From 8b044d712bb3aa7893b670a343dbddfa2e75489d Mon Sep 17 00:00:00 2001
From: Albert S
Date: Sun, 3 Oct 2021 17:01:03 +0200
Subject: [PATCH] Authenticator: Introduce AUTH_DEFAULT_SALT_SIZE
---
 authenticator.cpp | 5 +++--
 authenticator.h | 1 +
 handlers/handlerusersettings.cpp | 7 ++++---
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/authenticator.cpp b/authenticator.cpp
index 9a01f71..ee355fa 100644
--- a/authenticator.cpp
+++ b/authenticator.cpp
@@ -42,11 +42,12 @@ std::vector Authenticator::pbkdf5(std::string password, const std::vector<
 unsigned char hash[32];
 const EVP_MD *sha256 = EVP_sha256();
 const unsigned char *rawsalt = reinterpret_cast(salt.data());
- int ret = PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
+ int ret =
+ PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
 if(ret != 1)
 {
 Logger::error() << "Authenticator: pbkdf5: Failed to create hash";
- return { };
+ return {};
 }
 std::vector result;
diff --git a/authenticator.h b/authenticator.h
index 8620964..07322c1 100644
--- a/authenticator.h
+++ b/authenticator.h
@@ -3,6 +3,7 @@
 #include
 #include "database/userdao.h"
+#define AUTH_DEFAULT_SALT_SIZE 32
 enum AuthenticationError
 {
 UserNotFound,
diff --git a/handlers/handlerusersettings.cpp b/handlers/handlerusersettings.cpp
index e8d63ec..6957c23 100644
--- a/handlers/handlerusersettings.cpp
+++ b/handlers/handlerusersettings.cpp
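Review bot: The new `#define AUTH_DEFAULT_SALT_SIZE 32` in authenticator.h is an unscoped, untyped preprocessor macro; since the project already uses C++17 features (`std::variant` in the handler hunk), a typed constant such as `inline constexpr std::size_t AUTH_DEFAULT_SALT_SIZE = 32;` (with `<cstddef>` included) gives the same value a type and a scope and keeps the name out of the preprocessor namespace of every file that includes this header. Whichever form is kept, the line deserves a comment stating the unit and what changing it means, e.g. `// Length in bytes of the salt generated for new password hashes; the salt is stored per user, so changing this only affects hashes created afterwards` — the per-user storage is inferred from `user.salt = salt;` in the handler hunk and should be confirmed against the user DAO. For consistency, the PBKDF2 iteration count `300000` that is still a bare literal in the authenticator.cpp hunk would benefit from a sibling named constant in the same header.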
@@ -15,19 +15,20 @@ Response HandlerUserSettings::handleRequest(const Request &r)
 if(newpassword != newpasswordconfirm)
 {
- //TODO: is not nice, users has to hit the back button...
+ // TODO: is not nice, users has to hit the back button...
 return this->errorResponse("Passwords don't match", "The entered new passwords don't match");
 }
 auto userDao = this->database->createUserDao();
 Authenticator authenticator(*userDao);
- std::variant authresult = authenticator.authenticate(this->userSession->user.login, oldpassword);
+ std::variant authresult =
+ authenticator.authenticate(this->userSession->user.login, oldpassword);
 if(std::holds_alternative(authresult))
 {
 return this->errorResponse("Invalid current password", "The old password you entered is invalid");
 }
 Random r;
- std::vector salt = r.getRandom(23);
+ std::vector salt = r.getRandom(AUTH_DEFAULT_SALT_SIZE);
 User user = std::get(authresult);
 user.salt = salt;
 user.password = authenticator.hash(newpassword, user.salt);
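Review bot: `Random r;` shadows the handler's own parameter `const Request &r` named in the hunk header, so any use of `r` after this point in `handleRequest` (whose body starts and ends outside the hunk) silently refers to the generator instead of the request; rename it, e.g. `Random rng;` and `std::vector salt = rng.getRandom(AUTH_DEFAULT_SALT_SIZE);`. The salt is then copied into the user record two lines later; `user.salt = std::move(salt);` avoids the copy, or drop the local and assign the `getRandom` result to `user.salt` directly. Whether `Random::getRandom` draws from a cryptographically secure source cannot be seen in this hunk; because the value becomes a password salt, that property is worth confirming in the `Random` class and recording in a short comment at this call site, e.g. `// salt must come from a CSPRNG; see Random`.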