From b5236d14c924b68cc7c300754d85366ee91cdf7c Mon Sep 17 00:00:00 2001 From: Shreya Date: Mon, 3 May 2021 19:29:58 +0530 Subject: [PATCH] Use bcrypt for password hashing for authentication --- monkey/monkey_island/cc/environment/user_creds.py | 7 +++++-- monkey/monkey_island/cc/resources/auth/auth.py | 12 +++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/monkey/monkey_island/cc/environment/user_creds.py b/monkey/monkey_island/cc/environment/user_creds.py index a5c905f70..fac911cdd 100644 --- a/monkey/monkey_island/cc/environment/user_creds.py +++ b/monkey/monkey_island/cc/environment/user_creds.py @@ -1,9 +1,10 @@ from __future__ import annotations import json -from hashlib import sha3_512 from typing import Dict +import bcrypt + from monkey_island.cc.resources.auth.auth_user import User @@ -32,7 +33,9 @@ class UserCreds: if "user" in data_dict: creds.username = data_dict["user"] if "password" in data_dict: - creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest() + creds.password_hash = bcrypt.hashpw( + data_dict["password"].encode("utf-8"), bcrypt.gensalt() + ) return creds @staticmethod diff --git a/monkey/monkey_island/cc/resources/auth/auth.py b/monkey/monkey_island/cc/resources/auth/auth.py index 43cbf3b0e..b6221c417 100644 --- a/monkey/monkey_island/cc/resources/auth/auth.py +++ b/monkey/monkey_island/cc/resources/auth/auth.py @@ -1,14 +1,13 @@ import json import logging from functools import wraps -from hashlib import sha3_512 +import bcrypt import flask_jwt_extended import flask_restful from flask import make_response, request from flask_jwt_extended.exceptions import JWTExtendedException from jwt import PyJWTError -from werkzeug.security import safe_str_cmp import monkey_island.cc.environment.environment_singleton as env_singleton import monkey_island.cc.resources.auth.user_store as user_store 
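Review bot: `bcrypt.hashpw(...)` returns bytes, but `password_hash` previously held the str hexdigest and the companion change in auth.py compares with `user.secret.encode("utf-8")`, which raises AttributeError on a bytes value (and, if the creds are serialized with the `json` module imported here, bytes is not JSON-serializable); decode the ASCII bcrypt string once at the hashing site: `creds.password_hash = bcrypt.hashpw(data_dict["password"].encode("utf-8"), bcrypt.gensalt()).decode("utf-8")`. bcrypt only uses the first 72 bytes of its input and, depending on the installed bcrypt version, longer passwords are either silently truncated or rejected with ValueError, so a length check or at least a comment such as `# bcrypt uses at most 72 bytes of the password` belongs next to this call. `bcrypt` is a new third-party dependency and presumably needs to be added to the project's requirements as well. The method containing this assignment starts before the hunk.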
@@ -32,9 +31,9 @@ class Authenticate(flask_restful.Resource): """ @staticmethod - def _authenticate(username, secret): + def _authenticate(username, password): user = user_store.UserStore.username_table.get(username, None) - if user and safe_str_cmp(user.secret.encode('utf-8'), secret.encode('utf-8')): + if user and bcrypt.checkpw(password.encode("utf-8"), user.secret.encode("utf-8")): return user def post(self): @@ -42,16 +41,15 @@ class Authenticate(flask_restful.Resource): Example request: { "username": "my_user", - "password": "mypassword...." + "password": "my_password" } """ credentials = json.loads(request.data) # Unpack auth info from request username = credentials["username"] password = credentials["password"] - secret = sha3_512(password.encode("utf-8")).hexdigest() # If the user and password have been previously registered - if self._authenticate(username, secret): + if self._authenticate(username, password): access_token = flask_jwt_extended.create_access_token( identity=user_store.UserStore.username_table[username].id )
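Review bot: `bcrypt.checkpw` on the new `_authenticate` line raises ValueError rather than returning False when `user.secret` is not a bcrypt hash, so any credentials persisted in the previous sha3_512 hex format would turn every login into an unhandled exception instead of a rejection; either migrate stored hashes or guard the call, e.g. `except ValueError: return None` around it, if old records can exist. The line also assumes `user.secret` is a str; if the stored value is the bytes that `hashpw` returns, `.encode("utf-8")` fails, so one representation should be fixed across both files. Because the check is skipped entirely when `user` is None, the unknown-user path is now much cheaper than the known-user path; a common mitigation is to run `checkpw` against a fixed dummy hash in that branch so both paths cost about the same. The Authenticate class continues outside the hunk.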
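Review bot: `password = credentials["password"]` is handed straight to `self._authenticate`, which calls `.encode("utf-8")` on it, so a JSON body whose password (or username) is not a string now produces an AttributeError and a 500 instead of a rejected login; add `if not isinstance(username, str) or not isinstance(password, str): return make_response({"error": "Invalid credentials"}, 400)` (response shape constructed, adapt to the resource's convention) before the call. The `post` method continues outside the hunk.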