Add password hashing

The front-end now hashes passwords before sending them to the back-end. It uses SHA-512. This commit adds a hidden input which sends the password hash to not interfere with browsers' save password functionality. Also change passwords of the template configuration file for their hashed/digested versions.
2022-04-21 17:30:12 +02:00 · 2022-04-21 17:30:12 +02:00 · c7b0024d24
parent 1f9a3d3b41
commit c7b0024d24
5 changed files with 38 additions and 4 deletions
--- a/ogcp/cfg/ogcp.json
+++ b/ogcp/cfg/ogcp.json
@ -6,12 +6,12 @@
 	"USERS": [
 		{
 			"USER": "admin",
-			"PASS": "pass",
+			"PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 			"SCOPES": [ ]
 		},
 		{
 			"USER": "user",
-			"PASS": "pass",
+			"PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 			"SCOPES": [
 				"Unidad Organizativa (Default)"
 			]
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@ -21,6 +21,8 @@ class LoginForm(FlaskForm):
    )
    pwd = PasswordField(
        label=_l('Password'),
+    )
+    pwd_hash = HiddenField(
        validators=[InputRequired()]
    )
    submit_btn = SubmitField(
--- a/ogcp/static/js/ogcp.js
+++ b/ogcp/static/js/ogcp.js
@ -207,3 +207,27 @@ function RemovePartition(evt) {
        });
    });
 }
+
+async function digestMessage(msg) {
+    const msgUint8 = new TextEncoder().encode(msg);
+    const hashBuffer = await crypto.subtle.digest('SHA-512', msgUint8);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+    return hashHex;
+}
+
+function digestLoginPassword() {
+    const loginForm = $('#login-form')
+    loginForm.one('submit', async function (event) {
+        event.preventDefault()
+
+        const pwdInput = $('#pwd');
+        const pwdHashInput = $('#pwd_hash');
+        const pwdStr = pwdInput.val();
+        const pwdStrHash = await digestMessage(pwdStr);
+
+        pwdInput.prop( "disabled", true );
+        pwdHashInput.val(pwdStrHash);
+        $(this).submit()
+    });
+}
--- a/ogcp/templates/auth/login.html
+++ b/ogcp/templates/auth/login.html
@ -15,7 +15,8 @@
          {{ wtf.quick_form(form,
                            method='post',
                            form_type='basic',
-                            button_map={'submit_btn':'primary'}) }}
+                            button_map={'submit_btn':'primary'},
+                            id='login-form') }}
        </div>
        <!-- /.login-card-body -->
      </div>
@ -23,5 +24,12 @@
 <!-- /.login-box -->
 </div>

+<script>
+    document.addEventListener('readystatechange', () => {
+        if (document.readyState === 'complete') {
+            digestLoginPassword()
+        }
+    });
+</script>

 {% endblock %}
--- a/ogcp/views.py
+++ b/ogcp/views.py
@ -261,7 +261,7 @@ def login():
    form = LoginForm(request.form)
    if request.method == 'POST' and form.validate():
        form_user = request.form['user']
-        pwd = request.form['pwd']
+        pwd = request.form['pwd_hash']
        user_dict = authenticate_user(form_user, pwd)
        if not user_dict:
            return render_template('auth/login.html', form=form)