feat(password): Password hashing with bcrypt (#290)

* feat(password): add configurable password hashing with md5 and bcrypt * docs: add password hashing algorithm configuration (bcrypt/md5) * feat(password): better bcrypt fallback and minor refactoring * feat(password): handle errors in password encryption and verification * feat(password): remove password hashing algorithm configuration
2025-12-02 01:53:16 +00:00 · 2025-06-24 12:23:36 +03:00
parent aa04b225b9
commit 9d2b589faa
6 changed files with 116 additions and 15 deletions
--- a/http/controller/admin/user.go
+++ b/http/controller/admin/user.go
@@ -8,6 +8,7 @@ import (
 	adResp "github.com/lejianwen/rustdesk-api/v2/http/response/admin"
 	"github.com/lejianwen/rustdesk-api/v2/model"
 	"github.com/lejianwen/rustdesk-api/v2/service"
+	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"gorm.io/gorm"
 	"strconv"
 )
@@ -243,11 +244,10 @@ func (ct *User) ChangeCurPwd(c *gin.Context) {
 		return
 	}
 	u := service.AllService.UserService.CurUser(c)
-	// If the password is not empty, the old password is verified
-	// otherwise, the old password is not verified
+	// Verify the old password only when the account already has one set
 	if !service.AllService.UserService.IsPasswordEmptyByUser(u) {
-		oldPwd := service.AllService.UserService.EncryptPassword(f.OldPassword)
-		if u.Password != oldPwd {
+		ok, _, err := utils.VerifyPassword(u.Password, f.OldPassword)
+		if err != nil || !ok {
 			response.Fail(c, 101, response.TranslateMsg(c, "OldPasswordError"))
 			return
 		}