From 85cbad3ef420ffdd7fec8657d247fdfe5e03903d Mon Sep 17 00:00:00 2001
From: Columbiysky
Date: Sat, 3 May 2025 12:27:53 +0300
Subject: feat: hashing user passwords solves problems #2944, #2783
---
 web/controller/setting.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'web/controller')
diff --git a/web/controller/setting.go b/web/controller/setting.go
index d04969dc..1ca65b07 100644
--- a/web/controller/setting.go
+++ b/web/controller/setting.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "time"

+ "x-ui/util/crypto"
 "x-ui/web/entity"
 "x-ui/web/service"
 "x-ui/web/session"
@@ -84,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 return
 }
 user := session.GetLoginUser(c)
- if user.Username != form.OldUsername || user.Password != form.OldPassword {
+ if user.Username != form.OldUsername || !crypto.CheckPasswordHash(user.Password, form.OldPassword) {
 jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
 return
 }
@@ -95,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
 if err == nil {
 user.Username = form.NewUsername
- user.Password = form.NewPassword
+ user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)
 session.SetLoginUser(c, user)
 }
 jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
--
cgit v1.2.3
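Review bot: In the second hunk, `!crypto.CheckPasswordHash(user.Password, form.OldPassword)` verifies the old password against the copy of the user held in the session (`session.GetLoginUser(c)`), not against the stored record. A session opened before the credentials were changed elsewhere would therefore still accept the previous password here, and a session created before this upgrade presumably still carries the plaintext value, which cannot match as a hash. Reading the current user from the user service and checking `form.OldPassword` against that record's hash would close both cases. The body of `updateUser` starts and ends outside the hunk, so an earlier reload of the user cannot be ruled out from here.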
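Review bot: In the third hunk, `user.Password, _ = crypto.HashPasswordAsBcrypt(form.NewPassword)` discards the hashing error, so on failure whatever the helper returns (likely an empty string) is written into the session with no signal to the caller. If the helper wraps bcrypt, an over-long password is one input that can make it fail. The hash is also computed separately from whatever `a.userService.UpdateUser` persisted, so the session and the store hold two different hashes of the same password. It would be safer to hash once before the update and stop on error, e.g. `hash, err := crypto.HashPasswordAsBcrypt(form.NewPassword)` followed by `if err != nil { jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err); return }`, and then assign `user.Password = hash` on success. The body of `updateUser` continues outside the hunk.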