From b19a2b9a662fc8036fb1483c1efba9142ad30f6b Mon Sep 17 00:00:00 2001
From: elraphty
Date: Fri, 5 Apr 2024 16:59:01 +0100
Subject: [PATCH 1/2] added mutex lock on Ask function to avoid race condition

---
 db/store.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/db/store.go b/db/store.go
index f27874682..924ff0eb5 100644
--- a/db/store.go
+++ b/db/store.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"strconv"
+	"sync"
 	"time"
 
 	"github.com/go-chi/chi"
@@ -132,9 +133,12 @@ func (s StoreData) GetChallengeCache(key string) (string, error) {
 }
 
 func Ask(w http.ResponseWriter, r *http.Request) {
+	var m sync.Mutex
+	m.Lock()
+
 	ts := strconv.Itoa(int(time.Now().Unix()))
 	h := []byte(ts)
-	// h := blake2b.Sum256([]byte(ts))
+
 	challenge := base64.URLEncoding.EncodeToString(h[:])
 	Store.SetChallengeCache(challenge, ts)
 
@@ -144,6 +148,8 @@ func Ask(w http.ResponseWriter, r *http.Request) {
 		"challenge": challenge,
 		"ts": ts,
 	})
+
+	m.Unlock()
 }
 
 type VerifyPayload struct {

From b780c61d533dd0ed74e24a027477b5db75d7579a Mon Sep 17 00:00:00 2001
From: elraphty
Date: Fri, 5 Apr 2024 18:13:14 +0100
Subject: [PATCH 2/2] changed sign in challenge generation to uuid

---
 db/db.go | 6 +++---
 db/store.go | 7 ++-----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/db/db.go b/db/db.go
index fb79a6919..cdc056d8b 100644
--- a/db/db.go
+++ b/db/db.go
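Review bot: The mutex introduced at the top of Ask is declared inside the function body (`var m sync.Mutex`), so every request locks its own fresh mutex and nothing is serialized across concurrent calls; the race named in the commit subject is not addressed by this hunk. If the goal is to stop two requests from minting the same challenge, the lock has to live at package level, e.g. `var askMu sync.Mutex` outside the function and `askMu.Lock(); defer askMu.Unlock()` in place of the two added lines — but even then two calls in the same second produce the same `ts` and hence the same `challenge`, because the challenge is only the base64 of the Unix timestamp and is computable by anyone with a clock. A sign-in challenge the client is expected to sign should be drawn from `crypto/rand`, not derived from the time. Ask's body continues past this hunk.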
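Review bot: `m.Unlock()` is added as the last statement after the `Encode` call, so a panic inside the encoder or any early return added later leaves the mutex held; the Go idiom is `defer m.Unlock()` placed directly after `m.Lock()` at the top of Ask (which is outside this hunk), making this trailing block unnecessary. The function's start lies outside the hunk.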
@@ -1778,13 +1778,13 @@ func (db database) GetOrganizationStatusBudget(org_uuid string) StatusBudget {
 	orgBudget := db.GetOrganizationBudget(org_uuid)
 
 	var openBudget uint
-	db.db.Model(&Bounty{}).Where("assignee = '' ").Select("SUM(price)").Row().Scan(&openBudget)
+	db.db.Model(&Bounty{}).Where("assignee = '' ").Where("paid != true").Select("SUM(price)").Row().Scan(&openBudget)
 
 	var assignedBudget uint
-	db.db.Model(&Bounty{}).Where("assignee != '' ").Select("SUM(price)").Row().Scan(&assignedBudget)
+	db.db.Model(&Bounty{}).Where("assignee != '' ").Where("paid != true").Select("SUM(price)").Row().Scan(&assignedBudget)
 
 	var completedBudget uint
-	db.db.Model(&Bounty{}).Where("completed = true ").Select("SUM(price)").Row().Scan(&completedBudget)
+	db.db.Model(&Bounty{}).Where("completed = true ").Where("paid != true").Select("SUM(price)").Row().Scan(&completedBudget)
 
 	statusBudget := StatusBudget{
 		OrgUuid: org_uuid,
diff --git a/db/store.go b/db/store.go
index 924ff0eb5..b9461af5e 100644
--- a/db/store.go
+++ b/db/store.go
@@ -1,7 +1,6 @@
 package db
 
 import (
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -13,6 +12,7 @@ import (
 
 	"github.com/go-chi/chi"
 	"github.com/patrickmn/go-cache"
+	"github.com/rs/xid"
 	"github.com/stakwork/sphinx-tribes/auth"
 	"github.com/stakwork/sphinx-tribes/config"
 )
@@ -137,9 +137,7 @@ func Ask(w http.ResponseWriter, r *http.Request) {
 	m.Lock()
 
 	ts := strconv.Itoa(int(time.Now().Unix()))
-	h := []byte(ts)
-
-	challenge := base64.URLEncoding.EncodeToString(h[:])
+	challenge := xid.New().String()
 	Store.SetChallengeCache(challenge, ts)
 
 
@@ -148,7 +146,6 @@ func Ask(w http.ResponseWriter, r *http.Request) {
 		"challenge": challenge,
 		"ts": ts,
 	})
-
 	m.Unlock()
 }
 
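Review bot: The `Where("paid != true")` clause appended to all three rewritten queries drops every row whose `paid` column is NULL, since in standard SQL `NULL != true` evaluates to NULL and fails the filter; if `paid` is nullable in the Bounty schema (not visible here), unpaid bounties with an unset flag disappear from every total. `Where("paid IS NOT TRUE")` keeps them, or `Where("paid = false")` if the column is declared NOT NULL with a default. Separately, none of the three queries constrains `org_uuid` even though the function takes one, so the sums appear to span all organizations unless a scope is applied elsewhere, and each `Scan` error is discarded, so a failing query (or a NULL `SUM(price)` over zero rows scanned into a `uint`) silently reports 0. GetOrganizationStatusBudget starts and ends outside the hunk.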
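Review bot: `xid.New().String()` is not a suitable sign-in challenge: an xid is built from a timestamp, a machine id, the pid and an incrementing counter, so it is unique but predictable, and it is not the UUID the commit subject describes either. A value the client is asked to sign should be unguessable — read 32 bytes from `crypto/rand`, encode them with `base64.RawURLEncoding` (which means the `encoding/base64` import dropped earlier in this patch would stay), and fail the request if the random source errors; the early return below is safe only if the unlock is deferred rather than left at the end of the function. The mutex around the generation also remains function-local (`m` is declared in Ask, above this hunk), so it still serializes nothing across requests. Ask begins and continues outside the hunk.
```go
	// … unchanged: m.Lock() / ts := … …
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		http.Error(w, "could not generate challenge", http.StatusInternalServerError)
		return
	}
	challenge := base64.RawURLEncoding.EncodeToString(buf)
	Store.SetChallengeCache(challenge, ts)
```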