diff --git a/monkey/monkey_island/cc/environment/user_creds.py b/monkey/monkey_island/cc/environment/user_creds.py index 98a23a14a..a5c905f70 100644 --- a/monkey/monkey_island/cc/environment/user_creds.py +++ b/monkey/monkey_island/cc/environment/user_creds.py @@ -1,6 +1,7 @@ from __future__ import annotations import json +from hashlib import sha3_512 from typing import Dict from monkey_island.cc.resources.auth.auth_user import User @@ -30,8 +31,8 @@ class UserCreds: creds = UserCreds() if "user" in data_dict: creds.username = data_dict["user"] - if "password_hash" in data_dict: - creds.password_hash = data_dict["password_hash"] + if "password" in data_dict: + creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest() return creds @staticmethod diff --git a/monkey/monkey_island/cc/resources/auth/auth.py b/monkey/monkey_island/cc/resources/auth/auth.py index 29d2d9e89..597c73d60 100644 --- a/monkey/monkey_island/cc/resources/auth/auth.py +++ b/monkey/monkey_island/cc/resources/auth/auth.py @@ -1,6 +1,7 @@ import json import logging from functools import wraps +from hashlib import sha3_512 import flask_jwt_extended import flask_restful @@ -25,7 +26,7 @@ def init_jwt(app): class Authenticate(flask_restful.Resource): """ - Resource for user authentication. The user provides the username and hashed password and we + Resource for user authentication. The user provides the username and password and we give them a JWT. See `AuthService.js` file for the frontend counterpart for this code. """ @@ -33,7 +34,7 @@ class Authenticate(flask_restful.Resource): @staticmethod def _authenticate(username, secret): user = user_store.UserStore.username_table.get(username, None) - if user and safe_str_cmp(user.secret.encode("utf-8"), secret.encode("utf-8")): + if user and safe_str_cmp(user.secret, secret): return user def post(self): @@ -41,13 +42,14 @@ class Authenticate(flask_restful.Resource): Example request: { "username": "my_user", - "password": "343bb87e553b05430e5c44baf99569d4b66..." + "password": "mypassword...." } """ credentials = json.loads(request.data) # Unpack auth info from request username = credentials["username"] - secret = credentials["password"] + password = credentials["password"] + secret = sha3_512(password.encode("utf-8")).hexdigest() # If the user and password have been previously registered if self._authenticate(username, secret): access_token = flask_jwt_extended.create_access_token( diff --git a/monkey/monkey_island/cc/ui/src/services/AuthService.js b/monkey/monkey_island/cc/ui/src/services/AuthService.js index 52658f5a9..27a8100bd 100644 --- a/monkey/monkey_island/cc/ui/src/services/AuthService.js +++ b/monkey/monkey_island/cc/ui/src/services/AuthService.js @@ -2,17 +2,14 @@ import {SHA3} from 'sha3'; import decode from 'jwt-decode'; export default class AuthService { - // SHA3-512 of '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()' - NO_AUTH_CREDS = - '55e97c9dcfd22b8079189ddaeea9bce8125887e3237b800c6176c9afa80d2062' + - '8d2c8d0b1538d2208c1444ac66535b764a3d902b35e751df3faec1e477ed3557'; + NO_AUTH_CREDS = 'loginwithoutpassword'; SECONDS_BEFORE_JWT_EXPIRES = 20; AUTHENTICATION_API_ENDPOINT = '/api/auth'; REGISTRATION_API_ENDPOINT = '/api/registration'; login = (username, password) => { - return this._login(username, this.hashSha3(password)); + return this._login(username, password); }; authFetch = (url, options) => { @@ -25,12 +22,6 @@ export default class AuthService { } }; - hashSha3(text) { - let hash = new SHA3(512); - hash.update(text); - return this._toHexStr(hash.digest()); - } - _login = (username, password) => { return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, { method: 'POST', @@ -52,7 +43,7 @@ export default class AuthService { register = (username, password) => { if (password !== '') { - return this._register(username, this.hashSha3(password)); + return this._register(username, password); } else { return this._register(username, password); } @@ -63,7 +54,7 @@ export default class AuthService { method: 'POST', body: JSON.stringify({ 'user': username, - 'password_hash': password + 'password': password }) }).then(res => { if (res.status === 200) { @@ -156,7 +147,4 @@ export default class AuthService { return localStorage.getItem('jwt') } - _toHexStr(byteArr) { - return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), ''); - } }