From 9363cadb095a769c70fa75d791ddd1f3743b2da5 Mon Sep 17 00:00:00 2001
From: PrajwalM2212 <prajwalmmath@gmail.com>
Date: Sat, 20 Feb 2021 12:17:05 -0800
Subject: [PATCH] Add functionality to hash passwords on server side

---
 .../cc/environment/user_creds.py              |  5 +++--
 .../monkey_island/cc/resources/auth/auth.py   | 10 ++++++----
 .../cc/ui/src/services/AuthService.js         | 20 ++++---------------
 3 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/monkey/monkey_island/cc/environment/user_creds.py b/monkey/monkey_island/cc/environment/user_creds.py
index 98a23a14a..a5c905f70 100644
--- a/monkey/monkey_island/cc/environment/user_creds.py
+++ b/monkey/monkey_island/cc/environment/user_creds.py
@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import json
+from hashlib import sha3_512
 from typing import Dict
 
 from monkey_island.cc.resources.auth.auth_user import User
@@ -30,8 +31,8 @@ class UserCreds:
         creds = UserCreds()
         if "user" in data_dict:
             creds.username = data_dict["user"]
-        if "password_hash" in data_dict:
-            creds.password_hash = data_dict["password_hash"]
+        if "password" in data_dict:
+            creds.password_hash = sha3_512(data_dict["password"].encode("utf-8")).hexdigest()
         return creds
 
     @staticmethod
diff --git a/monkey/monkey_island/cc/resources/auth/auth.py b/monkey/monkey_island/cc/resources/auth/auth.py
index 29d2d9e89..597c73d60 100644
--- a/monkey/monkey_island/cc/resources/auth/auth.py
+++ b/monkey/monkey_island/cc/resources/auth/auth.py
@@ -1,6 +1,7 @@
 import json
 import logging
 from functools import wraps
+from hashlib import sha3_512
 
 import flask_jwt_extended
 import flask_restful
@@ -25,7 +26,7 @@ def init_jwt(app):
 
 class Authenticate(flask_restful.Resource):
     """
-    Resource for user authentication. The user provides the username and hashed password and we
+    Resource for user authentication. The user provides the username and password and we
     give them a JWT.
     See `AuthService.js` file for the frontend counterpart for this code.
     """
@@ -33,7 +34,7 @@ class Authenticate(flask_restful.Resource):
     @staticmethod
     def _authenticate(username, secret):
         user = user_store.UserStore.username_table.get(username, None)
-        if user and safe_str_cmp(user.secret.encode("utf-8"), secret.encode("utf-8")):
+        if user and safe_str_cmp(user.secret, secret):
             return user
 
     def post(self):
@@ -41,13 +42,14 @@ class Authenticate(flask_restful.Resource):
         Example request:
         {
             "username": "my_user",
-            "password": "343bb87e553b05430e5c44baf99569d4b66..."
+            "password": "mypassword...."
         }
         """
         credentials = json.loads(request.data)
         # Unpack auth info from request
         username = credentials["username"]
-        secret = credentials["password"]
+        password = credentials["password"]
+        secret = sha3_512(password.encode("utf-8")).hexdigest()
         # If the user and password have been previously registered
         if self._authenticate(username, secret):
             access_token = flask_jwt_extended.create_access_token(
diff --git a/monkey/monkey_island/cc/ui/src/services/AuthService.js b/monkey/monkey_island/cc/ui/src/services/AuthService.js
index 52658f5a9..27a8100bd 100644
--- a/monkey/monkey_island/cc/ui/src/services/AuthService.js
+++ b/monkey/monkey_island/cc/ui/src/services/AuthService.js
@@ -2,17 +2,14 @@ import {SHA3} from 'sha3';
 import decode from 'jwt-decode';
 
 export default class AuthService {
-  // SHA3-512 of '1234567890!@#$%^&*()_nothing_up_my_sleeve_1234567890!@#$%^&*()'
-  NO_AUTH_CREDS =
-    '55e97c9dcfd22b8079189ddaeea9bce8125887e3237b800c6176c9afa80d2062' +
-    '8d2c8d0b1538d2208c1444ac66535b764a3d902b35e751df3faec1e477ed3557';
+  NO_AUTH_CREDS = 'loginwithoutpassword';
 
   SECONDS_BEFORE_JWT_EXPIRES = 20;
   AUTHENTICATION_API_ENDPOINT = '/api/auth';
   REGISTRATION_API_ENDPOINT = '/api/registration';
 
   login = (username, password) => {
-    return this._login(username, this.hashSha3(password));
+    return this._login(username, password);
   };
 
   authFetch = (url, options) => {
@@ -25,12 +22,6 @@ export default class AuthService {
     }
   };
 
-  hashSha3(text) {
-    let hash = new SHA3(512);
-    hash.update(text);
-    return this._toHexStr(hash.digest());
-  }
-
   _login = (username, password) => {
     return this._authFetch(this.AUTHENTICATION_API_ENDPOINT, {
       method: 'POST',
@@ -52,7 +43,7 @@ export default class AuthService {
 
   register = (username, password) => {
     if (password !== '') {
-      return this._register(username, this.hashSha3(password));
+      return this._register(username, password);
     } else {
       return this._register(username, password);
     }
@@ -63,7 +54,7 @@ export default class AuthService {
       method: 'POST',
       body: JSON.stringify({
         'user': username,
-        'password_hash': password
+        'password': password
       })
     }).then(res => {
       if (res.status === 200) {
@@ -156,7 +147,4 @@ export default class AuthService {
     return localStorage.getItem('jwt')
   }
 
-  _toHexStr(byteArr) {
-    return byteArr.reduce((acc, x) => (acc + ('0' + x.toString(0x10)).slice(-2)), '');
-  }
 }