Remove user passwords (#539)

* Remove user passwords

Co-authored-by: Jonas Plum <git@jonasplum.de>

database/migrations/migrations.go

@@ -61,8 +61,6 @@ func generateMigrations() ([]Migration, error) {
 
 		&updateDocument[model.Settings]{ID: "update-settings-global-1", Collection: "settings", Key: "global", Document: &model.Settings{ArtifactStates: []*model.Type{{Icon: "mdi-help-circle-outline", ID: "unknown", Name: "Unknown", Color: pointer.String(model.TypeColorInfo)}, {Icon: "mdi-skull", ID: "malicious", Name: "Malicious", Color: pointer.String(model.TypeColorError)}, {Icon: "mdi-check", ID: "clean", Name: "Clean", Color: pointer.String(model.TypeColorSuccess)}}, ArtifactKinds: []*model.Type{{Icon: "mdi-server", ID: "asset", Name: "Asset"}, {Icon: "mdi-bullseye", ID: "ioc", Name: "IOC"}}, Timeformat: "yyyy-MM-dd hh:mm:ss"}},
 
-		&updateSchema{ID: "update-user-simple-login", Name: "users", DataType: "user", Schema: `{"type":"object","properties":{"apikey":{"type":"boolean"},"blocked":{"type":"boolean"},"roles":{"items":{"type":"string"},"type":"array"},"salt":{"type":"string"},"sha256":{"type":"string"},"sha512":{"type":"string"}},"required":["blocked","apikey","roles"],"$id":"#/definitions/User"}`},
-
 		&mapRoles{ID: "simplify-roles"},
 	}, nil
 }

database/user.go

@@ -3,7 +3,6 @@ package database
 import (
 	"context"
 	"crypto/sha256"
-	"crypto/sha512"
 	"errors"
 	"fmt"
 	"log"
@@ -34,13 +33,11 @@ func generateKey() string {
 	return string(b)
 }
 
-func toUser(user *model.UserForm, salt, sha256, sha512 *string) *model.User {
+func toUser(user *model.UserForm, sha256 *string) *model.User {
 	u := &model.User{
 		Blocked: user.Blocked,
 		Roles:   user.Roles,
-		Salt:    salt,
 		Sha256:  sha256,
-		Sha512:  sha512,
 		Apikey:  user.Apikey,
 	}
 
@@ -89,16 +86,14 @@ func (db *Database) UserGetOrCreate(ctx context.Context, newUser *model.UserForm
 }
 
 func (db *Database) UserCreate(ctx context.Context, newUser *model.UserForm) (*model.NewUserResponse, error) {
-	var key, salt, sha256Hash, sha512Hash *string
+	var key, sha256Hash *string
 	if newUser.Apikey {
 		key, sha256Hash = generateAPIKey()
-	} else if newUser.Password != nil {
-		salt, sha512Hash = hashUserPassword(newUser)
 	}
 
 	var doc model.User
 	newctx := driver.WithReturnNew(ctx, &doc)
-	meta, err := db.userCollection.CreateDocument(ctx, newctx, strcase.ToKebab(newUser.ID), toUser(newUser, salt, sha256Hash, sha512Hash))
+	meta, err := db.userCollection.CreateDocument(ctx, newctx, strcase.ToKebab(newUser.ID), toUser(newUser, sha256Hash))
 	if err != nil {
 		return nil, err
 	}
@@ -117,7 +112,7 @@ func (db *Database) UserCreateSetupAPIKey(ctx context.Context, key string) (*mod
 
 	var doc model.User
 	newctx := driver.WithReturnNew(ctx, &doc)
-	meta, err := db.userCollection.CreateDocument(ctx, newctx, strcase.ToKebab(newUser.ID), toUser(newUser, nil, sha256Hash, nil))
+	meta, err := db.userCollection.CreateDocument(ctx, newctx, strcase.ToKebab(newUser.ID), toUser(newUser, sha256Hash))
 	if err != nil {
 		return nil, err
 	}
@@ -136,19 +131,11 @@ func (db *Database) UserUpdate(ctx context.Context, id string, user *model.UserF
 		return nil, errors.New("cannot update an API key")
 	}
 
-	var salt, sha512Hash *string
-	if user.Password != nil {
-		salt, sha512Hash = hashUserPassword(user)
-	} else {
-		salt = doc.Salt
-		sha512Hash = doc.Sha512
-	}
-
 	ctx = driver.WithReturnNew(ctx, &doc)
 
 	user.ID = id
 
-	meta, err := db.userCollection.ReplaceDocument(ctx, id, toUser(user, salt, nil, sha512Hash))
+	meta, err := db.userCollection.ReplaceDocument(ctx, id, toUser(user, nil))
 	if err != nil {
 		return nil, err
 	}
@@ -244,13 +231,3 @@ func generateAPIKey() (key, sha256Hash *string) {
 
 	return &newKey, sha256Hash
 }
-
-func hashUserPassword(newUser *model.UserForm) (salt, sha512Hash *string) {
-	if newUser.Password != nil {
-		saltKey := generateKey()
-		salt = &saltKey
-		sha512Hash = pointer.String(fmt.Sprintf("%x", sha512.Sum512([]byte(saltKey+*newUser.Password))))
-	}
-
-	return salt, sha512Hash
-}