rework auth

api/core.go

@@ -16,7 +16,6 @@ import (
 // CoreConfig is used to parameterize a core
 type CoreConfig struct {
 	DATABASE_URL      string
-	ENCRYPTION_KEY    string
 	ENCRYPTION_SECRET string
 	SIGNING_KEY       string
 	ADMIN_USERNAME    string
@@ -81,7 +80,6 @@ func ReadConfigs() (*CoreConfig, error) {
 	}
 
 	conf.DATABASE_URL = k.String(databaseURLKey)
-	conf.ENCRYPTION_KEY = k.String(encryptionKeyKey)
 	conf.ENCRYPTION_SECRET = k.String(encryptionSecretKey)
 	conf.SIGNING_KEY = k.String(signingKeyKey)
 	conf.ADMIN_USERNAME = k.String(adminUsernameKey)
@@ -119,7 +117,10 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		panic(err)
 	}
 
-	priv := _vault.NewAESPrivatiser([]byte(conf.ENCRYPTION_KEY), conf.ENCRYPTION_SECRET)
+	priv, err := _vault.NewAESPrivatiser(conf.ENCRYPTION_SECRET)
+	if err != nil {
+		panic(err)
+	}
 	signer, err := _vault.NewHMACSigner([]byte(conf.SIGNING_KEY))
 	if err != nil {
 		panic(err)

api/main.go

@@ -196,6 +196,7 @@ func main() {
 	listenAddr := fmt.Sprintf("%s:%v", coreConfig.API_HOST, coreConfig.API_PORT)
 	core.logger.Info(fmt.Sprintf("Listening on %s", listenAddr))
 	err = app.Listen(listenAddr)
+
 	if err != nil {
 		panic(err)
 	}

api/testing_utils.go

@@ -34,12 +34,11 @@ func InitTestingVault(t *testing.T) (*fiber.App, *Core) {
 	app := SetupApi(core)
 
 	db, err := _vault.NewSqlStore(coreConfig.DATABASE_URL)
-
 	if err != nil {
 		t.Fatal("Failed to create db", err)
 	}
 
-	priv := _vault.NewAESPrivatiser([]byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 05}, "abc&1*~#^2^#s0^=)^^7%b34")
+	priv, err := _vault.NewAESPrivatiser("abc&1*~#^2^#s0^=)^^7%b34")
 	if err != nil {
 		t.Fatal("Failed to create privatiser", err)
 	}

test.env

@@ -3,7 +3,6 @@ THORN_API_HOST=0.0.0.0
 THORN_API_PORT=3001
 THORN_ADMIN_USERNAME=admin
 THORN_ADMIN_PASSWORD=admin
-THORN_ENCRYPTION_KEY="#.9U#JW#XbB12345"
 THORN_ENCRYPTION_SECRET="abc&1*~#^2^#s0^=)^^7%b34"
 THORN_SIGNING_KEY=secret
 THORN_DEV_MODE=false

vault/aes_privatiser.go

@@ -4,49 +4,52 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/base64"
+	"errors"
 )
 
 type AESPrivatiser struct {
-	bytes  []byte
 	secret string
 }
 
-func NewAESPrivatiser(bytes []byte, secret string) AESPrivatiser {
-	return AESPrivatiser{bytes, secret}
-}
-
-func Encode(b []byte) string {
-	return base64.StdEncoding.EncodeToString(b)
+func NewAESPrivatiser(secret string) (*AESPrivatiser, error) {
+	if len(secret) != 16 && len(secret) != 24 && len(secret) != 32 {
+		return nil, errors.New("invalid secret length; must be 16, 24, or 32 bytes for AES-128, AES-192, AES-256 respectively")
+	}
+	return &AESPrivatiser{secret}, nil
 }
 
-func Decode(s string) []byte {
-	data, err := base64.StdEncoding.DecodeString(s)
+func (p *AESPrivatiser) Encrypt(text string) (string, error) {
+	block, err := aes.NewCipher([]byte(p.secret))
 	if err != nil {
-		panic(err)
+		return "", err
 	}
-	return data
+
+	// Using a fixed IV for deterministic encryption
+	iv := make([]byte, aes.BlockSize) // Fixed IV (e.g., all zeros)
+
+	cfb := cipher.NewCFBEncrypter(block, iv)
+	cipherText := make([]byte, len(text))
+	cfb.XORKeyStream(cipherText, []byte(text))
+
+	return base64.StdEncoding.EncodeToString(cipherText), nil
 }
 
-func (p AESPrivatiser) Encrypt(text string) (string, error) {
+func (p *AESPrivatiser) Decrypt(encodedText string) (string, error) {
 	block, err := aes.NewCipher([]byte(p.secret))
 	if err != nil {
 		return "", err
 	}
-	plainText := []byte(text)
-	cfb := cipher.NewCFBEncrypter(block, p.bytes)
-	cipherText := make([]byte, len(plainText))
-	cfb.XORKeyStream(cipherText, plainText)
-	return Encode(cipherText), nil
-}
 
-func (p AESPrivatiser) Decrypt(text string) (string, error) {
-	block, err := aes.NewCipher([]byte(p.secret))
+	data, err := base64.StdEncoding.DecodeString(encodedText)
 	if err != nil {
 		return "", err
 	}
-	cipherText := Decode(text)
-	cfb := cipher.NewCFBDecrypter(block, p.bytes)
-	plainText := make([]byte, len(cipherText))
-	cfb.XORKeyStream(plainText, cipherText)
+
+	iv := make([]byte, aes.BlockSize) // Same fixed IV as used in encryption
+
+	cfb := cipher.NewCFBDecrypter(block, iv)
+	plainText := make([]byte, len(data))
+	cfb.XORKeyStream(plainText, data)
+
 	return string(plainText), nil
 }

vault/aes_privatiser_test.go

@@ -4,10 +4,12 @@ import "testing"
 
 func TestEncrypt(t *testing.T) {
 	t.Run("Can encrypt and decrypt", func(t *testing.T) {
-		bytes := []byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 05}
 		secret := "abc&1*~#^2^#s0^=)^^7%b34"
 		val := "hello world!"
-		p := NewAESPrivatiser(bytes, secret)
+		p, err := NewAESPrivatiser(secret)
+		if err != nil {
+			t.Errorf("Error creating privatiser: %v", err)
+		}
 		encrypted, err := p.Encrypt(val)
 		if err != nil {
 			t.Errorf("Error encrypting: %v", err)

vault/vault.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/go-playground/validator/v10"
-	"golang.org/x/crypto/bcrypt"
 )
 
 type Field struct {
@@ -257,6 +256,7 @@ func (vault Vault) CreateRecord(
 
 		// Encrypt field value
 		encryptedValue, err := vault.Priv.Encrypt(fieldValue)
+
 		if err != nil {
 			return "", err
 		}
@@ -446,7 +446,8 @@ func (vault Vault) CreatePrincipal(
 		return err
 	}
 
-	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(principal.Password), bcrypt.DefaultCost)
+	// hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(principal.Password), bcrypt.DefaultCost)
+	hashedPassword, _ := vault.Priv.Encrypt(principal.Password)
 	principal.Password = string(hashedPassword)
 	principal.Id = GenerateId("prin")
 	principal.CreatedAt = time.Now()
@@ -488,7 +489,12 @@ func (vault Vault) Login(
 		return nil, &ForbiddenError{}
 	}
 
-	if err := bcrypt.CompareHashAndPassword([]byte(dbPrincipal.Password), []byte(password)); err != nil {
+	decryptedPassword, err := vault.Priv.Decrypt(dbPrincipal.Password)
+	if err != nil {
+		vault.Logger.Error(fmt.Sprintf("Error decrypting password: %s", err.Error()))
+		return nil, &ForbiddenError{}
+	}
+	if decryptedPassword != password {
 		return nil, &ForbiddenError{}
 	}
 

vault/vault_test.go

@@ -20,7 +20,7 @@ func initVault(t *testing.T) (Vault, VaultDB, Privatiser) {
 		panic(err)
 	}
 	db.Flush(ctx)
-	priv := NewAESPrivatiser([]byte{35, 46, 57, 24, 85, 35, 24, 74, 87, 35, 88, 98, 66, 32, 14, 05}, "abc&1*~#^2^#s0^=)^^7%b34")
+	priv, _ := NewAESPrivatiser("abc&1*~#^2^#s0^=)^^7%b34")
 	signer, _ := NewHMACSigner([]byte("testkey"))
 	_ = db.CreatePolicy(ctx, &Policy{
 		Id:          "root",