From 9a3630b07cb870266669ba120985a2c0a8ebbf5c Mon Sep 17 00:00:00 2001
From: Chaoscaot
Date: Tue, 19 Dec 2023 20:49:37 +0100
Subject: [PATCH] Code Review Stuff
---
src/de/steamwar/sql/SteamwarUser.java | 77 ++++++++++++++++-----------
1 file changed, 47 insertions(+), 30 deletions(-)
diff --git a/src/de/steamwar/sql/SteamwarUser.java b/src/de/steamwar/sql/SteamwarUser.java
index 514e428..3166124 100644
--- a/src/de/steamwar/sql/SteamwarUser.java
+++ b/src/de/steamwar/sql/SteamwarUser.java
@@ -25,18 +25,28 @@ import lombok.SneakyThrows;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
 import java.sql.Timestamp;
 import java.util.*;
+import java.util.function.BiConsumer;
 import java.util.function.Consumer;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 public class SteamwarUser {
 private static final SecureRandom random = new SecureRandom();
+ private static final SecretKeyFactory factory;
 static {
- new SqlTypeMapper<>(UUID.class, "CHAR(36)", (rs, identifier) -> UUID.fromString(rs.getString(identifier)), (st, index, value) -> st.setString(index, value.toString()));
+ try {
+ factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
+ } catch (NoSuchAlgorithmException e) {
+ throw new SecurityException(e);
+ }
+
+ new SqlTypeMapper<>(UUID.class, "CHAR(36)", (rs, identifier) -> UUID.fromString(rs.getString(identifier)), (st, index, value) -> st.setString(index, value.toString()));
 new SqlTypeMapper<>(Locale.class, "VARCHAR(32)", (rs, identifier) -> {
 String l = rs.getString(identifier);
 return l != null ? Locale.forLanguageTag(l) : null;
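Review bot: The new static `factory` field is shared by every `setPassword`/`verifyPassword` call on every thread, and nothing in the hunk records why that is safe: the `SecretKeyFactory` Javadoc makes no thread-safety promise, so the hoisting relies on the JDK's PBKDF2 implementation keeping no per-call state (which, as far as I know, holds for the SunJCE provider but is not a documented contract). A comment above the field would preserve that assumption for whoever swaps providers later: `// Shared across threads: the JDK PBKDF2 factory keeps no per-call state. Re-check if the provider or algorithm changes.` Separately, `throw new SecurityException(e)` inside `static {}` surfaces as an `ExceptionInInitializerError` at class load (and `NoClassDefFoundError` on later use), which is the right fail-fast outcome for a missing algorithm, but `IllegalStateException` names the condition better than `SecurityException`, whose Javadoc ties it to security-manager violations.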
@@ -110,12 +120,13 @@ public class SteamwarUser {
 return byDiscord.select(discordId);
 }
- public static SteamwarUser getOrCreate(UUID uuid, String name, Consumer newPlayer) {
+ public static SteamwarUser getOrCreate(UUID uuid, String name, Consumer newPlayer, BiConsumer nameUpdate) {
 SteamwarUser user = get(uuid);
 if (user != null) {
 if (!user.userName.equals(name)) {
 updateName.update(name, user.id);
+ nameUpdate.accept(user.userName, name);
 user.userName = name;
 }
@@ -288,44 +299,50 @@ public class SteamwarUser {
 }
 }
- @SneakyThrows
 public void setPassword(String password) {
- byte[] salt = new byte[16];
- random.nextBytes(salt);
- String saltString = Base64.getEncoder().encodeToString(salt);
+ try {
+ byte[] salt = new byte[16];
+ random.nextBytes(salt);
+ String saltString = Base64.getEncoder().encodeToString(salt);
- PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 512);
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
- byte[] hash = factory.generateSecret(spec).getEncoded();
-
- String hashString = Base64.getEncoder().encodeToString(hash);
-
- this.password = hashString + ":" + saltString;
- updatePassword.update(this.password, id);
+ byte[] hash = generateHash(password, salt);
+ String hashString = Base64.getEncoder().encodeToString(hash);
+ this.password = hashString + ":" + saltString;
+ updatePassword.update(this.password, id);
+ } catch (Exception e) {
+ throw new SecurityException(e);
+ }
 }
- @SneakyThrows
 public boolean verifyPassword(String password) {
- if (this.password == null) {
+ try {
+ if (this.password == null) {
+ return false;
+ }
+
+ String[] parts = this.password.split(":");
+ if (parts.length != 2) {
+ SQLConfig.impl.getLogger().log(Level.SEVERE ,"Invalid password hash for user {0} ({1})", new Object[]{userName, id});
+ return false;
+ }
+
+ String hashString = parts[0];
+ byte[] realHash = Base64.getDecoder().decode(hashString);
+ String saltString = parts[1];
+ byte[] salt = Base64.getDecoder().decode(saltString);
+ byte[] hash = generateHash(password, salt);
+ return Arrays.equals(realHash, hash);
+ } catch (Exception e) {
+ SQLConfig.impl.getLogger().log(Level.SEVERE, "Error while verifying password for user " + userName + " (" + id + ")", e);
 return false;
 }
+ }
- String[] parts = this.password.split(":");
- if (parts.length != 2) {
- SQLConfig.impl.getLogger().log(Level.SEVERE ,"Invalid password hash for user {0} ({1})", new 
Object[]{userName, id});
- return false;
- }
-
- String hashString = parts[0];
- byte[] realHash = Base64.getDecoder().decode(hashString);
- String saltString = parts[1];
- byte[] salt = Base64.getDecoder().decode(saltString);
-
+ private byte[] generateHash(String password, byte[] salt)
+ throws InvalidKeySpecException {
 PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 512);
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
- byte[] hash = factory.generateSecret(spec).getEncoded();
+ return factory.generateSecret(spec).getEncoded();
- return Arrays.equals(realHash, hash);
 }
 private void initPunishments() {
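Review bot: `return Arrays.equals(realHash, hash);` in the rewritten `verifyPassword` compares the stored and freshly computed PBKDF2 outputs with an early-exit comparison, so its running time depends on how far the two match; `MessageDigest.isEqual(realHash, hash)` is the constant-time equivalent and needs `import java.security.MessageDigest;`, which the import hunk at the top of this patch does not add. The new `generateHash` also leaves the password chars inside the `PBEKeySpec` after `generateSecret` returns; `spec.clearPassword()` in a `finally` zeroes that copy, which is the only copy the code controls because `password` itself arrives as a `String`. The two `catch (Exception e)` blocks swallow programming errors as well (a `NullPointerException` from a null `password` becomes a `SecurityException` or a silent `false`); catching `InvalidKeySpecException`, plus `IllegalArgumentException` for the Base64 decode in `verifyPassword`, keeps the fail-closed behaviour without hiding bugs. The unchanged context line `new PBEKeySpec(password.toCharArray(), salt, 65536, 512)` carries over the 65536 iteration count; current PBKDF2-HMAC-SHA512 guidance is several times higher, but raising it means re-hashing on next login and is a separate change. The compare and the `finally` together are a few lines, shown below.
```java
            // … unchanged: null check, split, Base64 decode of hash and salt …
            byte[] hash = generateHash(password, salt);
            return MessageDigest.isEqual(realHash, hash); // constant-time compare
        } catch (InvalidKeySpecException | IllegalArgumentException e) {
            // … unchanged: SEVERE log and return false …

    private byte[] generateHash(String password, byte[] salt)
            throws InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 512);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // zero the char[] copy PBEKeySpec made of the password
        }
    }
```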