author | Javier Sánchez Parra <jsanchez@soleta.eu> | 2022-04-21 17:30:12 +0200 |
committer | Javier Sánchez Parra <jsanchez@soleta.eu> | 2022-04-22 13:02:30 +0200 |
commit | c7b0024d2405d29e5c36445b6d28af046b2213f1 (patch) | |
tree | 4987ac0135c1f264ac90b20c6d479261d45baca7 | |
parent | 1f9a3d3b4156aef3562efec41da3f2b6cc8ec74b (diff) |
Add password hashing
The front-end now hashes passwords before sending them to the back-end.
It uses SHA-512.
This commit adds a hidden input that sends the password hash, so as not to
interfere with browsers' save-password functionality.
Also replace the passwords in the template configuration file with their
hashed/digested versions.
-rw-r--r-- | ogcp/cfg/ogcp.json | 4 | ||||
-rw-r--r-- | ogcp/forms/auth.py | 2 | ||||
-rw-r--r-- | ogcp/static/js/ogcp.js | 24 | ||||
-rw-r--r-- | ogcp/templates/auth/login.html | 10 | ||||
-rw-r--r-- | ogcp/views.py | 2 |
5 files changed, 38 insertions, 4 deletions
diff --git a/ogcp/cfg/ogcp.json b/ogcp/cfg/ogcp.json
index 0a47a07..7a04890 100644
--- a/ogcp/cfg/ogcp.json
+++ b/ogcp/cfg/ogcp.json
@@ -6,12 +6,12 @@ "USERS": [
 {
 "USER": "admin",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 "SCOPES": [
 ]
 },
 {
 "USER": "user",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 "SCOPES": [
 "Unidad Organizativa (Default)"
 ]
diff --git a/ogcp/forms/auth.py b/ogcp/forms/auth.py
index 15534a6..c02ecc7 100644
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@@ -21,6 +21,8 @@ class LoginForm(FlaskForm):
 )
 pwd = PasswordField(
 label=_l('Password'),
+ )
+ pwd_hash = HiddenField(
 validators=[InputRequired()]
 )
 submit_btn = SubmitField(
diff --git a/ogcp/static/js/ogcp.js b/ogcp/static/js/ogcp.js
index 86a9282..6a7e625 100644
--- a/ogcp/static/js/ogcp.js
+++ b/ogcp/static/js/ogcp.js
@@ -207,3 +207,27 @@ function RemovePartition(evt) {
 });
 });
 }
+
+async function digestMessage(msg) {
+ const msgUint8 = new TextEncoder().encode(msg);
+ const hashBuffer = await crypto.subtle.digest('SHA-512', msgUint8);
+ const hashArray = Array.from(new Uint8Array(hashBuffer));
+ const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+ return hashHex;
+}
+
+function digestLoginPassword() {
+ const loginForm = $('#login-form')
+ loginForm.one('submit', async function (event) {
+ event.preventDefault()
+
+ const pwdInput = $('#pwd');
+ const pwdHashInput = $('#pwd_hash');
+ const pwdStr = pwdInput.val();
+ const pwdStrHash = await digestMessage(pwdStr);
+
+ pwdInput.prop( "disabled", true );
+ pwdHashInput.val(pwdStrHash);
+ $(this).submit()
+ });
+}
diff --git a/ogcp/templates/auth/login.html b/ogcp/templates/auth/login.html
index ee3f2e3..2b6cce9 100644
--- a/ogcp/templates/auth/login.html
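Review bot: In digestLoginPassword, a rejected digestMessage leaves the login form stuck: `event.preventDefault()` has already run, the `.one('submit')` handler has been consumed, nothing is submitted and the rejection is neither handled nor shown to the user. `crypto.subtle` is undefined outside a secure context (HTTPS or localhost), so `crypto.subtle.digest` throws a TypeError there, which is exactly the path a plain-HTTP deployment takes; the next click then submits natively with `#pwd` still enabled and `#pwd_hash` empty, and the server-side `InputRequired()` on pwd_hash (auth.py hunk) silently re-renders the page. Wrap the digest in try/catch, report the failure and re-arm the handler so the user gets a diagnosable error instead of a dead form. As a point of style, the hunk mixes statements with and without semicolons (`$('#login-form')`, `event.preventDefault()`, `$(this).submit()`); make them consistent with the rest of the file.
```javascript
function digestLoginPassword() {
  const loginForm = $('#login-form');
  loginForm.one('submit', async function (event) {
    event.preventDefault();

    const pwdInput = $('#pwd');
    const pwdHashInput = $('#pwd_hash');
    let pwdStrHash;
    try {
      pwdStrHash = await digestMessage(pwdInput.val());
    } catch (err) {
      // crypto.subtle is only exposed in secure contexts; surface the failure
      // and re-arm the one-shot handler rather than leaving the form dead.
      console.error('Password digest failed; is the page served over HTTPS?', err);
      digestLoginPassword();
      return;
    }
    // … unchanged: disable #pwd, fill #pwd_hash, $(this).submit() …
  });
}
```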
+++ b/ogcp/templates/auth/login.html
@@ -15,7 +15,8 @@
 {{ wtf.quick_form(form,
 method='post',
 form_type='basic',
- button_map={'submit_btn':'primary'}) }}
+ button_map={'submit_btn':'primary'},
+ id='login-form') }}
 </div>
 <!-- /.login-card-body -->
 </div>
@@ -23,5 +24,12 @@
 <!-- /.login-box -->
 </div>
+<script>
+ document.addEventListener('readystatechange', () => {
+ if (document.readyState === 'complete') {
+ digestLoginPassword()
+ }
+ });
+</script>
 {% endblock %}
diff --git a/ogcp/views.py b/ogcp/views.py
index a0d3e44..66e9007 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -261,7 +261,7 @@ def login():
 form = LoginForm(request.form)
 if request.method == 'POST' and form.validate():
 form_user = request.form['user']
- pwd = request.form['pwd']
+ pwd = request.form['pwd_hash']
 user_dict = authenticate_user(form_user, pwd)
 if not user_dict:
 return render_template('auth/login.html', form=form)
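Review bot: login() now hands authenticate_user the client-computed digest from `pwd_hash`, and if authenticate_user compares it against the stored PASS (which the ogcp.json hunk sets to the same SHA-512 hex for both template users), the stored value is a password-equivalent: disclosure of the config file is disclosure of the accounts, so this commit moves hashing to the client without protecting the stored credential. The digest is also unsalted, which is why both template entries carry an identical string and why identical passwords across users remain recognisable. Consider treating `pwd_hash` as the effective password on the server and comparing it against a salted, slow KDF hash (e.g. werkzeug.security's generate_password_hash/check_password_hash, already available to a Flask app), and document the contract at the assignment: `# pwd_hash: client-side SHA-512 hex of the password (ogcp.js digestMessage); password-equivalent, never log it`. authenticate_user is outside the hunk, so the comparison it performs is inferred rather than visible.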