Do not check plaintext hashes

hiboo/profile/login.py

@@ -84,6 +84,10 @@ def claim(service_uuid):
     service = models.Service.query.get(service_uuid) or flask.abort(404)
     form = forms.ClaimForm()
     if form.validate_on_submit():
+        # A claim may either be a direct claim, ie. the user types in the
+        # profile username directly, or an indirect claim, ie. the user types
+        # in one of the profile alternate claim names. Whichever comes first
+        # wins. Unicity must be handled somewhere else.
         claim_names = models.ClaimName.query.filter_by(
             service_uuid=service_uuid,
             username=form.username.data
@@ -97,13 +101,20 @@ def claim(service_uuid):
                 models.Profile.uuid.in_(claim_names_uuid)
             )
         ).first()
+        # This is used to check the hash against a list of known hash types.
+        # We explicitely remove plaintext hashes, since all hashes identify to
+        # plaintext, thus effectively voiding the CryptContext feature.
         check = context.CryptContext([
-            scheme for scheme in dir(hash) if not scheme.startswith('__')
+            scheme for scheme in dir(hash)
+            if not scheme.startswith('__') and 'plain' not in scheme
         ])
         if profile and check.verify(form.password.data, profile.extra.get("password")):
             profile.user = flask_login.current_user
             profile.status = models.Profile.ACTIVE
             del profile.extra["password"]
+            # We explicitely delete every profile alternate claim name once the profile
+            # is assigned, since we do not want this possibly personal data to lay
+            # around if we do not need it anymore.
             for claim_name in profile.claimnames:
                 models.db.session.delete(claim_name)
             models.db.session.add(profile)