Add functionality to hash passwords on server side

PrajwalM2212 2021-02-20 12:17:05 -08:00 committed by Shreya
parent 7f06ec4034
commit 9363cadb09
3 changed files with 13 additions and 22 deletions


@ -1,6 +1,7 @@
from __future__ import annotations from __future__ import annotations
import json import json
from hashlib import sha3_512
from typing import Dict from typing import Dict
from monkey_island.cc.resources.auth.auth_user import User from monkey_island.cc.resources.auth.auth_user import User
@ -30,8 +31,8 @@ class UserCreds:
creds = UserCreds() creds = UserCreds()
if "user" in data_dict: if "user" in data_dict:
creds.username = data_dict["user"] creds.username = data_dict["user"]
if "password_hash" in data_dict: if "password" in data_dict:
creds.password_hash = data_dict["password_hash"] creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()
return creds return creds
@staticmethod @staticmethod
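Review bot: The new `creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()` stores a single unsalted SHA3-512 of the password, which is a fast general-purpose hash rather than a password-hashing function: equal passwords map to equal stored values and the digest offers no work factor against offline guessing if the store leaks. Now that the server receives the cleartext password, this is the place to use a salted, slow scheme — `hashlib.scrypt` or `hashlib.pbkdf2_hmac` from the stdlib, or werkzeug's `generate_password_hash`, which the flask stack already depends on — and verify with the matching check function instead of comparing hex strings. The same expression is repeated verbatim in `Authenticate.post` in the second file; routing both through one helper, e.g. `def hash_password(password: str) -> str:` next to `UserCreds`, keeps registration and login from drifting apart. `data_dict["password"].encode(...)` also assumes a str, so a non-string JSON value raises AttributeError here; a type check before hashing would turn that into a proper rejection. The method that builds `creds` starts before the hunk.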


@ -1,6 +1,7 @@
import json import json
import logging import logging
from functools import wraps from functools import wraps
from hashlib import sha3_512
import flask_jwt_extended import flask_jwt_extended
import flask_restful import flask_restful
@ -25,7 +26,7 @@ def init_jwt(app):
class Authenticate(flask_restful.Resource): class Authenticate(flask_restful.Resource):
""" """
Resource for user authentication. The user provides the username and hashed password and we Resource for user authentication. The user provides the username and password and we
give them a JWT. give them a JWT.
See `AuthService.js` file for the frontend counterpart for this code. See `AuthService.js` file for the frontend counterpart for this code.
""" """
@ -33,7 +34,7 @@ class Authenticate(flask_restful.Resource):
@staticmethod @staticmethod
def _authenticate(username, secret): def _authenticate(username, secret):
user = user_store.UserStore.username_table.get(username, None) user = user_store.UserStore.username_table.get(username, None)
if user and safe_str_cmp(user.secret.encode("utf-8"), secret.encode("utf-8")): if user and safe_str_cmp(user.secret, secret):
return user return user
def post(self): def post(self):
@ -41,13 +42,14 @@ class Authenticate(flask_restful.Resource):
Example request: Example request:
{ {
"username": "my_user", "username": "my_user",
"password": "343bb87e553b05430e5c44baf99569d4b66..." "password": "mypassword...."
} }
""" """
credentials = json.loads(request.data) credentials = json.loads(request.data)
# Unpack auth info from request # Unpack auth info from request
username = credentials["username"] username = credentials["username"]
secret = credentials["password"] password = credentials["password"]
secret = sha3_512(password.encode("utf-8")).hexdigest()
# If the user and password have been previously registered # If the user and password have been previously registered
if self._authenticate(username, secret): if self._authenticate(username, secret):
access_token = flask_jwt_extended.create_access_token( access_token = flask_jwt_extended.create_access_token(
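Review bot: `secret = sha3_512(password.encode("utf-8")).hexdigest()` in `post` calls `.encode` on whatever the JSON body carried, so a non-string `"password"` (null or a number) surfaces as an unhandled AttributeError instead of a client error; a guard such as `if not isinstance(password, str): return {"error": "password must be a string"}, 400` placed before the hashing keeps the failure in the request path. Separately, the rewritten `safe_str_cmp(user.secret, secret)` keeps a Werkzeug helper that is deprecated in 2.0 and removed in 2.1; since both operands are hex digests, `hmac.compare_digest(user.secret, secret)` from the stdlib is a drop-in, provided `user.secret` is always a str (its type is not visible here). The docstring on `Authenticate` now says "username and password"; adding that the password is hashed server-side and therefore travels in cleartext in the request body would make the transport requirement explicit. `post` continues past the hunk.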


@ -2,17 +2,14 @@ import {SHA3} from 'sha3';
import decode from 'jwt-decode'; import decode from 'jwt-decode';
export default class AuthService { export default class AuthService {
// SHA3-512 of '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()' NO_AUTH_CREDS = 'loginwithoutpassword';
NO_AUTH_CREDS =
'55e97c9dcfd22b8079189ddaeea9bce8125887e3237b800c6176c9afa80d2062' +
'8d2c8d0b1538d2208c1444ac66535b764a3d902b35e751df3faec1e477ed3557';
SECONDS_BEFORE_JWT_EXPIRES = 20; SECONDS_BEFORE_JWT_EXPIRES = 20;
AUTHENTICATION_API_ENDPOINT = '/api/auth'; AUTHENTICATION_API_ENDPOINT = '/api/auth';
REGISTRATION_API_ENDPOINT = '/api/registration'; REGISTRATION_API_ENDPOINT = '/api/registration';
login = (username, password) => { login = (username, password) => {
return this._login(username, this.hashSha3(password)); return this._login(username, password);
}; };
authFetch = (url, options) => { authFetch = (url, options) => {
@ -25,12 +22,6 @@ export default class AuthService {
} }
}; };
hashSha3(text) {
let hash = new SHA3(512);
hash.update(text);
return this._toHexStr(hash.digest());
}
_login = (username, password) => { _login = (username, password) => {
return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, { return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, {
method: 'POST', method: 'POST',
@ -52,7 +43,7 @@ export default class AuthService {
register = (username, password) => { register = (username, password) => {
if (password !== '') { if (password !== '') {
return this._register(username, this.hashSha3(password)); return this._register(username, password);
} else { } else {
return this._register(username, password); return this._register(username, password);
} }
@ -63,7 +54,7 @@ export default class AuthService {
method: 'POST', method: 'POST',
body: JSON.stringify({ body: JSON.stringify({
'user': username, 'user': username,
'password_hash': password 'password': password
}) })
}).then(res => { }).then(res => {
if (res.status === 200) { if (res.status === 200) {
@ -156,7 +147,4 @@ export default class AuthService {
return localStorage.getItem('jwt') return localStorage.getItem('jwt')
} }
_toHexStr(byteArr) {
return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), '');
}
} }
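Review bot: In `register`, both arms of `if (password !== '')` now call the same `this._register(username, password)`, so the conditional is dead code; collapse it to `register = (username, password) => this._register(username, password);` or, if the empty-password case is meant to be handled differently, make that branch do something different. With `hashSha3` and `_toHexStr` removed, the `import {SHA3} from 'sha3'` visible in the first hunk header appears to be unused unless something outside these hunks still references it; if so, drop the import and the package dependency. Since `login` and `_register` now send the raw password in the request body, a short comment on `login` such as `// Password is sent in cleartext and hashed server-side; this endpoint must only be used over HTTPS.` would stop a future reader from reintroducing client-side hashing or assuming the body is already protected.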