authorJavier Sánchez Parra <jsanchez@soleta.eu>2022-04-21 17:30:12 +0200
committerJavier Sánchez Parra <jsanchez@soleta.eu>2022-04-22 13:02:30 +0200
commitc7b0024d2405d29e5c36445b6d28af046b2213f1 (patch)
tree4987ac0135c1f264ac90b20c6d479261d45baca7
parent1f9a3d3b4156aef3562efec41da3f2b6cc8ec74b (diff)
Add password hashing
The front-end now hashes passwords with SHA-512 before sending them to the back-end. This commit adds a hidden input that carries the password hash, so as not to interfere with browsers' save-password functionality. It also replaces the passwords in the template configuration file with their hashed/digested versions.
-rw-r--r--ogcp/cfg/ogcp.json4
-rw-r--r--ogcp/forms/auth.py2
-rw-r--r--ogcp/static/js/ogcp.js24
-rw-r--r--ogcp/templates/auth/login.html10
-rw-r--r--ogcp/views.py2
5 files changed, 38 insertions, 4 deletions
diff --git a/ogcp/cfg/ogcp.json b/ogcp/cfg/ogcp.json
index 0a47a07..7a04890 100644
--- a/ogcp/cfg/ogcp.json
+++ b/ogcp/cfg/ogcp.json
@@ -6,12 +6,12 @@
"USERS": [
{
"USER": "admin",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
"SCOPES": [ ]
},
{
"USER": "user",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
"SCOPES": [
"Unidad Organizativa (Default)"
]
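Review bot: The digest inserted as `PASS` for both users is now itself the credential the server receives — views.py forwards `request.form['pwd_hash']` straight to `authenticate_user` — so a copy of this file is password-equivalent, and an unsalted SHA-512 of a short password is trivially reversible from precomputed tables. Client-side hashing therefore does not lower the sensitivity of ogcp.json; whichever component performs the comparison should still wrap the received digest in a salted, slow hash (e.g. `werkzeug.security.generate_password_hash` / `check_password_hash`, which Flask already ships) rather than storing and comparing the bare digest. This is worth stating in the project documentation next to the configuration template, since the values here look like opaque strings rather than secrets. The same point applies to the views.py hunk.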
diff --git a/ogcp/forms/auth.py b/ogcp/forms/auth.py
index 15534a6..c02ecc7 100644
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@@ -21,6 +21,8 @@ class LoginForm(FlaskForm):
)
pwd = PasswordField(
label=_l('Password'),
+ )
+ pwd_hash = HiddenField(
validators=[InputRequired()]
)
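Review bot: `pwd_hash = HiddenField(` uses a name this hunk does not import, and the diffstat shows auth.py gaining only these two lines; unless `HiddenField` is already imported from wtforms elsewhere in the file, the module fails at import time — worth confirming. The only validator on the hidden field is `InputRequired()`; since the server now treats the value as a hex SHA-512 digest, a `Regexp(r'^[0-9a-f]{128}$')` validator from `wtforms.validators` (needs an import) would reject anything that is not a 128-hex-character digest before it reaches `authenticate_user`. Note also that `pwd` has lost its `InputRequired` validator, so an empty password box with scripting disabled now fails on the hidden field, whose error `quick_form` may not render visibly. `LoginForm` begins before this hunk.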
submit_btn = SubmitField(
diff --git a/ogcp/static/js/ogcp.js b/ogcp/static/js/ogcp.js
index 86a9282..6a7e625 100644
--- a/ogcp/static/js/ogcp.js
+++ b/ogcp/static/js/ogcp.js
@@ -207,3 +207,27 @@ function RemovePartition(evt) {
});
});
}
+
+async function digestMessage(msg) {
+ const msgUint8 = new TextEncoder().encode(msg);
+ const hashBuffer = await crypto.subtle.digest('SHA-512', msgUint8);
+ const hashArray = Array.from(new Uint8Array(hashBuffer));
+ const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+ return hashHex;
+}
+
+function digestLoginPassword() {
+ const loginForm = $('#login-form')
+ loginForm.one('submit', async function (event) {
+ event.preventDefault()
+
+ const pwdInput = $('#pwd');
+ const pwdHashInput = $('#pwd_hash');
+ const pwdStr = pwdInput.val();
+ const pwdStrHash = await digestMessage(pwdStr);
+
+ pwdInput.prop( "disabled", true );
+ pwdHashInput.val(pwdStrHash);
+ $(this).submit()
+ });
+}
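Review bot: `await crypto.subtle.digest('SHA-512', msgUint8)` throws on a plain-HTTP deployment, because SubtleCrypto is only exposed in secure contexts (HTTPS or localhost), and `digestLoginPassword` has no error handling: `event.preventDefault()` has already run, the rejection is unhandled, and the form simply never submits. Worse, because the handler is attached with `.one()`, a second click submits natively with the still-enabled plaintext `pwd` field and an empty `pwd_hash`, sending the very value this commit set out to keep off the wire. Below, the handler stays attached with `.on()`, the digest is wrapped in `try`/`catch` so failure leaves the form on the page, and the successful path calls the native `this.submit()`, which does not re-enter the jQuery handler; an upfront `window.isSecureContext` check could additionally surface the misconfiguration to the user.
```javascript
// … unchanged: digestMessage …

function digestLoginPassword() {
    const loginForm = $('#login-form');
    loginForm.on('submit', async function (event) {
        event.preventDefault();
        const pwdInput = $('#pwd');
        const pwdHashInput = $('#pwd_hash');
        let pwdStrHash;
        try {
            pwdStrHash = await digestMessage(pwdInput.val());
        } catch (err) {
            // SubtleCrypto is unavailable outside a secure context; stay on
            // the page rather than fall back to submitting the plaintext.
            console.error('Unable to digest the password', err);
            return;
        }
        pwdInput.prop("disabled", true);
        pwdHashInput.val(pwdStrHash);
        // Native submit: does not re-enter this jQuery handler.
        this.submit();
    });
}
```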
diff --git a/ogcp/templates/auth/login.html b/ogcp/templates/auth/login.html
index ee3f2e3..2b6cce9 100644
--- a/ogcp/templates/auth/login.html
+++ b/ogcp/templates/auth/login.html
@@ -15,7 +15,8 @@
{{ wtf.quick_form(form,
method='post',
form_type='basic',
- button_map={'submit_btn':'primary'}) }}
+ button_map={'submit_btn':'primary'},
+ id='login-form') }}
</div>
<!-- /.login-card-body -->
</div>
@@ -23,5 +24,12 @@
<!-- /.login-box -->
</div>
+<script>
+ document.addEventListener('readystatechange', () => {
+ if (document.readyState === 'complete') {
+ digestLoginPassword()
+ }
+ });
+</script>
{% endblock %}
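Review bot: The inline `<script>` block registered on `readystatechange` is blocked by any Content-Security-Policy that does not allow `'unsafe-inline'`, and if `digestLoginPassword` is not defined when it runs (ogcp.js failing to load) the error is silent and the form then submits with the plaintext `pwd` field and an empty `pwd_hash`, which form validation rejects. Waiting for `readyState === 'complete'` is equivalent to the window `load` event, so `window.addEventListener('load', digestLoginPassword)` says the same thing in one line; better still, have ogcp.js register the handler itself when `#login-form` is present, which keeps the template free of inline script. The `{% block %}` this sits in opens before the hunk.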
diff --git a/ogcp/views.py b/ogcp/views.py
index a0d3e44..66e9007 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -261,7 +261,7 @@ def login():
form = LoginForm(request.form)
if request.method == 'POST' and form.validate():
form_user = request.form['user']
- pwd = request.form['pwd']
+ pwd = request.form['pwd_hash']
user_dict = authenticate_user(form_user, pwd)
if not user_dict:
return render_template('auth/login.html', form=form)
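Review bot: `pwd = request.form['pwd_hash']` re-reads the raw request after `form.validate()` has already populated the field; `form.pwd_hash.data` is the idiomatic source and keeps the `InputRequired` check and the value in one place, and since the local now holds a digest rather than a password, `pwd_hash = form.pwd_hash.data` reads more honestly than `pwd`. `authenticate_user` is defined outside the hunk; if it compares the received digest locally rather than forwarding it, that comparison should use `hmac.compare_digest` instead of `==`. The body of `login` continues past the end of the hunk.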