Fixing authentication

mmaker · Aug 13, 2012 · 2107234 · 2107234
1 parent 567e940
commit 2107234
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 7 deletions.
diff --git a/apaf/panel/handlers/base.py b/apaf/panel/handlers/base.py
@@ -1,21 +1,40 @@
+from hashlib import sha256
+
 from cyclone import web
 
 from apaf import config
+from apaf.utils import hashing
 
 class PanelHandler(web.RequestHandler):
     """
     The most basic handler, for all handlers.
     """
-    def get_current_user(self, passwd=None):
+    def get_current_user(self):
         """
         Return the current user authenticated.
         """
-        if passwd: return passwd == config.custom['passwd']
-        else: return any((
-            self.get_secure_cookie('auth') == config.custom['passwd'],
-            self.request.remote_ip == '127.0.0.1',
+        return any((
+            self._check_pass(self.get_secure_cookie('auth') or ''),
+            #self.request.host == '127.0.0.1',
         ))
 
+    def _check_pass(self, passwd):
+        """
+        Return true if passwd is valid, false otherwise.
+        """
+        assert isinstance(passwd, str)
+        assert len(config.custom['passwd']) >= 32
+
+        return hashing.hash(passwd) == config.custom['passwd']
+
+    def auth_login(self, passwd):
+        if not self._check_pass(passwd):
+            return False
+        else:
+            self.set_secure_cookie('auth', passwd)
+            return True
+
+
 
 class IndexHandler(PanelHandler):
     def get(self):

diff --git a/apaf/panel/handlers/html.py b/apaf/panel/handlers/html.py
@@ -4,6 +4,7 @@
 from twisted.internet import defer
 from twisted.python import failure
 from cyclone.escape import json_encode, json_decode
+from cyclone import web
 
 import apaf
 from apaf import config
@@ -70,6 +71,7 @@ def get(self):
 
 class LoginHandler(PanelHandler):
     REDIRECT = '/'
+
     def get(self):
         if not self.get_current_user():
             return self.render('login.html')
@@ -78,9 +80,8 @@ def get(self):
     def post(self):
         request = dict(x.split('=', 1) for x in self.request.body.split('&'))
 
-        if not self.get_current_user(request['passwd']):
+        if not self.auth_login(request['passwd']):
             raise web.HTTPAuthenticationRequired
         else:
-            self.set_secure_cookie('auth', request['passwd'])
             return self.redirect(self.REDIRECT)
 
diff --git a/apaf/utils/hashing.py b/apaf/utils/hashing.py
@@ -0,0 +1,4 @@
+from hashlib import sha256
+
+def hash(string):
+    return sha256(string).hexdigest()