From 079e9d2730c5429c2b31f75df9c4ff5b451f6efe Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Sun, 23 Mar 2025 14:25:55 +0800
Subject: Cut half of the cookie, the HMAC is enough

---
 main.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'main.go')

diff --git a/main.go b/main.go
index 4844f48..f5cf141 100644
--- a/main.go
+++ b/main.go
@@ -31,16 +31,16 @@ func main() {
 }
 }
 
- expectedToken := makeSignedToken(request)
+ identifier, expectedMAC := makeSignedToken(request)
 
- if validateCookie(cookie, expectedToken) {
+ if validateCookie(cookie, expectedMAC) {
 proxyRequest(writer, request)
 return
 }
 
 authPage := func(message string) {
 _ = tmpl.Execute(writer, tparams{
- UnsignedTokenBase64: base64.StdEncoding.EncodeToString(expectedToken[:sha256.Size]),
+ UnsignedTokenBase64: base64.StdEncoding.EncodeToString(identifier),
 Message: message,
 Global: global,
 })
@@ -72,7 +72,7 @@ func main() {
 }
 
 h := sha256.New()
- h.Write(expectedToken[:sha256.Size])
+ h.Write(identifier)
 h.Write(nonce)
 ck := h.Sum(nil)
 if !validateBitZeros(ck, global.NeedBits) {
@@ -82,14 +82,14 @@ func main() {
 
 http.SetCookie(writer, &http.Cookie{
 Name: "powxy",
- Value: base64.StdEncoding.EncodeToString(expectedToken),
+ Value: base64.StdEncoding.EncodeToString(expectedMAC),
 })
 http.Redirect(writer, request, "", http.StatusSeeOther)
 })))
 }
 
-func validateCookie(cookie *http.Cookie, expectedToken []byte) bool {
+func validateCookie(cookie *http.Cookie, expectedMAC []byte) bool {
 if cookie == nil {
 return false
 }
@@ -99,7 +99,7 @@ func validateCookie(cookie *http.Cookie, expectedToken []byte) bool {
 return false
 }
 
- return subtle.ConstantTimeCompare(gotToken, expectedToken) == 1
+ return subtle.ConstantTimeCompare(gotToken, expectedMAC) == 1
 }
 
 func getRemoteIP(request *http.Request) (remoteIP string) {
-- 
cgit v1.2.3
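Review bot: The new `identifier, expectedMAC := makeSignedToken(request)` line deserves a one-line comment on why only the MAC half round-trips in the cookie, since nothing at this call site says the identifier can be recomputed from the request; something like `// identifier is derived from the request itself, so the cookie only needs to carry the MAC over it.` The matching change to makeSignedToken is outside this diff (it is limited to main.go), so whether the identifier depends only on request-derived inputs the client cannot steer cannot be confirmed from here. The enclosing handler closure starts before and ends after this hunk.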
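Review bot: The cookie written at `Value: base64.StdEncoding.EncodeToString(expectedMAC)` is now a bare bearer credential, yet the literal still sets only Name and Value, so browser defaults apply: no HttpOnly, no SameSite, no Secure, and a Path scoped to the directory of the request URL. Adding `HttpOnly: true,` keeps the MAC out of reach of scripts running on the proxied origin, and `Path: "/",` would let one solved challenge cover the whole site if that is the intended scope; `Secure: true` depends on whether powxy is only reached over TLS, so I would gate it on configuration rather than hard-code it. SameSite is best left to the author, since Lax would withhold the cookie on cross-site POSTs to the proxied application and route those requests back to the challenge page. The http.SetCookie call sits inside the handler closure that begins before this hunk.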
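Review bot: validateCookie has no doc comment, and after this change its contract is narrower than the name suggests: it accepts only a cookie whose decoded value equals expectedMAC byte for byte, with `subtle.ConstantTimeCompare` returning 0 on any length mismatch. A comment on the declaration (which is in the previous hunk) such as `// validateCookie reports whether cookie carries the base64-encoded MAC expected for this request; a nil cookie or any mismatch yields false.` would record that. The decode of cookie.Value into gotToken and the func line lie outside this hunk, so the exact failure conditions before the compare are inferred from the visible `return false`.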