github/supysonic
1
0
Fork 0
mirror of https://github.com/spl0k/supysonic.git synced 2024-09-19 19:01:03 +00:00
Code Issues Releases Wiki Activity

Removed password decoding from UserManager

Browse Source 
Decode only when passwords are coming from API query parameters
This commit is contained in:
spl0k 2017-10-28 12:41:34 +02:00
parent 7effd3aee5
commit 033a86381b
3 changed files with 14 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
supysonic/api/__init__.py
View File

@ -23,6 +23,7 @@ from xml.etree import ElementTree
from xml.dom import minidom
import simplejson
import uuid
import binascii
from supysonic.web import app, store
from supysonic.managers.user import UserManager
@ -51,6 +52,15 @@ def set_formatter():
request.error_formatter = lambda code, msg: request.formatter({ 'error': { 'code': code, 'message': msg } }, error = True)
def decode_password(password):
if not password.startswith('enc:'):
return password
try:
return binascii.unhexlify(password[4:]).decode('utf-8')
except:
return password
@app.before_request
def authorize():
if not request.path.startswith('/rest/'):
@ -69,6 +79,7 @@ def authorize():
if not username or not password:
return error
password = decode_password(password)
status, user = UserManager.try_auth(store, username, password)
if status != UserManager.SUCCESS:
return error

3
supysonic/api/user.py
View File

@ -22,6 +22,7 @@ from flask import request
from supysonic.web import app, store
from supysonic.db import User
from supysonic.managers.user import UserManager
from . import decode_password
@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
def user_info():
@ -55,6 +56,7 @@ def user_add():
return request.error_formatter(10, 'Missing parameter')
admin = True if admin in (True, 'True', 'true', 1, '1') else False
password = decode_password(password)
status = UserManager.add(store, username, password, email, admin)
if status == UserManager.NAME_EXISTS:
return request.error_formatter(0, 'There is already a user with that username')
@ -86,6 +88,7 @@ def user_changepass():
if username != request.username and not request.user.admin:
return request.error_formatter(50, 'Admin restricted')
password = decode_password(password)
status = UserManager.change_password2(store, username, password)
if status != UserManager.SUCCESS:
return request.error_formatter(0, UserManager.error_str(status))

16
supysonic/managers/user.py
View File

@ -9,7 +9,6 @@
#
# Distributed under terms of the GNU AGPLv3 license.
import binascii
import string
import random
import hashlib
@ -49,7 +48,6 @@ class UserManager:
if store.find(User, User.name == name).one():
return UserManager.NAME_EXISTS
password = UserManager.__decode_password(password)
crypt, salt = UserManager.__encrypt_password(password)
user = User()
@ -88,7 +86,6 @@ class UserManager:
@staticmethod
def try_auth(store, name, password):
password = UserManager.__decode_password(password)
user = store.find(User, User.name == name).one()
if not user:
return UserManager.NO_SUCH_USER, None
@ -103,9 +100,6 @@ class UserManager:
if status != UserManager.SUCCESS:
return status
old_pass = UserManager.__decode_password(old_pass)
new_pass = UserManager.__decode_password(new_pass)
if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
return UserManager.WRONG_PASS
@ -119,7 +113,6 @@ class UserManager:
if not user:
return UserManager.NO_SUCH_USER
new_pass = UserManager.__decode_password(new_pass)
user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
store.commit()
return UserManager.SUCCESS
@ -145,12 +138,3 @@ class UserManager:
salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
return hashlib.sha1(salt.encode('utf-8') + password.encode('utf-8')).hexdigest(), salt
@staticmethod
def __decode_password(password):
if not password.startswith('enc:'):
return password
try:
return binascii.unhexlify(password[4:]).decode('utf-8')
except:
return password