Admin passwords are stored hashed. Safety third!

master
Marek Baczynski 6 years ago
parent b213966b2d
commit 944d16bfe4

@ -1 +1 @@
{"secret_key":"aihsasodhngfkuabsfh", "marek":{"password":"marek"},"notmarek":{"password":"notmarek"}} {"secret_key":"aihsasodhngfkuabsfh", "secret_cookie":"IPreferSeaSaltCarmelIceCreamOverAnyLameCookies", "marek":{"password":"kYazQA/Q+o1Uw2p4lY7xqLqUAtV71jUQhKRhg/KRzi4="},"notmarek":{"password":"notmarek"}}
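Review bot: The `notmarek` entry keeps its plaintext value `notmarek` while the login hunk in this commit compares the stored field against a base64 SHA-256 digest, so that account is effectively locked out until its value is regenerated with the new helper script (or removed, if it was only a test entry). The new `secret_cookie` pepper lives in the same file as the hashes it is meant to strengthen, so a leak of this file yields both at once; reading the pepper from an environment variable or a separate, more tightly permissioned file, and keeping `secret_key` out of version control likewise, would preserve its value. Presumably this is the admins.json the app loads, given the `open('admins.json', 'r')` context in the other file.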

@ -0,0 +1,16 @@
import base64, hashlib
secret_cookie = "IPreferSeaSaltCarmelIceCreamOverAnyLameCookies"
username = input("username: ")
password = input("password: ")
if input("retype password: ") != password:
print ("passwords do not match up! Lern 2 spel your password plz!")
exit()
hasher = hashlib.sha256()
hasher.update(password.encode('utf-8'))
hasher.update(secret_cookie.encode('utf-8'))
hashedpassword = base64.b64encode(hasher.digest()).decode('utf-8')
print ('"{}":{{"password":"{}"}}'.format(username,hashedpassword))
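Review bot: A single unsalted SHA-256 over password plus a fixed pepper (the two `hasher.update(...)` lines) is a fast hash, so two admins with the same password get the same stored value and an offline guess against a leaked file costs one SHA-256 per candidate; the login hunk in the app file mirrors the same construction and must change in step. Use a slow, per-user-salted KDF instead — `hashlib.pbkdf2_hmac` from the stdlib with a random salt stored alongside the digest, or `werkzeug.security.generate_password_hash`/`check_password_hash`, since Flask already ships Werkzeug. `input("password: ")` also echoes the password to the terminal; `getpass.getpass` avoids that. The pepper is duplicated here as a literal rather than read from the same source the app uses, so the two copies can drift silently.
```python
# … unchanged: username/password prompts and retype check …
salt = secrets.token_bytes(16)  # per-user salt; needs `import secrets`
digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                             salt + secret_cookie.encode('utf-8'), 200_000)  # iteration count is an example
# store the salt with the digest so the login side can recompute it
hashedpassword = base64.b64encode(salt + digest).decode('utf-8')
print ('"{}":{{"password":"{}"}}'.format(username,hashedpassword))
```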

@ -3,7 +3,7 @@ from flask_login import LoginManager, UserMixin, login_required, login_user, log
from PIL import Image, ImageFont, ImageDraw from PIL import Image, ImageFont, ImageDraw
import qrcode import qrcode
from io import BytesIO from io import BytesIO
import json, random, re, string import json, random, re, string, hashlib, base64
app = Flask(__name__) app = Flask(__name__)
systemURL = 'http://192.168.0.11:5000/' #FULL URL with a '/' at the end systemURL = 'http://192.168.0.11:5000/' #FULL URL with a '/' at the end
@ -30,6 +30,8 @@ with open('admins.json', 'r') as infile:
for key, value in adminfile.items(): for key, value in adminfile.items():
if key=='secret_key': if key=='secret_key':
app.secret_key = value app.secret_key = value
elif key=='secret_cookie':
secret_cookie = value.encode('utf-8')
else: else:
a = Admin(key, value['password']) a = Admin(key, value['password'])
@ -119,7 +121,11 @@ def login():
if request.method == 'POST': if request.method == 'POST':
username = request.form['username'] username = request.form['username']
password = request.form['password'] password = request.form['password']
if admins[username].password == password: hasher = hashlib.sha256()
hasher.update(password.encode('utf-8'))
hasher.update(secret_cookie)
hashedpassword = base64.b64encode(hasher.digest()).decode('utf-8')
if admins[username].password == hashedpassword:
login_user(admins[username]) login_user(admins[username])
return redirect(request.args.get("next")) return redirect(request.args.get("next"))
return abort(401) return abort(401)
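Review bot: The new comparison `if admins[username].password == hashedpassword:` still indexes `admins` with the submitted username, so an unknown name raises KeyError and turns the intended 401 into a 500 — which also lets a caller tell existing admin names from non-existing ones by status code. Look the user up first and compare digests in constant time: `admin = admins.get(username)` / `if admin is not None and hmac.compare_digest(admin.password, hashedpassword):` / `login_user(admin)` (needs `import hmac` in the import hunk). `secret_cookie` is only bound when the JSON contains that key (see the `elif key=='secret_cookie'` hunk), so a config file without it would fail here with NameError at the first login rather than at startup; a check after the load loop would surface that earlier. The hash construction itself shares the weakness flagged on the helper script. login()'s body may continue outside the hunk.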
