def test_password_hashing(self): correct = hash_password(self.correct) incorrect = hash_password(self.incorrect) self.assertFalse(check_password(self.incorrect, correct)) self.assertTrue(check_password(self.correct, correct)) self.assertFalse(check_password(self.correct, incorrect))
def POST_password(self, uid): user = db.select('users', what='password', where='id=$uid', vars=locals())[0] form = get_password_form(user) i = web.input() if form.validates(i): if ('curr_password' not in form) or auth.check_password(user, i.curr_password): enc_password = auth.encrypt_password(i.password) db.update('users', password=enc_password, verified=True, where='id=$uid', vars=locals()) helpers.set_msg('Password saved.') else: helpers.set_msg('Invalid Password', 'error') raise web.seeother('/%s' % uid) else: return self.GET(uid, password_form=form)
async def login_handler(request): data = util.validate_post_request(request, ['username', 'password']) user = request.app.session.query( model.User).filter_by(username=data['username']).first() # Mitigation of time-attack user = user if user else model.User('', '') if auth.check_password(data['password'], user.password, user.salt): token = await auth.issue_token( {'sub': user.username}, request.app.jwt_secret, exp_time=request.app.cfg.auth_token_timeout) return json({'token': token}) else: raise Unauthorized('Wrong username or password')
def POST_password(self, uid): user = db.select('users', what='password', where='id=$uid', vars=locals())[0] form = get_password_form(user) set_passwd_form = 'curr_password' not in [inp.name for inp in list(form.inputs)] i = web.input() if form.validates(i): if set_passwd_form or auth.check_password(user, i.curr_password): enc_password = auth.encrypt_password(i.password) db.update('users', password=enc_password, verified=True, where='id=$uid', vars=locals()) helpers.set_msg('Password %s.' % ('saved' if set_passwd_form else 'changed')) raise web.seeother('/%s/preferences' % uid) else: helpers.set_msg('Invalid Password', 'error') form.note = 'Current Password invalid.' form.valid = False return self.GET(uid, password_form=form)
def POST_password(self, uid): user = db.select("users", what="password", where="id=$uid", vars=locals())[0] form = get_password_form(user) set_passwd_form = "curr_password" not in [inp.name for inp in list(form.inputs)] i = web.input() if form.validates(i): if set_passwd_form or auth.check_password(user, i.curr_password): enc_password = auth.encrypt_password(i.password) db.update("users", password=enc_password, verified=True, where="id=$uid", vars=locals()) helpers.set_msg("Password %s." % ("saved" if set_passwd_form else "changed")) raise web.seeother("/%s/preferences" % uid) else: helpers.set_msg("Invalid Password", "error") form.note = "Current Password invalid." form.valid = False return self.GET(uid, password_form=form)
def _auth(self, req, resp): username = req.get_param('username') password = req.get_param('password') try: challenge = session.query(model.User).filter( model.User.email == username, model.User.enabled).first() if username and password and challenge and auth.check_password(password, challenge.password): req.context['result'] = auth.OAuth2Token(challenge.id).data else: req.context['result'] = {'error': Error.UNAUTHORIZED_CLIENT} resp.status = falcon.HTTP_400 except SQLAlchemyError: session.rollback() raise
def do_post(self): # log in user if self.session: # user already logged in self.response = Response(status=400) return try: credentials = self.request.body if not credentials['login'] or not credentials[ 'password']: # malformed credential payload self.response = Response(status=400) return except: # malformed credential payload self.response = Response(status=400) return if '@' in credentials['login']: # log in with email address lookup = self.tables['email'].get_item( hash_key=credentials['login']) else: # log in with username lookup = self.tables['username'].get_item( hash_key=credentials['login']) user = self.tables['user'].get_item(hash_key=lookup['user']) if not user: # no such user self.response = Response(status=400) return if not check_password(credentials['password'], user['password']): # incorrect password self.response = Response(status=401) return # create session session_id = generate_key() attrs = { 'timestamp': timestamp(), 'user': user['id'], 'email': user['email'], 'username': user['username'] } session = self.tables['session'].new_item(hash_key=session_id, attrs=attrs) session.put() # return session id self.response = Response(status=200, headers={'Set-Cookie': cookie(session_id)})
def update_user(user): old_user = get_user(user.id) if not auth.check_password(old_user, user.password_clear): raise Unauthorized("Users password does not match!") password_hash = old_user.pwd_salty_hash if not user.newPassword is None: password_hash = auth.get_hashed_password( user.newPassword.encode('utf-8')) with sql.connect(current_app.config['SQL_FILE']) as connection: cur = connection.cursor() val = (user.name, user.privilege, password_hash, user.id) cur.execute( '''UPDATE User SET name=?, privilege=?, password=? WHERE id=?''', val) connection.close()
def post(self): json_data = request.get_json(force=True) if 'name' not in json_data: LOGGER.info('Access denied: No username given.') return _make_jsonapi_error( "Username missing.", "A username is needed to successfuly log in", 1001), 400 elif 'password' not in json_data: LOGGER.info('Access denied: No password given.') return _make_jsonapi_error( "Password missing.", "A password is needed to successfuly log in", 1002), 400 try: user_name = json_data['name'] password = json_data['password'] if not auth.check_password( auth.model.get_user_with_name(user_name), password): LOGGER.info('Access denied: wrong password.') return _make_jsonapi_error( "Wrong username or password", "The given username password combination does not match.", 1003), 400 except LookupError: LOGGER.info('Access denied: User not found. {}'.format(user_name)) return _make_jsonapi_error( "Wrong username or password", "The given username password combination does not match.", 1003), 400 except Exception as e: LOGGER.error('Access denied: unknown error: {}'.format(e)) return _make_jsonapi_error( "Unkown error occoured", "There was an error which could not be classified.", 1004), 500 LOGGER.info('User {0} logged in.'.format(json_data['name'])) token = auth.create_token( auth.model.get_user_with_name(json_data['name'])) body_json = {'token': token} return body_json, 200
def on_post(self, req, resp): user = req.context['user'] if not user.is_logged_in(): resp.status = falcon.HTTP_400 return try: user = session.query(model.User).get(user.id) except SQLAlchemyError: session.rollback() raise data = json.loads(req.stream.read().decode('utf-8')) if not auth.check_password(data['old_password'], user.password): resp.status = falcon.HTTP_401 req.context['result'] = {'result': 'error'} return if data['new_password'] != data['new_password2']: req.context['result'] = {'result': 'error'} return user.password = auth.get_hashed_password(data['new_password']) try: session.add(user) session.commit() except SQLAlchemyError: session.rollback() raise finally: session.close() req.context['result'] = {'result': 'ok'}
def do_post(self): # log in user if self.session: # user already logged in self.response = Response(status=400) return try: credentials = self.request.body if not credentials['login'] or not credentials['password']: # malformed credential payload self.response = Response(status=400) return except: # malformed credential payload self.response = Response(status=400) return if '@' in credentials['login']: # log in with email address lookup = self.tables['email'].get_item(hash_key=credentials['login']) else: # log in with username lookup = self.tables['username'].get_item(hash_key=credentials['login']) user = self.tables['user'].get_item(hash_key=lookup['user']) if not user: # no such user self.response = Response(status=400) return if not check_password(credentials['password'], user['password']): # incorrect password self.response = Response(status=401) return # create session session_id = generate_key() attrs = { 'timestamp': timestamp(), 'user': user['id'], 'email': user['email'], 'username': user['username'] } session = self.tables['session'].new_item(hash_key=session_id, attrs=attrs) session.put() # return session id self.response = Response(status=200, headers={'Set-Cookie': cookie(session_id) })
def on_post(self, req, resp): user = req.context['user'] if not user.is_logged_in(): resp.status = falcon.HTTP_400 return try: user = session.query(model.User).get(user.id) except SQLAlchemyError: session.rollback() raise data = json.loads(req.stream.read()) if not auth.check_password(data['old_password'], user.password): resp.status = falcon.HTTP_401 req.context['result'] = { 'result': 'error' } return if data['new_password'] != data['new_password2']: req.context['result'] = { 'result': 'error' } return user.password = auth.get_hashed_password(data['new_password']) try: session.add(user) session.commit() except SQLAlchemyError: session.rollback() raise finally: session.close() req.context['result'] = { 'result': 'ok' }
def check_password(self, password): return auth.check_password(password, self.password)
def check_password(self): auth.authenticate(self.username.data, self.password.data) return auth.check_password()