From c7b0024d2405d29e5c36445b6d28af046b2213f1 Mon Sep 17 00:00:00 2001
From: Javier Sánchez Parra
Date: Thu, 21 Apr 2022 17:30:12 +0200
Subject: Add password hashing

The front-end now hashes passwords before sending them to the back-end. It uses SHA-512. This commit adds a hidden input which sends the password hash to not interfere with browsers' save password functionality. Also change passwords of the template configuration file for their hashed/digested versions.
---
 ogcp/cfg/ogcp.json | 4 ++--
 ogcp/forms/auth.py | 2 ++
 ogcp/static/js/ogcp.js | 24 ++++++++++++++++++++++++
 ogcp/templates/auth/login.html | 10 +++++++++-
 ogcp/views.py | 2 +-
 5 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/ogcp/cfg/ogcp.json b/ogcp/cfg/ogcp.json
index 0a47a07..7a04890 100644
--- a/ogcp/cfg/ogcp.json
+++ b/ogcp/cfg/ogcp.json
@@ -6,12 +6,12 @@ "USERS": [ { "USER": "admin",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 "SCOPES": [ ] }, { "USER": "user",
- "PASS": "pass",
+ "PASS": "5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25",
 "SCOPES": [ "Unidad Organizativa (Default)" ]
diff --git a/ogcp/forms/auth.py b/ogcp/forms/auth.py
index 15534a6..c02ecc7 100644
--- a/ogcp/forms/auth.py
+++ b/ogcp/forms/auth.py
@@ -21,6 +21,8 @@ class LoginForm(FlaskForm):
 )
 pwd = PasswordField(
 label=_l('Password'),
+ )
+ pwd_hash = HiddenField(
 validators=[InputRequired()]
 )
 submit_btn = SubmitField(
diff --git a/ogcp/static/js/ogcp.js b/ogcp/static/js/ogcp.js
index 86a9282..6a7e625 100644
--- a/ogcp/static/js/ogcp.js
+++ b/ogcp/static/js/ogcp.js
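Review bot: Replacing `PASS` with the browser-computed SHA-512 digest leaves a login token in the config rather than a password verifier: the server now compares the posted `pwd_hash` against this string, so the digest is exactly as sensitive as the plaintext it replaces and anyone able to read ogcp.json can authenticate with it. The digest is also unsalted, which is why `admin` and `user` carry byte-identical values here and why equal passwords stay linkable across users and deployments. The server side should hash the received digest once more with a salted, slow password hash (for example `werkzeug.security.generate_password_hash` / `check_password_hash`, or `hashlib.scrypt`) and store that output in `PASS`; the `views.py` hunk of this commit, where `authenticate_user(form_user, pwd)` is called, is the place to wire it in. Client-side hashing on its own does not replace TLS for protecting the credential in transit, since the hash is what would be replayed.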
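Review bot: With `InputRequired()` moved onto `pwd_hash`, the visible `pwd` field has no validators left and the hidden field accepts any string, so a POST that bypasses the page's JavaScript is only checked for non-emptiness. Constrain `pwd_hash` to the shape `digestMessage` produces, `validators=[InputRequired(), Length(min=128, max=128), Regexp(r'^[0-9a-f]{128}$')]` (both from `wtforms.validators`), so malformed values are rejected before `authenticate_user` sees them. A comment on the new field such as `# Populated client-side by digestLoginPassword() in ogcp.js with the SHA-512 hex digest of pwd; pwd itself is disabled before submit` would document why the required check lives here and not on `pwd`. The `LoginForm` class starts before this hunk.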
@@ -207,3 +207,27 @@ function RemovePartition(evt) {
 });
 });
 }
+
+async function digestMessage(msg) {
+ const msgUint8 = new TextEncoder().encode(msg);
+ const hashBuffer = await crypto.subtle.digest('SHA-512', msgUint8);
+ const hashArray = Array.from(new Uint8Array(hashBuffer));
+ const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+ return hashHex;
+}
+
+function digestLoginPassword() {
+ const loginForm = $('#login-form')
+ loginForm.one('submit', async function (event) {
+ event.preventDefault()
+
+ const pwdInput = $('#pwd');
+ const pwdHashInput = $('#pwd_hash');
+ const pwdStr = pwdInput.val();
+ const pwdStrHash = await digestMessage(pwdStr);
+
+ pwdInput.prop( "disabled", true );
+ pwdHashInput.val(pwdStrHash);
+ $(this).submit()
+ });
+}
diff --git a/ogcp/templates/auth/login.html b/ogcp/templates/auth/login.html
index ee3f2e3..2b6cce9 100644
--- a/ogcp/templates/auth/login.html
+++ b/ogcp/templates/auth/login.html
@@ -15,7 +15,8 @@ {{ wtf.quick_form(form, method='post', form_type='basic',
- button_map={'submit_btn':'primary'}) }}
+ button_map={'submit_btn':'primary'},
+ id='login-form') }}
@@ -23,5 +24,12 @@ + {% endblock %}
diff --git a/ogcp/views.py b/ogcp/views.py
index a0d3e44..66e9007 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -261,7 +261,7 @@ def login():
 form = LoginForm(request.form)
 if request.method == 'POST' and form.validate():
 form_user = request.form['user']
- pwd = request.form['pwd']
+ pwd = request.form['pwd_hash']
 user_dict = authenticate_user(form_user, pwd)
 if not user_dict:
 return render_template('auth/login.html', form=form)
-- 
cgit v1.2.3-18-g5258
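Review bot: `digestMessage` relies on `crypto.subtle`, which browsers expose only in secure contexts (HTTPS or localhost), so on a plain-HTTP deployment the `await` in the `one('submit')` handler rejects after `event.preventDefault()` has already run and nothing is submitted. Because the handler was registered with `.one`, the user's next click then submits the form natively with the plaintext `pwd` still enabled and `pwd_hash` empty, which the `InputRequired()` validator on `pwd_hash` rejects with no visible reason. The digest step should be wrapped so a failure is reported and the handler re-armed rather than falling through to the native submit, and `$(this).submit()` can become the native `this.submit()`, which does not re-dispatch through jQuery submit handlers. Statement terminators are also inconsistent across these lines (`$('#login-form')`, `event.preventDefault()` and `$(this).submit()` lack semicolons).
```javascript
// … unchanged: digestMessage(msg) …

function digestLoginPassword() {
    const loginForm = $('#login-form');
    loginForm.one('submit', async function (event) {
        event.preventDefault();

        const pwdInput = $('#pwd');
        const pwdHashInput = $('#pwd_hash');
        let pwdStrHash;
        try {
            // crypto.subtle is undefined outside secure contexts (HTTPS/localhost)
            pwdStrHash = await digestMessage(pwdInput.val());
        } catch (err) {
            console.error('Password digest failed, form not submitted:', err);
            digestLoginPassword();  // re-arm so the next click retries instead of posting an empty hash
            return;
        }

        pwdInput.prop("disabled", true);
        pwdHashInput.val(pwdStrHash);
        this.submit();  // native submit: does not re-enter jQuery submit handlers
    });
}
```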
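Review bot: `authenticate_user(form_user, pwd)` now receives a client-supplied SHA-512 hex digest that is matched against the stored value, so that match should be a constant-time comparison, e.g. `hmac.compare_digest(pwd, stored_pass)`, rather than `==`; `authenticate_user` is defined outside this hunk, so I cannot confirm how it compares today, but the change in what `pwd` carries makes it worth checking. Since `form.validate()` has already run, reading the value as `form.pwd_hash.data` instead of `request.form['pwd_hash']` keeps the validated field and the form class as the single source of the field name. The `login()` body starts before and ends after this hunk.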