| author | wikiapiserver | 2026-06-25 12:30:55 +0200 |
|---|---|---|
| committer | wikiapiserver | 2026-06-25 12:30:55 +0200 |
| commit | 550ca6c19b99e899d60153faeaf505530d508f3d (patch) | |
| tree | 571510acf91667ce8bc1ad379247e84c7ac9744e /db/db.go | |
| parent | 6667426e24bba82ade4702cb8f85849bebec6077 (diff) | |
| download | wikiapiserver-550ca6c19b99e899d60153faeaf505530d508f3d.tar.gz | |
refactor: store password in plaintext
Remove SHA-256 hashing for the password column.
Tokens are still hashed with SHA-256 in the database.
Diffstat (limited to 'db/db.go')
| -rw-r--r-- | db/db.go | 12 |
1 files changed, 6 insertions, 6 deletions
@@ -15,7 +15,7 @@ import ( ) const ( - tokenLength = 32 // bytes → 64 hex chars + tokenLength = 32 accessTokenTTL = 24 * time.Hour ) @@ -82,7 +82,7 @@ func isDupKeyError(err error) bool { // --- queries --- -// CreateAccount inserts a new row with hashed credentials and fresh tokens. +// CreateAccount inserts a new row with plaintext password and fresh tokens. func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (*Account, error) { rt, err := randomHex(tokenLength) if err != nil { @@ -95,7 +95,7 @@ func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (* res, err := d.conn.ExecContext(ctx, `INSERT INTO account (username, password, refresh_token, access_token, access_token_created) - VALUES (?, SHA2(?, 256), SHA2(?, 256), SHA2(?, 256), NOW())`, + VALUES (?, ?, SHA2(?, 256), SHA2(?, 256), NOW())`, username, plaintextPW, rt, at, ) if err != nil { @@ -123,10 +123,10 @@ func (d *DB) CreateAccount(ctx context.Context, username, plaintextPW string) (* // Authenticate verifies plaintext credentials and returns fresh tokens. func (d *DB) Authenticate(ctx context.Context, username, plaintextPW string) (*Account, error) { - var storedHash string + var storedPW string err := d.conn.QueryRowContext(ctx, `SELECT password FROM account WHERE username = ?`, username, - ).Scan(&storedHash) + ).Scan(&storedPW) if err != nil { if errors.Is(err, sql.ErrNoRows) { return nil, errors.New("invalid credentials") @@ -134,7 +134,7 @@ func (d *DB) Authenticate(ctx context.Context, username, plaintextPW string) (*A return nil, fmt.Errorf("query user: %w", err) } - if storedHash != sha256hex(plaintextPW) { + if storedPW != plaintextPW { return nil, errors.New("invalid credentials") } |
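Review bot: Writing `plaintextPW` straight into the `password` column (the new `VALUES (?, ?, SHA2(?, 256), ...)` line in CreateAccount) and checking it with `storedPW != plaintextPW` in Authenticate means any read of the table, a backup, or a leaked query log exposes every user's reusable password, and the plain `!=` is not a constant-time comparison either; the previous unsalted `SHA2(?, 256)` was already weak, but this moves further in the wrong direction. Store a salted, deliberately slow password hash instead (bcrypt or argon2id from golang.org/x/crypto) and verify with the library's compare function, as sketched below; both CreateAccount and Authenticate continue outside their hunks. The commit message calls this a refactor, yet it changes the stored data format and every existing row would need a migration, which the description should say. The dropped `// bytes → 64 hex chars` comment on `tokenLength` in the first hunk was still accurate and worth keeping.
```go
// CreateAccount: hash before the INSERT; the column then holds a bcrypt string, never the password.
hashedPW, err := bcrypt.GenerateFromPassword([]byte(plaintextPW), bcrypt.DefaultCost)
if err != nil {
	return nil, fmt.Errorf("hash password: %w", err)
}
res, err := d.conn.ExecContext(ctx,
	`INSERT INTO account (username, password, refresh_token, access_token, access_token_created)
	VALUES (?, ?, SHA2(?, 256), SHA2(?, 256), NOW())`,
	username, string(hashedPW), rt, at,
)
// … unchanged: duplicate-key handling and token return …

// Authenticate: the library compare handles the salt and runs in constant time.
if err := bcrypt.CompareHashAndPassword([]byte(storedPW), []byte(plaintextPW)); err != nil {
	return nil, errors.New("invalid credentials")
}
```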
