Enable support for bcrypt'd password hashes in htpasswd

2025-10-19 07:33:21 +00:00 · 2018-02-11 14:54:25 -07:00 · 2018-02-11 14:54:25 -07:00 · 733c8da8fc
commit 733c8da8fc
parent 03958beb57
304 changed files with 74359 additions and 4 deletions
--- a/htpasswd.go
+++ b/htpasswd.go
@ -30,8 +30,11 @@ import (
 	"encoding/csv"
 	"log"
 	"os"
+	"regexp"
 	"sync"
 	"time"
+
+	"golang.org/x/crypto/bcrypt"
 )

 // CheckInterval represents how often we check for changes in htpasswd file.
@ -160,14 +163,23 @@ func (h *HtpasswdFile) Validate(user string, password string) bool {
 	if !exists {
 		return false
 	}
-	if realPassword[:5] == "{SHA}" {
+
+	var shaRe = regexp.MustCompile(`^{SHA}`)
+	var bcrRe = regexp.MustCompile(`^\$2b\$`)
+
+	switch {
+	case shaRe.MatchString(realPassword):
 		d := sha1.New()
 		_, _ = d.Write([]byte(password))
 		if realPassword[5:] == base64.StdEncoding.EncodeToString(d.Sum(nil)) {
 			return true
 		}
-	} else {
-		log.Printf("Invalid htpasswd entry for %s. Must be a SHA entry.", user)
+	case bcrRe.MatchString(realPassword):
+		err := bcrypt.CompareHashAndPassword([]byte(realPassword), []byte(password))
+		if err == nil {
+			return true
+		}
 	}
+	log.Printf("Invalid htpasswd entry for %s.", user)
 	return false
 }