Replace SHA256 with BCrypt for hashed passwords

Author: proofrock

ROAD_TO_WS4SQL.md

@@ -8,11 +8,12 @@ The version in this branch is a work in progress to add features and (unfortunat
 
 - SQLite is embedded via [mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) and CGO. Should be way faster.
 - Support for DuckDB (see below).
-- Target platforms (because of CGO) are now 4 (`win/amd64`, `macos/arm64`, `linux/amd64`, `linux/arm64`).
-  - For Docker, `linux/amd64` and `linux/arm64`.
 - [**BREAKING CHANGE**] When running the app, the config files must be specified on the command line, the file paths cannot be used anymore (there). This is described in the "Migration" section below. The file path is in the config file.
-- The only exception is a "simple case" to serve a file path without any config. This can be done with the new `--quick-db` parameter.
+  - The only exception is a "simple case" to serve a file path without any config. This can be done with the new `--quick-db` parameter.
+- [**BREAKING CHANGE**] Hashed passwords in auth config must now be hashed with BCrypt, not SHA256.
 - Fail fast if the request is empty, don't even attempt to authenticate.
+- Target platforms (because of CGO) are now 4 (`win/amd64`, `macos/arm64`, `linux/amd64`, `linux/arm64`).
+  - For Docker, `linux/amd64` and `linux/arm64`.
 - Docker images are now based on `distroless/static-debian12`.
 - Docker images are now hosted on Github's Container Registry.
 
@@ -30,6 +31,8 @@ database:
   readOnly: false       # Same as before, but moved here.
 ```
 
+- For any hashed password previously specified in an `auth` block, the hash must be BCrypt, not SHA256.
+
 ## Specific to DuckDB
 
 - `noFail` is not supported.

src/authentication.go

@@ -19,23 +19,33 @@ package main
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
 	"database/sql"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"strings"
 
 	mllog "github.com/proofrock/go-mylittlelogger"
 	"github.com/proofrock/ws4sql/structs"
 	"github.com/proofrock/ws4sql/utils"
+	"golang.org/x/crypto/bcrypt"
 )
 
 const (
 	authModeInline = "INLINE"
 	authModeHttp   = "HTTP"
 )
 
+// Finds the user in the credentials
+func findCred(db *structs.Db, user string) *structs.CredentialsCfg {
+	for i := range db.Auth.ByCredentials {
+		cred := &db.Auth.ByCredentials[i] // don't want to copy the struct
+		if cred.User == user {
+			return cred
+		}
+	}
+	return nil
+}
+
 // Checks auth. If auth is granted, returns nil, if not an error.
 // Version with explicit credentials, called by the authentication
 // middleware and by the "other" auth function, that accepts
@@ -55,13 +65,25 @@ func applyAuthCreds(db *structs.Db, user, password string) error {
 			return nil
 		}
 	} else {
-		passedSHA := sha256.Sum256([]byte(password))
-		expectedSHA, ok := db.Auth.HashedCreds[user]
-		if !ok || !bytes.Equal(expectedSHA, passedSHA[:]) {
+		cred := findCred(db, user) // O(n) but n is small
+		if cred == nil {
 			return errors.New("wrong credentials")
 		}
+		cachedPwd := cred.ClearTextPassword.Load()
+		pwdBytes := []byte(password)
+		if cachedPwd != nil {
+			if bytes.Equal(pwdBytes, cachedPwd.([]byte)) {
+				return nil
+			} else {
+				return errors.New("wrong credentials")
+			}
+		}
+		if bcrypt.CompareHashAndPassword([]byte(cred.HashedPassword), []byte(password)) == nil {
+			cred.ClearTextPassword.Store(pwdBytes)
+			return nil
+		}
+		return errors.New("wrong credentials")
 	}
-	return nil
 }
 
 // Checks auth. If auth is granted, returns nil, if not an error.
@@ -92,30 +114,23 @@ func parseAuth(db *structs.Db) {
 		}
 		mllog.StdOut("  + Authentication enabled, with query")
 	} else {
-		(*db).Auth.HashedCreds = make(map[string][]byte)
 		for i := range auth.ByCredentials {
-			if auth.ByCredentials[i].User == "" {
+			cred := &auth.ByCredentials[i] // don't want to copy the struct
+			if cred.User == "" {
 				mllog.Fatal("no user for credential")
 			}
-			var b []byte
-			if (auth.ByCredentials[i].HashedPassword == "") == (auth.ByCredentials[i].Password == "") {
+			if (cred.HashedPassword == "") == (cred.Password == "") {
 				mllog.Fatal("one and only one of 'password' and 'hashedPassword' must be specified")
 			}
-			// Converts all the password to hashes, if they weren't passed as hashes in the
-			// first place. For uniformity and (vaguely) security.
-			if auth.ByCredentials[i].HashedPassword != "" {
-				var err error
-				b, err = hex.DecodeString(auth.ByCredentials[i].HashedPassword)
-				if err != nil || len(b) != 32 {
-					mllog.Fatalf("for db '%s', hashedPassword doesn't seem to be SHA256/hex.", *db.DatabaseDef.Id)
-				}
-			} else {
-				bytes32 := sha256.Sum256([]byte(auth.ByCredentials[i].Password))
-				b = bytes32[:]
+			// Populates the cleartext password cache, so that there is only one
+			// point where the password is stored in clear text.
+			// If the password is specified as a BCrypt hash, it will be cached
+			// when the BCrypt "puzzle" is solved for the first time.
+			if cred.Password != "" {
+				cred.ClearTextPassword.Store([]byte(cred.Password))
 			}
-			(*db).Auth.HashedCreds[auth.ByCredentials[i].User] = b
 		}
-		mllog.StdOutf("  + Authentication enabled, with %d credentials", len((*db).Auth.HashedCreds))
+		mllog.StdOutf("  + Authentication enabled, with %d credentials", len(auth.ByCredentials))
 	}
 
 	if auth.CustomErrorCode != nil {

src/authentication_test.go

@@ -51,7 +51,7 @@ func TestSetupAuthCreds(t *testing.T) {
 					Path:           utils.Ptr("../test/test1.db"),
 					DisableWALMode: utils.Ptr(true),
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode: "INLINE",
 					ByCredentials: []structs.CredentialsCfg{
 						{
@@ -60,7 +60,7 @@ func TestSetupAuthCreds(t *testing.T) {
 						},
 						{
 							User:           "paolo",
-							HashedPassword: "b133a0c0e9bee3be20163d2ad31d6248db292aa6dcb1ee087a2aa50e0fc75ae2", // "ciao"
+							HashedPassword: "$2a$10$r4UdAVQ9SroqwTEX3tGCDO3coSFQSEp7QINiSwYb5ARhD7wkTPYtS", // "ciao"
 						},
 					},
 				},
@@ -75,7 +75,7 @@ func TestSetupAuthCreds(t *testing.T) {
 					"CREATE TABLE AUTH (USER TEXT PRIMARY KEY, PASS TEXT)",
 					"INSERT INTO AUTH VALUES ('_pietro', 'hey'), ('_paolo', 'ciao')",
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode:    "inline", // check if case insensitive
 					ByQuery: "SELECT 1 FROM AUTH WHERE USER = :user AND PASS = :password",
 				},
@@ -224,6 +224,14 @@ func TestAuthWithCreds2(t *testing.T) {
 		t.Errorf("did not succeed, but should have: %s", body)
 		return
 	}
+
+	// Second time it should use the cached password
+	code, body, _ = call("test1", req, t)
+
+	if code != 200 {
+		t.Errorf("did not succeed, but should have: %s", body)
+		return
+	}
 }
 
 func TestNoAuthWithQuery1(t *testing.T) {
@@ -336,7 +344,7 @@ func TestBASetupAuthCreds(t *testing.T) {
 					Path:           utils.Ptr("../test/test1.db"),
 					DisableWALMode: utils.Ptr(true),
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode: "HTTP",
 					ByCredentials: []structs.CredentialsCfg{
 						{
@@ -345,7 +353,7 @@ func TestBASetupAuthCreds(t *testing.T) {
 						},
 						{
 							User:           "paolo",
-							HashedPassword: "b133a0c0e9bee3be20163d2ad31d6248db292aa6dcb1ee087a2aa50e0fc75ae2", // "ciao"
+							HashedPassword: "$2a$10$r4UdAVQ9SroqwTEX3tGCDO3coSFQSEp7QINiSwYb5ARhD7wkTPYtS", // "ciao"
 						},
 					},
 				},
@@ -360,7 +368,7 @@ func TestBASetupAuthCreds(t *testing.T) {
 					"CREATE TABLE AUTH (USER TEXT PRIMARY KEY, PASS TEXT)",
 					"INSERT INTO AUTH VALUES ('_pietro', 'hey'), ('_paolo', 'ciao')",
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode:    "http", // check if case insensitive
 					ByQuery: "SELECT 1 FROM AUTH WHERE USER = :user AND PASS = :password",
 				},
@@ -567,7 +575,7 @@ func TestCustomCodeSetup(t *testing.T) {
 					Path:           utils.Ptr("../test/test1.db"),
 					DisableWALMode: utils.Ptr(true),
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode:            "HTTP",
 					CustomErrorCode: &errCode,
 					ByCredentials: []structs.CredentialsCfg{
@@ -577,7 +585,7 @@ func TestCustomCodeSetup(t *testing.T) {
 						},
 						{
 							User:           "paolo",
-							HashedPassword: "b133a0c0e9bee3be20163d2ad31d6248db292aa6dcb1ee087a2aa50e0fc75ae2", // "ciao"
+							HashedPassword: "$2a$10$r4UdAVQ9SroqwTEX3tGCDO3coSFQSEp7QINiSwYb5ARhD7wkTPYtS", // "ciao"
 						},
 					},
 				},
@@ -592,7 +600,7 @@ func TestCustomCodeSetup(t *testing.T) {
 					"CREATE TABLE AUTH (USER TEXT PRIMARY KEY, PASS TEXT)",
 					"INSERT INTO AUTH VALUES ('_pietro', 'hey'), ('_paolo', 'ciao')",
 				},
-				Auth: &structs.Authr{
+				Auth: &structs.Auth{
 					Mode:            "inline", // check if case insensitive
 					CustomErrorCode: &errCode,
 					ByQuery:         "SELECT 1 FROM AUTH WHERE USER = :user AND PASS = :password",

src/go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/proofrock/go-mylittlelogger v0.4.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/wI2L/jettison v0.7.4
+	golang.org/x/crypto v0.33.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 

src/go.sum

@@ -89,12 +89,14 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c h1:KL/ZBHXgKGVmuZBZ01Lt57yE5ws8ZPSkkihmEyq7FXc=
-golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4=
+golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

src/structs/configFile.go

@@ -19,6 +19,7 @@ package structs
 import (
 	"database/sql"
 	"sync"
+	"sync/atomic"
 )
 
 // These are for parsing the config file (from YAML)
@@ -39,14 +40,17 @@ type CredentialsCfg struct {
 	User           string `yaml:"user"`
 	Password       string `yaml:"password"`
 	HashedPassword string `yaml:"hashedPassword"`
+	// This is a cache: it's the Password if specified in cleartext, or
+	// gets populated with the cleartext password when the hashed one is
+	// checked.
+	ClearTextPassword atomic.Value
 }
 
-type Authr struct {
+type Auth struct {
 	Mode            string           `yaml:"mode"` // 'INLINE' or 'HTTP'
 	CustomErrorCode *int             `yaml:"customErrorCode"`
 	ByQuery         string           `yaml:"byQuery"`
 	ByCredentials   []CredentialsCfg `yaml:"byCredentials"`
-	HashedCreds     map[string][]byte
 }
 
 type StoredStatement struct {
@@ -66,7 +70,7 @@ type DatabaseDef struct {
 type Db struct {
 	ConfigFilePath          string
 	DatabaseDef             DatabaseDef       `yaml:"database"`
-	Auth                    *Authr            `yaml:"auth"`
+	Auth                    *Auth             `yaml:"auth"`
 	CORSOrigin              string            `yaml:"corsOrigin"`
 	UseOnlyStoredStatements bool              `yaml:"useOnlyStoredStatements"`
 	Maintenance             *ScheduledTask    `yaml:"maintenance"`