Source: Allow cached password comparison

oxzi · oxzi · commit de9b8248b893 · 2025-09-05T17:04:49.000+02:00
Move the bcrypt password comparison up to the Source and introduce a
cache there. This reduces the expensive bcrypt calls by a lot, reducing
the authorization delay from round about two seconds to single-digit
milliseconds on my machine.

On a similar note, we should consider changing the API to allow creating
some token after an initial password authorization instead of passing
the authentication data all the time.
diff --git a/internal/config/runtime.go b/internal/config/runtime.go
@@ -221,14 +221,7 @@ func (r *RuntimeConfig) GetSourceFromCredentials(user, pass string, logger *logg
 		return nil
 	}
 
-	if !src.ListenerPasswordHash.Valid {
-		logger.Debugw("Cannot check credentials for source without a listener_password_hash", zap.Int64("id", sourceId))
-		return nil
-	}
-
-	// If either PHP's PASSWORD_DEFAULT changes or Icinga Web 2 starts using something else, e.g., Argon2id, this will
-	// return a descriptive error as the identifier does no longer match the bcrypt "$2y$".
-	err = bcrypt.CompareHashAndPassword([]byte(src.ListenerPasswordHash.String), []byte(pass))
+	err = src.PasswordCompare([]byte(pass))
 	if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
 		logger.Debugw("Invalid password for this source", zap.Int64("id", sourceId))
 		return nil
diff --git a/internal/config/source.go b/internal/config/source.go
@@ -1,9 +1,12 @@
 package config
 
 import (
-	"github.com/icinga/icinga-go-library/types"
+	"crypto/subtle"
+	"fmt"
 	"github.com/icinga/icinga-notifications/internal/config/baseconf"
 	"go.uber.org/zap/zapcore"
+	"golang.org/x/crypto/bcrypt"
+	"sync"
 )
 
 // Source entry within the ConfigSet to describe a source.
@@ -13,7 +16,9 @@ type Source struct {
 	Type string `db:"type"`
 	Name string `db:"name"`
 
-	ListenerPasswordHash types.String `db:"listener_password_hash"`
+	ListenerPasswordHash  string `db:"listener_password_hash"`
+	listenerPassword      []byte `db:"-"`
+	listenerPasswordMutex sync.Mutex
 }
 
 // MarshalLogObject implements the zapcore.ObjectMarshaler interface.
@@ -24,6 +29,45 @@ func (source *Source) MarshalLogObject(encoder zapcore.ObjectEncoder) error {
 	return nil
 }
 
+// PasswordCompare checks if a password matches this Source's password with a cache.
+//
+// This method returns nil if the password is correct, [bcrypt.ErrMismatchedHashAndPassword] in case of an invalid
+// password and another error if something else went wrong.
+//
+// This cache might be necessary as, for the moment, bcrypt is used to hash the passwords. By design, bcrypt is
+// expensive, resulting in unnecessary delays when excessively using the API.
+//
+// If either PHP's PASSWORD_DEFAULT changes or Icinga Web 2 starts using something else, e.g., Argon2id, this will
+// return a descriptive error as the identifier does no longer match the bcrypt "$2y$".
+//
+// If a Source changes, it will be recreated - RuntimeConfig.applyPendingSources has a nil updateFn - and the cache is
+// automatically purged.
+func (source *Source) PasswordCompare(password []byte) error {
+	if source.ListenerPasswordHash == "" {
+		return fmt.Errorf("source has no password hash to compare")
+	}
+
+	source.listenerPasswordMutex.Lock()
+	defer source.listenerPasswordMutex.Unlock()
+
+	if source.listenerPassword != nil {
+		if subtle.ConstantTimeCompare(source.listenerPassword, password) != 1 {
+			return bcrypt.ErrMismatchedHashAndPassword
+		}
+
+		return nil
+	}
+
+	err := bcrypt.CompareHashAndPassword([]byte(source.ListenerPasswordHash), password)
+	if err != nil {
+		return err
+	}
+
+	source.listenerPassword = password
+
+	return nil
+}
+
 // applyPendingSources synchronizes changed sources.
 func (r *RuntimeConfig) applyPendingSources() {
 	incrementalApplyPending(
diff --git a/internal/incident/incidents_test.go b/internal/incident/incidents_test.go
@@ -23,10 +23,10 @@ func TestLoadOpenIncidents(t *testing.T) {
 	db := testutils.GetTestDB(ctx, t)
 
 	// Insert a dummy source for our test cases!
-	source := config.Source{
+	source := &config.Source{
 		Type:                 "notifications",
 		Name:                 "Icinga Notifications",
-		ListenerPasswordHash: types.MakeString("$2y$"), // Needed to pass the database constraint.
+		ListenerPasswordHash: "$2y$", // Needed to pass the database constraint.
 	}
 	source.ChangedAt = types.UnixMilli(time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC))
 	source.Deleted = types.Bool{Bool: false, Valid: true}
diff --git a/internal/listener/listener.go b/internal/listener/listener.go
@@ -96,9 +96,9 @@ func (l *Listener) sourceFromAuthOrAbort(w http.ResponseWriter, r *http.Request)
 		}
 	}
 
-	w.Header().Set("WWW-Authenticate", `Basic realm="icinga-notifications"`)
+	w.Header().Set("WWW-Authenticate", `Basic realm="icinga-notifications source"`)
 	w.WriteHeader(http.StatusUnauthorized)
-	_, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")
+	_, _ = fmt.Fprintln(w, "expected valid icinga-notifications source basic auth credentials")
 	return nil, false
 }
 

Original file line number	Diff line number	Diff line change
`@@ -96,9 +96,9 @@ func (l Listener) sourceFromAuthOrAbort(w http.ResponseWriter, r http.Request)`
`96`	`96`	`}`
`97`	`97`	`}`
`98`	`98`
`99`		- w.Header().Set("WWW-Authenticate", `Basic realm="icinga-notifications"`)
	`99`	+ w.Header().Set("WWW-Authenticate", `Basic realm="icinga-notifications source"`)
`100`	`100`	`w.WriteHeader(http.StatusUnauthorized)`
`101`		`- _, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")`
	`101`	`+ _, _ = fmt.Fprintln(w, "expected valid icinga-notifications source basic auth credentials")`
`102`	`102`	`return nil, false`
`103`	`103`	`}`
`104`	`104`