dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

feat: jwt_generate, jwt_validate, password_hash, password_verify

Browse Source 
Fase 2 del issue 0010 — auth core:
- jwt_generate/validate: HS256 manual con crypto/hmac + crypto/sha256
- password_hash/verify: wrappers de golang.org/x/crypto/bcrypt (cost 12 default)
- JWT rechaza alg != HS256 para mitigar ataque 'alg=none'
- hmac.Equal para comparacion constant-time de firmas
This commit is contained in:
Egutierrez
2026-04-18 17:39:00 +02:00
parent 4bc6d1bced
commit 07341aa89f
14 changed files with 517 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
functions/infra/password_verify.md
+47
View File
@@ -0,0 +1,47 @@
---
name: password_verify
kind: function
lang: go
domain: infra
version: "1.0.0"
purity: impure
signature: "func PasswordVerify(password string, hash string) error"
description: "Verifica un password en texto plano contra un hash bcrypt. Retorna nil si hacen match, error si no coinciden o si el hash es invalido."
tags: [password, verify, bcrypt, auth, infra]
uses_functions: []
uses_types: []
returns: []
returns_optional: false
error_type: error_go_core
imports: [golang.org/x/crypto/bcrypt]
params:
- name: password
desc: "password en texto plano a verificar"
- name: hash
desc: "hash bcrypt obtenido previamente de PasswordHash (guardado en BD)"
output: "nil si el password coincide con el hash; error si no coincide o hash invalido"
tested: true
tests: ["verifica password correcto", "rechaza password incorrecto", "rechaza hash malformado"]
test_file_path: "functions/infra/password_verify_test.go"
file_path: "functions/infra/password_verify.go"
---
## Ejemplo
```go
row := db.QueryRow("SELECT password_hash FROM users WHERE email = ?", email)
var stored string
if err := row.Scan(&stored); err != nil {
HTTPErrorResponse(w, HTTPError{Status: 401, Code: "invalid_credentials", Message: "email o password incorrectos"})
return
}
if err := PasswordVerify(input, stored); err != nil {
HTTPErrorResponse(w, HTTPError{Status: 401, Code: "invalid_credentials", Message: "email o password incorrectos"})
return
}
// OK, emitir token
```
## Notas
Impura — bcrypt.CompareHashAndPassword es constant-time internamente (mitiga timing attacks). En respuestas HTTP al usuario NO distinguir entre "email no existe" y "password incorrecto": ambos casos deben retornar el mismo mensaje generico para no filtrar existencia de cuentas. El error real se puede loguear internamente con log_info/log_warn sin problema.