feat: hashing user passwords

solves problems #2944, #2783

2 files changed, 27 insertions, 7 deletions

diff --git a/web/controller/setting.go b/web/controller/setting.go
index d04969dc..1ca65b07 100644
--- a/web/controller/setting.go
+++ b/web/controller/setting.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"time"
 
+	"x-ui/util/crypto"
 	"x-ui/web/entity"
 	"x-ui/web/service"
 	"x-ui/web/session"
@@ -84,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 		return
 	}
 	user := session.GetLoginUser(c)
-	if user.Username != form.OldUsername || user.Password != form.OldPassword {
+	if user.Username != form.OldUsername || !crypto.CheckPasswordHash(user.Password, form.OldPassword) {
 		jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
 		return
 	}
@@ -95,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 	err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
 	if err == nil {
 		user.Username = form.NewUsername
-		user.Password = form.NewPassword
+		user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)
 		session.SetLoginUser(c, user)
 	}
 	jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
diff --git a/web/service/user.go b/web/service/user.go
index 7438cf1a..72ae25a2 100644
--- a/web/service/user.go
+++ b/web/service/user.go
@@ -6,6 +6,7 @@ import (
 	"x-ui/database"
 	"x-ui/database/model"
 	"x-ui/logger"
+	"x-ui/util/crypto"
 
 	"gorm.io/gorm"
 )
@@ -29,8 +30,9 @@ func (s *UserService) CheckUser(username string, password string, secret string)
 	db := database.GetDB()
 
 	user := &model.User{}
+
 	err := db.Model(model.User{}).
-		Where("username = ? and password = ? and login_secret = ?", username, password, secret).
+		Where("username = ? and login_secret = ?", username, secret).
 		First(user).
 		Error
 	if err == gorm.ErrRecordNotFound {
@@ -39,14 +41,25 @@ func (s *UserService) CheckUser(username string, password string, secret string)
 		logger.Warning("check user err:", err)
 		return nil
 	}
-	return user
+
+	if crypto.CheckPasswordHash(user.Password, password) {
+		return user
+	}
+
+	return nil
 }
 
 func (s *UserService) UpdateUser(id int, username string, password string) error {
 	db := database.GetDB()
+	hashedPassword, err := crypto.HashPasswordAsBcrypt(password)
+
+	if err != nil {
+		return err
+	}
+
 	return db.Model(model.User{}).
 		Where("id = ?", id).
-		Updates(map[string]any{"username": username, "password": password}).
+		Updates(map[string]any{"username": username, "password": hashedPassword}).
 		Error
 }
 
@@ -100,17 +113,23 @@ func (s *UserService) UpdateFirstUser(username string, password string) error {
 	} else if password == "" {
 		return errors.New("password can not be empty")
 	}
+	hashedPassword, er := crypto.HashPasswordAsBcrypt(password)
+
+	if er != nil {
+		return er
+	}
+
 	db := database.GetDB()
 	user := &model.User{}
 	err := db.Model(model.User{}).First(user).Error
 	if database.IsNotFound(err) {
 		user.Username = username
-		user.Password = password
+		user.Password = hashedPassword
 		return db.Model(model.User{}).Create(user).Error
 	} else if err != nil {
 		return err
 	}
 	user.Username = username
-	user.Password = password
+	user.Password = hashedPassword
 	return db.Save(user).Error
 }