53 lines
1.3 KiB
Go

package security
import (
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"errors"
"golang.org/x/crypto/bcrypt"
)
func HashPassword(password string) (string, error) {
if len(password) < 6 {
return "", errors.New("password must contain at least 6 characters")
}
return hashPassword(password)
}
// HashPasswordWithoutMinimum is reserved for credential domains that define their
// own policy before hashing. bcrypt still enforces its 72-byte maximum; keeping this
// separate prevents the external-admin exception from weakening main-admin passwords.
func HashPasswordWithoutMinimum(password string) (string, error) {
return hashPassword(password)
}
func hashPassword(password string) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return "", err
}
return string(hash), nil
}
func CheckPassword(hash string, password string) bool {
return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) == nil
}
func NewRefreshToken() (string, string, error) {
raw := make([]byte, 32)
if _, err := rand.Read(raw); err != nil {
return "", "", err
}
token := hex.EncodeToString(raw)
return token, HashToken(token), nil
}
func HashToken(token string) string {
sum := sha256.Sum256([]byte(token))
return hex.EncodeToString(sum[:])
}