mirror of https://github.com/0x2E/fusion.git synced 2025-06-08 05:27:15 +09:00
Commit graph

6 commits

Author SHA1 Message Date
Yuan
bc8109fe39
refactor: replace zap log with slog (#150)
* refactor: replace zap log with slog

* fix
2025-04-25 17:18:25 +08:00
Michael Lynch
bfd4e8c66b Check passwords based on hashes rather than plaintext
fusion's current password mechanism is vulnerable to a timing attack:

https://en.wikipedia.org/wiki/Timing_attack

Because fusion checks passwords using simple character-by-character string comparison, a password attempt that begins with the correct characters will take longer to evaluate than one that starts with incorrect characters. For example, if the correct password is 'platypus123' then a password attempt of 'plates' will take longer to evaluate than 'spoons' because 'plates' and 'platypus' share a common prefix. An attacker who attempts the password 'plates' will know that they likely have the correct prefix.

To prevent the timing attack, this change hashes the user's password using PBKDF2 and compares hashes using subtle.ConstantTimeCompare, which is specifically designed to prevent timing attacks.
2025-01-12 11:31:01 -05:00
Michael Lynch
15caa9988b Get rid of global state for config 2025-01-04 20:00:25 -05:00
rook1e
4c7889deff
refactor: use uber-go/zap 2024-03-18 22:10:57 +08:00
rook1e
977a3fa28e
fix: add debug mode 2024-03-08 13:19:32 +08:00
rook1e
e9b065e9fb
init 2024-03-06 16:54:13 +08:00