fix nil pointer and timing vulnerability

cmd/mgmt/route.go

@@ -162,6 +162,12 @@ func routeAll() chi.Router {
 			r.Post("/{otp}", func(w http.ResponseWriter, r *http.Request) {
 				sharedKey := chi.URLParam(r, "otp")
 				original, err := store.Get(sharedKey)
+				if nil != err {
+					msg := `{"error":"not found"}`
+					log.Printf("/api/register-device/\n")
+					log.Println(err)
+					http.Error(w, msg, http.StatusNotFound)
+				}
 				if "" != original.MachinePPID {
 					msg := `{"error":"the presented key has already been used"}`
 					log.Printf("/api/register-device/\n")

mgmt/authstore/authstore_test.go

@@ -27,10 +27,11 @@ func TestStore(t *testing.T) {
 
 	num := "8"
 	slug := num + "-xxx-client"
-	pubkey := num + "-somehash"
+	secret := "3-xxxx-zzzz-yyyy"
+	pubkey := ToPublicKeyString(secret)
 	auth1 := &Authorization{
 		Slug:      slug,
-		SharedKey: "3-xxxx-zzzz-yyyy",
+		SharedKey: secret,
 		PublicKey: pubkey,
 	}
 	err = store.Add(auth1)
@@ -64,7 +65,7 @@ func TestStore(t *testing.T) {
 		return
 	}
 
-	auth, err := store.Get(slug)
+	auth, err = store.Get(slug)
 	if nil == err {
 		t.Fatal("should get nothing back")
 		return

mgmt/authstore/postgresql.go

@@ -203,9 +203,15 @@ func (s *PGStore) Get(id string) (*Authorization, error) {
 	query := `
 		SELECT * FROM authorizations
 		WHERE deleted_at = '1970-01-01 00:00:00'
-		  AND (slug = $1 OR public_key = $1 OR shared_key = $1)
+		  AND (slug = $1 OR public_key = $1 OR public_key = $2)
 	`
-	row := s.dbx.QueryRowxContext(ctx, query, id)
+	// if the id is actually the secret, we want the public form
+	// (we do this to protect against a timing attack)
+	pubby := ToPublicKeyString(id)
+	if len(id) > 24 {
+		id = id[:24]
+	}
+	row := s.dbx.QueryRowxContext(ctx, query, id, pubby)
 	if nil != row {
 		auth := &Authorization{}
 		if err := row.StructScan(auth); nil != err {