easywish/backend/internal/utils/security.go

package utils

import (
	"crypto/rand"
	"easywish/config"
	"errors"
	"fmt"
	"io"
	"regexp"
)

func GenerateSecure6DigitNumber() (string, error) {
	// Generate a random number between 0 and 999999 (inclusive)
	// This ensures we get a 6-digit number, including those starting with 0
	max := 1000000 // Upper bound (exclusive)
	b := make([]byte, 4) // A 4-byte slice is sufficient for a 32-bit integer

	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", fmt.Errorf("failed to read random bytes: %w", err)
	}

	// Convert bytes to an integer
	// We use a simple modulo operation to get a number within our desired range.
	// While this introduces a slight bias for very large ranges, for 1,000,000
	// it's negligible and simpler than more complex methods like rejection sampling.
	num := int(uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3])) % max

	return fmt.Sprintf("%06d", num), nil
}

func ValidatePassword(password string) error {
	cfg := config.GetConfig()
	
	if cfg.PasswordCheckLength {
		passwordLength := len(password); if passwordLength < 8 || passwordLength > 100 {
      return errors.New("Password must be between 8 and 100 characters")
		}  
	}

	if cfg.PasswordCheckNumbers {
		numbersPresent := regexp.MustCompile(`[0-9]`).MatchString(password); if !numbersPresent {
			return errors.New("Password must contain at least 1 number")
		}
	}

	if cfg.PasswordCheckCases {
		differentCasesPresent := regexp.MustCompile(`(?=.*[a-z])(?=.*[A-Z])`).MatchString(password); if !differentCasesPresent {
			return errors.New("Password must have uppercase and lowercase characters")
		}
	}

	if cfg.PasswordCheckSymbols {
		symbolsPresent := regexp.MustCompile(`[.,/;'[\]\-=_+{}:"<>?\/|!@#$%^&*()~]`).MatchString(password); if !symbolsPresent {
			return errors.New("Password must contain at least one special symbol")
		}
	}

	if cfg.PasswordCheckLeaked {
		// TODO: implement checking leaked passwords via rockme.txt
	}

	return nil
}