Commit 787c7175 authored by okhin's avatar okhin 🚴

Hash passwords before checking them against the database

parent 5d4f5c57
...@@ -12,6 +12,7 @@ import configparser ...@@ -12,6 +12,7 @@ import configparser
import argparse import argparse
import os.path import os.path
import sys import sys
import hashlib
from operator import itemgetter from operator import itemgetter
import jwt import jwt
...@@ -107,7 +108,7 @@ def authenticated(f): ...@@ -107,7 +108,7 @@ def authenticated(f):
assert len(results) == 1 assert len(results) == 1
token = results[0][0] token = results[0][0]
auth_token = jwt.decode(request.params['token'], token) auth_token = jwt.decode(request.params['token'], token)
assert auth_token['api'] == request.params['api'] assert hashlib.sha256(auth_token['api'].encode()).hexdigest() == request.params['api']
for key in auth_token: for key in auth_token:
request.params[key] = auth_token[key] request.params[key] = auth_token[key]
except (jwt.exceptions.InvalidTokenError, AssertionError) as e: except (jwt.exceptions.InvalidTokenError, AssertionError) as e:
...@@ -495,7 +496,7 @@ def login_admin(user, password): ...@@ -495,7 +496,7 @@ def login_admin(user, password):
if user is None: if user is None:
# user does not exist # user does not exist
return False return False
if password != user[1]: if hashlib.sha256(password.encode()).hexdigest() != user[1]:
# password does not match # password does not match
return False return False
if user[2] == 0: if user[2] == 0:
...@@ -519,7 +520,7 @@ def little_admin(): ...@@ -519,7 +520,7 @@ def little_admin():
def medium_admin(): def medium_admin():
db = sqlite3.connect(config['piphone']['db']) db = sqlite3.connect(config['piphone']['db'])
api = request.forms.get('api') api = request.forms.get('api')
token = request.forms.get('api_token') token = hashlib.sha256(request.forms.get('api_token').encode()).hexdigest()
admin = request.forms.get('admin') admin = request.forms.get('admin')
action = request.forms.get('action') action = request.forms.get('action')
pattern = request.forms.get('pattern') pattern = request.forms.get('pattern')
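Review bot: The password check in `login_admin` (`if hashlib.sha256(password.encode()).hexdigest() != user[1]:`) stores and compares a single unsalted, fast SHA-256 digest, which protects the column only marginally better than plaintext: a database dump can be attacked offline at GPU speed with precomputed tables, and two users with the same password share one digest. A password-appropriate scheme needs a per-user random salt and a work factor, e.g. `hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 200_000)` with the salt stored next to the digest (a schema change, so whatever creates admin rows outside this hunk would have to write salted entries too); plain SHA-256 is acceptable for the API tokens in the other two hunks only if those are high-entropy random secrets rather than user-chosen values. Whichever digest is used, compare it with `hmac.compare_digest(expected, user[1])` (after `import hmac`) instead of `!=`/`==` so the comparison time does not depend on how many leading bytes match. Separately, `hashlib.sha256(request.forms.get('api_token').encode())` in `medium_admin` raises `AttributeError` when the form lacks `api_token`, where the old line merely assigned `None`; `request.forms.get('api_token', '')` avoids the 500. `login_admin`'s signature and the rest of its body lie outside the hunk, and the `authenticated` hunk keeps the token check inside an `assert`, which is stripped under `python -O`, so that check should become an explicit `if ...: raise`.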