Changeset 173 in code for trunk/downstream.go


Timestamp:
Mar 27, 2020, 9:38:38 PM (5 years ago)
Author:
contact
Message:

Stop accessing user data in downstreamConn.authenticate

This becomes racy once user.Password is updated on-the-fly.

File:
1 edited

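--- a/trunk/downstream.go
+++ b/trunk/downstream.go
@@ -587,11 +587,5 @@
         username, networkName := unmarshalUsername(username)
 
-        u := dc.srv.getUser(username)
-        if u == nil {
-                dc.logger.Printf("failed authentication for %q: unknown username", username)
-                return errAuthFailed
-        }
-
-        err := bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
+        u, err := dc.srv.db.GetUser(username)
         if err != nil {
                 dc.logger.Printf("failed authentication for %q: %v", username, err)
@@ -599,5 +593,15 @@
         }
 
-        dc.user = u
+        err = bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
+        if err != nil {
+                dc.logger.Printf("failed authentication for %q: %v", username, err)
+                return errAuthFailed
+        }
+
+        dc.user = dc.srv.getUser(username)
+        if dc.user == nil {
+                dc.logger.Printf("failed authentication for %q: user not active", username)
+                return errAuthFailed
+        }
         dc.networkName = networkName
         return nil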
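Review bot: The error branch after `dc.srv.db.GetUser(username)` (new lines 590-593) leaves before any bcrypt work is done, while a known username with a wrong password pays the full `bcrypt.CompareHashAndPassword` cost at new line 595, so response time can tell a client whether a username exists. The return statement of that branch (new line 592) is not shown on this page, so this assumes it returns `errAuthFailed` like the other branches. To even out the two paths, run a comparison against a fixed hash before returning, e.g. `_ = bcrypt.CompareHashAndPassword(dummyHash, []byte(password))`, where `dummyHash` is a placeholder name for a package-level bcrypt hash generated with the same cost as real passwords. The enclosing function starts and ends outside this section.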