7e300a9adc85d49
Author: n0tr1v <n0tr1v@protonmail.com>
Date:   Fri,  2 Dec 2022 16:52:42 -0500

prevent potential bug where someone could update a different key than the one the pgp code was generated for

Diffstat:
Mpkg/web/handlers/handlers.go | 37+++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/pkg/web/handlers/handlers.go b/pkg/web/handlers/handlers.go
@@ -429,7 +429,7 @@ func SessionsGpgTwoFactorHandler(c echo.Context) error {
 }
 data.EncryptedMessage = c.Request().PostFormValue("encrypted_message")
 data.Code = c.Request().PostFormValue("pgp_code")
- if data.Code != token {
+ if data.Code != token.Value {
 data.ErrorCode = "invalid code"
 return c.Render(http.StatusOK, "sessions-gpg-two-factor", data)
 }
@@ -472,7 +472,7 @@ func SessionsGpgSignTwoFactorHandler(c echo.Context) error {
 var data sessionsGpgSignTwoFactorData
 if c.Request().Method == http.MethodGet {
- data.ToBeSignedMessage = generatePgpToBeSignedTokenMessage(user.ID, "Signed message for darkforest 2fa")
+ data.ToBeSignedMessage = generatePgpToBeSignedTokenMessage(user.ID, "Signed message for darkforest 2fa", user.GPGPublicKey)
 return c.Render(http.StatusOK, "sessions-gpg-sign-two-factor", data)
 }
@@ -483,7 +483,7 @@ func SessionsGpgSignTwoFactorHandler(c echo.Context) error {
 data.ToBeSignedMessage = c.Request().PostFormValue("to_be_signed_message")
 data.SignedMessage = c.Request().PostFormValue("signed_message")
- if err := utils.PgpCheckSignMessage(user.GPGPublicKey, token, data.SignedMessage); err != nil {
+ if err := utils.PgpCheckSignMessage(token.PKey, token.Value, data.SignedMessage); err != nil {
 logrus.Error(err)
 data.ErrorSignedMessage = "invalid signature"
 return c.Render(http.StatusOK, "sessions-gpg-sign-two-factor", data)
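Review bot: The challenge written by `generatePgpToBeSignedTokenMessage(user.ID, ...)` in the second hunk goes into `pgpTokenCache` under the bare user ID, which is the same slot the settings flow (`AddPGPHandler`, later in this diff) writes, so a pending login 2FA challenge — presumably reachable by anyone holding the account's first factor — and an in-flight add-key challenge for the same account overwrite each other. Nothing in these hunks turns that into an escalation, since `token.PKey` here is always the stored key, but it lets an unauthenticated party invalidate an authenticated user's pending challenge and makes `Value` mean "code" or "message to sign" depending on who wrote last. Namespacing the cache key by flow (separate caches, or a composite key such as `loginChallenge:<id>` vs `settingsChallenge:<id>`) removes the interaction; keying by session rather than user ID would be tighter still. Separately, `if data.Code != token.Value` in the first hunk compares a secret with `!=`; `subtle.ConstantTimeCompare([]byte(data.Code), []byte(token.Value)) != 1` is the conventional form, though over an onion service the timing signal is likely negligible. All three handlers continue outside these hunks.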
@@ -3275,8 +3275,13 @@ func ChatArchiveHandler(c echo.Context) error {
 return c.Render(http.StatusOK, "chat-archive", data)
 }
-var ageTokenCache = cache1.NewWithKey[int64, string](10*time.Minute, time.Hour)
-var pgpTokenCache = cache1.NewWithKey[int64, string](10*time.Minute, time.Hour)
+type ValueTokenCache struct {
+ Value string // Either age/pgp token or msg to sign
+ PKey string // age/pgp public key
+}
+
+var ageTokenCache = cache1.NewWithKey[int64, ValueTokenCache](10*time.Minute, time.Hour)
+var pgpTokenCache = cache1.NewWithKey[int64, ValueTokenCache](10*time.Minute, time.Hour)
 func SettingsPGPHandler(c echo.Context) error {
 authUser := c.Get("authUser").(*database.User)
@@ -3306,7 +3311,7 @@ func SettingsAgeHandler(c echo.Context) error {
 func generateAgeEncryptedTokenMessage(userID int64, pkey string) (string, error) {
 token := utils.GenerateToken32()
- ageTokenCache.Set(userID, token, 10*time.Minute)
+ ageTokenCache.Set(userID, ValueTokenCache{Value: token, PKey: pkey}, 10*time.Minute)
 recipient, err := age.ParseX25519Recipient(pkey)
 if err != nil {
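Review bot: `ValueTokenCache` carries the security-relevant invariant this commit introduces — the key a challenge was generated for is the only key that may be verified against or persisted — but the two field comments in the first hunk do not say so, and the type has no doc comment at all. Something like `// ValueTokenCache is a pending age/PGP challenge for one user. Value is the code the user must decrypt, or the message the user must sign; PKey is the public key the challenge was generated for and is the only key that may be used to verify the answer or be saved, regardless of what the form re-submits.` would keep the intent from being lost in the next refactor. The name also reads as the cache rather than an entry, and it is exported while every neighbouring identifier (`ageTokenCache`, `pgpTokenCache`) is package-private; `pendingKeyChallenge` (unexported) would fit, assuming nothing outside this file uses it — only this file is visible here.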
@@ -3330,15 +3335,15 @@ func generateAgeEncryptedTokenMessage(userID int64, pkey string) (string, error)
 func generatePgpEncryptedTokenMessage(userID int64, pkey string) (string, error) {
 token := utils.GenerateToken32()
- pgpTokenCache.Set(userID, token, 10*time.Minute)
+ pgpTokenCache.Set(userID, ValueTokenCache{Value: token, PKey: pkey}, 10*time.Minute)
 msg := "The required code is below the line.\n----------------------------------------------------------------------------------\n" + token + "\n"
 return utils.GeneratePgpEncryptedMessage(pkey, msg)
 }
-func generatePgpToBeSignedTokenMessage(userID int64, txt string) string {
+func generatePgpToBeSignedTokenMessage(userID int64, txt, pkey string) string {
 token := utils.GenerateToken10()
 msg := fmt.Sprintf("%s\n%s\n%s", txt, token, time.Now().UTC().Format("Jan 02, 2006"))
- pgpTokenCache.Set(userID, msg, 10*time.Minute)
+ pgpTokenCache.Set(userID, ValueTokenCache{Value: msg, PKey: pkey}, 10*time.Minute)
 return msg
 }
@@ -3354,7 +3359,7 @@ func AddPGPHandler(c echo.Context) error {
 data.GpgMode = utils.DoParseBool(c.Request().PostFormValue("gpg_mode"))
 if data.GpgMode {
- data.ToBeSignedMessage = generatePgpToBeSignedTokenMessage(authUser.ID, "Signed message for darkforest")
+ data.ToBeSignedMessage = generatePgpToBeSignedTokenMessage(authUser.ID, "Signed message for darkforest", data.PGPPublicKey)
 return c.Render(http.StatusOK, "pgp_code", data)
 } else {
@@ -3378,7 +3383,7 @@ func AddPGPHandler(c echo.Context) error {
 if data.GpgMode {
 data.ToBeSignedMessage = c.Request().PostFormValue("to_be_signed_message")
 data.SignedMessage = c.Request().PostFormValue("signed_message")
- if err := utils.PgpCheckSignMessage(data.PGPPublicKey, token, data.SignedMessage); err != nil {
+ if err := utils.PgpCheckSignMessage(token.PKey, token.Value, data.SignedMessage); err != nil {
 logrus.Error(err)
 data.ErrorSignedMessage = "invalid signature"
 return c.Render(http.StatusOK, "pgp_code", data)
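Review bot: `generatePgpToBeSignedTokenMessage` and `generatePgpEncryptedTokenMessage` in the first hunk both `Set` the same `pgpTokenCache` slot keyed by `userID`, so each silently replaces whatever challenge the other (or an earlier call of itself) left there, and neither function documents that; a one-line doc comment on each, e.g. `// generatePgpToBeSignedTokenMessage creates a fresh sign-me challenge bound to pkey and replaces any pending PGP challenge for userID.`, would make the overwrite explicit. In the sign path `pkey` is the form-submitted `data.PGPPublicKey` from the second hunk and is cached as-is; if `utils.PgpCheckSignMessage` is the first place it is parsed (not visible here), a malformed key surfaces only as `invalid signature` after the user has already signed, so parsing it before caching and returning an error from the GET — as the age helper already does via `age.ParseX25519Recipient` — would give a useful error earlier. Both helpers are complete within the hunk; `AddPGPHandler` starts and ends outside it.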
@@ -3387,14 +3392,14 @@ func AddPGPHandler(c echo.Context) error {
 } else {
 data.EncryptedMessage = c.Request().PostFormValue("encrypted_message")
 data.Code = c.Request().PostFormValue("pgp_code")
- if data.Code != token {
+ if data.Code != token.Value {
 data.ErrorCode = "invalid code"
 return c.Render(http.StatusOK, "pgp_code", data)
 }
 }
 pgpTokenCache.Delete(authUser.ID)
- authUser.GPGPublicKey = data.PGPPublicKey
+ authUser.GPGPublicKey = token.PKey
 _ = authUser.Save()
 return c.Redirect(http.StatusFound, "/settings/pgp")
 }
@@ -3423,15 +3428,15 @@ func AddAgeHandler(c echo.Context) error {
 if !found {
 return c.Redirect(http.StatusFound, "/settings/age")
 }
- data.AgePublicKey = c.Request().PostFormValue("age_public_key")
+ data.AgePublicKey = token.PKey
 data.EncryptedMessage = c.Request().PostFormValue("encrypted_message")
 data.Code = c.Request().PostFormValue("age_code")
- if data.Code != token {
+ if data.Code != token.Value {
 data.ErrorCode = "invalid code"
 return c.Render(http.StatusOK, "age_code", data)
 }
 ageTokenCache.Delete(authUser.ID)
- authUser.AgePublicKey = data.AgePublicKey
+ authUser.AgePublicKey = token.PKey
 _ = authUser.Save()
 return c.Redirect(http.StatusFound, "/settings/age")
 }
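Review bot: In both hunks the success path runs `pgpTokenCache.Delete(...)` / `ageTokenCache.Delete(...)`, then `_ = authUser.Save()`, then redirects, so if `Save` fails the challenge is already consumed and the user lands on the settings page as though the new key were stored while the database — the record every later 2FA and encryption decision reads — still holds the old one. Check the result before redirecting, e.g. `if err := authUser.Save(); err != nil { logrus.Error(err); data.ErrorCode = "could not save key"; return c.Render(http.StatusOK, "pgp_code", data) }` (with the `age_code` counterpart in `AddAgeHandler`), and consider deleting the cache entry only after the save succeeds so the user can simply retry. The `data.Code != token.Value` comparisons could also use `subtle.ConstantTimeCompare`, though for a short-lived random code that is defense-in-depth rather than a practical weakness. `AddPGPHandler` begins before the first hunk; `AddAgeHandler` begins before the second.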