Fixes #5, check the password is correct even if already logged

sdpython · Jan 14, 2019 · 9443e3b · 9443e3b
1 parent e080f82
commit 9443e3b
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 8 deletions.
diff --git a/src/mathenjeu/apps/common/auth_app.py b/src/mathenjeu/apps/common/auth_app.py
@@ -3,6 +3,7 @@
 @file
 @brief Starts an application.
 """
+import hashlib
 from starlette.responses import HTMLResponse, RedirectResponse
 from itsdangerous import URLSafeTimedSerializer
 import ujson
@@ -54,6 +55,8 @@ def __init__(self, app,
         self.secure = secure
         self.signer = URLSafeTimedSerializer(self.cookie_key)
         self.userpwd = userpwd
+        self.hashed_userpwd = None if userpwd is None else self.hash_pwd(
+            userpwd)
         self._get_page_context = page_context
         app._get_session = self.get_session
         for method in ['log_event', 'log_any']:
@@ -71,6 +74,17 @@ async def login(self, request):
                                   **self._get_page_context())
         return HTMLResponse(content)
 
+    def hash_pwd(self, pwd):
+        """
+        Hashes a password.
+
+        @param      pwd     password
+        @return             hashed password in hexadecimal format
+        """
+        m = hashlib.sha256()
+        m.update(pwd.encode("utf-8"))
+        return m.hexdigest()
+
     async def authenticate(self, request):
         """
         Authentification.
@@ -93,7 +107,7 @@ async def authenticate(self, request):
                               request=request)
         if res is not None:
             return res
-        data = dict(alias=fo['alias'])
+        data = dict(alias=fo['alias'], hashpwd=self.hash_pwd(fo['pwd']))
         returnto = ps.get('returnto', '/')
         response = RedirectResponse(url=returnto)
         self.save_session(response, data)
@@ -134,7 +148,13 @@ def get_session(self, request, notnone=False):
         if cook is not None:
             unsigned = self.signer.loads(cook)
             data = unsigned[0]
-            return ujson.loads(data)  # pylint: disable=E1101
+            jsdata = ujson.loads(data)  # pylint: disable=E1101
+            # We check the hashed password is still good.
+            hashpwd = jsdata.get('hashpwd', '')
+            if not self.authentify_user(jsdata.get('alias', ''), hashpwd, False):
+                # We cancel the authentification.
+                return {}
+            return jsdata
         else:
             return {} if notnone else None
 
@@ -155,15 +175,25 @@ def is_allowed(self, alias, pwd, request):
             return HTMLResponse(content)
         return None
 
-    def authentify_user(self, alias, pwd):
+    def authentify_user(self, alias, pwd, hash_before=True):
         """
         Overwrites this method to allow or reject users.
 
         @param      alias       alias or user
         @param      pwd         password
+        @param      hash_before hashes the password before comparing, otherwise,
+                                the function assumes it is already hashed
         @return                 boolean
 
-        The current behavior is to allow anybody if the alias is not
-        empty whatever the password.
+        The current behavior is to allow anybody if the alias is longer
+        than 3 characters.
         """
-        return pwd == self.userpwd
+        if alias is None or len(alias.strip()) <= 3:
+            return False
+        if self.hashed_userpwd is None:
+            return True
+        if hash_before:
+            hashed_pwd = self.hash_pwd(pwd)
+            return hashed_pwd == self.hashed_userpwd
+        else:
+            return pwd == self.hashed_userpwd
diff --git a/src/mathenjeu/apps/qcm/templates/notauthorized.html b/src/mathenjeu/apps/qcm/templates/notauthorized.html
@@ -6,7 +6,8 @@
   <div class="jumbotron">
     <div class="container">
       <h1 class="display-4">Impossible de se connecter</h1>
-      <p>L'alias '{{alias}}' n'est pas reconnu ou le mot de passe est erroné.</p>
+      <p>L'alias '{{alias}}' n'est pas reconnu (il doit être de plus de 4 caractères)
+      ou le mot de passe est erroné.</p>
     </div>    
   </div>
 

diff --git a/src/mathenjeu/apps/staticapp/templates/notauthorized.html b/src/mathenjeu/apps/staticapp/templates/notauthorized.html
@@ -6,7 +6,8 @@
   <div class="jumbotron">
     <div class="container">
       <h1 class="display-4">Impossible de se connecter</h1>
-      <p>L'alias '{{alias}}' n'est pas reconnu ou le mot de passe est erroné.</p>
+      <p>L'alias '{{alias}}' n'est pas reconnu (il doit être de plus de 4 caractères)
+      ou le mot de passe est erroné.</p>
     </div>    
   </div>