def test_password_hashing(self):
correct = hash_password(self.correct)
incorrect = hash_password(self.incorrect)
self.assertFalse(check_password(self.incorrect, correct))
self.assertTrue(check_password(self.correct, correct))
self.assertFalse(check_password(self.correct, incorrect))
def POST_password(self, uid):
user = db.select('users', what='password', where='id=$uid', vars=locals())[0]
form = get_password_form(user)
i = web.input()
if form.validates(i):
if ('curr_password' not in form) or auth.check_password(user, i.curr_password):
enc_password = auth.encrypt_password(i.password)
db.update('users', password=enc_password, verified=True, where='id=$uid', vars=locals())
helpers.set_msg('Password saved.')
else:
helpers.set_msg('Invalid Password', 'error')
raise web.seeother('/%s' % uid)
else:
return self.GET(uid, password_form=form)
async def login_handler(request):
data = util.validate_post_request(request, ['username', 'password'])
user = request.app.session.query(
model.User).filter_by(username=data['username']).first()
# Mitigation of time-attack
user = user if user else model.User('', '')
if auth.check_password(data['password'], user.password, user.salt):
token = await auth.issue_token(
{'sub': user.username},
request.app.jwt_secret,
exp_time=request.app.cfg.auth_token_timeout)
return json({'token': token})
else:
raise Unauthorized('Wrong username or password')
def POST_password(self, uid):
user = db.select('users', what='password', where='id=$uid', vars=locals())[0]
form = get_password_form(user)
set_passwd_form = 'curr_password' not in [inp.name for inp in list(form.inputs)]
i = web.input()
if form.validates(i):
if set_passwd_form or auth.check_password(user, i.curr_password):
enc_password = auth.encrypt_password(i.password)
db.update('users', password=enc_password, verified=True, where='id=$uid', vars=locals())
helpers.set_msg('Password %s.' % ('saved' if set_passwd_form else 'changed'))
raise web.seeother('/%s/preferences' % uid)
else:
helpers.set_msg('Invalid Password', 'error')
form.note = 'Current Password invalid.'
form.valid = False
return self.GET(uid, password_form=form)
def POST_password(self, uid):
user = db.select("users", what="password", where="id=$uid", vars=locals())[0]
form = get_password_form(user)
set_passwd_form = "curr_password" not in [inp.name for inp in list(form.inputs)]
i = web.input()
if form.validates(i):
if set_passwd_form or auth.check_password(user, i.curr_password):
enc_password = auth.encrypt_password(i.password)
db.update("users", password=enc_password, verified=True, where="id=$uid", vars=locals())
helpers.set_msg("Password %s." % ("saved" if set_passwd_form else "changed"))
raise web.seeother("/%s/preferences" % uid)
else:
helpers.set_msg("Invalid Password", "error")
form.note = "Current Password invalid."
form.valid = False
return self.GET(uid, password_form=form)
def _auth(self, req, resp):
username = req.get_param('username')
password = req.get_param('password')
try:
challenge = session.query(model.User).filter(
model.User.email == username, model.User.enabled).first()
if username and password and challenge and auth.check_password(password, challenge.password):
req.context['result'] = auth.OAuth2Token(challenge.id).data
else:
req.context['result'] = {'error': Error.UNAUTHORIZED_CLIENT}
resp.status = falcon.HTTP_400
except SQLAlchemyError:
session.rollback()
raise
def do_post(self): # log in user
if self.session: # user already logged in
self.response = Response(status=400)
return
try:
credentials = self.request.body
if not credentials['login'] or not credentials[
'password']: # malformed credential payload
self.response = Response(status=400)
return
except: # malformed credential payload
self.response = Response(status=400)
return
if '@' in credentials['login']: # log in with email address
lookup = self.tables['email'].get_item(
hash_key=credentials['login'])
else: # log in with username
lookup = self.tables['username'].get_item(
hash_key=credentials['login'])
user = self.tables['user'].get_item(hash_key=lookup['user'])
if not user: # no such user
self.response = Response(status=400)
return
if not check_password(credentials['password'],
user['password']): # incorrect password
self.response = Response(status=401)
return
# create session
session_id = generate_key()
attrs = {
'timestamp': timestamp(),
'user': user['id'],
'email': user['email'],
'username': user['username']
}
session = self.tables['session'].new_item(hash_key=session_id,
attrs=attrs)
session.put()
# return session id
self.response = Response(status=200,
headers={'Set-Cookie': cookie(session_id)})
def update_user(user):
old_user = get_user(user.id)
if not auth.check_password(old_user, user.password_clear):
raise Unauthorized("Users password does not match!")
password_hash = old_user.pwd_salty_hash
if not user.newPassword is None:
password_hash = auth.get_hashed_password(
user.newPassword.encode('utf-8'))
with sql.connect(current_app.config['SQL_FILE']) as connection:
cur = connection.cursor()
val = (user.name, user.privilege, password_hash, user.id)
cur.execute(
'''UPDATE User
SET name=?, privilege=?, password=?
WHERE id=?''', val)
connection.close()
def post(self):
json_data = request.get_json(force=True)
if 'name' not in json_data:
LOGGER.info('Access denied: No username given.')
return _make_jsonapi_error(
"Username missing.",
"A username is needed to successfuly log in", 1001), 400
elif 'password' not in json_data:
LOGGER.info('Access denied: No password given.')
return _make_jsonapi_error(
"Password missing.",
"A password is needed to successfuly log in", 1002), 400
try:
user_name = json_data['name']
password = json_data['password']
if not auth.check_password(
auth.model.get_user_with_name(user_name), password):
LOGGER.info('Access denied: wrong password.')
return _make_jsonapi_error(
"Wrong username or password",
"The given username password combination does not match.",
1003), 400
except LookupError:
LOGGER.info('Access denied: User not found. {}'.format(user_name))
return _make_jsonapi_error(
"Wrong username or password",
"The given username password combination does not match.",
1003), 400
except Exception as e:
LOGGER.error('Access denied: unknown error: {}'.format(e))
return _make_jsonapi_error(
"Unkown error occoured",
"There was an error which could not be classified.", 1004), 500
LOGGER.info('User {0} logged in.'.format(json_data['name']))
token = auth.create_token(
auth.model.get_user_with_name(json_data['name']))
body_json = {'token': token}
return body_json, 200
def on_post(self, req, resp):
user = req.context['user']
if not user.is_logged_in():
resp.status = falcon.HTTP_400
return
try:
user = session.query(model.User).get(user.id)
except SQLAlchemyError:
session.rollback()
raise
data = json.loads(req.stream.read().decode('utf-8'))
if not auth.check_password(data['old_password'], user.password):
resp.status = falcon.HTTP_401
req.context['result'] = {'result': 'error'}
return
if data['new_password'] != data['new_password2']:
req.context['result'] = {'result': 'error'}
return
user.password = auth.get_hashed_password(data['new_password'])
try:
session.add(user)
session.commit()
except SQLAlchemyError:
session.rollback()
raise
finally:
session.close()
req.context['result'] = {'result': 'ok'}
def do_post(self): # log in user
if self.session: # user already logged in
self.response = Response(status=400)
return
try:
credentials = self.request.body
if not credentials['login'] or not credentials['password']: # malformed credential payload
self.response = Response(status=400)
return
except: # malformed credential payload
self.response = Response(status=400)
return
if '@' in credentials['login']: # log in with email address
lookup = self.tables['email'].get_item(hash_key=credentials['login'])
else: # log in with username
lookup = self.tables['username'].get_item(hash_key=credentials['login'])
user = self.tables['user'].get_item(hash_key=lookup['user'])
if not user: # no such user
self.response = Response(status=400)
return
if not check_password(credentials['password'], user['password']): # incorrect password
self.response = Response(status=401)
return
# create session
session_id = generate_key()
attrs = { 'timestamp': timestamp(), 'user': user['id'], 'email': user['email'], 'username': user['username'] }
session = self.tables['session'].new_item(hash_key=session_id, attrs=attrs)
session.put()
# return session id
self.response = Response(status=200, headers={'Set-Cookie': cookie(session_id) })
def on_post(self, req, resp):
user = req.context['user']
if not user.is_logged_in():
resp.status = falcon.HTTP_400
return
try:
user = session.query(model.User).get(user.id)
except SQLAlchemyError:
session.rollback()
raise
data = json.loads(req.stream.read())
if not auth.check_password(data['old_password'], user.password):
resp.status = falcon.HTTP_401
req.context['result'] = { 'result': 'error' }
return
if data['new_password'] != data['new_password2']:
req.context['result'] = { 'result': 'error' }
return
user.password = auth.get_hashed_password(data['new_password'])
try:
session.add(user)
session.commit()
except SQLAlchemyError:
session.rollback()
raise
finally:
session.close()
req.context['result'] = { 'result': 'ok' }
def check_password(self, password):
return auth.check_password(password, self.password)
def check_password(self, password):
return auth.check_password(password, self.password)
def check_password(self):
auth.authenticate(self.username.data, self.password.data)
return auth.check_password()
