Hello all,

I am creating a simple licencing system to help licence my own programs and also to help others via github. I have come across a bug that I don't really understand and am asking for some advice.

I will add the client code soon. I also hope to add more advanced features.

Basically,

1. I have a server that listens on a port and hosts a login and register handler.

2. The client will send the username and password (localhost:8080/login/username-password) to the login handler.

3. The server will hash the password and check it against a local file with all the hashes stored locally on my computer.

4. The server will report back if it succeeded or failed.

When I enter the username and password, it seems as though it doesn't check the password. I can put any password and it will say success as long as I have the username right.

I appreciate all suggestions, even if they don't fix the bug.

Thanks!

Code: https://gist.github.com/seriousnerve/1830e77d3e2891b0a5b158c9fb02b37f

What I have tried:

I have tried modifying the if then statements but it seems to just completely skip over the password if statement.
Updated 10-May-18 16:40pm
Comments
Richard Deeming 11-May-18 9:57am    
There doesn't seem to be any connection between the username and password files. Any user can log in with any other user's password.
Member 13821689 11-May-18 17:50pm    
What do you recommend I do?
Richard Deeming 14-May-18 14:36pm    
Find some way to tie the password hash to the username. JSON, XML, CSV - whatever works best for you.

1 solution

You're using .contains. This is a terrible idea; if you want to be secure, check for equality. My first guess, based on you not telling us anything about your attempts to debug this code, is that HashDecoded is empty or a single character, and thus HashInfo always contains it.
 
Comments
Member 13821689 10-May-18 23:21pm    
Do you have an alternative to use instead of strings.contain?
GKP1992 11-May-18 0:01am    
As Christian Graus pointed out, rather than checking whether HashInfo contains HashDecoded, check whether HashInfo equals HashDecoded.
Member 13821689 11-May-18 17:49pm    
I don't think you understand. The HashInfo is a file that contains multiple hashes for different users. It needs to search that file to check if HashDecoded is there. Unless you have another way to store hashes. Please don't say MySQL because I hate SQL queries in Go. Hard to debug. Thanks for suggestions!
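The two problems raised in this thread (substring matching, and no link between a username and its hash), shown side by side as an added Go example that is not the poster's code. The "username,hash" store format, the use of SHA-256, and the names sampleStore, hashHex, containsCheck and verify are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample store: one "username,sha256-hex" record per line.
// SHA-256 is an assumption made for this example; a production store
// would use a salted password hash such as bcrypt or Argon2.
var sampleStore = "alice," + hashHex("correct horse") + "\n" +
	"bob," + hashHex("hunter2") + "\n"

func hashHex(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// containsCheck mirrors the behaviour described in the thread: the
// candidate hash is searched for anywhere in the file contents.
func containsCheck(store, candidateHash string) bool {
	return strings.Contains(store, candidateHash)
}

// verify finds the record for exactly this username and compares the
// stored hash with the candidate hash for equality in constant time.
func verify(store, username, password string) bool {
	candidate := []byte(hashHex(password))
	for _, line := range strings.Split(store, "\n") {
		parts := strings.SplitN(line, ",", 2)
		if len(parts) != 2 || parts[0] != username {
			continue
		}
		return subtle.ConstantTimeCompare([]byte(parts[1]), candidate) == 1
	}
	return false // unknown user
}

func main() {
	fmt.Println(containsCheck(sampleStore, ""))                 // true: the empty string is in every string
	fmt.Println(containsCheck(sampleStore, hashHex("hunter2"))) // true regardless of username
	fmt.Println(verify(sampleStore, "alice", "hunter2"))        // false: that is bob's password
	fmt.Println(verify(sampleStore, "alice", "correct horse"))  // true
}
```

A file of records can still be searched without a database; the difference is that the search key is the username and the hash is compared for equality.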

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


