-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathuserRecord.sql
77 lines (65 loc) · 2.44 KB
/
userRecord.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
DROP PROCEDURE IF EXISTS createUser;
-- Creates a User entry with a provided password and hash.
DELIMITER @@
CREATE PROCEDURE createUser(
IN _username varchar(100),
IN _password varchar(100),
IN _salt varchar(64),
IN _role CHAR(1))
BEGIN
INSERT INTO User (username, salt, hash, role)
VALUES (_username, _salt, SHA2(CONCAT(_password, _salt), 256), _role);
END @@
DELIMITER ;
DROP PROCEDURE IF EXISTS authenticate;
-- Authenticates a login attemp with a given username and password.
-- If the username/password combo matches, valid is set to 1. Otherwise, 0.
DELIMITER @@
CREATE PROCEDURE authenticate(
IN _username varchar(100),
IN _password varchar(100),
OUT valid BOOLEAN)
BEGIN
-- Generate salted hash from attempted password
DECLARE userSalt varchar(64) DEFAULT null;
DECLARE testHash varchar(64) DEFAULT null;
-- If the salt doesn't exist, it's not a big deal, since
-- we'll end up just hashing with null. The validity check below
-- will handle the fact that the user doesn't exist for us.
SELECT Salt INTO userSalt FROM User WHERE username = _username;
SET testHash = SHA2(CONCAT(_password, userSalt), 256);
IF EXISTS(SELECT 1 FROM User WHERE username = _username AND hash = testHash) THEN
SET valid = 1;
ELSE
SET valid = 0;
END IF;
END @@
DELIMITER ;
DROP PROCEDURE IF EXISTS changePassword;
-- Attempts to change the password of a user.
-- If the user's old password matches, success
-- is set to 1, otherwise 0.
DELIMITER @@
CREATE PROCEDURE changePassword(
IN _username varchar(100),
IN _oldPassword varchar(100),
IN _newPassword varchar(100),
IN _salt varchar(64),
OUT success BOOLEAN)
BEGIN
-- Generate salted hash from old password
DECLARE userSalt varchar(64) DEFAULT null;
DECLARE testHash varchar(64) DEFAULT null;
-- If the salt doesn't exist, it's not a big deal, since
-- we'll end up just hashing with null. The validity check below
-- will handle the fact that the user doesn't exist for us.
SELECT Salt INTO userSalt FROM User WHERE username = _username;
SET testHash = SHA2(CONCAT(_oldPassword, userSalt), 256);
IF EXISTS(SELECT 1 FROM User WHERE username = _username AND hash = testHash) THEN
UPDATE User SET salt = _salt, hash = SHA2(CONCAT(_newPassword, _salt), 256) WHERE username = _username;
SET success = 1;
ELSE
SET success = 0;
END IF;
END @@
DELIMITER ;