Make IMAP and SMTP sessions check for passwords

internal/store/store.go

@@ -20,6 +20,7 @@ type Interface interface {
 
 	CreateAccount(*Account) error
 	FindAccount(string) (*Account, error)
+	FindAccountWithPassword(string, string) (*Account, error)
 
 	io.Closer
 }
@@ -141,14 +142,30 @@ func (c *concrete) SetTLS(certPEM, keyPEM []byte) error {
 	return nil
 }
 
-func (c *concrete) CreateAccount(a *Account) error {
-	return c.storm.Save(a)
+func (c *concrete) CreateAccount(account *Account) error {
+	return c.storm.Save(account)
 }
 
 func (c *concrete) FindAccount(username string) (*Account, error) {
-	var a Account
+	var account Account
 
-	return &a, c.storm.One("Username", username, &a)
+	return &account, c.storm.One("Username", username, &account)
+}
+
+func (c *concrete) FindAccountWithPassword(username, password string) (*Account, error) {
+	account, err := c.FindAccount(username)
+
+	if err != nil {
+		// Always do a bcrypt check to avoid timing attacks
+		_ = CheckPassword("", "")
+		return nil, err
+	}
+
+	if !CheckPassword(account.PasswordHash, password) {
+		return nil, fmt.Errorf("bad password")
+	}
+
+	return account, nil
 }
 
 func (c *concrete) Close() error {