Use bcrypt for password hashing for authentication

This commit is contained in:
Shreya 2021-05-03 19:29:58 +05:30
parent 2ee6315bb8
commit b5236d14c9
2 changed files with 10 additions and 9 deletions


@ -1,9 +1,10 @@
from __future__ import annotations from __future__ import annotations
import json import json
from hashlib import sha3_512
from typing import Dict from typing import Dict
import bcrypt
from monkey_island.cc.resources.auth.auth_user import User from monkey_island.cc.resources.auth.auth_user import User
@ -32,7 +33,9 @@ class UserCreds:
if "user" in data_dict: if "user" in data_dict:
creds.username = data_dict["user"] creds.username = data_dict["user"]
if "password" in data_dict: if "password" in data_dict:
creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest() creds.password_hash = bcrypt.hashpw(
data_dict["password"].encode("utf-8"), bcrypt.gensalt()
)
return creds return creds
@staticmethod @staticmethod
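Review bot: `bcrypt.hashpw` returns bytes, whereas the `sha3_512(...).hexdigest()` it replaces returned a str, so `creds.password_hash` silently changes type in this hunk; the `json` import at the top of this file suggests the credentials are serialized somewhere, and `json.dumps` rejects bytes, while the verifying side in the second file calls `user.secret.encode("utf-8")`, which presumes a str. If the stored form is meant to stay text, decode at the point of hashing: `creds.password_hash = bcrypt.hashpw(data_dict["password"].encode("utf-8"), bcrypt.gensalt()).decode("utf-8")`. A short comment there would also help the next reader, e.g. `# bcrypt only uses the first 72 bytes of the input; longer passwords are silently truncated`. The enclosing method starts and ends outside the hunk, so whether `password_hash` is consumed as str or bytes elsewhere cannot be confirmed from here.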


@ -1,14 +1,13 @@
import json import json
import logging import logging
from functools import wraps from functools import wraps
from hashlib import sha3_512
import bcrypt
import flask_jwt_extended import flask_jwt_extended
import flask_restful import flask_restful
from flask import make_response, request from flask import make_response, request
from flask_jwt_extended.exceptions import JWTExtendedException from flask_jwt_extended.exceptions import JWTExtendedException
from jwt import PyJWTError from jwt import PyJWTError
from werkzeug.security import safe_str_cmp
import monkey_island.cc.environment.environment_singleton as env_singleton import monkey_island.cc.environment.environment_singleton as env_singleton
import monkey_island.cc.resources.auth.user_store as user_store import monkey_island.cc.resources.auth.user_store as user_store
@ -32,9 +31,9 @@ class Authenticate(flask_restful.Resource):
""" """
@staticmethod @staticmethod
def _authenticate(username, secret): def _authenticate(username, password):
user = user_store.UserStore.username_table.get(username, None) user = user_store.UserStore.username_table.get(username, None)
if user and safe_str_cmp(user.secret.encode('utf-8'), secret.encode('utf-8')): if user and bcrypt.checkpw(password.encode("utf-8"), user.secret.encode("utf-8")):
return user return user
def post(self): def post(self):
@ -42,16 +41,15 @@ class Authenticate(flask_restful.Resource):
Example request: Example request:
{ {
"username": "my_user", "username": "my_user",
"password": "mypassword...." "password": "my_password"
} }
""" """
credentials = json.loads(request.data) credentials = json.loads(request.data)
# Unpack auth info from request # Unpack auth info from request
username = credentials["username"] username = credentials["username"]
password = credentials["password"] password = credentials["password"]
secret = sha3_512(password.encode("utf-8")).hexdigest()
# If the user and password have been previously registered # If the user and password have been previously registered
if self._authenticate(username, secret): if self._authenticate(username, password):
access_token = flask_jwt_extended.create_access_token( access_token = flask_jwt_extended.create_access_token(
identity=user_store.UserStore.username_table[username].id identity=user_store.UserStore.username_table[username].id
) )
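Review bot: `bcrypt.checkpw` in `_authenticate` raises `ValueError` when `user.secret` is not a well-formed bcrypt hash, and any user record stored before this change still holds a SHA3-512 hex digest, so a login attempt for such a user would surface as an unhandled exception from `post` rather than a 401; the commit contains no migration or re-hash step for existing records. Treating a malformed stored secret as a failed login, `try: ... except ValueError: return None` around the `checkpw` call, keeps the failure at the expected status, and a log line in that branch would make the stale-record case visible to operators. Separately, `checkpw` only runs when the username exists, so the response time for an unknown username is now much shorter than for a known one (bcrypt is deliberately slow), which presumably makes username enumeration by timing easier than with the old `safe_str_cmp` path; running a dummy `checkpw` against a fixed hash on the unknown-user branch evens this out. `post` continues past the end of the hunk.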