miniflux-v2/internal/crypto/crypto.go

// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package crypto // import "miniflux.app/v2/internal/crypto"

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"

	"golang.org/x/crypto/bcrypt"
)

// HashFromBytes returns a SHA-256 checksum of the input.
func HashFromBytes(value []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(value))
}

// Hash returns a SHA-256 checksum of a string.
func Hash(value string) string {
	return HashFromBytes([]byte(value))
}

// GenerateRandomBytes returns random bytes.
func GenerateRandomBytes(size int) []byte {
	b := make([]byte, size)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}

	return b
}

// GenerateRandomString returns a random string.
func GenerateRandomString(size int) string {
	return base64.URLEncoding.EncodeToString(GenerateRandomBytes(size))
}

// GenerateRandomStringHex returns a random hexadecimal string.
func GenerateRandomStringHex(size int) string {
	return hex.EncodeToString(GenerateRandomBytes(size))
}

func HashPassword(password string) (string, error) {
	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	return string(bytes), err
}

func GenerateSHA256Hmac(secret string, data []byte) string {
	h := hmac.New(sha256.New, []byte(secret))
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil))
}

func GenerateUUID() string {
	b := GenerateRandomBytes(16)
	return fmt.Sprintf("%X-%X-%X-%X-%X", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
}

func ConstantTimeCmp(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}
Replace copyright header with SPDX identifier 2023-06-19 23:42:47 +02:00			`// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
First commit 2017-11-20 06:10:04 +01:00
Move internal packages to an internal folder For reference: https://go.dev/doc/go1.4#internalpackages 2023-08-11 04:46:45 +02:00			`package crypto // import "miniflux.app/v2/internal/crypto"`
First commit 2017-11-20 06:10:04 +01:00
			`import (`
Add generic webhook integration 2023-09-09 07:45:17 +02:00			`"crypto/hmac"`
First commit 2017-11-20 06:10:04 +01:00			`"crypto/rand"`
			`"crypto/sha256"`
Use constant-time comparison for anti-csrf tokens This is probably completely overkill, but since anti-csrf tokens are secrets, they should be compared against untrusted inputs in constant time. 2024-03-04 00:08:55 +01:00			`"crypto/subtle"`
First commit 2017-11-20 06:10:04 +01:00			`"encoding/base64"`
Add "Share article" feature A new "shareCode" field is generated for each entry, and allows unlogged users to access the entry through the /shared endpoint. This feature is particularly useful to share articles from miniflux to third-party users without having them to visit the original source. The image proxy is disabled and special cache headers are proposed in the shared page to avoid denial of service. 2019-10-05 13:30:25 +02:00			`"encoding/hex"`
First commit 2017-11-20 06:10:04 +01:00			`"fmt"`
Fix regression in integration page and simplify SQL query 2023-07-11 05:59:49 +02:00
			`"golang.org/x/crypto/bcrypt"`
First commit 2017-11-20 06:10:04 +01:00			`)`

			`// HashFromBytes returns a SHA-256 checksum of the input.`
			`func HashFromBytes(value []byte) string {`
Make use of HashFromBytes everywhere It feels a bit silly to have a function and to not make use of it. 2024-03-11 23:03:23 +01:00			`return fmt.Sprintf("%x", sha256.Sum256(value))`
First commit 2017-11-20 06:10:04 +01:00			`}`

			`// Hash returns a SHA-256 checksum of a string.`
			`func Hash(value string) string {`
			`return HashFromBytes([]byte(value))`
			`}`

			`// GenerateRandomBytes returns random bytes.`
			`func GenerateRandomBytes(size int) []byte {`
			`b := make([]byte, size)`
			`if _, err := rand.Read(b); err != nil {`
Improve OAuth2 integration 2017-11-25 01:09:10 +01:00			`panic(err)`
First commit 2017-11-20 06:10:04 +01:00			`}`

			`return b`
			`}`

			`// GenerateRandomString returns a random string.`
			`func GenerateRandomString(size int) string {`
			`return base64.URLEncoding.EncodeToString(GenerateRandomBytes(size))`
			`}`
Add "Share article" feature A new "shareCode" field is generated for each entry, and allows unlogged users to access the entry through the /shared endpoint. This feature is particularly useful to share articles from miniflux to third-party users without having them to visit the original source. The image proxy is disabled and special cache headers are proposed in the shared page to avoid denial of service. 2019-10-05 13:30:25 +02:00
			`// GenerateRandomStringHex returns a random hexadecimal string.`
			`func GenerateRandomStringHex(size int) string {`
			`return hex.EncodeToString(GenerateRandomBytes(size))`
			`}`
Fix regression in integration page and simplify SQL query 2023-07-11 05:59:49 +02:00
			`func HashPassword(password string) (string, error) {`
			`bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`
			`return string(bytes), err`
			`}`
Add generic webhook integration 2023-09-09 07:45:17 +02:00
			`func GenerateSHA256Hmac(secret string, data []byte) string {`
			`h := hmac.New(sha256.New, []byte(secret))`
			`h.Write(data)`
			`return hex.EncodeToString(h.Sum(nil))`
			`}`
Remove github.com/google/uuid Replace it with a hand-rolled implementation. Heck, an UUID isn't even a requirement, according to [omnivore](https://docs.omnivore.app/integrations/api.html#saving-a-url-with-the-api)'s documentation, any "unique id" would do. 2024-02-26 14:53:16 +01:00
			`func GenerateUUID() string {`
			`b := GenerateRandomBytes(16)`
			`return fmt.Sprintf("%X-%X-%X-%X-%X", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])`
			`}`
Use constant-time comparison for anti-csrf tokens This is probably completely overkill, but since anti-csrf tokens are secrets, they should be compared against untrusted inputs in constant time. 2024-03-04 00:08:55 +01:00
			`func ConstantTimeCmp(a, b string) bool {`
			`return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1`
			`}`