package service import ( "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "fmt" "io" "golang.org/x/crypto/bcrypt" ) type ( AuthService struct { authRepository authRepository } authRepository interface { GetPassphrase() []byte GetBase64AesKey() []byte } ) var tokenSeed = []byte("this is a token for cerrado") func NewAuthService(repostiory authRepository) *AuthService { return &AuthService{ authRepository: repostiory, } } func (a *AuthService) CheckAuth(username, password string) bool { passphrase := a.authRepository.GetPassphrase() pass := []byte(fmt.Sprintf("%s:%s", username, password)) err := bcrypt.CompareHashAndPassword(passphrase, pass) return err == nil } func (a *AuthService) IssueToken() ([]byte, error) { // TODO: do this block only once base := a.authRepository.GetBase64AesKey() dbuf, err := base64.StdEncoding.DecodeString(string(base)) if err != nil { return nil, err } block, err := aes.NewCipher(dbuf) if err != nil { return nil, err } gcm, err := cipher.NewGCM(block) if err != nil { return nil, err } nonce := make([]byte, gcm.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err } ciphertext := gcm.Seal(nonce, nonce, tokenSeed, nil) return ciphertext, nil } func (a *AuthService) ValidateToken(token []byte) (bool, error) { base := a.authRepository.GetBase64AesKey() dbuf, err := base64.StdEncoding.DecodeString(string(base)) if err != nil { return false, err } block, err := aes.NewCipher(dbuf) if err != nil { return false, err } gcm, err := cipher.NewGCM(block) if err != nil { return false, err } nonceSize := gcm.NonceSize() if len(token) < nonceSize { return false, fmt.Errorf("ciphertext too short") } nonce, ciphertext := token[:nonceSize], token[nonceSize:] plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) if err != nil { return false, err } return bytes.Equal(tokenSeed, plaintext), nil } func GenerateHash(username, password string) (string, error) { passphrase := fmt.Sprintf("%s:%s", username, password) bytes, err := bcrypt.GenerateFromPassword([]byte(passphrase), 14) if err != nil { return "", err } return string(bytes), nil } func GenerateAesKey() (string, error) { key := make([]byte, 32) _, err := rand.Read(key) if err != nil { return "", err } return base64.StdEncoding.EncodeToString(key), nil }