1
0
mirror of https://github.com/spl0k/supysonic.git synced 2024-12-22 17:06:17 +00:00

Moving password decoding to UserManager class

This commit is contained in:
spl0k 2013-06-18 16:40:41 +02:00
parent 7042634a89
commit 08b9b1b293
3 changed files with 21 additions and 20 deletions

View File

@ -46,14 +46,11 @@ def authorize():
request.user = user request.user = user
return return
(username, decoded_pass) = map(request.args.get, [ 'u', 'p' ]) (username, password) = map(request.args.get, [ 'u', 'p' ])
if not username or not decoded_pass: if not username or not password:
return error return error
if decoded_pass.startswith('enc:'): status, user = UserManager.try_auth(username, password)
decoded_pass = hexdecode(decoded_pass[4:])
status, user = UserManager.try_auth(username, decoded_pass)
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return error return error
@ -188,13 +185,6 @@ class ResponseHelper:
return ret.replace('"True"', '"true"').replace('"False"', '"false"') return ret.replace('"True"', '"true"').replace('"False"', '"false"')
def hexdecode(enc):
ret = ''
while enc:
ret = ret + chr(int(enc[:2], 16))
enc = enc[2:]
return ret
def get_entity(req, ent, param = 'id'): def get_entity(req, ent, param = 'id'):
eid = req.args.get(param) eid = req.args.get(param)
if not eid: if not eid:

View File

@ -3,7 +3,6 @@
from flask import request from flask import request
from web import app from web import app
from db import User from db import User
from . import hexdecode
from user_manager import UserManager from user_manager import UserManager
@app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ]) @app.route('/rest/getUser.view', methods = [ 'GET', 'POST' ])
@ -38,9 +37,6 @@ def user_add():
return request.error_formatter(10, 'Missing parameter') return request.error_formatter(10, 'Missing parameter')
admin = True if admin in (True, 'True', 'true', 1, '1') else False admin = True if admin in (True, 'True', 'true', 1, '1') else False
if password.startswith('enc:'):
password = hexdecode(password[4:])
status = UserManager.add(username, password, email, admin) status = UserManager.add(username, password, email, admin)
if status == UserManager.NAME_EXISTS: if status == UserManager.NAME_EXISTS:
return request.error_formatter(0, 'There is already a user with that username') return request.error_formatter(0, 'There is already a user with that username')
@ -72,9 +68,6 @@ def user_changepass():
if username != request.username and not request.user.admin: if username != request.username and not request.user.admin:
return request.error_formatter(50, 'Admin restricted') return request.error_formatter(50, 'Admin restricted')
if password.startswith('enc:'):
password = hexdecode(password[4:])
status = UserManager.change_password2(username, password) status = UserManager.change_password2(username, password)
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return request.error_formatter(0, UserManager.error_str(status)) return request.error_formatter(0, UserManager.error_str(status))

View File

@ -35,6 +35,7 @@ class UserManager:
if User.query.filter(User.name == name).first(): if User.query.filter(User.name == name).first():
return UserManager.NAME_EXISTS return UserManager.NAME_EXISTS
password = UserManager.__decode_password(password)
crypt, salt = UserManager.__encrypt_password(password) crypt, salt = UserManager.__encrypt_password(password)
user = User(name = name, mail = mail, password = crypt, salt = salt, admin = admin) user = User(name = name, mail = mail, password = crypt, salt = salt, admin = admin)
session.add(user) session.add(user)
@ -55,6 +56,7 @@ class UserManager:
@staticmethod @staticmethod
def try_auth(name, password): def try_auth(name, password):
password = UserManager.__decode_password(password)
user = User.query.filter(User.name == name).first() user = User.query.filter(User.name == name).first()
if not user: if not user:
return UserManager.NO_SUCH_USER, None return UserManager.NO_SUCH_USER, None
@ -69,6 +71,9 @@ class UserManager:
if status != UserManager.SUCCESS: if status != UserManager.SUCCESS:
return status return status
old_pass = UserManager.__decode_password(old_pass)
new_pass = UserManager.__decode_password(new_pass)
if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password: if UserManager.__encrypt_password(old_pass, user.salt)[0] != user.password:
return UserManager.WRONG_PASS return UserManager.WRONG_PASS
@ -82,6 +87,7 @@ class UserManager:
if not user: if not user:
return UserManager.NO_SUCH_USER return UserManager.NO_SUCH_USER
new_pass = UserManager.__decode_password(new_pass)
user.password = UserManager.__encrypt_password(new_pass, user.salt)[0] user.password = UserManager.__encrypt_password(new_pass, user.salt)[0]
session.commit() session.commit()
return UserManager.SUCCESS return UserManager.SUCCESS
@ -107,3 +113,15 @@ class UserManager:
salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6)) salt = ''.join(random.choice(string.printable.strip()) for i in xrange(6))
return hashlib.sha1(salt + password).hexdigest(), salt return hashlib.sha1(salt + password).hexdigest(), salt
@staticmethod
def __decode_password(password):
if not password.startswith('enc:'):
return password
enc = password[4:]
ret = ''
while enc:
ret = ret + chr(int(enc[:2], 16))
enc = enc[2:]
return ret