rezidir/GeoShare
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'remove bcrypt from registration key, use plain string comparison' (#7) from dev into release

Browse Source 
Reviewed-on: #7
This commit was merged in pull request #7.
This commit is contained in:
rezidir
2026-06-25 16:55:19 +03:00
parent 38e843253e fdb3140b8b
commit 7c4c350a71
4 changed files with 8 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+1 -1
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="user"
POSTGRES_PASSWORD="pwd" POSTGRES_PASSWORD="pwd"
# TOKEN_LIFETIME in minutes # TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600 TOKEN_LIFETIME=600
# Secret key for registration (plaintext, hashed with bcrypt at startup) # Secret key for registration (plaintext comparison)
REGISTRATION_SECRET_KEY=your-registration-key REGISTRATION_SECRET_KEY=your-registration-key
api.yaml
+1 -1
View File
@@ -254,7 +254,7 @@ components:
example: "securePass123" example: "securePass123"
secret_key: secret_key:
type: string type: string
description: Plaintext registration secret key (REGISTRATION_SECRET_KEY from server .env) description: Registration secret key (REGISTRATION_SECRET_KEY from server .env)
example: "FtracKer*1405." example: "FtracKer*1405."
LoginResponse: LoginResponse:
bin/.env
+1 -1
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="postgres"
POSTGRES_PASSWORD="postgres" POSTGRES_PASSWORD="postgres"
# TOKEN_LIFETIME in minutes # TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600 TOKEN_LIFETIME=600
# Secret key for registration (plaintext, hashed with bcrypt at startup) # Secret key for registration (plaintext comparison)
REGISTRATION_SECRET_KEY=FtracKer*1405. REGISTRATION_SECRET_KEY=FtracKer*1405.
bin/routes/auth_routes.dart
+5 -9
View File
@@ -12,15 +12,8 @@ import 'dart:io';
class AuthRoutes { class AuthRoutes {
final DatabaseProvider database; final DatabaseProvider database;
final Map<String, DateTime> _lastRequest = {}; final Map<String, DateTime> _lastRequest = {};
final String _registrationKeyHash;
AuthRoutes(this.database) : _registrationKeyHash = _loadRegistrationKeyHash(); AuthRoutes(this.database);
static String _loadRegistrationKeyHash() {
final dotenv = DotEnv();
final key = dotenv['REGISTRATION_SECRET_KEY'] ?? '';
return BCrypt.hashpw(key, BCrypt.gensalt());
}
Router get routes { Router get routes {
final router = Router(); final router = Router();
@@ -119,7 +112,10 @@ class AuthRoutes {
return response; return response;
} }
if (!BCrypt.checkpw(secretKey, _registrationKeyHash)) { final envDotenv = DotEnv();
final registrationKey = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
if (secretKey != registrationKey) {
stopwatch.stop(); stopwatch.stop();
final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'}); final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);