Add functionality to hash passwords on server side
parent
7f06ec4034
commit
9363cadb09
@ -1,6 +1,7 @@
|
||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
import json
|
import json
|
||||||
|
from hashlib import sha3_512
|
||||||
from typing import Dict
|
from typing import Dict
|
||||||
|
|
||||||
from monkey_island.cc.resources.auth.auth_user import User
|
from monkey_island.cc.resources.auth.auth_user import User
|
||||||
|
@ -30,8 +31,8 @@ class UserCreds:
|
||||||
creds = UserCreds()
|
creds = UserCreds()
|
||||||
if "user" in data_dict:
|
if "user" in data_dict:
|
||||||
creds.username = data_dict["user"]
|
creds.username = data_dict["user"]
|
||||||
if "password_hash" in data_dict:
|
if "password" in data_dict:
|
||||||
creds.password_hash = data_dict["password_hash"]
|
creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()
|
||||||
return creds
|
return creds
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
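Review bot: The new line `creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()` stores an unsalted, single-pass SHA3-512 of the password, so two users with the same password get the same stored value and an offline guess costs one fast hash. Now that the plaintext reaches the server this is the natural place for a salted, slow KDF from the standard library (`hashlib.scrypt` or `hashlib.pbkdf2_hmac` with a per-user salt from `secrets.token_bytes`), which would also mean the stored record carries its salt and `Authenticate._authenticate` verifies rather than compares equal hex strings. The same digest is recomputed independently in `Authenticate.post` in the other Python file of this commit; routing both through one shared helper keeps the stored and presented forms from drifting. The enclosing method begins and ends outside this hunk.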
@ -1,6 +1,7 @@
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
from functools import wraps
|
from functools import wraps
|
||||||
|
from hashlib import sha3_512
|
||||||
|
|
||||||
import flask_jwt_extended
|
import flask_jwt_extended
|
||||||
import flask_restful
|
import flask_restful
|
||||||
|
@ -25,7 +26,7 @@ def init_jwt(app):
|
||||||
|
|
||||||
class Authenticate(flask_restful.Resource):
|
class Authenticate(flask_restful.Resource):
|
||||||
"""
|
"""
|
||||||
Resource for user authentication. The user provides the username and hashed password and we
|
Resource for user authentication. The user provides the username and password and we
|
||||||
give them a JWT.
|
give them a JWT.
|
||||||
See `AuthService.js` file for the frontend counterpart for this code.
|
See `AuthService.js` file for the frontend counterpart for this code.
|
||||||
"""
|
"""
|
||||||
|
@ -33,7 +34,7 @@ class Authenticate(flask_restful.Resource):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _authenticate(username, secret):
|
def _authenticate(username, secret):
|
||||||
user = user_store.UserStore.username_table.get(username, None)
|
user = user_store.UserStore.username_table.get(username, None)
|
||||||
if user and safe_str_cmp(user.secret.encode("utf-8"), secret.encode("utf-8")):
|
if user and safe_str_cmp(user.secret, secret):
|
||||||
return user
|
return user
|
||||||
|
|
||||||
def post(self):
|
def post(self):
|
||||||
|
@ -41,13 +42,14 @@ class Authenticate(flask_restful.Resource):
|
||||||
Example request:
|
Example request:
|
||||||
{
|
{
|
||||||
"username": "my_user",
|
"username": "my_user",
|
||||||
"password": "343bb87e553b05430e5c44baf99569d4b66..."
|
"password": "mypassword...."
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
credentials = json.loads(request.data)
|
credentials = json.loads(request.data)
|
||||||
# Unpack auth info from request
|
# Unpack auth info from request
|
||||||
username = credentials["username"]
|
username = credentials["username"]
|
||||||
secret = credentials["password"]
|
password = credentials["password"]
|
||||||
|
secret = sha3_512(password.encode("utf-8")).hexdigest()
|
||||||
# If the user and password have been previously registered
|
# If the user and password have been previously registered
|
||||||
if self._authenticate(username, secret):
|
if self._authenticate(username, secret):
|
||||||
access_token = flask_jwt_extended.create_access_token(
|
access_token = flask_jwt_extended.create_access_token(
|
||||||
|
|
|
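Review bot: `secret = sha3_512(password.encode("utf-8")).hexdigest()` in `post` duplicates the digest that `UserCreds` now computes from the registration payload; a single shared helper (for example `hash_password(password: str) -> str`) used by both sites would make it impossible for the two to disagree and would give one place to move to a salted, slow KDF later, since an unsalted fast hash gives no work factor against offline guessing. In `_authenticate`, dropping the `.encode("utf-8")` is harmless for two hex strings, but if `safe_str_cmp` here is Werkzeug's it has been removed from recent Werkzeug releases; the stdlib `hmac.compare_digest(user.secret, secret)` is the drop-in constant-time replacement. The request now carries the plaintext password instead of a digest, so the comparison's safety relies on the transport being TLS, which this hunk cannot show. `post` starts in the previous hunk and continues past this one.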
@ -2,17 +2,14 @@ import {SHA3} from 'sha3';
|
||||||
import decode from 'jwt-decode';
|
import decode from 'jwt-decode';
|
||||||
|
|
||||||
export default class AuthService {
|
export default class AuthService {
|
||||||
// SHA3-512 of '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()'
|
NO_AUTH_CREDS = 'loginwithoutpassword';
|
||||||
NO_AUTH_CREDS =
|
|
||||||
'55e97c9dcfd22b8079189ddaeea9bce8125887e3237b800c6176c9afa80d2062' +
|
|
||||||
'8d2c8d0b1538d2208c1444ac66535b764a3d902b35e751df3faec1e477ed3557';
|
|
||||||
|
|
||||||
SECONDS_BEFORE_JWT_EXPIRES = 20;
|
SECONDS_BEFORE_JWT_EXPIRES = 20;
|
||||||
AUTHENTICATION_API_ENDPOINT = '/api/auth';
|
AUTHENTICATION_API_ENDPOINT = '/api/auth';
|
||||||
REGISTRATION_API_ENDPOINT = '/api/registration';
|
REGISTRATION_API_ENDPOINT = '/api/registration';
|
||||||
|
|
||||||
login = (username, password) => {
|
login = (username, password) => {
|
||||||
return this._login(username, this.hashSha3(password));
|
return this._login(username, password);
|
||||||
};
|
};
|
||||||
|
|
||||||
authFetch = (url, options) => {
|
authFetch = (url, options) => {
|
||||||
|
@ -25,12 +22,6 @@ export default class AuthService {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
hashSha3(text) {
|
|
||||||
let hash = new SHA3(512);
|
|
||||||
hash.update(text);
|
|
||||||
return this._toHexStr(hash.digest());
|
|
||||||
}
|
|
||||||
|
|
||||||
_login = (username, password) => {
|
_login = (username, password) => {
|
||||||
return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, {
|
return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
|
@ -52,7 +43,7 @@ export default class AuthService {
|
||||||
|
|
||||||
register = (username, password) => {
|
register = (username, password) => {
|
||||||
if (password !== '') {
|
if (password !== '') {
|
||||||
return this._register(username, this.hashSha3(password));
|
return this._register(username, password);
|
||||||
} else {
|
} else {
|
||||||
return this._register(username, password);
|
return this._register(username, password);
|
||||||
}
|
}
|
||||||
|
@ -63,7 +54,7 @@ export default class AuthService {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
body: JSON.stringify({
|
body: JSON.stringify({
|
||||||
'user': username,
|
'user': username,
|
||||||
'password_hash': password
|
'password': password
|
||||||
})
|
})
|
||||||
}).then(res => {
|
}).then(res => {
|
||||||
if (res.status === 200) {
|
if (res.status === 200) {
|
||||||
|
@ -156,7 +147,4 @@ export default class AuthService {
|
||||||
return localStorage.getItem('jwt')
|
return localStorage.getItem('jwt')
|
||||||
}
|
}
|
||||||
|
|
||||||
_toHexStr(byteArr) {
|
|
||||||
return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), '');
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
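Review bot: In `register`, both branches of `if (password !== '')` now call `this._register(username, password)`, so the conditional is dead and the method can collapse to `return this._register(username, password);`. With `hashSha3` and `_toHexStr` removed, the `import {SHA3} from 'sha3';` line shown in the first hunk's context appears to have no remaining user in this file; if nothing else imports it, dropping the import (and the `sha3` dependency) shrinks the client bundle and its supply-chain surface. The sentinel `NO_AUTH_CREDS = 'loginwithoutpassword'` is now sent as a literal password rather than a digest, so a comment stating that the server recognises this exact string would help the next reader, e.g. `// Literal sentinel the island accepts for no-password logins; must match the server-side constant`.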