dexidp · tylercloke · Aug 6, 2018 · srenatus · Aug 7, 2018 · srenatus
diff --git a/api/api.pb.go b/api/api.pb.go
diff --git a/api/api.proto b/api/api.proto
@@ -134,6 +134,16 @@ message RevokeRefreshResp {
   bool not_found = 1;
 }
 
+message VerifyPasswordReq {
+  string email = 1;
+  string password = 2;
+}
+
+message VerifyPasswordResp {
+  bool verified = 1;
+  bool not_found = 2;
+}
+
 // Dex represents the dex gRPC service.
 service Dex {
   // CreateClient creates a client.
@@ -156,4 +166,6 @@ service Dex {
   //
   // Note that each user-client pair can have only one refresh token at a time.
   rpc RevokeRefresh(RevokeRefreshReq) returns (RevokeRefreshResp) {};
+  // VerifyPassword returns whether a password matches a hash for a specific email or not.
+  rpc VerifyPassword(VerifyPasswordReq) returns (VerifyPasswordResp) {};
 }
diff --git a/examples/grpc-client/README.md b/examples/grpc-client/README.md
@@ -48,7 +48,8 @@ Finally run the Dex client providing the CA certificate, client certificate and
 Running the gRPC client will cause the following API calls to be made to the server
 1. CreatePassword
 2. ListPasswords
-3. DeletePassword
+3. VerifyPassword
+4. DeletePassword
 
 ## Cleaning up
 

diff --git a/examples/grpc-client/client.go b/examples/grpc-client/client.go
@@ -75,6 +75,39 @@ func createPassword(cli api.DexClient) error {
 		log.Printf("%+v", pass)
 	}
 
+	// Verifying correct and incorrect passwords
+	log.Print("Verifying Password:\n")
+	verifyReq := &api.VerifyPasswordReq{
+		Email:    "[email protected]",
+		Password: "test1",
+	}
+	verifyResp, err := cli.VerifyPassword(context.TODO(), verifyReq)
+	if err != nil {
+		return fmt.Errorf("failed to run VerifyPassword for correct password: %v", err)
+	}
+	if !verifyResp.Verified {
+		return fmt.Errorf("failed to verify correct password: %v", verifyResp)
+	}
+	log.Printf("properly verified correct password: %t\n", verifyResp.Verified)
+
+	badVerifyReq := &api.VerifyPasswordReq{
+		Email:    "[email protected]",
+		Password: "wrong_password",
+	}
+	badVerifyResp, err := cli.VerifyPassword(context.TODO(), badVerifyReq)
+	if err != nil {
+		return fmt.Errorf("failed to run VerifyPassword for incorrect password: %v", err)
+	}
+	if badVerifyResp.Verified {
+		return fmt.Errorf("verify returned true for incorrect password: %v", badVerifyResp)
+	}
+	log.Printf("properly failed to verify incorrect password: %t\n", badVerifyResp.Verified)
+
+	log.Print("Listing Passwords:\n")
+	for _, pass := range resp.Passwords {
+		log.Printf("%+v", pass)
+	}
+
 	deleteReq := &api.DeletePasswordReq{
 		Email: p.Email,
 	}

diff --git a/server/api.go b/server/api.go
@@ -223,6 +223,40 @@ func (d dexAPI) ListPasswords(ctx context.Context, req *api.ListPasswordReq) (*a
 
 }
 
+func (d dexAPI) VerifyPassword(ctx context.Context, req *api.VerifyPasswordReq) (*api.VerifyPasswordResp, error) {
+	if req.Email == "" {
+		return nil, errors.New("no email supplied")
+	}
+
+	if req.Password == "" {
+		return nil, errors.New("no passwored to verify supplied")
+	}
+
+	// TODO we can dry this up if https://github.com/coreos/dex/pull/1271/files merges
+	password, err := d.s.GetPassword(req.Email)
+	if err != nil {
+		if err == storage.ErrNotFound {
+			return &api.VerifyPasswordResp{
+				NotFound: true,
+				Verified: false,
+			}, nil
+		}
+		d.logger.Errorf("api: there was an error retrieving the password: %v", err)
+		return nil, fmt.Errorf("verify password: %v", err)
+	}
+
+	resp := &api.VerifyPasswordResp{
+		NotFound: false,
+	}
+
+	if err := bcrypt.CompareHashAndPassword(password.Hash, []byte(req.Password)); err != nil {
+		resp.Verified = false
+		return resp, nil
+	}
+	resp.Verified = true
+	return resp, nil
+}
+
 func (d dexAPI) ListRefresh(ctx context.Context, req *api.ListRefreshReq) (*api.ListRefreshResp, error) {
 	id := new(internal.IDTokenSubject)
 	if err := internal.Unmarshal(req.UserId, id); err != nil {