Move password hashing to the backend

This patch moves login password hashing from the frontend/javascript to the backend/flask. This patch moves password hashing of login and user management forms. Related commits: * c7b0024 ("Add password hashing") * 661254b ("Add 'Add user' to Users section")
2022-06-28 12:31:59 +02:00 · 2022-06-28 12:31:59 +02:00 · 61bd6bc4ba
parent 06bcbe40a3
commit 61bd6bc4ba
5 changed files with 19 additions and 77 deletions
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@ -21,8 +21,6 @@ class LoginForm(FlaskForm):
    )
    pwd = PasswordField(
        label=_l('Password'),
-    )
-    pwd_hash = HiddenField(
        validators=[InputRequired()]
    )
    submit_btn = SubmitField(
@ -37,15 +35,11 @@ class UserForm(FlaskForm):
    )
    pwd = PasswordField(
        label=_l('Password'),
-    )
-    pwd_hash = HiddenField(
-        validators=[InputRequired()]
+        validators=[InputRequired()],
    )
    pwd_confirm = PasswordField(
        label=_l('Repeat password'),
-    )
-    pwd_hash_confirm = HiddenField(
-        validators=[InputRequired()]
+        validators=[InputRequired()],
    )
    admin = BooleanField(
        label=_l('Administrator'),
--- a/ogcp/static/js/ogcp.js
+++ b/ogcp/static/js/ogcp.js
@ -242,48 +242,3 @@ function RemovePartition(evt) {
    });
 }

-async function digestMessage(msg) {
-    const msgUint8 = new TextEncoder().encode(msg);
-    const hashBuffer = await crypto.subtle.digest('SHA-512', msgUint8);
-    const hashArray = Array.from(new Uint8Array(hashBuffer));
-    const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
-    return hashHex;
-}
-
-function digestLoginPassword() {
-    const loginForm = $('#login-form')
-    loginForm.one('submit', async function (event) {
-        event.preventDefault()
-
-        const pwdInput = $('#pwd');
-        const pwdHashInput = $('#pwd_hash');
-        const pwdStr = pwdInput.val();
-        const pwdStrHash = await digestMessage(pwdStr);
-
-        pwdInput.prop( "disabled", true );
-        pwdHashInput.val(pwdStrHash);
-        $(this).submit()
-    });
-}
-
-function digestUserFormPassword() {
-    const loginForm = $('#user-form')
-    loginForm.one('submit', async function (event) {
-        event.preventDefault()
-
-        const pwdInput = $('#pwd');
-        const pwdHashInput = $('#pwd_hash');
-        const pwdStr = pwdInput.val();
-        const pwdStrHash = await digestMessage(pwdStr);
-
-        const pwdConfirmInput = $('#pwd_confirm');
-        const pwdHashConfirmInput = $('#pwd_hash_confirm');
-        const pwdConfirmStr = pwdConfirmInput.val();
-        const pwdConfirmStrHash = await digestMessage(pwdConfirmStr);
-
-        pwdInput.prop( "disabled", true );
-        pwdHashInput.val(pwdStrHash);
-        pwdHashConfirmInput.val(pwdConfirmStrHash);
-        $(this).submit()
-    });
-}
--- a/ogcp/templates/auth/add_user.html
+++ b/ogcp/templates/auth/add_user.html
@ -12,15 +12,6 @@
 {{ wtf.quick_form(form,
                  action=url_for('user_add_post'),
                  method='post',
-                  button_map={'submit_btn':'primary'},
-                  id='user-form') }}
-
-<script>
-    document.addEventListener('readystatechange', () => {
-        if (document.readyState === 'complete') {
-            digestUserFormPassword()
-        }
-    });
-</script>
+                  button_map={'submit_btn':'primary'}) }}

 {% endblock %}
--- a/ogcp/templates/auth/login.html
+++ b/ogcp/templates/auth/login.html
@ -15,8 +15,7 @@
          {{ wtf.quick_form(form,
                            method='post',
                            form_type='basic',
-                            button_map={'submit_btn':'primary'},
-                            id='login-form') }}
+                            button_map={'submit_btn':'primary'}) }}
        </div>
        <!-- /.login-card-body -->
      </div>
@ -24,12 +23,4 @@
 <!-- /.login-box -->
 </div>

-<script>
-    document.addEventListener('readystatechange', () => {
-        if (document.readyState === 'complete') {
-            digestLoginPassword()
-        }
-    });
-</script>
-
 {% endblock %}
--- a/ogcp/views.py
+++ b/ogcp/views.py
@ -30,6 +30,7 @@ from flask_babel import _
 from ogcp import app
 import requests
 import datetime
+import hashlib
 import json
 import os
 import re
@ -187,6 +188,15 @@ def get_scopes(ips=set()):

    return scopes, clients

+
+def hash_password(pwd):
+    sha = hashlib.sha512()
+    sha.update(pwd.encode())
+    pwd_hash = sha.hexdigest()
+
+    return pwd_hash
+
+
 def authenticate_user(username, pwd):
    for user in app.config['USERS']:
        if user.get("USER") == username:
@ -280,8 +290,9 @@ def login():
    form = LoginForm(request.form)
    if request.method == 'POST' and form.validate():
        form_user = request.form['user']
-        pwd = request.form['pwd_hash']
-        user_dict = authenticate_user(form_user, pwd)
+        pwd = request.form['pwd']
+        pwd_hash = hash_password(pwd)
+        user_dict = authenticate_user(form_user, pwd_hash)
        if not user_dict:
            return render_template('auth/login.html', form=form)
        user = User(form_user, user_dict.get('SCOPES'), user_dict.get('ADMIN'))
@ -1245,8 +1256,8 @@ def get_available_scopes():
 def save_user(form):
    username = form.username.data

-    pwd_hash = form.pwd_hash.data
-    pwd_hash_confirm = form.pwd_hash_confirm.data
+    pwd_hash = hash_password(form.pwd.data)
+    pwd_hash_confirm = hash_password(form.pwd_confirm.data)
    if not pwd_hash == pwd_hash_confirm:
        flash(_('Passwords do not match'), category='error')
        return redirect(url_for('users'))