verifying password with hash on the backend to make sure we don't decrypt garbage and also to make sure that everything is encrypted with same password/key

2026-01-07 13:29:48 -06:00 · 2017-09-05 21:22:16 -04:00
parent 53d327e435
commit 87c1a95ccc
4 changed files with 80 additions and 10 deletions
--- a/src/app.py
+++ b/src/app.py
@@ -1,6 +1,7 @@
 import os

-import bcrypt
+import binascii
+import scrypt
 import configparser
 from flask import Flask, request, send_from_directory
 from flask import render_template, redirect
@@ -11,6 +12,7 @@ from notes_api import notes_api
 from sql import connect
 from tree_api import tree_api
 from notes_move_api import notes_move_api
+from password_api import password_api

 config = configparser.ConfigParser()
 config.read('config.ini')
@@ -20,6 +22,7 @@ app.secret_key = config['Security']['flaskSecretKey']
 app.register_blueprint(tree_api)
 app.register_blueprint(notes_api)
 app.register_blueprint(notes_move_api)
+app.register_blueprint(password_api)

 class User(UserMixin):
    pass
@@ -53,11 +56,26 @@ connect(documentPath)

 hashedPassword = config['Login']['password-hash'].encode('utf-8')

+
+def verify_password(hex_hashed_password, guessed_password):
+    hashed_password = binascii.unhexlify(hex_hashed_password)
+
+    salt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6"
+
+    hashed = scrypt.hash(password=guessed_password,
+                         salt=salt,
+                         N=16384,
+                         r=16,
+                         p=1,
+                         buflen=32)
+
+    return hashed == hashed_password
+
@app.route('/login', methods=['POST'])
 def login_post():
    inputPassword = request.form['password'].encode('utf-8')

-    if request.form['username'] == user.id and bcrypt.hashpw(inputPassword, hashedPassword) == hashedPassword:
+    if request.form['username'] == user.id and verify_password(hashedPassword, inputPassword):
        rememberMe = True if 'remember-me' in request.form else False

        login_user(user, remember=rememberMe)
--- a/src/password_api.py
+++ b/src/password_api.py
@@ -0,0 +1,28 @@
+from flask import Blueprint, jsonify, request
+from flask_login import login_required
+import hashlib
+import configparser
+import binascii
+
+password_api = Blueprint('password_api', __name__)
+
+@password_api.route('/password/verify', methods = ['POST'])
+@login_required
+def verifyPassword():
+    req = request.get_json(force=True)
+
+    config = configparser.ConfigParser()
+    config.read('config.ini')
+
+    hashedPassword = config['Login']['password-hash'].encode('utf-8')
+    hashedPasswordBytes = binascii.unhexlify(hashedPassword)
+    hashedPasswordSha = hashlib.sha256(hashedPasswordBytes).hexdigest()
+
+    print(req['password'])
+    print(hashedPasswordSha)
+
+    isValid = req['password'] == hashedPasswordSha
+
+    return jsonify({
+        'valid': isValid
+    })