1
0
mirror of https://github.com/spl0k/supysonic.git synced 2024-12-23 01:16:18 +00:00

Removed password decoding from UserManager

Decode only when passwords are coming from API query parameters
This commit is contained in:
spl0k 2017-10-28 12:41:34 +02:00
parent 7effd3aee5
commit 033a86381b
3 changed files with 14 additions and 16 deletions

View File

@ -23,6 +23,7 @@ from xml.etree import ElementTree
from xml.dom import minidom from xml.dom import minidom
import simplejson import simplejson
import uuid import uuid
import binascii
from supysonic.web import app, store from supysonic.web import app, store
from supysonic.managers.user import UserManager from supysonic.managers.user import UserManager
@ -51,6 +52,15 @@ def set_formatter():
request.error_formatter = lambda code, msg: request.formatter({ 'error': { 'code': code, 'message': msg } }, error = True) request.error_formatter = lambda code, msg: request.formatter({ 'error': { 'code': code, 'message': msg } }, error = True)
def decode_password(password):
if not password.startswith('enc:'):
return password
try:
return binascii.unhexlify(password[4:]).decode('utf-8')
except:
return password
@app.before_request @app.before_request
def authorize(): def authorize():
if not request.path.startswith('/rest/'): if not request.path.startswith('/rest/'):
@ -69,6 +79,7 @@ def authorize():
if not username or not password: if not username or not password:
return error return error
password = decode_password(password)
status, user = UserManager.try_auth(store, username, password) status, user = UserManager.try_auth(store, username, password)
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return error return error

View File

@ -22,6 +22,7 @@ from flask import request
from supysonic.web import app, store from supysonic.web import app, store
from supysonic.db import User from supysonic.db import User
from supysonic.managers.user import UserManager from supysonic.managers.user import UserManager
from . import decode_password
@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ]) @app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
def user_info(): def user_info():
@ -55,6 +56,7 @@ def user_add():
return request.error_formatter(10, 'Missing parameter') return request.error_formatter(10, 'Missing parameter')
admin = True if admin in (True, 'True', 'true', 1, '1') else False admin = True if admin in (True, 'True', 'true', 1, '1') else False
password = decode_password(password)
status = UserManager.add(store, username, password, email, admin) status = UserManager.add(store, username, password, email, admin)
if status == UserManager.NAME_EXISTS: if status == UserManager.NAME_EXISTS:
return request.error_formatter(0, 'There is already a user with that username') return request.error_formatter(0, 'There is already a user with that username')
@ -86,6 +88,7 @@ def user_changepass():
if username != request.username and not request.user.admin: if username != request.username and not request.user.admin:
return request.error_formatter(50, 'Admin restricted') return request.error_formatter(50, 'Admin restricted')
password = decode_password(password)
status = UserManager.change_password2(store, username, password) status = UserManager.change_password2(store, username, password)
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return request.error_formatter(0, UserManager.error_str(status)) return request.error_formatter(0, UserManager.error_str(status))

View File

@ -9,7 +9,6 @@
# #
# Distributed under terms of the GNU AGPLv3 license. # Distributed under terms of the GNU AGPLv3 license.
import binascii
import string import string
import random import random
import hashlib import hashlib
@ -49,7 +48,6 @@ class UserManager:
if store.find(User, User.name == name).one(): if store.find(User, User.name == name).one():
return UserManager.NAME_EXISTS return UserManager.NAME_EXISTS
password = UserManager.__decode_password(password)
crypt, salt = UserManager.__encrypt_password(password) crypt, salt = UserManager.__encrypt_password(password)
user = User() user = User()
@ -88,7 +86,6 @@ class UserManager:
@staticmethod @staticmethod
def try_auth(store, name, password): def try_auth(store, name, password):
password = UserManager.__decode_password(password)
user = store.find(User, User.name == name).one() user = store.find(User, User.name == name).one()
if not user: if not user:
return UserManager.NO_SUCH_USER, None return UserManager.NO_SUCH_USER, None
@ -103,9 +100,6 @@ class UserManager:
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return status return status
old_pass = UserManager.__decode_password(old_pass)
new_pass = UserManager.__decode_password(new_pass)
if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password: if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
return UserManager.WRONG_PASS return UserManager.WRONG_PASS
@ -119,7 +113,6 @@ class UserManager:
if not user: if not user:
return UserManager.NO_SUCH_USER return UserManager.NO_SUCH_USER
new_pass = UserManager.__decode_password(new_pass)
user.password = UserManager.__encrypt_password(new_pass, user.salt)[0] user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
store.commit() store.commit()
return UserManager.SUCCESS return UserManager.SUCCESS
@ -145,12 +138,3 @@ class UserManager:
salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6)) salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
return hashlib.sha1(salt.encode('utf-8') + password.encode('utf-8')).hexdigest(), salt return hashlib.sha1(salt.encode('utf-8') + password.encode('utf-8')).hexdigest(), salt
@staticmethod
def __decode_password(password):
if not password.startswith('enc:'):
return password
try:
return binascii.unhexlify(password[4:]).decode('utf-8')
except:
return password