From b1e9225591d48c4204903dd83b5639d42f1f31e5 Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Fri, 22 Dec 2023 19:35:39 +1000
Subject: [PATCH 1/2] Bugfix: Return AuthenticationFailedError when password is not OK

This fixes a panic in Basic Auth mode.
---
 services/users/set_user.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/services/users/set_user.go b/services/users/set_user.go
index 7d9f7308f91..037f208abe7 100644
--- a/services/users/set_user.go
+++ b/services/users/set_user.go
@@ -16,7 +16,8 @@ import (
 )
 
 var (
-	NameReservedError = errors.New("Username is reserved")
+	NameReservedError         = errors.New("Username is reserved")
+	AuthenticationFailedError = errors.New("Authentication Failed")
 )
 
 // Update the user's password.
@@ -143,6 +144,8 @@ func verifyPassword(self *api_proto.VelociraptorUser, password string) bool {
 	return subtle.ConstantTimeCompare(hash[:], self.PasswordHash) == 1
 }
 
+// Verifies the username's password is ok. If the password is not OK
+// returns an AuthenticationFailedError too.
 func (self *UserManager) VerifyPassword(
 	ctx context.Context,
 	principal, username string,
@@ -153,5 +156,10 @@ func (self *UserManager) VerifyPassword(
 		return false, err
 	}
 
-	return verifyPassword(user_record, password), nil
+	ok := verifyPassword(user_record, password)
+	if !ok {
+		return ok, AuthenticationFailed
+	}
+
+	return true, nil
 }

From fd5402f294744f096df77ddbf560dcdac6caa1bc Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Fri, 22 Dec 2023 19:53:55 +1000
Subject: [PATCH 2/2] Fixed test

---
 services/users/set_user.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/users/set_user.go b/services/users/set_user.go
index 037f208abe7..8a97021697b 100644
--- a/services/users/set_user.go
+++ b/services/users/set_user.go
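Review bot: The doc comment added above VerifyPassword in the second hunk does not begin with the function name, which is what godoc and linters key on, and "returns an AuthenticationFailedError too" leaves the contract vague. Suggest `// VerifyPassword checks password against the stored hash for username. It returns (false, AuthenticationFailedError) when the password does not match, and (false, err) when the user record cannot be loaded.` — the second clause assumes the `return false, err` path in the third hunk is the lookup failure; its origin is outside the hunk, so confirm before wording it that way. VerifyPassword's parameter list continues past the end of this hunk.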
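Review bot: `return ok, AuthenticationFailed` in the third hunk references an identifier that is not declared — the var block in the first hunk declares `AuthenticationFailedError` — so this commit does not build on its own; 2/2 repairs the name, and the two commits are best squashed so bisection does not land on a broken tree. On the same line `ok` is known to be false inside the `if !ok` branch, so `return false, AuthenticationFailedError` states the intent directly; the same applies to the hunk in 2/2. Callers that previously treated `false, nil` as a bad password now receive a non-nil error as well, and if any caller forwards the error text to the HTTP client, the pass-through error on the `return false, err` path (its source is outside the hunk) becomes distinguishable from a wrong password; mapping both to AuthenticationFailedError at the HTTP boundary keeps the response uniform for unknown users and bad passwords. The enclosing function starts before this hunk.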
@@ -158,7 +158,7 @@ func (self *UserManager) VerifyPassword(
 
 	ok := verifyPassword(user_record, password)
 	if !ok {
-		return ok, AuthenticationFailed
+		return ok, AuthenticationFailedError
 	}
 
 	return true, nil