SECURITY: store hashed session tokens

2025-10-29 09:15:33 +00:00 · 2025-05-29 03:20:35 +02:00
parent e0bb939764
commit 0d0918fb5d
4 changed files with 19 additions and 7 deletions
--- a/dbmodels/session_generation.go
+++ b/dbmodels/session_generation.go
@@ -2,7 +2,9 @@ package dbmodels

 import (
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"time"

@@ -14,6 +16,13 @@ const (
 	secureTokenByteLength = 64
 )

+func HashStringSHA256(data string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(data))
+	hashedBytes := hasher.Sum(nil)
+	return hex.EncodeToString(hashedBytes)
+}
+
 func generateSecureRandomToken(length int) (string, error) {
 	if length <= 0 {
 		length = secureTokenByteLength
@@ -55,7 +64,8 @@ func CreateSessionToken(
 	session := NewSession(record)

 	// Set required fields with hashed tokens
-	session.SetToken(sessionTokenClear)
+	session.SessionTokenClear = sessionTokenClear
+	session.SetToken(HashStringSHA256(sessionTokenClear))
 	session.SetCSRF(csrfTokenClear)
 	session.SetUser(userID)

@@ -67,7 +77,7 @@ func CreateSessionToken(
 	session.SetLastAccess(types.NowDateTime())
 	session.SetUserAgent(userAgent)
 	session.SetIP(ipAddress)
-	session.SetStatus(TOKEN_STATUS_VALUES[0]) // Active
+	session.SetStatus(TOKEN_STATUS_VALUES[0])

 	if errSave := app.Save(session); errSave != nil {
 		app.Logger().Error("Failed to save session token record", "error", errSave, "userID", userID)
--- a/dbmodels/sessions.go
+++ b/dbmodels/sessions.go
@@ -26,6 +26,7 @@ func (s *FixedSession) IsExpired() bool {
 var _ core.RecordProxy = (*Place)(nil)

 type Session struct {
+	SessionTokenClear string `json:"-"`
 	core.BaseRecordProxy
 }