Fallback to BCrypt auth when BCRYPT_AUTH_FALLBACK

9 years ago · 927a0c1406
2 changed files with 11 additions and 1 deletions
--- a/models/user.go
+++ b/models/user.go
@ -21,6 +21,8 @@ import (
 	"strings"
 	"time"

+	"golang.org/x/crypto/bcrypt"
+
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/xorm"
 	"github.com/nfnt/resize"
@ -251,7 +253,13 @@ func (u *User) EncodePasswd() {
 func (u *User) ValidatePassword(passwd string) bool {
 	newUser := &User{Passwd: passwd, Salt: u.Salt}
 	newUser.EncodePasswd()
-	return u.Passwd == newUser.Passwd
+	if u.Passwd == newUser.Passwd {
+		return true
+	}
+	if setting.BCryptAuthFallback && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil {
+		return true
+	}
+	return false
 }

 // UploadAvatar saves custom avatar for user.
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -77,6 +77,7 @@ var (
 	CookieUserName       string
 	CookieRememberName   string
 	ReverseProxyAuthUser string
+	BCryptAuthFallback   bool

 	// Database settings.
 	UseSQLite3    bool
@ -324,6 +325,7 @@ func NewContext() {
 	CookieUserName = sec.Key("COOKIE_USERNAME").String()
 	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").String()
 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
+	BCryptAuthFallback = sec.Key("BCRYPT_AUTH_FALLBACK").MustBool()

 	sec = Cfg.Section("attachment")
 	AttachmentPath = sec.Key("PATH").MustString(path.Join(AppDataPath, "attachments"))