
Justin Venezuela committed da60283 Draft

Hash passwords + salt


Files changed (2)

 
 __author__ = 'Justin Venezuela (jven@mit.edu)'
 
+from common import password
 from model.meeting import Meeting
 from model.member import Member
 
-def new_member(name, email, password):
+def new_member(name, email, raw_pass):
   """
   Creates a member with the given e-mail. No member must exist with this
   e-mail.
   """
-  # TODO(jven): Don't store plaintext passwords.
   assert get_member(email) is None
   new_member = Member()
   new_member.email = email
-  new_member.password = password
+  salt = password.get_random_salt()
+  new_member.salt = salt
+  hashpass = password.get_salted_hash(raw_pass, salt)
+  new_member.password = hashpass
   new_member.name = name
   new_member.bio = ''
   new_member.put()
   query = Member.all()
   return query.fetch(limit = None)
 
-def login_member(email, password):
+def login_member(email, raw_pass):
   """
   Returns the member with the given e-mail address and password or None if none
   exists.
   """
   query = Member.all()
   query.filter('email =', email)
-  query.filter('password =', password)
   num_users = query.count()
   assert num_users == 0 or num_users == 1, (
       '%d users with e-mail address $s and same password.'
       % (num_users, email))
-  return query.fetch(1)[0] if num_users == 1 else None
+  if num_users == 0:
+    return None
+  member = query.fetch(1)[0]
+  hashpass = password.get_salted_hash(raw_pass, member.salt)
+  return member if hashpass == member.password else None
 
 def set_bio(email, bio):
   """
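Review bot: The final line of login_member checks the digest with `==`, a short-circuiting comparison whose running time depends on where the two values first differ; where the interpreter provides it, `hmac.compare_digest(hashpass, member.password)` is the constant-time replacement (this module appears to run under App Engine's `db` API, so confirm compare_digest exists on that runtime before relying on it). Members written before this commit have no `salt` property, so `member.salt` is None on the preceding line and `get_salted_hash(raw_pass, None)` is reached with an argument whose handling is not visible here; a guard such as `if member.salt is None: return None` (or a migration of the legacy rows) would make that path explicit. The unchanged assertion message `'%d users with e-mail address $s and same password.'` is now stale since the password filter was removed from the query, and `$s` is not a format specifier — `'%d users with e-mail address %s.'` matches the new query. set_bio starts at the end of the hunk and continues outside it.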
 class Member(db.Model):
   # TODO(jven): Validators?
   email = db.EmailProperty()
-  password = db.StringProperty()
+  password = db.ByteStringProperty()
+  salt = db.StringProperty()
   name = db.StringProperty()
   bio = db.StringProperty(multiline = True)
   officer = db.BooleanProperty(default = False)
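Review bot: `password` now holds a salted digest rather than the credential itself, but nothing on the model says so; a comment such as `# Salted hash from common.password.get_salted_hash; never the plaintext.` above it and `# Per-member random salt from common.password.get_random_salt.` above `salt` would stop the next reader from filtering on it the way the old login code did. Neither new property is declared `required=True`, so an entity with `salt = None` stays valid, and entities written before this commit keep a plaintext string in a property that is now a ByteStringProperty — how the datastore layer treats that on read is not visible here, so the migration path is worth stating in the commit message or a TODO on the model.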