Use bcrypt for password hashing for authentication

2021-05-03 19:29:58 +05:30 · 2021-05-03 19:29:58 +05:30 · b5236d14c9
parent 2ee6315bb8
commit b5236d14c9
2 changed files with 10 additions and 9 deletions
--- a/monkey/monkey_island/cc/environment/user_creds.py
+++ b/monkey/monkey_island/cc/environment/user_creds.py
@ -1,9 +1,10 @@
 from __future__ import annotations

 import json
-from hashlib import sha3_512
 from typing import Dict

+import bcrypt
+
 from monkey_island.cc.resources.auth.auth_user import User


@ -32,7 +33,9 @@ class UserCreds:
        if "user" in data_dict:
            creds.username = data_dict["user"]
        if "password" in data_dict:
-            creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()
+            creds.password_hash = bcrypt.hashpw(
+                data_dict["password"].encode("utf-8"), bcrypt.gensalt()
+            )
        return creds

    @staticmethod
--- a/monkey/monkey_island/cc/resources/auth/auth.py
+++ b/monkey/monkey_island/cc/resources/auth/auth.py
@ -1,14 +1,13 @@
 import json
 import logging
 from functools import wraps
-from hashlib import sha3_512

+import bcrypt
 import flask_jwt_extended
 import flask_restful
 from flask import make_response, request
 from flask_jwt_extended.exceptions import JWTExtendedException
 from jwt import PyJWTError
-from werkzeug.security import safe_str_cmp

 import monkey_island.cc.environment.environment_singleton as env_singleton
 import monkey_island.cc.resources.auth.user_store as user_store
@ -32,9 +31,9 @@ class Authenticate(flask_restful.Resource):
    """

    @staticmethod
-    def _authenticate(username, secret):
+    def _authenticate(username, password):
        user = user_store.UserStore.username_table.get(username, None)
-        if user and safe_str_cmp(user.secret.encode('utf-8'), secret.encode('utf-8')):
+        if user and bcrypt.checkpw(password.encode("utf-8"), user.secret.encode("utf-8")):
            return user

    def post(self):
@ -42,16 +41,15 @@ class Authenticate(flask_restful.Resource):
        Example request:
        {
            "username": "my_user",
-            "password": "mypassword...."
+            "password": "my_password"
        }
        """
        credentials = json.loads(request.data)
        # Unpack auth info from request
        username = credentials["username"]
        password = credentials["password"]
-        secret = sha3_512(password.encode("utf-8")).hexdigest()
        # If the user and password have been previously registered
-        if self._authenticate(username, secret):
+        if self._authenticate(username, password):
            access_token = flask_jwt_extended.create_access_token(
                identity=user_store.UserStore.username_table[username].id
            )