Changeset 173 in code for trunk

Timestamp:

Mar 27, 2020, 9:38:38 PM (5 years ago)

Author:

contact

Message:

Stop accessing user data in downstreamConn.authenticate

This becomes racy once user.Password is updated on-the-fly.

Location:

trunk

Files:

• db.go (modified) (1 diff)
• downstream.go (modified) (2 diffs)

trunk/db.go

@@ -105 +105 @@
 
         return users, nil
+}
+
+func (db *DB) GetUser(username string) (*User, error) {
+        db.lock.RLock()
+        defer db.lock.RUnlock()
+
+        user := &User{Username: username}
+
+        var password *string
+        row := db.db.QueryRow("SELECT password FROM User WHERE username = ?", username)
+        if err := row.Scan(&password); err != nil {
+                return nil, err
+        }
+        user.Password = fromStringPtr(password)
+        return user, nil
 }
 

trunk/downstream.go

@@ -587 +587 @@
         username, networkName := unmarshalUsername(username)
 
-        u := dc.srv.getUser(username)
-        if u == nil {
-                dc.logger.Printf("failed authentication for %q: unknown username", username)
-                return errAuthFailed
-        }
-
-        err := bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
+        u, err := dc.srv.db.GetUser(username)
         if err != nil {
                 dc.logger.Printf("failed authentication for %q: %v", username, err)
@@ -599 +593 @@
         }
 
-        dc.user = u
+        err = bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
+        if err != nil {
+                dc.logger.Printf("failed authentication for %q: %v", username, err)
+                return errAuthFailed
+        }
+
+        dc.user = dc.srv.getUser(username)
+        if dc.user == nil {
+                dc.logger.Printf("failed authentication for %q: user not active", username)
+                return errAuthFailed
+        }
         dc.networkName = networkName
         return nil