2023-10-17 23:06:27 +01:00
|
|
|
import hmac
|
|
|
|
import re
|
|
|
|
from time import time
|
|
|
|
from unicodedata import normalize
|
|
|
|
|
|
|
|
import argon2
|
|
|
|
import msgspec
|
|
|
|
from html5tagger import Document
|
|
|
|
from sanic import Blueprint, html, json, redirect
|
|
|
|
|
2023-10-19 00:06:14 +01:00
|
|
|
from . import config, session
|
2023-10-17 23:06:27 +01:00
|
|
|
|
|
|
|
_argon = argon2.PasswordHasher()
|
|
|
|
_droppyhash = re.compile(r'^([a-f0-9]{64})\$([a-f0-9]{8})$')
|
|
|
|
|
|
|
|
def _pwnorm(password):
|
|
|
|
return normalize('NFC', password).strip().encode()
|
|
|
|
|
|
|
|
def login(username: str, password: str):
|
|
|
|
un = _pwnorm(username)
|
|
|
|
pw = _pwnorm(password)
|
|
|
|
try:
|
2023-10-19 00:06:14 +01:00
|
|
|
u = config.config.users[un.decode()]
|
2023-10-17 23:06:27 +01:00
|
|
|
except KeyError:
|
|
|
|
raise ValueError("Invalid username")
|
|
|
|
# Verify password
|
|
|
|
need_rehash = False
|
|
|
|
if not u.hash:
|
|
|
|
raise ValueError("Account disabled")
|
|
|
|
if (m := _droppyhash.match(u.hash)) is not None:
|
|
|
|
h, s = m.groups()
|
|
|
|
h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()
|
|
|
|
if not hmac.compare_digest(h, h2):
|
|
|
|
raise ValueError("Invalid password")
|
|
|
|
# Droppy hashes are weak, do a hash update
|
|
|
|
need_rehash = True
|
|
|
|
else:
|
|
|
|
try:
|
|
|
|
_argon.verify(u.hash, pw)
|
|
|
|
except Exception:
|
|
|
|
raise ValueError("Invalid password")
|
|
|
|
if _argon.check_needs_rehash(u.hash):
|
|
|
|
need_rehash = True
|
|
|
|
# Login successful
|
|
|
|
if need_rehash:
|
2023-10-19 00:06:14 +01:00
|
|
|
set_password(u, password)
|
2023-10-17 23:06:27 +01:00
|
|
|
now = int(time())
|
|
|
|
u.lastSeen = now
|
|
|
|
return u
|
|
|
|
|
2023-10-19 00:06:14 +01:00
|
|
|
def set_password(user: config.User, password: str):
|
2023-10-17 23:06:27 +01:00
|
|
|
user.hash = _argon.hash(_pwnorm(password))
|
|
|
|
|
|
|
|
class LoginResponse(msgspec.Struct):
|
|
|
|
user: str = ""
|
|
|
|
privileged: bool = False
|
|
|
|
error: str = ""
|
|
|
|
|
|
|
|
authbp = Blueprint("auth")
|
|
|
|
|
|
|
|
@authbp.get("/login")
|
|
|
|
async def login_page(request):
|
|
|
|
doc = Document("Cista Login")
|
|
|
|
with doc.div(id="login"):
|
|
|
|
with doc.form(method="POST", autocomplete="on"):
|
|
|
|
doc.h1("Login")
|
|
|
|
doc.input(name="username", placeholder="Username", autocomplete="username").br
|
|
|
|
doc.input(type="password", name="password", placeholder="Password", autocomplete="current-password").br
|
|
|
|
doc.input(type="submit", value="Login")
|
|
|
|
s = session.get(request)
|
|
|
|
if s:
|
|
|
|
name = s["username"]
|
|
|
|
with doc.form(method="POST", action="/logout"):
|
|
|
|
doc.input(type="submit", value=f"Logout {name}")
|
|
|
|
flash = request.cookies.flash
|
|
|
|
if flash:
|
|
|
|
doc.p(flash)
|
|
|
|
res = html(doc)
|
|
|
|
if flash:
|
|
|
|
res.cookies.delete_cookie("flash")
|
|
|
|
if s is False:
|
|
|
|
session.delete(res)
|
|
|
|
return res
|
|
|
|
|
|
|
|
@authbp.post("/login")
|
|
|
|
async def login_post(request):
|
|
|
|
json_format = request.headers.content_type == "application/json"
|
|
|
|
if json_format:
|
|
|
|
username = request.json["username"]
|
|
|
|
password = request.json["password"]
|
|
|
|
else:
|
|
|
|
username = request.form["username"][0]
|
|
|
|
password = request.form["password"][0]
|
|
|
|
if not username or not password:
|
|
|
|
raise ValueError("Missing username or password")
|
|
|
|
user = login(username, password)
|
|
|
|
|
|
|
|
if json_format:
|
|
|
|
res = json({
|
|
|
|
"status": "authenticated",
|
|
|
|
"user": username,
|
|
|
|
"privileged": user.privileged,
|
|
|
|
})
|
|
|
|
else:
|
|
|
|
res = redirect("/")
|
2023-10-19 00:06:14 +01:00
|
|
|
res.cookies.add_cookie("flash", "Logged in", host_prefix=True, max_age=5)
|
2023-10-17 23:06:27 +01:00
|
|
|
session.create(res, username)
|
|
|
|
return res
|
|
|
|
|
|
|
|
@authbp.post("/logout")
|
|
|
|
async def logout_post(request):
|
|
|
|
res = redirect("/")
|
|
|
|
session.delete(res)
|
2023-10-19 00:06:14 +01:00
|
|
|
res.cookies.add_cookie("flash", "Logged out", host_prefix=True, max_age=5)
|
2023-10-17 23:06:27 +01:00
|
|
|
return res
|