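def _digests_match(observed, expected):
    """Compare two password digests in constant time.

    Replaces the ``!=`` in ``authenticate``: a plain string compare bails out
    at the first differing character, so its latency leaks how much of the
    digest matched.  ``hmac.compare_digest`` refuses to mix text with bytes
    (``!=`` tolerated that, e.g. a ``str`` digest against a ``unicode`` column
    on Python 2), so operands of different types are first coerced with
    ``str()`` -- the same coercion ``authenticate`` applies to the form fields.
    """
    if type(observed) is not type(expected):
        observed, expected = str(observed), str(expected)
    try:
        from hmac import compare_digest
    except ImportError:
        # Python < 2.7.7 has no constant-time primitive; accumulate the XOR of
        # every character so the loop never exits early.
        if len(observed) != len(expected):
            return False
        mismatch = 0
        for left, right in zip(observed, expected):
            mismatch |= ord(left) ^ ord(right)
        return mismatch == 0
    return compare_digest(observed, expected)


def authenticate(request):
    """Log a user in with the ``username``/``password`` fields of ``request.POST``.

    On success a fresh ``Tokena`` row (random value from ``rand256hex()``,
    ``active=True``, bound to the matching ``Person``) is saved and its value
    is handed to the client as the HttpOnly ``tokena`` cookie on a 200
    response.  Every credential failure -- missing field, malformed username,
    unknown login, wrong password -- is a 403 ``HttpResponseForbidden``; a
    duplicated login in the ``Person`` table is a 500.

    Enumeration hardening (this is the old "timing attack" TODO): the password
    hash is computed even when the login is unknown, and the digest comparison
    is constant-time, so the hashing cost is paid on both paths instead of
    only for existing usernames.
    """
    badluck = HttpResponseForbidden("wrong username/password")
    try:
        username = str(request.POST["username"])
        password = str(request.POST["password"])
    except KeyError:
        # A missing field used to escape as a 500; it is a client error.
        return HttpResponseForbidden("username and password are required")
    # Spelled out rather than \w so the accepted set matches the message on
    # both Python 2 and 3 (\w is Unicode-aware on 3), and \Z rather than $
    # so a trailing newline cannot slip past the check.
    if not re.match(r"^[A-Za-z0-9_]{3,16}\Z", username):
        return HttpResponseForbidden("username needs to have between 3-16 alphanumeric or underscore characters")

    bylogin = Person.objects.filter(login=username)
    if len(bylogin) > 1:
        # Integrity fault, not a credential error.  NOTE(review): the distinct
        # status code still tells a caller that the login exists; tolerable
        # only because a duplicate login should be impossible (unique index?).
        return HttpResponseServerError("couldn't authenticate the user, username ambiguous.")
    if not bylogin:
        # Burn the same hashing cost as the known-user path before rejecting,
        # otherwise the fast 403 reveals that the username does not exist.
        # NOTE(review): the dummy salt should mirror the format/length of
        # Person.salt so hmachash does comparable work -- TODO confirm.
        hmachash(password, "0" * 32)
        return badluck

    userrecord = bylogin[0]
    observed = hmachash(password, userrecord.salt)
    if not _digests_match(observed, userrecord.hashedPassword):
        return badluck

    randombytes = rand256hex()
    token = Tokena(value=randombytes, active=True, belongs_to=userrecord,
                   created=datetime.datetime.utcnow())
    token.save()
    response = HttpResponse(status=200)
    # HttpOnly keeps the token away from page scripts; Secure is set whenever
    # this request arrived over TLS, so on an HTTPS deployment the browser
    # never echoes the token back over plaintext.  NOTE(review): add
    # samesite=... once the Django version in use supports it.
    response.set_cookie("tokena", value=randombytes, httponly=True,
                        secure=request.is_secure())
    return response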
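def magic(request):
    """Seed a fixture ``Person`` with one active and one inactive ``Tokena``.

    Development helper: any request to this view inserts the rows below and
    answers the plain-text body "nice".  NOTE(review): it performs no
    authentication and the active token it stores has a fixed, well-known
    value, so while this view is routed anyone who can reach its URL creates
    an active credential.  Keep it out of every deployed URLconf (or gate it
    on DEBUG); the ``******`` values look like redactions in this listing and
    must not ship as real credentials.
    """
    p1 = Person(login="******", hashedPassword="******")
    p1.save()
    now = datetime.datetime.utcnow()
    k1 = Tokena(value="please come in", active=True, belongs_to=p1, created=now)
    k1.save()
    k2 = Tokena(value="you're not welcome", active=False, belongs_to=p1, created=now)
    k2.save()
    # Function-call form prints the same thing on Python 2 and is valid on 3;
    # the old statement form was a syntax error on 3.
    print(k1)
    print(k2)
    # The original passed RequestContext(request) as HttpResponse's second
    # positional argument, which is the content type (mimetype), not a
    # template context; a static plain-text body needs neither.
    return HttpResponse("nice")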