Diff to use PBKDF2 instead of SHA1

Anonymous created an issue

I attempted to paste the diff here, but bitbucket would not let me.

So, in addition to moving your auth extension to pbkdf2, I'd suggest moving to github. I don't have this kind of problem there...

Comments (3)

  1. jabr

    Diff:

    diff --git a/flaskext/auth/init.py b/flaskext/auth/init.py
    index 0660cef..2737984 100644
    --- a/flaskext/auth/init.py
    +++ b/flaskext/auth/init.py
    @@ -11,6 +11,6 @@ """

    from flaskext.auth.auth import Auth, AuthUser, login, logout, \
    - get_current_user_data, login_required, encrypt
    + get_current_user_data, login_required
    from flaskext.auth.permissions import has_permission, permission_required, \
    Role, Permission
    diff --git a/flaskext/auth/auth.py b/flaskext/auth/auth.py
    index 99c3546..a2af281 100644
    --- a/flaskext/auth/auth.py
    +++ b/flaskext/auth/auth.py
    @@ -6,8 +6,7 @@ AuthUser base class.
    import time, hashlib, datetime
    from functools import partial, wraps
    from flask import session, abort, current_app, redirect, url_for
    -
    -DEFAULT_HASH_ALGORITHM = hashlib.sha1
    +from pbkdf2 import crypt

    DEFAULT_USER_TIMEOUT = 3600
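Review bot: `from pbkdf2 import crypt` makes the extension depend on a third-party package at import time, and nothing in this diff declares it (no setup.py or requirements change is shown), so the module fails to import on installs that do not already have it; the dependency should be declared alongside this change, or the derivation done with `hashlib.pbkdf2_hmac` where the supported Python version provides it. The same hunk drops `DEFAULT_HASH_ALGORITHM` but leaves `hashlib` in `import time, hashlib, datetime`; if nothing else in the module uses it (not visible here), that import is now dead. A module-level work factor next to `DEFAULT_USER_TIMEOUT`, e.g. `DEFAULT_PBKDF2_ITERATIONS = 10000` (example value), would take the place of the removed default and keep the cost adjustable in one place instead of relying on the library's own default.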

    @@ -34,8 +33,6 @@ class Auth(object):
    url. Otherwise, the default is abort(401).
    - not_permitted_callback: Function to call when a user tries to access a page for which he doesn't have the permission. Default: abort(401).
    - - hash_algorithm: Algorithm from the hashlib library used for password
    - encryption. Default: sha1.
    - user_timeout: Timeout (in seconds) after which the sesion of the user expires. Default: 3600. A timeout of 0 means it will never expire.
    - load_role: Function to load a role. Is called with user.role as only
    @@ -49,7 +46,6 @@ class Auth(object):
    self.not_logged_in_callback = partial(_redirect_to_login, login_url_name)
    self.not_permitted_callback = _default_not_authorized
    - self.hash_algorithm = DEFAULT_HASH_ALGORITHM
    self.user_timeout = DEFAULT_USER_TIMEOUT
    self.load_role = lambda _: None
    if app is not None:
    @@ -67,33 +63,29 @@ class AuthUser(object):
    - username: Username of the user.
    - password: Password of the user. By default not encrypted. The set_and_encrypt_password() method sets and encrypts the password.
    - - salt: Salt used for the encrytion of the password.
    - role: Role of this user.
    """

    role = None

    - def init(self, username=None, password=None, salt=None, role=None):
    + def init(self, username=None, password=None, role=None):
    self.username = username

    1. Storing password unmodified. Encryption of the password should
    2. happen explicitly.
    self.password = password
    - self.salt = salt
    self.role = role

    - def set_and_encrypt_password(self, password, salt=str(int(time.time()))):
    + def set_and_encrypt_password(self, password):
    """
    - Encrypts and sets the password. If no salt is provided, a new
    - one is generated.
    + Encrypts and sets the password. A new salt is generated.
    """
    - self.salt = salt
    - self.password = encrypt(password, self.salt)
    + self.password = crypt(password)

    def authenticate(self, password):
    """
    Attempts to verify the password and log the user in. Returns true if succesful.
    """
    - if self.password == encrypt(password, self.salt):
    + if self.password == crypt(password, self.password):
    login(self)
    return True
    return False
    @@ -123,15 +115,6 @@ class AuthUser(object):
    user_data = get_current_user_data()
    return user_data is not None and user_data.get('username') == self.username
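Review bot: In `authenticate`, `self.password == crypt(password, self.password)` compares the stored hash with the derived one using plain string equality; a constant-time compare, `if hmac.compare_digest(self.password, crypt(password, self.password)):`, is the usual form where the supported Python version provides it. The check also relies on `self.password` holding a complete pbkdf2 crypt string, since `crypt` reads the salt and iteration count back out of its second argument; for a user whose stored value is a plaintext password (the class docstring still says "By default not encrypted") or a legacy hash from the removed `encrypt`, the comparison fails closed but gives no signal that the record needs re-hashing. In `set_and_encrypt_password`, `crypt(password)` accepts the library's default iteration count, which as far as I recall is only a few hundred; pass an explicit, higher value, `self.password = crypt(password, iterations=DEFAULT_PBKDF2_ITERATIONS)` with the constant defined next to `DEFAULT_USER_TIMEOUT`, and confirm the library default before relying on it. The new docstring line `Encrypts and sets the password. A new salt is generated.` would be more useful as "Hashes the password with PBKDF2; the salt and iteration count are embedded in the stored string", which also explains why no `salt` attribute remains. The enclosing `AuthUser` class starts before this hunk.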

    -def encrypt(password, salt=None, hash_algorithm=None):
    - """Encrypts a password based on the hashing algorithm."""
    - to_encrypt = password
    - if salt is not None:
    - to_encrypt += salt
    - if hash_algorithm is not None:
    - return hash_algorithm(to_encrypt).hexdigest()
    - return current_app.auth.hash_algorithm(to_encrypt).hexdigest()
    -
    def login(user):
    """
    Logs the user in. Note that NO AUTHENTICATION is done by this function. If
    diff --git a/flaskext/auth/models/gae.py b/flaskext/auth/models/gae.py
    index edecc5d..a51efcc 100644
    --- a/flaskext/auth/models/gae.py
    +++ b/flaskext/auth/models/gae.py
    @@ -14,7 +14,6 @@ class User(db.Model, AuthUser):
    name = db.StringProperty()
    password = db.StringProperty()
    stripe_customer_id = db.StringProperty()
    - salt = db.StringProperty()
    role = db.StringProperty()
    created = db.DateTimeProperty(auto_now_add=True)
    modified = db.DateTimeProperty(auto_now=True)
    diff --git a/flaskext/auth/models/sa.py b/flaskext/auth/models/sa.py
    index be30d03..959e42f 100644
    --- a/flaskext/auth/models/sa.py
    +++ b/flaskext/auth/models/sa.py
    @@ -18,7 +18,6 @@ def get_user_class(declarative_base):
    id = Column(Integer, primary_key=True)
    username = Column(String(80), unique=True, nullable=False)
    password = Column(String(120), nullable=False)
    - salt = Column(String(80))
    role = Column(String(80))
    created = Column(DateTime(), default=datetime.datetime.utcnow)
    modified = Column(DateTime())
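Review bot: The gae.py and sa.py hunks drop the `salt` column and the auth.py hunk deletes `encrypt`, but nothing in the diff converts existing rows: every password stored under the old sha1+salt scheme becomes unverifiable once this is deployed, and the salt needed to check it against the old scheme is gone from the model. A migration path is needed before the column goes, for example keeping `salt` (or a scheme marker on the stored string) until users have re-authenticated, verifying with the old scheme on a pbkdf2 miss and re-hashing with `crypt` on success, and only then dropping the column. The same concern applies to the `encrypt` name removed from the package exports in the init.py hunk, which application code may import; deprecating it first would be the compatible route. Also worth confirming that the pbkdf2 crypt string, which embeds the iteration count and salt, fits the unchanged `String(120)` password column in sa.py.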
