Removed password decoding from UserManager
Decode only when passwords are coming from API query parameters
This commit is contained in:
parent
7effd3aee5
commit
033a86381b
@ -23,6 +23,7 @@ from xml.etree import ElementTree
|
|||||||
from xml.dom import minidom
|
from xml.dom import minidom
|
||||||
import simplejson
|
import simplejson
|
||||||
import uuid
|
import uuid
|
||||||
|
import binascii
|
||||||
|
|
||||||
from supysonic.web import app, store
|
from supysonic.web import app, store
|
||||||
from supysonic.managers.user import UserManager
|
from supysonic.managers.user import UserManager
|
||||||
@ -51,6 +52,15 @@ def set_formatter():
|
|||||||
|
|
||||||
request.error_formatter = lambda code, msg: request.formatter({ 'error': { 'code': code, 'message': msg } }, error = True)
|
request.error_formatter = lambda code, msg: request.formatter({ 'error': { 'code': code, 'message': msg } }, error = True)
|
||||||
|
|
||||||
|
def decode_password(password):
|
||||||
|
if not password.startswith('enc:'):
|
||||||
|
return password
|
||||||
|
|
||||||
|
try:
|
||||||
|
return binascii.unhexlify(password[4:]).decode('utf-8')
|
||||||
|
except:
|
||||||
|
return password
|
||||||
|
|
||||||
@app.before_request
|
@app.before_request
|
||||||
def authorize():
|
def authorize():
|
||||||
if not request.path.startswith('/rest/'):
|
if not request.path.startswith('/rest/'):
|
||||||
@ -69,6 +79,7 @@ def authorize():
|
|||||||
if not username or not password:
|
if not username or not password:
|
||||||
return error
|
return error
|
||||||
|
|
||||||
|
password = decode_password(password)
|
||||||
status, user = UserManager.try_auth(store, username, password)
|
status, user = UserManager.try_auth(store, username, password)
|
||||||
if status != UserManager.SUCCESS:
|
if status != UserManager.SUCCESS:
|
||||||
return error
|
return error
|
||||||
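Review bot: The bare `except:` in the new decode_password (the hunk starting at the old line 51) catches everything, including KeyboardInterrupt and SystemExit, and hides a malformed `enc:` value by passing the raw string on as the password; narrow it to what the two calls can actually raise, `except (TypeError, binascii.Error, UnicodeDecodeError):` (TypeError is what Python 2's unhexlify raises on odd-length or non-hex input, and the xrange use elsewhere in this commit suggests Python 2 is the target). The deliberate fallback should say so, e.g. `# malformed enc: payload: keep the literal string so authentication simply fails` above the return, so the next reader does not mistake it for an oversight. The function also needs a docstring stating that it strips the `enc:` prefix and hex-decodes the remainder, returning other values unchanged. In the following hunk the call in authorize sits after the missing-parameter check, so a None password cannot reach startswith; authorize itself continues outside the hunk.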
|
@ -22,6 +22,7 @@ from flask import request
|
|||||||
from supysonic.web import app, store
|
from supysonic.web import app, store
|
||||||
from supysonic.db import User
|
from supysonic.db import User
|
||||||
from supysonic.managers.user import UserManager
|
from supysonic.managers.user import UserManager
|
||||||
|
from . import decode_password
|
||||||
|
|
||||||
@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
|
@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
|
||||||
def user_info():
|
def user_info():
|
||||||
@ -55,6 +56,7 @@ def user_add():
|
|||||||
return request.error_formatter(10, 'Missing parameter')
|
return request.error_formatter(10, 'Missing parameter')
|
||||||
admin = True if admin in (True, 'True', 'true', 1, '1') else False
|
admin = True if admin in (True, 'True', 'true', 1, '1') else False
|
||||||
|
|
||||||
|
password = decode_password(password)
|
||||||
status = UserManager.add(store, username, password, email, admin)
|
status = UserManager.add(store, username, password, email, admin)
|
||||||
if status == UserManager.NAME_EXISTS:
|
if status == UserManager.NAME_EXISTS:
|
||||||
return request.error_formatter(0, 'There is already a user with that username')
|
return request.error_formatter(0, 'There is already a user with that username')
|
||||||
@ -86,6 +88,7 @@ def user_changepass():
|
|||||||
if username != request.username and not request.user.admin:
|
if username != request.username and not request.user.admin:
|
||||||
return request.error_formatter(50, 'Admin restricted')
|
return request.error_formatter(50, 'Admin restricted')
|
||||||
|
|
||||||
|
password = decode_password(password)
|
||||||
status = UserManager.change_password2(store, username, password)
|
status = UserManager.change_password2(store, username, password)
|
||||||
if status != UserManager.SUCCESS:
|
if status != UserManager.SUCCESS:
|
||||||
return request.error_formatter(0, UserManager.error_str(status))
|
return request.error_formatter(0, UserManager.error_str(status))
|
||||||
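Review bot: `from . import decode_password` imports the helper from the package `__init__`, which presumably also imports this module to register its routes; if that submodule import precedes the decode_password definition in `__init__`, this line fails with ImportError at startup. The `__init__` hunk places the helper directly after set_formatter, which is likely early enough, but the submodule import lines are outside the visible hunks, so this should be confirmed. Both new call sites, in user_add and user_changepass, decode only after the missing-parameter and admin checks, so a None password never reaches the helper. A one-line comment at each call, `# accept the hex-encoded enc: form used by API clients`, would make the pairing with authorize explicit; user_add and user_changepass both continue outside their hunks.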
|
@ -9,7 +9,6 @@
|
|||||||
#
|
#
|
||||||
# Distributed under terms of the GNU AGPLv3 license.
|
# Distributed under terms of the GNU AGPLv3 license.
|
||||||
|
|
||||||
import binascii
|
|
||||||
import string
|
import string
|
||||||
import random
|
import random
|
||||||
import hashlib
|
import hashlib
|
||||||
@ -49,7 +48,6 @@ class UserManager:
|
|||||||
if store.find(User, User.name == name).one():
|
if store.find(User, User.name == name).one():
|
||||||
return UserManager.NAME_EXISTS
|
return UserManager.NAME_EXISTS
|
||||||
|
|
||||||
password = UserManager.__decode_password(password)
|
|
||||||
crypt, salt = UserManager.__encrypt_password(password)
|
crypt, salt = UserManager.__encrypt_password(password)
|
||||||
|
|
||||||
user = User()
|
user = User()
|
||||||
@ -88,7 +86,6 @@ class UserManager:
|
|||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def try_auth(store, name, password):
|
def try_auth(store, name, password):
|
||||||
password = UserManager.__decode_password(password)
|
|
||||||
user = store.find(User, User.name == name).one()
|
user = store.find(User, User.name == name).one()
|
||||||
if not user:
|
if not user:
|
||||||
return UserManager.NO_SUCH_USER, None
|
return UserManager.NO_SUCH_USER, None
|
||||||
@ -103,9 +100,6 @@ class UserManager:
|
|||||||
if status != UserManager.SUCCESS:
|
if status != UserManager.SUCCESS:
|
||||||
return status
|
return status
|
||||||
|
|
||||||
old_pass = UserManager.__decode_password(old_pass)
|
|
||||||
new_pass = UserManager.__decode_password(new_pass)
|
|
||||||
|
|
||||||
if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
|
if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
|
||||||
return UserManager.WRONG_PASS
|
return UserManager.WRONG_PASS
|
||||||
|
|
||||||
@ -119,7 +113,6 @@ class UserManager:
|
|||||||
if not user:
|
if not user:
|
||||||
return UserManager.NO_SUCH_USER
|
return UserManager.NO_SUCH_USER
|
||||||
|
|
||||||
new_pass = UserManager.__decode_password(new_pass)
|
|
||||||
user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
|
user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
|
||||||
store.commit()
|
store.commit()
|
||||||
return UserManager.SUCCESS
|
return UserManager.SUCCESS
|
||||||
@ -145,12 +138,3 @@ class UserManager:
|
|||||||
salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
|
salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
|
||||||
return hashlib.sha1(salt.encode('utf-8') + password.encode('utf-8')).hexdigest(), salt
|
return hashlib.sha1(salt.encode('utf-8') + password.encode('utf-8')).hexdigest(), salt
|
||||||
|
|
||||||
@staticmethod
|
|
||||||
def __decode_password(password):
|
|
||||||
if not password.startswith('enc:'):
|
|
||||||
return password
|
|
||||||
|
|
||||||
try:
|
|
||||||
return binascii.unhexlify(password[4:]).decode('utf-8')
|
|
||||||
except:
|
|
||||||
return password
|
|
||||||
|