Add VerifyPassword to API

It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true. Co-authored-by: Alban Seurat <alban.seurat@me.com>

Add VerifyPassword to API
It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true. Co-authored-by: Alban Seurat <alban.seurat@me.com>
dd84e73c · Tyler Cloke · Alban Seurat · 92920c86 · dd84e73c · dd84e73c
Commit dd84e73c authored Aug 06, 2018 by Tyler Cloke Committed by Alban Seurat Jul 22, 2019
6 changed files
--- a/api/api.pb.go
+++ b/api/api.pb.go
--- a/api/api.proto
+++ b/api/api.proto
@@ -148,6 +148,16 @@ message RevokeRefreshResp {
  bool not_found = 1;
 }
+message VerifyPasswordReq {
+  string email = 1;
+  string password = 2;
+}
+message VerifyPasswordResp {
+  bool verified = 1;
+  bool not_found = 2;
+}
 // Dex represents the dex gRPC service.
 service Dex {
  // CreateClient creates a client.
@@ -172,4 +182,6 @@ service Dex {
  //
  // Note that each user-client pair can have only one refresh token at a time.
  rpc RevokeRefresh(RevokeRefreshReq) returns (RevokeRefreshResp) {};
+  // VerifyPassword returns whether a password matches a hash for a specific email or not.
+  rpc VerifyPassword(VerifyPasswordReq) returns (VerifyPasswordResp) {};
 }
--- a/examples/grpc-client/README.md
+++ b/examples/grpc-client/README.md
@@ -48,7 +48,8 @@ Finally run the Dex client providing the CA certificate, client certificate and
 Running the gRPC client will cause the following API calls to be made to the server
 1. CreatePassword
 2. ListPasswords
-3. DeletePassword
+3. VerifyPassword
+4. DeletePassword
 ## Cleaning up

--- a/examples/grpc-client/client.go
+++ b/examples/grpc-client/client.go
@@ -76,6 +76,39 @@ func createPassword(cli api.DexClient) error {
 		log.Printf("%+v", pass)
 	}
+	// Verifying correct and incorrect passwords
+	log.Print("Verifying Password:\n")
+	verifyReq := &api.VerifyPasswordReq{
+		Email:    "test@example.com",
+		Password: "test1",
+	}
+	verifyResp, err := cli.VerifyPassword(context.TODO(), verifyReq)
+	if err != nil {
+		return fmt.Errorf("failed to run VerifyPassword for correct password: %v", err)
+	}
+	if !verifyResp.Verified {
+		return fmt.Errorf("failed to verify correct password: %v", verifyResp)
+	}
+	log.Printf("properly verified correct password: %t\n", verifyResp.Verified)
+	badVerifyReq := &api.VerifyPasswordReq{
+		Email:    "test@example.com",
+		Password: "wrong_password",
+	}
+	badVerifyResp, err := cli.VerifyPassword(context.TODO(), badVerifyReq)
+	if err != nil {
+		return fmt.Errorf("failed to run VerifyPassword for incorrect password: %v", err)
+	}
+	if badVerifyResp.Verified {
+		return fmt.Errorf("verify returned true for incorrect password: %v", badVerifyResp)
+	}
+	log.Printf("properly failed to verify incorrect password: %t\n", badVerifyResp.Verified)
+	log.Print("Listing Passwords:\n")
+	for _, pass := range resp.Passwords {
+		log.Printf("%+v", pass)
+	}
 	deleteReq := &api.DeletePasswordReq{
 		Email: p.Email,
 	}

--- a/server/api.go
+++ b/server/api.go
@@ -254,6 +254,37 @@ func (d dexAPI) ListPasswords(ctx context.Context, req *api.ListPasswordReq) (*a
 }
+func (d dexAPI) VerifyPassword(ctx context.Context, req *api.VerifyPasswordReq) (*api.VerifyPasswordResp, error) {
+	if req.Email == "" {
+		return nil, errors.New("no email supplied")
+	}
+	if req.Password == "" {
+		return nil, errors.New("no password to verify supplied")
+	}
+	password, err := d.s.GetPassword(req.Email)
+	if err != nil {
+		if err == storage.ErrNotFound {
+			return &api.VerifyPasswordResp{
+				NotFound: true,
+			}, nil
+		}
+		d.logger.Errorf("api: there was an error retrieving the password: %v", err)
+		return nil, fmt.Errorf("verify password: %v", err)
+	}
+	if err := bcrypt.CompareHashAndPassword(password.Hash, []byte(req.Password)); err != nil {
+		d.logger.Info("api: password check failed : %v", err)
+		return &api.VerifyPasswordResp{
+			Verified: false,
+		}, nil
+	}
+	return &api.VerifyPasswordResp{
+		Verified: true,
+	}, nil
+}
 func (d dexAPI) ListRefresh(ctx context.Context, req *api.ListRefreshReq) (*api.ListRefreshResp, error) {
 	id := new(internal.IDTokenSubject)
 	if err := internal.Unmarshal(req.UserId, id); err != nil {

--- a/server/api_test.go
+++ b/server/api_test.go
@@ -69,8 +69,9 @@ func TestPassword(t *testing.T) {
 	defer client.Close()
 	ctx := context.Background()
+	email := "test@example.com"
 	p := api.Password{
-		Email: "test@example.com",
+		Email: email,
 		// bcrypt hash of the value "test1" with cost 10
 		Hash:     []byte("$2a$10$XVMN/Fid.Ks4CXgzo8fpR.iU1khOMsP5g9xQeXuBm1wXjRX8pjUtO"),
 		Username: "test",
@@ -93,8 +94,56 @@ func TestPassword(t *testing.T) {
 		t.Fatalf("Created password %s twice", createReq.Password.Email)
 	}
+	// Attempt to verify valid password and email
+	goodVerifyReq := &api.VerifyPasswordReq{
+		Email:    email,
+		Password: "test1",
+	}
+	goodVerifyResp, err := client.VerifyPassword(ctx, goodVerifyReq)
+	if err != nil {
+		t.Fatalf("Unable to run verify password we expected to be valid for correct email: %v", err)
+	}
+	if !goodVerifyResp.Verified {
+		t.Fatalf("verify password failed for password expected to be valid for correct email. expected %t, found %t", true, goodVerifyResp.Verified)
+	}
+	if goodVerifyResp.NotFound {
+		t.Fatalf("verify password failed to return not found response. expected %t, found %t", false, goodVerifyResp.NotFound)
+	}
+	// Check not found response for valid password with wrong email
+	badEmailVerifyReq := &api.VerifyPasswordReq{
+		Email:    "somewrongaddress@email.com",
+		Password: "test1",
+	}
+	badEmailVerifyResp, err := client.VerifyPassword(ctx, badEmailVerifyReq)
+	if err != nil {
+		t.Fatalf("Unable to run verify password for incorrect email: %v", err)
+	}
+	if badEmailVerifyResp.Verified {
+		t.Fatalf("verify password passed for password expected to be not found. expected %t, found %t", false, badEmailVerifyResp.Verified)
+	}
+	if !badEmailVerifyResp.NotFound {
+		t.Fatalf("expected not found response for verify password with bad email. expected %t, found %t", true, badEmailVerifyResp.NotFound)
+	}
+	// Check that wrong password fails
+	badPassVerifyReq := &api.VerifyPasswordReq{
+		Email:    email,
+		Password: "wrong_password",
+	}
+	badPassVerifyResp, err := client.VerifyPassword(ctx, badPassVerifyReq)
+	if err != nil {
+		t.Fatalf("Unable to run verify password for password we expected to be invalid: %v", err)
+	}
+	if badPassVerifyResp.Verified {
+		t.Fatalf("verify password passed for password we expected to fail. expected %t, found %t", false, badPassVerifyResp.Verified)
+	}
+	if badPassVerifyResp.NotFound {
+		t.Fatalf("did not expect expected not found response for verify password with bad email. expected %t, found %t", false, badPassVerifyResp.NotFound)
+	}
 	updateReq := api.UpdatePasswordReq{
-		Email:       "test@example.com",
+		Email:       email,
 		NewUsername: "test1",
 	}