Add functionality to hash passwords on server side

2021-02-20 12:17:05 -08:00 · 2021-02-20 12:17:05 -08:00 · 9363cadb09
parent 7f06ec4034
commit 9363cadb09
3 changed files with 13 additions and 22 deletions
--- a/monkey/monkey_island/cc/environment/user_creds.py
+++ b/monkey/monkey_island/cc/environment/user_creds.py
@ -1,6 +1,7 @@
 from __future__ import annotations

 import json
+from hashlib import sha3_512
 from typing import Dict

 from monkey_island.cc.resources.auth.auth_user import User
@ -30,8 +31,8 @@ class UserCreds:
        creds = UserCreds()
        if "user" in data_dict:
            creds.username = data_dict["user"]
-        if "password_hash" in data_dict:
-            creds.password_hash = data_dict["password_hash"]
+        if "password" in data_dict:
+            creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()
        return creds

    @staticmethod
--- a/monkey/monkey_island/cc/resources/auth/auth.py
+++ b/monkey/monkey_island/cc/resources/auth/auth.py
@ -1,6 +1,7 @@
 import json
 import logging
 from functools import wraps
+from hashlib import sha3_512

 import flask_jwt_extended
 import flask_restful
@ -25,7 +26,7 @@ def init_jwt(app):

 class Authenticate(flask_restful.Resource):
    """
-    Resource for user authentication. The user provides the username and hashed password and we
+    Resource for user authentication. The user provides the username and password and we
    give them a JWT.
    See `AuthService.js` file for the frontend counterpart for this code.
    """
@ -33,7 +34,7 @@ class Authenticate(flask_restful.Resource):
    @staticmethod
    def _authenticate(username, secret):
        user = user_store.UserStore.username_table.get(username, None)
-        if user and safe_str_cmp(user.secret.encode("utf-8"), secret.encode("utf-8")):
+        if user and safe_str_cmp(user.secret, secret):
            return user

    def post(self):
@ -41,13 +42,14 @@ class Authenticate(flask_restful.Resource):
        Example request:
        {
            "username": "my_user",
-            "password": "343bb87e553b05430e5c44baf99569d4b66..."
+            "password": "mypassword...."
        }
        """
        credentials = json.loads(request.data)
        # Unpack auth info from request
        username = credentials["username"]
-        secret = credentials["password"]
+        password = credentials["password"]
+        secret = sha3_512(password.encode("utf-8")).hexdigest()
        # If the user and password have been previously registered
        if self._authenticate(username, secret):
            access_token = flask_jwt_extended.create_access_token(
--- a/monkey/monkey_island/cc/ui/src/services/AuthService.js
+++ b/monkey/monkey_island/cc/ui/src/services/AuthService.js
@ -2,17 +2,14 @@ import {SHA3} from 'sha3';
 import decode from 'jwt-decode';

 export default class AuthService {
-  // SHA3-512 of '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()'
-  NO_AUTH_CREDS =
-    '55e97c9dcfd22b8079189ddaeea9bce8125887e3237b800c6176c9afa80d2062' +
-    '8d2c8d0b1538d2208c1444ac66535b764a3d902b35e751df3faec1e477ed3557';
+  NO_AUTH_CREDS = 'loginwithoutpassword';

  SECONDS_BEFORE_JWT_EXPIRES = 20;
  AUTHENTICATION_API_ENDPOINT = '/api/auth';
  REGISTRATION_API_ENDPOINT = '/api/registration';

  login = (username, password) => {
-    return this._login(username, this.hashSha3(password));
+    return this._login(username, password);
  };

  authFetch = (url, options) => {
@ -25,12 +22,6 @@ export default class AuthService {
    }
  };

-  hashSha3(text) {
-    let hash = new SHA3(512);
-    hash.update(text);
-    return this._toHexStr(hash.digest());
-  }
-
  _login = (username, password) => {
    return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, {
      method: 'POST',
@ -52,7 +43,7 @@ export default class AuthService {

  register = (username, password) => {
    if (password !== '') {
-      return this._register(username, this.hashSha3(password));
+      return this._register(username, password);
    } else {
      return this._register(username, password);
    }
@ -63,7 +54,7 @@ export default class AuthService {
      method: 'POST',
      body: JSON.stringify({
        'user': username,
-        'password_hash': password
+        'password': password
      })
    }).then(res => {
      if (res.status === 200) {
@ -156,7 +147,4 @@ export default class AuthService {
    return localStorage.getItem('jwt')
  }

-  _toHexStr(byteArr) {
-    return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), '');
-  }
 }