Better password hashes error handling (#132)

2023-10-13 05:36:00 +02:00
parent 7059d5c834
commit b1acea9f1c
1 changed files with 8 additions and 0 deletions
--- a/internal/web/util.go
+++ b/internal/web/util.go
@@ -265,8 +265,16 @@ func (a Argon2ID) hash(plain string) (string, error) {
 }

 func (a Argon2ID) verify(plain, hash string) (bool, error) {
+	if hash == "" {
+		return false, nil
+	}
+
 	hashParts := strings.Split(hash, "$")

+	if len(hashParts) != 6 {
+		return false, errors.New("invalid hash")
+	}
+
 	_, err := fmt.Sscanf(hashParts[3], "m=%d,t=%d,p=%d", &a.memory, &a.time, &a.threads)
 	if err != nil {
 		return false, err