From 35d069654013e50f76d8033d7e3892b8470fa194 Mon Sep 17 00:00:00 2001
From: Robert Goldmann <deadlocker@gmx.de>
Date: Wed, 26 Apr 2017 19:38:27 +0200
Subject: [PATCH] Fixed #86 - hash password in client settings.json
---
 src/de/deadlocker8/budgetmaster/logic/Helpers.java | 1 +
 src/de/deadlocker8/budgetmaster/ui/SettingsController.java | 6 ++++--
 .../deadlocker8/budgetmasterserver/server/SparkServer.java | 4 +++-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/de/deadlocker8/budgetmaster/logic/Helpers.java b/src/de/deadlocker8/budgetmaster/logic/Helpers.java
index a3761e796..46cbd7e69 100644
--- a/src/de/deadlocker8/budgetmaster/logic/Helpers.java
+++ b/src/de/deadlocker8/budgetmaster/logic/Helpers.java
@@ -9,6 +9,7 @@ import java.time.format.DateTimeFormatter;
 public class Helpers
 {
 public static final DecimalFormat NUMBER_FORMAT = new DecimalFormat("0.00");
+ public static final String SALT = "ny9/Y+G|WrJ,82|oIYQQ X %i-sq#4,uA-qKPtwFPnw+s(k2`rV)^-a1|t{D3Z>S";
 public static String getURLEncodedString(String input)
 {
diff --git a/src/de/deadlocker8/budgetmaster/ui/SettingsController.java b/src/de/deadlocker8/budgetmaster/ui/SettingsController.java
index c477c8574..b59ac2ded 100644
--- a/src/de/deadlocker8/budgetmaster/ui/SettingsController.java
+++ b/src/de/deadlocker8/budgetmaster/ui/SettingsController.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Optional;
+import de.deadlocker8.budgetmaster.logic.Helpers;
 import de.deadlocker8.budgetmaster.logic.ServerConnection;
 import de.deadlocker8.budgetmaster.logic.Settings;
 import de.deadlocker8.budgetmaster.logic.Utils;
@@ -27,6 +28,7 @@ import logger.Logger;
 import tools.AlertGenerator;
 import tools.BASE58Type;
 import tools.ConvertTo;
+import tools.HashUtils;
 import tools.RandomCreations;
 import tools.Worker;
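Review bot: `Helpers.SALT` is a compile-time constant in a class that SparkServer.java also imports, so it is a fixed public pepper rather than a salt: every installation derives the same hash for the same secret, and anyone holding the jar has the value, which only defeats generic precomputed tables. The field carries no comment, yet the server-side comparison in this same commit depends on both sides hashing with exactly this value, so a later edit to it would silently invalidate every existing settings.json. Add above the field: `// Fixed, public salt shared with SparkServer: client and server must hash the secret with the same value. It is not secret (it ships in the jar), so it only prevents reuse of generic precomputed tables; changing it invalidates stored secrets.` If HashUtils.hash is a plain digest rather than a slow KDF, that choice is worth recording there as well. The Helpers class body continues outside the hunk.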
@@ -128,7 +130,7 @@ public class SettingsController
 if(controller.getSettings() != null)
 {
 controller.getSettings().setUrl(url);
- controller.getSettings().setSecret(secret);
+ controller.getSettings().setSecret(HashUtils.hash(secret, Helpers.SALT));
 controller.getSettings().setCurrency(currency);
 controller.getSettings().setRestActivated(radioButtonRestActivated.isSelected());
 controller.getSettings().setTrustedHosts(trustedHosts);
@@ -137,7 +139,7 @@ public class SettingsController
 {
 Settings settings = new Settings();
 settings.setUrl(url);
- settings.setSecret(secret);
+ settings.setSecret(HashUtils.hash(secret, Helpers.SALT));
 settings.setCurrency(currency);
 settings.setRestActivated(radioButtonRestActivated.isSelected());
 settings.setTrustedHosts(trustedHosts);
diff --git a/src/de/deadlocker8/budgetmasterserver/server/SparkServer.java b/src/de/deadlocker8/budgetmasterserver/server/SparkServer.java
index 62aea0bf8..0b47774b2 100644
--- a/src/de/deadlocker8/budgetmasterserver/server/SparkServer.java
+++ b/src/de/deadlocker8/budgetmasterserver/server/SparkServer.java
@@ -17,6 +17,7 @@ import org.joda.time.DateTime;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import de.deadlocker8.budgetmaster.logic.Helpers;
 import de.deadlocker8.budgetmasterserver.main.DatabaseHandler;
 import de.deadlocker8.budgetmasterserver.main.Settings;
 import de.deadlocker8.budgetmasterserver.server.category.CategoryAdd;
@@ -39,6 +40,7 @@ import de.deadlocker8.budgetmasterserver.server.updater.RepeatingPaymentUpdater;
 import logger.Logger;
 import spark.Spark;
 import spark.route.RouteOverview;
+import tools.HashUtils;
 public class SparkServer
 {
@@ -78,7 +80,7 @@ public class SparkServer
 String clientSecret = request.queryMap("secret").value();
- if(clientSecret == null || !clientSecret.equals(settings.getServerSecret()))
+ if(clientSecret == null || !clientSecret.equals(HashUtils.hash(settings.getServerSecret(), Helpers.SALT)))
 {
 halt(401, "Unauthorized");
 }
--
GitLab
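Review bot: The hashed value stored by the new `setSecret(HashUtils.hash(secret, Helpers.SALT))` line is exactly the string the server now accepts (the SparkServer hunk compares the incoming `secret` parameter against the same hash), so settings.json still holds a password-equivalent credential: anyone who can read the file can authenticate, and the hashing mainly hides the original password rather than protecting the account. There is also a re-hashing risk: `secret` comes from the settings form, and if that form is pre-filled from `controller.getSettings().getSecret()` — which now contains the hash — re-saving the dialog would store hash(hash(secret)) and lock the client out; the form population is not visible in the hunk, so please confirm. One robust option is to hash only when the field differs from what is already stored, e.g. `String stored = controller.getSettings().getSecret(); controller.getSettings().setSecret(secret.equals(stored) ? stored : HashUtils.hash(secret, Helpers.SALT));`, and to apply the same guard in the second hunk. The enclosing method starts and ends outside the hunk.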
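Review bot: `clientSecret.equals(...)` on the new line in the `@@ -78,7 +80,7 @@` hunk is a short-circuiting string compare, so response time leaks how many leading characters of the presented value match; use `MessageDigest.isEqual(clientSecret.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8))` instead. The expected value `HashUtils.hash(settings.getServerSecret(), Helpers.SALT)` does not vary per request, so compute it once (a field initialised at startup) rather than inside the check — if HashUtils.hash is a slow KDF this also stops every request from paying that cost. The secret still arrives as a query parameter (`request.queryMap("secret")`), which lands in access logs and proxies; that is pre-existing, but a header would be the better carrier now that the value is the credential itself. The enclosing handler starts and ends outside the hunk.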