Simplify backend api and use secure comparison

divoxx · divoxx · commit a606a4e40e7b · 2017-02-14T15:57:47.000-08:00
diff --git a/assertion_jwt_grant_type.go b/assertion_jwt_grant_type.go
@@ -68,7 +68,7 @@ func (gt AssertionJWTGrantType) TokenHandler(c *Client, ew *EncoderResponseWrite
 		return
 	}
 
-	u, err := gt.persistence.GetUserByLogin(jwtTk.Subject)
+	u, err := gt.persistence.GetUserByUsername(jwtTk.Subject)
 	if err != nil {
 		log.Println("JWT subject is not a valid user")
 		ew.Encode(ErrInvalidGrant)
diff --git a/backend.go b/backend.go
@@ -52,8 +52,7 @@ type PersistenceBackend interface {
 	//*
 	// User persistence
 	//*
-	GetUserByLogin(login string) (*User, error)
-	GetUserByCredentials(username, password string) (*User, error)
+	GetUserByUsername(username string) (*User, error)
 }
 
 type AuthorizationPageData struct {
diff --git a/common.go b/common.go
@@ -26,7 +26,7 @@ import (
 )
 
 type User struct {
-	Login    string
+	Username string
 	Password string
 }
 
@@ -155,3 +155,18 @@ func secureRandomBytes(bytes uint) ([]byte, error) {
 	_, err := rand.Read(r)
 	return r, err
 }
+
+// secureCompare will compare two slice of bytes in constant time, ensuring no timing information
+// is leaked in order to prevent timing attacks.
+func secureCompare(a, b []byte) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	var result byte
+	for i := 0; i < len(a); i++ {
+		result |= a[i] ^ b[i]
+	}
+
+	return result == 0
+}
diff --git a/in_memory_persistence.go b/in_memory_persistence.go
@@ -133,9 +133,9 @@ func (b *InMemoryPersistence) SaveScope(s *Scope) error {
 	return nil
 }
 
-// GetUserByLogin lookup the user that matches the login
-func (b *InMemoryPersistence) GetUserByLogin(login string) (*User, error) {
-	u, exst := b.users[login]
+// GetUserByUsername lookup the user that matches the login
+func (b *InMemoryPersistence) GetUserByUsername(username string) (*User, error) {
+	u, exst := b.users[username]
 	if !exst {
 		return nil, ErrNotFound
 	}
@@ -155,6 +155,6 @@ func (b *InMemoryPersistence) GetUserByCredentials(username, password string) (*
 // SaveUser persists the user in the backend, it's not part of the Backend interface
 // but we need a way to add users to the Backend.
 func (b *InMemoryPersistence) SaveUser(u *User) error {
-	b.users[u.Login] = u
+	b.users[u.Username] = u
 	return nil
 }
diff --git a/integration_test.go b/integration_test.go
@@ -95,7 +95,7 @@ func setupProvider() (oauth2.PersistenceBackend, *oauth2.ClientAgent, *httptest.
 		panic(err)
 	}
 
-	user := oauth2.User{Login: "username"}
+	user := oauth2.User{Username: "username"}
 	if err := inMemory.SaveUser(&user); err != nil {
 		panic(err)
 	}
@@ -168,7 +168,7 @@ func TestAuthorizationCodeGrantType(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if persistedAuth.Client.ID != clt.ID || persistedAuth.User.Login != "username" {
+	if persistedAuth.Client.ID != clt.ID || persistedAuth.User.Username != "username" {
 		t.Errorf("Authorization does not match client or user")
 	}
 
@@ -192,7 +192,7 @@ func TestAuthorizationCodeGrantType(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if refreshedPersistedAuth.Client.ID != clt.ID || refreshedPersistedAuth.User.Login != "username" {
+	if refreshedPersistedAuth.Client.ID != clt.ID || refreshedPersistedAuth.User.Username != "username" {
 		t.Errorf("Authorization does not match client or user")
 	}
 
@@ -247,7 +247,7 @@ func TestPasswordGrantType(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if a2.Client.ID != clt.ID || a2.User.Login != "username" {
+	if a2.Client.ID != clt.ID || a2.User.Username != "username" {
 		t.Errorf("Authorization does not match client or user")
 	}
 
@@ -282,7 +282,7 @@ func TestAssertionGrantType(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if a2.Client.ID != clt.ID || a2.User.Login != "username" {
+	if a2.Client.ID != clt.ID || a2.User.Username != "username" {
 		t.Errorf("Authorization does not match client or user")
 	}
 
diff --git a/resource_owner_credentials_grant_type.go b/resource_owner_credentials_grant_type.go
@@ -57,12 +57,17 @@ func (gt ResourceOwnerCredentialsGrantType) TokenHandler(c *Client, ew *EncoderR
 		return
 	}
 
-	u, err := gt.persistence.GetUserByCredentials(username, password)
+	u, err := gt.persistence.GetUserByUsername(username)
 	if err != nil {
 		log.Println("invalid credentials")
 		ew.Encode(ErrAccessDenied)
 		return
 	}
+	if !secureCompare([]byte(username), []byte(u.Username)) {
+		log.Println("invalid password")
+		ew.Encode(ErrAccessDenied)
+		return
+	}
 
 	auth, err := NewAuthorization(c, u, scope, true, false)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ func (gt AssertionJWTGrantType) TokenHandler(c Client, ew EncoderResponseWrite`
`68`	`68`	`return`
`69`	`69`	`}`
`70`	`70`
`71`		`- u, err := gt.persistence.GetUserByLogin(jwtTk.Subject)`
	`71`	`+ u, err := gt.persistence.GetUserByUsername(jwtTk.Subject)`
`72`	`72`	`if err != nil {`
`73`	`73`	`log.Println("JWT subject is not a valid user")`
`74`	`74`	`ew.Encode(ErrInvalidGrant)`
Original file line number	Diff line number	Diff line change
`@@ -52,8 +52,7 @@ type PersistenceBackend interface {`
`52`	`52`	`//*`
`53`	`53`	`// User persistence`
`54`	`54`	`//*`
`55`		`- GetUserByLogin(login string) (*User, error)`
`56`		`- GetUserByCredentials(username, password string) (*User, error)`
	`55`	`+ GetUserByUsername(username string) (*User, error)`
`57`	`56`	`}`
`58`	`57`
`59`	`58`	`type AuthorizationPageData struct {`
Original file line number	Diff line number	Diff line change
`@@ -133,9 +133,9 @@ func (b InMemoryPersistence) SaveScope(s Scope) error {`
`133`	`133`	`return nil`
`134`	`134`	`}`
`135`	`135`
`136`		`-// GetUserByLogin lookup the user that matches the login`
`137`		`-func (b InMemoryPersistence) GetUserByLogin(login string) (User, error) {`
`138`		`- u, exst := b.users[login]`
	`136`	`+// GetUserByUsername lookup the user that matches the login`
	`137`	`+func (b InMemoryPersistence) GetUserByUsername(username string) (User, error) {`
	`138`	`+ u, exst := b.users[username]`
`139`	`139`	`if !exst {`
`140`	`140`	`return nil, ErrNotFound`
`141`	`141`	`}`
`@@ -155,6 +155,6 @@ func (b InMemoryPersistence) GetUserByCredentials(username, password string) (`
`155`	`155`	`// SaveUser persists the user in the backend, it's not part of the Backend interface`
`156`	`156`	`// but we need a way to add users to the Backend.`
`157`	`157`	`func (b InMemoryPersistence) SaveUser(u User) error {`
`158`		`- b.users[u.Login] = u`
	`158`	`+ b.users[u.Username] = u`
`159`	`159`	`return nil`
`160`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ func setupProvider() (oauth2.PersistenceBackend, oauth2.ClientAgent, httptest.`
`95`	`95`	`panic(err)`
`96`	`96`	`}`
`97`	`97`
`98`		`- user := oauth2.User{Login: "username"}`
	`98`	`+ user := oauth2.User{Username: "username"}`
`99`	`99`	`if err := inMemory.SaveUser(&user); err != nil {`
`100`	`100`	`panic(err)`
`101`	`101`	`}`
`@@ -168,7 +168,7 @@ func TestAuthorizationCodeGrantType(t *testing.T) {`
`168`	`168`	`t.Fatal(err)`
`169`	`169`	`}`
`170`	`170`
`171`		`- if persistedAuth.Client.ID != clt.ID \|\| persistedAuth.User.Login != "username" {`
	`171`	`+ if persistedAuth.Client.ID != clt.ID \|\| persistedAuth.User.Username != "username" {`
`172`	`172`	`t.Errorf("Authorization does not match client or user")`
`173`	`173`	`}`
`174`	`174`
`@@ -192,7 +192,7 @@ func TestAuthorizationCodeGrantType(t *testing.T) {`
`192`	`192`	`t.Fatal(err)`
`193`	`193`	`}`
`194`	`194`
`195`		`- if refreshedPersistedAuth.Client.ID != clt.ID \|\| refreshedPersistedAuth.User.Login != "username" {`
	`195`	`+ if refreshedPersistedAuth.Client.ID != clt.ID \|\| refreshedPersistedAuth.User.Username != "username" {`
`196`	`196`	`t.Errorf("Authorization does not match client or user")`
`197`	`197`	`}`
`198`	`198`
`@@ -247,7 +247,7 @@ func TestPasswordGrantType(t *testing.T) {`
`247`	`247`	`t.Fatal(err)`
`248`	`248`	`}`
`249`	`249`
`250`		`- if a2.Client.ID != clt.ID \|\| a2.User.Login != "username" {`
	`250`	`+ if a2.Client.ID != clt.ID \|\| a2.User.Username != "username" {`
`251`	`251`	`t.Errorf("Authorization does not match client or user")`
`252`	`252`	`}`
`253`	`253`
`@@ -282,7 +282,7 @@ func TestAssertionGrantType(t *testing.T) {`
`282`	`282`	`t.Fatal(err)`
`283`	`283`	`}`
`284`	`284`
`285`		`- if a2.Client.ID != clt.ID \|\| a2.User.Login != "username" {`
	`285`	`+ if a2.Client.ID != clt.ID \|\| a2.User.Username != "username" {`
`286`	`286`	`t.Errorf("Authorization does not match client or user")`
`287`	`287`	`}`
`288`	`288`