Merge remote-tracking branch 'origin/main'

Richard Reiswich 2023-01-16 18:02:45 +01:00
commit f072cc9f66


@ -6,6 +6,7 @@ package com.bib.essensbestellungsverwaltung;
import javax.crypto.SecretKeyFactory; import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEKeySpec;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException; import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec; import java.security.spec.KeySpec;
import java.util.ArrayList; import java.util.ArrayList;
@ -52,7 +53,7 @@ public class AccountMgr {
String[] userH = {"name", "firstname", "addressid", "password", "email"}; String[] userH = {"name", "firstname", "addressid", "password", "email"};
String name = userData[0]; String name = userData[0];
String firstname = userData[1]; String firstname = userData[1];
String pw = hashAndSalt(userData[2]); String pw = hashAndSalt(userData[2], getSalt());
String email = userData[3]; String email = userData[3];
long id = Database.insert("address", addressH, addressData); long id = Database.insert("address", addressH, addressData);
@ -102,8 +103,14 @@ public class AccountMgr {
* @return id or -1 * @return id or -1
*/ */
protected static long login(String email, String pw){ protected static long login(String email, String pw){
String[] pwH = {"email"};
String[] pwD = {email};
List<String> foundEmail = Database.select("user",pwH,pwD);
String[] userParts = foundEmail.get(0).split(":");
String[] pwParts = userParts[4].split("\\.");
String salt = pwParts[1];
String[] userH = {"email","password"}; String[] userH = {"email","password"};
String[] userD = {email,hashAndSalt(pw)}; String[] userD = {email,hashAndSalt(pw,salt)};
return Database.getSingleId("user",userH,userD); return Database.getSingleId("user",userH,userD);
} }
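Review bot: `foundEmail.get(0)` in login() throws IndexOutOfBoundsException when no row matches the email, so an unknown address now crashes the caller instead of yielding the documented -1, and `pwParts[1]` throws ArrayIndexOutOfBounds for any existing row whose password column was written by the old single-argument hashAndSalt (no "." suffix), which locks those users out until their rows are rehashed. Add `if (foundEmail.isEmpty()) return -1;` before the split and `if (pwParts.length < 2) return -1;` after it, and plan a migration for pre-existing rows. Note too that returning immediately on an unknown email skips the 310001-iteration PBKDF2, so the response time presumably distinguishes registered from unregistered addresses; if that matters, hash against a dummy salt on the miss path. The index-4 lookup into `userParts` assumes the record is serialised in userH order with the password fourth — worth a comment, since nothing in this file enforces it.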
@ -136,10 +143,10 @@ public class AccountMgr {
* @param pw the password to hash * @param pw the password to hash
* @return hashed and salted password * @return hashed and salted password
*/ */
protected static String hashAndSalt(String pw){ protected static String hashAndSalt(String pw, String salt){
//todo: find a better way to salt Base64.Decoder dec = Base64.getDecoder();
byte[] magicSalt = new byte[]{96, 13, 100, 85, -37, 52, -123, 86, -123, -92, 16, 15, -110, -42, -49, 0}; byte[] bySalt = dec.decode(salt);
KeySpec spec = new PBEKeySpec(pw.toCharArray(), magicSalt,310001,256); KeySpec spec = new PBEKeySpec(pw.toCharArray(), bySalt,310001,256);
String hashedPw; String hashedPw;
try { try {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
@ -149,9 +156,18 @@ public class AccountMgr {
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) { } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
hashedPw += "." + salt;
return hashedPw; return hashedPw;
} }
private static String getSalt(){
SecureRandom sec = new SecureRandom();
byte[] salt = new byte[16];
sec.nextBytes(salt);
Base64.Encoder enc = Base64.getEncoder();
return enc.encodeToString(salt);
}
/** /**
* gives the invoice for one month and one child * gives the invoice for one month and one child
* @param date YYYY-MM the month * @param date YYYY-MM the month