More secure handling for download password, better rate limiting

Author: Forceu

internal/webserver/Webserver.go

@@ -37,6 +37,7 @@ import (
 	"github.com/forceu/gokapi/internal/storage/presign"
 	"github.com/forceu/gokapi/internal/webserver/api"
 	"github.com/forceu/gokapi/internal/webserver/authentication"
+	"github.com/forceu/gokapi/internal/webserver/authentication/downloadPasswordToken"
 	"github.com/forceu/gokapi/internal/webserver/authentication/oauth"
 	"github.com/forceu/gokapi/internal/webserver/authentication/sessionmanager"
 	"github.com/forceu/gokapi/internal/webserver/authentication/tokengeneration"
@@ -579,26 +580,32 @@ func showDownload(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if file.PasswordHash != "" {
+	if file.PasswordHash != "" && !isValidPwCookie(r, file) {
 		_ = r.ParseForm()
 		enteredPassword := r.PostForm.Get("password")
-		if configuration.HashPassword(enteredPassword, true) != file.PasswordHash && !isValidPwCookie(r, file) {
-			if enteredPassword != "" {
-				view.IsFailedLogin = true
-				time.Sleep(1 * time.Second)
-			}
+		if enteredPassword == "" {
 			view.IsPasswordView = true
 			err := templateFolder.ExecuteTemplate(w, "download_password", view)
 			helper.CheckIgnoreTimeout(err)
 			return
 		}
-		if !isValidPwCookie(r, file) {
+
+		ip := logging.GetIpAddress(r)
+		ratelimiter.WaitOnDownloadPassword(ip)
+
+		if configuration.HashPassword(enteredPassword, true) == file.PasswordHash {
 			writeFilePwCookie(w, file)
 			// redirect so that there is no post data to be resent if user refreshes page
 			redirect(w, "d?id="+file.Id)
 			return
 		}
+		view.IsFailedLogin = true
+		view.IsPasswordView = true
+		err := templateFolder.ExecuteTemplate(w, "download_password", view)
+		helper.CheckIgnoreTimeout(err)
+		return
 	}
+
 	err := templateFolder.ExecuteTemplate(w, "download", view)
 	helper.CheckIgnoreTimeout(err)
 }
@@ -1095,23 +1102,21 @@ func newAdminButtonContext(file models.FileApiOutput, user models.User) adminBut
 // Write a cookie if the user has entered a correct password for a password-protected file
 func writeFilePwCookie(w http.ResponseWriter, file models.File) {
 	http.SetCookie(w, &http.Cookie{
-		Name:    "p" + file.Id,
-		Value:   file.PasswordHash,
-		Expires: time.Now().Add(5 * time.Minute),
+		Name:     "p" + file.Id,
+		Value:    downloadPasswordToken.Generate(file.Id),
+		Expires:  time.Now().Add(5 * time.Minute),
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
 	})
 }
 
-// Checks if a cookie contains the correct password hash for a password-protected file
-// If incorrect, a 3-second delay is introduced unless the cookie was empty.
+// Checks if a cookie contains the correct token for a password-protected file
 func isValidPwCookie(r *http.Request, file models.File) bool {
 	cookie, err := r.Cookie("p" + file.Id)
-	if err == nil {
-		if cookie.Value == file.PasswordHash {
-			return true
-		}
-		time.Sleep(3 * time.Second)
+	if err != nil {
+		return false
 	}
-	return false
+	return downloadPasswordToken.IsValid(cookie.Value, file.Id)
 }
 
 // Adds a header to disable external caching

internal/webserver/authentication/downloadPasswordToken/DownloadPasswordToken.go

@@ -0,0 +1,66 @@
+package downloadPasswordToken
+
+import (
+	"sync"
+	"time"
+
+	"github.com/forceu/gokapi/internal/helper"
+)
+
+var tokens = make(map[string]pwToken)
+var mutex sync.Mutex
+var cleanupOnce sync.Once
+
+type pwToken struct {
+	FileId string
+	Expiry int64
+}
+
+const ttl = 5 * time.Minute
+
+func Generate(fileId string) string {
+	token := helper.GenerateRandomString(60)
+	mutex.Lock()
+	tokens[token] = pwToken{
+		FileId: fileId,
+		Expiry: time.Now().Add(ttl).Unix(),
+	}
+	mutex.Unlock()
+
+	cleanupOnce.Do(func() {
+		go cleanup(true)
+	})
+	return token
+}
+
+func IsValid(tokenId, fileId string) bool {
+	mutex.Lock()
+	defer mutex.Unlock()
+	token, ok := tokens[tokenId]
+	if !ok {
+		return false
+	}
+	if token.FileId != fileId {
+		return false
+	}
+	if token.Expiry < time.Now().Unix() {
+		delete(tokens, tokenId)
+		return false
+	}
+	return true
+}
+
+func cleanup(periodic bool) {
+	mutex.Lock()
+	for tokenId, token := range tokens {
+		if token.Expiry < time.Now().Unix() {
+			delete(tokens, tokenId)
+		}
+	}
+	mutex.Unlock()
+	if periodic {
+		time.Sleep(time.Hour)
+		go cleanup(true)
+	}
+
+}

internal/webserver/ratelimiter/RateLimiter.go

@@ -13,6 +13,7 @@ import (
 var newUuidLimiter = newLimiter()
 var failedLoginLimiter = newLimiter()
 var failedIdLimiter = newLimiter()
+var failedDownloadPasswordLimiter = newLimiter()
 
 type limiterEntry struct {
 	limiter  *rate.Limiter
@@ -37,6 +38,12 @@ func WaitOnLogin(ip string) {
 	_ = failedLoginLimiter.Get(ip, 1, 9).WaitN(context.Background(), 3)
 }
 
+// WaitOnDownloadPassword blocks the current goroutine until the rate limiter allows a request
+// Ten attempts without limiting, thereafter one attempt every 2 seconds
+func WaitOnDownloadPassword(ip string) {
+	_ = failedLoginLimiter.Get(ip, 1, 20).WaitN(context.Background(), 2)
+}
+
 // WaitOnFailedId blocks the current goroutine until the rate limiter allows a request
 // Ten failed attempts without limiting, thereafter one attempt every second
 func WaitOnFailedId(r *http.Request) {