feat: secrets of clients now need to be hashed, added command to create hash

2025-04-25 21:35:52 +02:00
parent a77e96be6e
commit 81dcd9c7cc
5 changed files with 58 additions and 9 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -7,9 +7,9 @@ import (
 )

 type ClientConfig struct {
-	Secret   string   `mapstructure:"secret"`
-	Exact    []string `mapstructure:"exact"`
-	Wildcard []string `mapstructure:"wildcard"`
+	SecretHash string   `mapstructure:"secret_hash"`
+	Exact      []string `mapstructure:"exact"`
+	Wildcard   []string `mapstructure:"wildcard"`
 }

 type ServerConfig struct {
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -14,6 +14,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.uber.org/zap"
+	"golang.org/x/crypto/bcrypt"
 )

 var (
@@ -77,8 +78,14 @@ func NewRouter(cfg *config.Config, logger *zap.Logger, prov pvd.Provider) *gin.E
 			ip = c.ClientIP()
 		}
 		clientCfg, ok := cfg.Clients[req.Key]
-		if !ok || req.Secret != clientCfg.Secret {
+		// Compare the provided secret with the stored hash
+		err := bcrypt.CompareHashAndPassword([]byte(clientCfg.SecretHash), []byte(req.Secret))
+		if !ok || err != nil {
 			failedUpdates.Inc()
+			// Log the error only if it's not a not found error, to avoid logging failed auth attempts excessively
+			if err != nil && err != bcrypt.ErrMismatchedHashAndPassword {
+				logger.Error("bcrypt comparison failed", zap.Error(err))
+			}
 			c.JSON(http.StatusUnauthorized, gin.H{"status": "error", "message": "invalid key or secret"})
 			return
 		}
--- a/internal/server/server_router_test.go
+++ b/internal/server/server_router_test.go
@@ -24,6 +24,11 @@ func (m *mockProvider) UpdateRecord(ctx context.Context, host, ip string) error
 }

 func newTestConfig(provider string) *config.Config {
+	// Pre-generate hash for "s3cr3t" (replace with actual hash generation if needed)
+	// Example hash generated with bcrypt.GenerateFromPassword([]byte("s3cr3t"), bcrypt.DefaultCost)
+	// In a real test setup, you might generate this once or use a helper.
+	testSecretHash := "$2a$10$abcdefghijklmnopqrstuv" // Placeholder hash
+
 	return &config.Config{
 		Server: config.ServerConfig{
 			BindAddress: ":0",
@@ -35,9 +40,9 @@ func newTestConfig(provider string) *config.Config {
 		},
 		Clients: map[string]config.ClientConfig{
 			"client1": {
-				Secret:   "s3cr3t",
-				Exact:    []string{"a.example.com"},
-				Wildcard: []string{"example.net"},
+				SecretHash: testSecretHash,
+				Exact:      []string{"a.example.com"},
+				Wildcard:   []string{"example.net"},
 			},
 		},
 	}