feat: add optional encrypted return param to GetUser

Author: 0x0elliot

db-connector.go

@@ -15,6 +15,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"regexp"
 	"strconv"
 
 	"crypto/sha256"
@@ -5728,8 +5729,9 @@ func FindUser(ctx context.Context, username string) ([]User, error) {
 	return newUsers, nil
 }
 
-func GetUser(ctx context.Context, username string) (*User, error) {
+func GetUser(ctx context.Context, username string, returnEncrypted ...bool) (*User, error) {
 	curUser := &User{}
+	uuidRegex := regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
 
 	parsedKey := strings.ToLower(username)
 	cacheKey := fmt.Sprintf("user_%s", parsedKey)
@@ -5739,6 +5741,21 @@ func GetUser(ctx context.Context, username string) (*User, error) {
 			cacheData := []byte(cache.([]uint8))
 			err = json.Unmarshal(cacheData, &curUser)
 			if err == nil {
+				// uuid or not
+				if len(returnEncrypted) == 0 || !returnEncrypted[0] {
+					if len(curUser.ApiKey) > 0 && !uuidRegex.MatchString(curUser.ApiKey) {
+						decryptedApiKey, decErr := HandleKeyDecryption([]byte(curUser.ApiKey), "apikey")
+						if decErr == nil {
+							curUser.ApiKey = string(decryptedApiKey)
+						}
+					}
+					if len(curUser.Session) > 0 && !uuidRegex.MatchString(curUser.Session) {
+						decryptedSession, decErr := HandleKeyDecryption([]byte(curUser.Session), "session")
+						if decErr == nil {
+							curUser.Session = string(decryptedSession)
+						}
+					}
+				}
 				return curUser, nil
 			}
 		} else {
@@ -5805,6 +5822,19 @@ func GetUser(ctx context.Context, username string) (*User, error) {
 		data, err := json.Marshal(curUser)
 		if err != nil {
 			log.Printf("[WARNING] Failed marshalling user: %s", err)
+			// uuid check
+			if len(returnEncrypted) == 0 || !returnEncrypted[0] {
+				if len(curUser.ApiKey) > 0 && !uuidRegex.MatchString(curUser.ApiKey) {
+					if decrypted, decErr := HandleKeyDecryption([]byte(curUser.ApiKey), "apikey"); decErr == nil {
+						curUser.ApiKey = string(decrypted)
+					}
+				}
+				if len(curUser.Session) > 0 && !uuidRegex.MatchString(curUser.Session) {
+					if decrypted, decErr := HandleKeyDecryption([]byte(curUser.Session), "session"); decErr == nil {
+						curUser.Session = string(decrypted)
+					}
+				}
+			}
 			return curUser, nil
 		}
 
@@ -5814,6 +5844,21 @@ func GetUser(ctx context.Context, username string) (*User, error) {
 		}
 	}
 
+	if len(returnEncrypted) == 0 || !returnEncrypted[0] {
+		if len(curUser.ApiKey) > 0 && !uuidRegex.MatchString(curUser.ApiKey) {
+			decryptedApiKey, err := HandleKeyDecryption([]byte(curUser.ApiKey), "apikey")
+			if err == nil {
+				curUser.ApiKey = string(decryptedApiKey)
+			}
+		}
+		if len(curUser.Session) > 0 && !uuidRegex.MatchString(curUser.Session) {
+			decryptedSession, err := HandleKeyDecryption([]byte(curUser.Session), "session")
+			if err == nil {
+				curUser.Session = string(decryptedSession)
+			}
+		}
+	}
+
 	return curUser, nil
 }
 

shared.go

@@ -3562,10 +3562,22 @@ func HandleApiAuthentication(resp http.ResponseWriter, request *http.Request) (U
 
 		uuidRegex := regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
 
-		// Encrypt API key if it's plain UUID
-		if uuidRegex.MatchString(user.ApiKey) {
-			log.Printf("[AUDIT] API key is a UUID: %s", user.ApiKey)
+		// since GetSessionNew returns encrypted values
+		plainApiKey := user.ApiKey
+		if len(plainApiKey) > 0 && !uuidRegex.MatchString(plainApiKey) {
+			if decrypted, err := HandleKeyDecryption([]byte(plainApiKey), "apikey"); err == nil {
+				plainApiKey = string(decrypted)
+			}
+		}
+		plainSession := user.Session
+		if len(plainSession) > 0 && !uuidRegex.MatchString(plainSession) {
+			if decrypted, err := HandleKeyDecryption([]byte(plainSession), "session"); err == nil {
+				plainSession = string(decrypted)
+			}
+		}
 
+		// save encrypted to just db
+		if uuidRegex.MatchString(user.ApiKey) {
 			encryptedKey, err := HandleKeyEncryption([]byte(user.ApiKey), "apikey", true)
 			if err == nil {
 				user.ApiKey = string(encryptedKey)
@@ -3574,19 +3586,19 @@ func HandleApiAuthentication(resp http.ResponseWriter, request *http.Request) (U
 			}
 		}
 
-		// Encrypt session if matched on plain
 		if user.Session == sessionToken && uuidRegex.MatchString(sessionToken) {
-			log.Printf("[AUDIT] Encrypting session")
 			encryptedSession, err := HandleKeyEncryption([]byte(sessionToken), "session", true)
 			if err == nil {
 				user.Session = string(encryptedSession)
 				SetSession(ctx, user, user.Session)
-			} else {
-				log.Printf("[ERROR] Failed to encrypt session: %v", err)
 			}
 		}
 
-		// Means session exists, but
+		// we use user.Apikey throughout the codebase
+		// from the returned function value. Trying to keep the usage consistent.
+		user.ApiKey = plainApiKey
+		user.Session = plainSession
+
 		return user, nil
 	}