From 944d16bfe408f4d64f16c66da686a019ef331751 Mon Sep 17 00:00:00 2001
From: Marek Baczynski
Date: Thu, 18 Oct 2018 14:07:13 +0200
Subject: [PATCH] Admin passwords are stored hashed. Safety third!
---
 admins.json | 2 +-
 hasher.py | 16 ++++++++++++++++
 qr-labels.py | 10 ++++++++--
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 hasher.py
diff --git a/admins.json b/admins.json
index 52ad0a2..8ba3584 100644
--- a/admins.json
+++ b/admins.json
@@ -1 +1 @@
-{"secret_key":"aihsasodhngfkuabsfh", "marek":{"password":"marek"},"notmarek":{"password":"notmarek"}}
\ No newline at end of file
+{"secret_key":"aihsasodhngfkuabsfh", "secret_cookie":"IPreferSeaSaltCarmelIceCreamOverAnyLameCookies", "marek":{"password":"kYazQA/Q+o1Uw2p4lY7xqLqUAtV71jUQhKRhg/KRzi4="},"notmarek":{"password":"notmarek"}}
\ No newline at end of file
diff --git a/hasher.py b/hasher.py
new file mode 100644
index 0000000..2431e5c
--- /dev/null
+++ b/hasher.py
@@ -0,0 +1,16 @@
+import base64, hashlib
+
+secret_cookie = "IPreferSeaSaltCarmelIceCreamOverAnyLameCookies"
+
+username = input("username: ")
+password = input("password: ")
+if input("retype password: ") != password:
+ print ("passwords do not match up! Lern 2 spel your password plz!")
+ exit()
+
+hasher = hashlib.sha256()
+hasher.update(password.encode('utf-8'))
+hasher.update(secret_cookie.encode('utf-8'))
+hashedpassword = base64.b64encode(hasher.digest()).decode('utf-8')
+
+print ('"{}":{{"password":"{}"}}'.format(username,hashedpassword))
\ No newline at end of file
diff --git a/qr-labels.py b/qr-labels.py
index f529eb5..708784d 100644
--- a/qr-labels.py
+++ b/qr-labels.py
@@ -3,7 +3,7 @@ from flask_login import LoginManager, UserMixin, login_required, login_user, log
 from PIL import Image, ImageFont, ImageDraw
 import qrcode
 from io import BytesIO
-import json, random, re, string
+import json, random, re, string, hashlib, base64
 app = Flask(__name__)
 systemURL = 'http://192.168.0.11:5000/' #FULL URL with a '/' at the end
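Review bot: The `notmarek` entry keeps the plaintext value `"password":"notmarek"` while the new check in qr-labels.py `login()` compares the stored value against a base64 SHA-256 digest, so that account can no longer authenticate until its record is regenerated with hasher.py; every pre-existing record has to be re-hashed in the same commit. The `secret_cookie` pepper is stored in the same file as the digests it is meant to strengthen and is now committed to history next to `secret_key`, so both values should be treated as exposed and rotated, and loaded from an untracked file or the environment rather than from admins.json.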
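Review bot: A single SHA-256 over password plus a fixed pepper is not a password hash: there is no per-user salt and no work factor, so identical passwords produce identical digests and the whole table can be tried at raw hash rate once admins.json is exposed (and this commit pushes it into git). Use `hashlib.pbkdf2_hmac` (or `hashlib.scrypt`) with a random salt from `secrets.token_bytes`, store the salt next to the digest, and read `secret_cookie` from admins.json instead of duplicating the literal here; the derivation in qr-labels.py `login()` must change in lockstep. Independently, `input()` echoes the password on the terminal where `getpass.getpass` does not, and `exit()` should be `sys.exit(1)` so a mismatch yields a non-zero status. The sketch below needs `getpass`, `secrets` and `sys` added to the import line, and the login check must reproduce the same salt + pepper derivation.
```python
# … unchanged: secret_cookie definition …
username = input("username: ")
password = getpass.getpass("password: ")          # no terminal echo
if getpass.getpass("retype password: ") != password:
    print("passwords do not match up! Lern 2 spel your password plz!")
    sys.exit(1)

salt = secrets.token_bytes(16)                    # per-user random salt, stored with the digest
digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                             salt + secret_cookie.encode('utf-8'), 200_000)
hashedpassword = base64.b64encode(digest).decode('utf-8')

print('"{}":{{"salt":"{}","password":"{}"}}'.format(
    username, base64.b64encode(salt).decode('utf-8'), hashedpassword))
```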
@@ -30,6 +30,8 @@ with open('admins.json', 'r') as infile:
 for key, value in adminfile.items():
 if key=='secret_key':
 app.secret_key = value
+ elif key=='secret_cookie':
+ secret_cookie = value.encode('utf-8')
 else:
 a = Admin(key, value['password'])
@@ -119,7 +121,11 @@ def login():
 if request.method == 'POST':
 username = request.form['username']
 password = request.form['password']
- if admins[username].password == password:
+ hasher = hashlib.sha256()
+ hasher.update(password.encode('utf-8'))
+ hasher.update(secret_cookie)
+ hashedpassword = base64.b64encode(hasher.digest()).decode('utf-8')
+ if admins[username].password == hashedpassword:
 login_user(admins[username])
 return redirect(request.args.get("next"))
 return abort(401)
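Review bot: `secret_cookie` is bound only when admins.json happens to contain a `secret_cookie` key, so a file without it lets the app start cleanly and then fails every login with `NameError` inside `login()`; the absence should be detected at startup. Initialise `secret_cookie = None` before the `with open('admins.json', 'r') as infile:` block (which begins above this hunk) and after the loop add `if secret_cookie is None: raise SystemExit("admins.json: missing secret_cookie")`. `secret_key` has the same silent-absence shape and presumably deserves the same check.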
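Review bot: `if admins[username].password == hashedpassword:` is a plain string comparison and `admins[username]` raises `KeyError` (a 500) for an unknown name, so the new check answers differently depending on whether the username exists and is not constant-time on the digest itself. Look the user up with `user = admins.get(username)` after the digest is computed, compare with `if user is not None and hmac.compare_digest(user.password, hashedpassword):` (adding `hmac` to the import line changed in the first hunk of this file), and let both failures fall through to the existing `abort(401)`. `login()`'s `def` line sits above this hunk, so the lookup may need to move with it if the function is restructured. The digest being unsalted SHA-256 is raised on the hasher.py hunk.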