def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != password:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != password:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
# TODO: ex2.1
load_breaches(db) # Load here -> load each time
(plaintext_breaches, hashed_breaches,
salted_breaches) = get_breaches(db, username)
for breach in plaintext_breaches:
if breach.password == password:
response.status = 401
error = "Credential is already breached for {} and current password.".format(
username)
break
if not error:
for breach in hashed_breaches:
if breach.hashed_password == hash_sha256(password):
response.status = 401
error = "Credential is already breached for {} and current password.".format(
username)
break
if not error:
for breach in salted_breaches:
if breach.salted_password == hash_pbkdf2(
password, breach.salt):
response.status = 401
error = "Credential is already breached for {} and current password.".format(
username)
break
if not error and user is not None:
response.status = 401
error = "{} is already taken.".format(username)
if not error:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
############## My Code ############################################
else:
p,h,s = get_breaches(db, username)
for i in range(len(p)):
print(i)
if( password == p[i].password):
error = "User/Password Combo Found in Breach"
hp = hash_sha256(password)
for i in range(len(h)):
if(hp == h[i].hashed_password):
error = "User/Password Combo Found in Breach"
for i in range(len(s)):
sp = hash_pbkdf2(password, s[i].salt)
if(sp == s[i].salted_password):
error = "User/Password Combo Found in Breach"
###################### My Code #############################################
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(
db, username)
breached = False
for cred in plaintext_breaches:
if cred.password == password:
breached = True
for cred_h in hashed_breaches:
if cred_h.hashed_password == hash_sha256(password):
breached = True
for cred_s in salted_breaches:
if cred_s.salted_password == hash_pbkdf2(password, cred_s.salt):
breached = True
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
elif breached:
response.status = 401
error = "This username and password pair is breached!"
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
for param, val in request.forms.iteritems():
param_ht.insert(param, val)
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != password:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
user = create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
cbc = app.api.encr_decr.Encryption(encryption_key)
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", session.get_id())
# FINDME: admin bytes 0x00 (not admin) or 0x01 (admin) concatentated with plaintext password
admin_cookie_pt = app.api.encr_decr.format_plaintext(
int(user.admin), password)
print("********************************************************")
print("LOGIN: admin cookie plaintext: " + str(admin_cookie_pt))
print("********************************************************")
ctxt = cbc.encrypt(admin_cookie_pt)
response.set_cookie("admin", ctxt.hex())
return redirect("/profile/{}".format(username))
return template("login", login_error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(db, username)
breached = is_plaintext_breached(
password, plaintext_breaches) or is_hashed_breached(password, hashed_breaches) or is_salted_breached(password, salted_breaches)
salted = hash_pbkdf2(password,user.salt)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.salted_password != salted:
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
elif breached:
response.status = 401
error = "Password found in a data breach, please use another password."
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
else:
if not is_comprimised_accounts(db, username, password):
create_user(db, username, password)
else:
response.status = 401
error = "Attempted password for {} has been found in breached database .".format(
username)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_logout(db, session):
delete_session(db, session)
response.delete_cookie("session")
return redirect("/login")
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
elif user.password != hash_pbkdf2(password, user.salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
flag = 0
if (user is not None):
response.status = 401
error = "{} is already taken.".format(username)
else:
if get_breaches(db, username) != ([], [], []):
pb = load_breach(PLAINTEXT_BREACH_PATH)
hb = load_breach(HASHED_BREACH_PATH)
sb = load_breach(SALTED_BREACH_PATH)
hashed = hash_sha256(password)
(p, h, s) = get_breaches(db, username)
print(s)
if p != []:
x = [x for x in pb if username in x][0]
if pb[pb.index(x)][1] == password:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
elif h != []:
x = [x for x in hb if username in x][0]
if hb[hb.index(x)][1] == hashed:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
elif s != []:
x = [x for x in sb if username in x][0]
salted = hash_pbkdf2(password, sb[sb.index(x)][2])
if sb[sb.index(x)][1] == salted:
response.status = 401
error = "{}'s password is breached.".format(username)
flag = 1
if flag != 1:
create_user(db, username, password)
else:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
def do_login(db):
username = request.forms.get('username')
password = request.forms.get('password')
error = None
user = get_user(db, username)
print(user)
if (request.forms.get("login")):
if user is None:
response.status = 401
error = "{} is not registered.".format(username)
#for this elif statement, we change password to be the hashed/salted
#version of the plain text password. We do this by using the hash_pbkdf2
#function from hash.py using the plain text password and the
#random_salt assigned to the user. This allows us to throw an error
#if the hash of the password used to login does not match the hash of
#the password used to register.
elif user.password != hash_pbkdf2(password, user.random_salt):
response.status = 401
error = "Wrong password for {}.".format(username)
else:
pass # Successful login
elif (request.forms.get("register")):
if user is not None:
response.status = 401
error = "{} is already taken.".format(username)
#Within this block of code, we first load in the breaches. Then we have
#several if statements -- the first checks if the username trying to log
#in is in the plain text breach. If it is, it checks if the entered
#password matches the password in the breach -- if it does, it blocks
#the registration and throws an error. If it does not, no error is
#thrown and the next if statement is checked. The same process is
#repeated for the next two if statements (one for the hashed breach and
#one for the salted breach). All 3 of these if statements will be
#executed -- this accounts for cases where a username might be present
#in more than 1 of the breaches. If no errors are thrown, the username
#and password are approved/created.
#To test, we took a username from the plain text breach and tested it
#with the password from the breach -- it was rejected. When we tested
#with a random password, it was approved. We did the same for the
#hashed breach by converting one of the hashes into a plain text
#password -- same results. We also did the same thing for the salted
#breach, using the password we outputed in brute.py -- same results.
#This confirmed that our system catches dangerous pairs from all
#breaches.
else:
load_breaches(db)
breaches = get_breaches(db, username)
if len(breaches[0]) != 0:
if password == breaches[0][0].password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if len(breaches[1]) != 0:
pw_hash = hash_sha256(password)
if pw_hash == breaches[1][0].hashed_password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if len(breaches[2]) != 0:
pw_salt = hash_pbkdf2(password, breaches[2][0].salt)
if pw_salt == breaches[2][0].salted_password:
response.status = 401
error = "This is a dangerous username-password pair. Please choose a different password for {}".format(
username)
if error == None:
create_user(db, username, password)
else:
response.status = 400
error = "Submission error."
if error is None: # Perform login
existing_session = get_session_by_username(db, username)
if existing_session is not None:
delete_session(db, existing_session)
session = create_session(db, username)
response.set_cookie("session", str(session.get_id()))
return redirect("/{}".format(username))
return template("login", error=error)
