-

Author: geosoft1

CHANGES

@@ -0,0 +1,6 @@
+1.0.0-release-build230419
+first release
+
+1.1.0-release-build300419
+- salted and hashed passwords in database
+- send random recovery passwords on mail

README.md

@@ -12,11 +12,34 @@ Basic server side web application with the following functionality:
 - config file in JSON format
 - database generated from file or model (with [Mysql Workbench](https://dev.mysql.com/downloads/workbench/))
 - responsive interface for mobile access, browser back button disabled
+- salted and hashed passwords in database
 
 ### Integrations
 
 The skeleton is based on [W3CSS](https://www.w3schools.com/w3css/), a very lightweight CSS framework and is designed to integrate with [JQuery](https://jquery.com/), [Angular](https://angular.io/), [Fontawesome](https://fontawesome.com/v4.7.0/icons/) and some useful libraries like [Datetime picker](https://trentrichardson.com/examples/timepicker/) and [Google Charts](https://developers.google.com/chart/) (see `ui/head.html` file).
 
+### Compilation modes
+
+#### Plaint text passwords
+
+	go build -tags="plain"
+
+Passwords are stored in plain text in the database and sent as plain text on mail to recovery (unrecomanded).
+
+#### Hashed passwords
+
+	go build -tags="sha1 random"
+
+Passwords are stored hashed in the database and sent as random on mail to recovery (recomanded).
+
+#### Salted and hashed passwords
+
+	go build -tags="saltsha1 random"
+
+Passwords are stored salted and hashed in the database and sent as random on mail to recovery (highly recomanded).
+
+The tag `random` mean send password as random string.
+
 ### How is look like?
 
 #### Signup screen
@@ -134,6 +157,4 @@ Look carefully over **TODO** and **NOTE** comments because you may need to adjus
 
 ### Known issues
 
-The skeleton is designed to work with HTML5 so make sure your browser support this.
-
-For now the passwords are stored in plain text in the database. Add your own security or wait until will be available soon in the next version.
+The skeleton is designed to work with HTML5 so make sure your browser support this.

database.sql

@@ -2,7 +2,7 @@ CREATE TABLE IF NOT EXISTS `skel`.`user` (
   `user_id` INT NOT NULL AUTO_INCREMENT,
   `name` VARCHAR(45) NULL,
   `email` VARCHAR(50) NULL,
-  `password` VARCHAR(16) NULL,
+  `password` VARCHAR(128) NULL,
   `active` TINYINT(1) NULL DEFAULT 1,
   PRIMARY KEY (`user_id`),
   UNIQUE INDEX `email_UNIQUE` (`email` ASC))

db_user.go

@@ -1,3 +1,5 @@
+// +build plain
+
 package main
 
 import (
@@ -36,9 +38,9 @@ func sqlGetUser(u *User) error {
 	return nil
 }
 
-// Create new user.
+// Create new user identifyed by name, email and password.
 func sqlInsert(u *User) error {
-	if _, err := db.Exec("INSERT user SET name=?,email=?,password=?", &u.Name, &u.Email, &u.Password); err != nil {
+	if _, err := db.Exec("INSERT user SET name=?, email=?, password=?", &u.Name, &u.Email, &u.Password); err != nil {
 		log.Println(err)
 		return err
 	}
@@ -54,9 +56,9 @@ func sqlUpdateUser(u *User) error {
 	return nil
 }
 
-// Delete a user identifyed by email and password.
+// Delete a user identifyed by email.
 func sqlDeleteUser(u *User) error {
-	if _, err := db.Exec("DELETE FROM user WHERE email=? AND password=?", u.Email, u.Password); err != nil {
+	if _, err := db.Exec("DELETE FROM user WHERE email=?", u.Email); err != nil {
 		log.Println(err)
 		return err
 	}

db_user_salt_sha1.go

@@ -0,0 +1,67 @@
+// +build saltsha1
+
+package main
+
+import (
+	"log"
+
+	_ "github.com/go-sql-driver/mysql"
+)
+
+// NOTE user management
+
+// Count users from database.
+func sqlUserCount() (error, int) {
+	var n int
+	if err := db.QueryRow("SELECT COUNT(*) from user").Scan(&n); err != nil {
+		log.Println(err)
+		return err, 0
+	}
+	return nil, n
+}
+
+// Get a user identifyed by email and password.
+func sqlAuthenticateUser(u *User) error {
+	if err := db.QueryRow("SELECT * FROM user WHERE email=? AND password=SHA1(?)", u.Email, u.Password+salt).Scan(&u.Id, &u.Name, &u.Email, &u.Password, &u.isActive); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Get the user identifyed by email.
+func sqlGetUser(u *User) error {
+	if err := db.QueryRow("SELECT * FROM user WHERE email=?", u.Email).Scan(&u.Id, &u.Name, &u.Email, &u.Password, &u.isActive); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Create new user identifyed by name, email and password.
+func sqlInsert(u *User) error {
+	u.Password += salt
+	if _, err := db.Exec("INSERT user SET name=?, email=?, password=SHA1(?)", &u.Name, &u.Email, &u.Password); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Update a user identifyed by email and password.
+func sqlUpdateUser(u *User) error {
+	if _, err := db.Exec("UPDATE user SET name=?, password=SHA1(?) WHERE email=?", u.Name, u.Password+salt, u.Email); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Delete a user identifyed by email.
+func sqlDeleteUser(u *User) error {
+	if _, err := db.Exec("DELETE FROM user WHERE email=?", u.Email); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}

db_user_sha1.go

@@ -0,0 +1,66 @@
+// +build sha1
+
+package main
+
+import (
+	"log"
+
+	_ "github.com/go-sql-driver/mysql"
+)
+
+// NOTE user management
+
+// Count users from database.
+func sqlUserCount() (error, int) {
+	var n int
+	if err := db.QueryRow("SELECT COUNT(*) from user").Scan(&n); err != nil {
+		log.Println(err)
+		return err, 0
+	}
+	return nil, n
+}
+
+// Get a user identifyed by email and password.
+func sqlAuthenticateUser(u *User) error {
+	if err := db.QueryRow("SELECT * FROM user WHERE email=? AND password=SHA1(?)", u.Email, u.Password).Scan(&u.Id, &u.Name, &u.Email, &u.Password, &u.isActive); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Get the user identifyed by email.
+func sqlGetUser(u *User) error {
+	if err := db.QueryRow("SELECT * FROM user WHERE email=?", u.Email).Scan(&u.Id, &u.Name, &u.Email, &u.Password, &u.isActive); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Create new user identifyed by name, email and password.
+func sqlInsert(u *User) error {
+	if _, err := db.Exec("INSERT user SET name=?, email=?, password=SHA1(?)", &u.Name, &u.Email, &u.Password); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Update a user identifyed by email and password.
+func sqlUpdateUser(u *User) error {
+	if _, err := db.Exec("UPDATE user SET name=?, password=SHA1(?) WHERE email=?", u.Name, u.Password, u.Email); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}
+
+// Delete a user identifyed by email.
+func sqlDeleteUser(u *User) error {
+	if _, err := db.Exec("DELETE FROM user WHERE email=?", u.Email); err != nil {
+		log.Println(err)
+		return err
+	}
+	return nil
+}

main.go

@@ -19,7 +19,7 @@ import (
 
 // TODO application version
 // https://semver.org/#semantic-versioning-200
-const SW_VERSION = "1.0.0-release-build260419"
+const SW_VERSION = "1.1.0-release-build300419"
 
 // NOTE session cookie name
 const SESSID = "SESSID"
@@ -66,12 +66,17 @@ var httpsEnabled = flag.Bool("https-enabled", false, "enable https server")
 
 var config = &Config{}
 var templ = template.New("templ").Delims("[[", "]]") // integrate with angular
-// core routers
-var router = mux.NewRouter() // main router
+var router = mux.NewRouter()                         // main router
+
+// NOTE this is the salt for secured passwords
+const salt = "super-secret-key"
+
+// NOTE random recovery password length
+const token_len = 8
 
 var (
 	// key must be 16, 24 or 32 bytes long (AES-128, AES-192 or AES-256)
-	key   = []byte("super-secret-key")
+	key   = []byte(salt)
 	store = sessions.NewCookieStore(key)
 )
 

model/skel_full.mwb

@@ -12,8 +12,8 @@
     <h3>Edit user</h3>
     <form method="post" action="">
       <p><input type="text" placeholder="Name" name="name" value="[[.Name]]" title="Name" autofocus>
-      <p><input type="password" placeholder="Password" name="password" id="password" value="[[.Password]]" title="Password">
-      <p><input type="password" placeholder="Confirm password" name="password" id="confirm_password" value="[[.Password]]" title="Confirm password">
+      <p><input type="password" placeholder="Password" name="password" id="password" value="" title="Password">
+      <p><input type="password" placeholder="Confirm password" name="password" id="confirm_password" value="" title="Confirm password">
       <p><button type="submit" name="submit" value="save">Save</button>
     </form>
     <hr>

ui/user.html

@@ -0,0 +1,39 @@
+// +build plain
+
+package main
+
+import (
+	"log"
+	"net/http"
+
+	gomail "gopkg.in/gomail.v2"
+)
+
+func reset(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case "GET":
+		templ.ExecuteTemplate(w, "reset", nil)
+	case "POST":
+		var user User
+		user.Email = r.FormValue("email")
+		if err := sqlGetUser(&user); err != nil {
+			http.Error(w, http.StatusText(http.StatusNotAcceptable), http.StatusNotAcceptable)
+			return
+		}
+		log.Println(user.Password)
+		return
+		// https://stackoverflow.com/a/24431749
+		mail := gomail.NewMessage()
+		mail.SetAddressHeader("From", config.SMTP.User, config.SMTP.Name)
+		mail.SetAddressHeader("To", r.FormValue("email"), "")
+		mail.SetHeader("Subject", "Check your password request")
+		mail.SetBody("text/html", user.Password)
+		dialer := gomail.NewPlainDialer(config.SMTP.Server, config.SMTP.Port, config.SMTP.User, config.SMTP.Password)
+		//dialer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+		if err := dialer.DialAndSend(mail); err != nil {
+			log.Println(err)
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.Write([]byte("A mail with instructions was send, read and <a href=\"/\">sign in</a>"))
+	}
+}

ui_reset.go

@@ -0,0 +1,47 @@
+// +build random
+
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/geosoft1/token"
+
+	gomail "gopkg.in/gomail.v2"
+)
+
+func reset(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case "GET":
+		templ.ExecuteTemplate(w, "reset", nil)
+	case "POST":
+		var user User
+		user.Email = r.FormValue("email")
+		if err := sqlGetUser(&user); err != nil {
+			http.Error(w, http.StatusText(http.StatusNotAcceptable), http.StatusNotAcceptable)
+			return
+		}
+		// TODO reset password to random, uncomment the following 4 lines
+		user.Password = token.GetToken(token_len)
+		if err := sqlUpdateUser(&user); err != nil {
+			http.Error(w, http.StatusText(http.StatusNotAcceptable), http.StatusNotAcceptable)
+			return
+		}
+		log.Println(user.Password)
+		return
+		// https://stackoverflow.com/a/24431749
+		mail := gomail.NewMessage()
+		mail.SetAddressHeader("From", config.SMTP.User, config.SMTP.Name)
+		mail.SetAddressHeader("To", r.FormValue("email"), "")
+		mail.SetHeader("Subject", "Check your password request")
+		mail.SetBody("text/html", user.Password)
+		dialer := gomail.NewPlainDialer(config.SMTP.Server, config.SMTP.Port, config.SMTP.User, config.SMTP.Password)
+		//dialer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+		if err := dialer.DialAndSend(mail); err != nil {
+			log.Println(err)
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.Write([]byte("A mail with instructions was send, read and <a href=\"/\">sign in</a>"))
+	}
+}