Add basic auth timing attack prevention

Author: AmirAbrams

https/rest/basicauth.go

@@ -15,14 +15,22 @@ func BasicAuth(admins map[string]string) gin.HandlerFunc {
 		if ok {
 			expectedHash := admins[username]
 			if len(expectedHash) > 0 {
+				// add username salt to slow down brute force password hash cracking
+				// ToDo: consider using a better password hash algorithm like Argon2i
 				hash := sha256.Sum256([]byte(username + password))
 				exHash, err := base64.StdEncoding.DecodeString(expectedHash)
 				if err == nil {
+					// To prevent timing attacks based on error length
 					hashMatch := (subtle.ConstantTimeCompare(hash[:], exHash[:]) == 1)
 					if hashMatch {
 						return
 					}
 				}
+			} else {
+				// Hash, decode and compare to prevent timing attacks based on username not found
+				hash := sha256.Sum256([]byte(username + password))
+				exHash, _ := base64.StdEncoding.DecodeString("u9cYLNDulUiPGh5vP+DY+U7Q0U5NsdznE/6CoyMcUj0=")
+				subtle.ConstantTimeCompare(hash[:], exHash[:])
 			}
 		}
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})

https/rest/router.go

@@ -41,6 +41,7 @@ var runner WebProxy
 
 // TODO: Add rate limitor
 // TODO: Add custom logging
+// TODO: Add admin username and password commands
 
 // StartWebServiceRouter is used to setup the Rest server routes
 func StartWebServiceRouter(c *settings.Configuration, d *dynamic.Dynamicd, a *AppShutdown, m string) {

util/randomrange.go

@@ -0,0 +1,13 @@
+package util
+
+import (
+	"math/rand"
+	"time"
+)
+
+func RandomUIntRange(umin, umax uint) uint {
+	rand.Seed(time.Now().UnixNano())
+	min := int(umin)
+	max := int(umax)
+	return uint(rand.Intn(max-min+1) + min)
+}