Commit a32e8dfe authored by kaiyou's avatar kaiyou

Do not check plaintext hashes

parent 70f5f4ff
1 merge request!20Add 'remember me' button
Pipeline #760 passed
......@@ -84,6 +84,10 @@ def claim(service_uuid):
service = models.Service.query.get(service_uuid) or flask.abort(404)
form = forms.ClaimForm()
if form.validate_on_submit():
# A claim may either be a direct claim, ie. the user types in the
# profile username directly, or an indirect claim, ie. the user types
# in one of the profile alternate claim names. Whichever comes first
# wins. Unicity must be handled somewhere else.
claim_names = models.ClaimName.query.filter_by(
service_uuid=service_uuid,
username=form.username.data
......@@ -97,13 +101,20 @@ def claim(service_uuid):
models.Profile.uuid.in_(claim_names_uuid)
)
).first()
# This is used to check the hash against a list of known hash types.
# We explicitely remove plaintext hashes, since all hashes identify to
# plaintext, thus effectively voiding the CryptContext feature.
check = context.CryptContext([
scheme for scheme in dir(hash) if not scheme.startswith('__')
scheme for scheme in dir(hash)
if not scheme.startswith('__') and 'plain' not in scheme
])
if profile and check.verify(form.password.data, profile.extra.get("password")):
profile.user = flask_login.current_user
profile.status = models.Profile.ACTIVE
del profile.extra["password"]
# We explicitely delete every profile alternate claim name once the profile
# is assigned, since we do not want this possibly personal data to lay
# around if we do not need it anymore.
for claim_name in profile.claimnames:
models.db.session.delete(claim_name)
models.db.session.add(profile)
......
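Review bot: The exclusion on the new line `if not scheme.startswith('__') and 'plain' not in scheme` keys off a naming convention rather than the property that caused the bypass (a handler whose identify() accepts any stored value), so a scheme whose name lacks "plain" but still verifies arbitrary input, or a non-handler attribute that `dir(hash)` happens to expose, would be admitted silently; I would rather build the context from an explicit allow-list of the schemes the imported service data is known to use (or enumerate via `passlib.registry.list_crypt_handlers()` and document why each is kept). Independently, `profile.extra.get("password")` is None for a profile that carries no stored hash, and how `check.verify()` treats a None hash appears to depend on the passlib version, so I would guard it explicitly: `if profile and profile.extra.get("password") and check.verify(form.password.data, profile.extra["password"]):`. The enclosing `claim` function begins before the first hunk and continues past the last line shown.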