2023-10-17 23:06:27 +01:00
|
|
|
import hmac
|
|
|
|
import re
|
|
|
|
from time import time
|
|
|
|
from unicodedata import normalize
|
|
|
|
|
|
|
|
import argon2
|
|
|
|
import msgspec
|
|
|
|
from html5tagger import Document
|
2023-10-23 02:51:39 +01:00
|
|
|
from sanic import Blueprint, html, json, redirect
|
|
|
|
from sanic.exceptions import BadRequest, Forbidden, Unauthorized
|
2023-10-17 23:06:27 +01:00
|
|
|
|
2023-10-21 17:17:09 +01:00
|
|
|
from cista import config, session
|
2023-10-17 23:06:27 +01:00
|
|
|
|
|
|
|
_argon = argon2.PasswordHasher()
|
2023-10-26 15:18:59 +01:00
|
|
|
_droppyhash = re.compile(r"^([a-f0-9]{64})\$([a-f0-9]{8})$")
|
|
|
|
|
2023-10-17 23:06:27 +01:00
|
|
|
|
|
|
|
def _pwnorm(password):
|
2023-10-26 15:18:59 +01:00
|
|
|
return normalize("NFC", password).strip().encode()
|
|
|
|
|
2023-10-17 23:06:27 +01:00
|
|
|
|
|
|
|
def login(username: str, password: str):
|
|
|
|
un = _pwnorm(username)
|
|
|
|
pw = _pwnorm(password)
|
|
|
|
try:
|
2023-10-19 00:06:14 +01:00
|
|
|
u = config.config.users[un.decode()]
|
2023-10-17 23:06:27 +01:00
|
|
|
except KeyError:
|
2023-11-08 20:38:40 +00:00
|
|
|
raise ValueError("Invalid username") from None
|
2023-10-17 23:06:27 +01:00
|
|
|
# Verify password
|
|
|
|
need_rehash = False
|
|
|
|
if not u.hash:
|
|
|
|
raise ValueError("Account disabled")
|
|
|
|
if (m := _droppyhash.match(u.hash)) is not None:
|
|
|
|
h, s = m.groups()
|
|
|
|
h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()
|
|
|
|
if not hmac.compare_digest(h, h2):
|
|
|
|
raise ValueError("Invalid password")
|
|
|
|
# Droppy hashes are weak, do a hash update
|
|
|
|
need_rehash = True
|
|
|
|
else:
|
|
|
|
try:
|
|
|
|
_argon.verify(u.hash, pw)
|
|
|
|
except Exception:
|
2023-11-08 20:38:40 +00:00
|
|
|
raise ValueError("Invalid password") from None
|
2023-10-17 23:06:27 +01:00
|
|
|
if _argon.check_needs_rehash(u.hash):
|
|
|
|
need_rehash = True
|
|
|
|
# Login successful
|
|
|
|
if need_rehash:
|
2023-10-19 00:06:14 +01:00
|
|
|
set_password(u, password)
|
2023-10-17 23:06:27 +01:00
|
|
|
now = int(time())
|
|
|
|
u.lastSeen = now
|
|
|
|
return u
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-10-19 00:06:14 +01:00
|
|
|
def set_password(user: config.User, password: str):
|
2023-10-17 23:06:27 +01:00
|
|
|
user.hash = _argon.hash(_pwnorm(password))
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-10-17 23:06:27 +01:00
|
|
|
class LoginResponse(msgspec.Struct):
|
|
|
|
user: str = ""
|
|
|
|
privileged: bool = False
|
|
|
|
error: str = ""
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-11-08 20:38:40 +00:00
|
|
|
def verify(request, *, privileged=False):
|
2023-10-23 02:51:39 +01:00
|
|
|
"""Raise Unauthorized or Forbidden if the request is not authorized"""
|
|
|
|
if privileged:
|
|
|
|
if request.ctx.user:
|
2023-10-26 15:18:59 +01:00
|
|
|
if request.ctx.user.privileged:
|
|
|
|
return
|
2023-11-12 23:20:40 +00:00
|
|
|
raise Forbidden("Access Forbidden: Only for privileged users", quiet=True)
|
2023-10-26 15:18:59 +01:00
|
|
|
elif config.config.public or request.ctx.user:
|
|
|
|
return
|
2023-11-12 23:20:40 +00:00
|
|
|
raise Unauthorized("Login required", "cookie", quiet=True)
|
2023-11-08 20:38:40 +00:00
|
|
|
|
2023-10-17 23:06:27 +01:00
|
|
|
|
2023-10-23 02:51:39 +01:00
|
|
|
bp = Blueprint("auth")
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-10-23 02:51:39 +01:00
|
|
|
@bp.get("/login")
|
2023-10-17 23:06:27 +01:00
|
|
|
async def login_page(request):
|
|
|
|
doc = Document("Cista Login")
|
|
|
|
with doc.div(id="login"):
|
|
|
|
with doc.form(method="POST", autocomplete="on"):
|
|
|
|
doc.h1("Login")
|
2023-10-26 15:18:59 +01:00
|
|
|
doc.input(
|
|
|
|
name="username",
|
|
|
|
placeholder="Username",
|
|
|
|
autocomplete="username",
|
|
|
|
required=True,
|
|
|
|
).br
|
|
|
|
doc.input(
|
|
|
|
type="password",
|
|
|
|
name="password",
|
|
|
|
placeholder="Password",
|
|
|
|
autocomplete="current-password",
|
|
|
|
required=True,
|
|
|
|
).br
|
2023-10-17 23:06:27 +01:00
|
|
|
doc.input(type="submit", value="Login")
|
|
|
|
s = session.get(request)
|
|
|
|
if s:
|
|
|
|
name = s["username"]
|
|
|
|
with doc.form(method="POST", action="/logout"):
|
|
|
|
doc.input(type="submit", value=f"Logout {name}")
|
2023-10-21 02:44:43 +01:00
|
|
|
flash = request.cookies.message
|
2023-10-17 23:06:27 +01:00
|
|
|
if flash:
|
2023-10-26 15:18:59 +01:00
|
|
|
doc.dialog(
|
|
|
|
flash,
|
|
|
|
id="flash",
|
|
|
|
open=True,
|
|
|
|
style="position: fixed; top: 0; left: 0; width: 100%; opacity: .8",
|
|
|
|
)
|
2023-10-17 23:06:27 +01:00
|
|
|
res = html(doc)
|
|
|
|
if flash:
|
|
|
|
res.cookies.delete_cookie("flash")
|
|
|
|
if s is False:
|
|
|
|
session.delete(res)
|
|
|
|
return res
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-10-23 02:51:39 +01:00
|
|
|
@bp.post("/login")
|
2023-10-17 23:06:27 +01:00
|
|
|
async def login_post(request):
|
2023-10-19 17:55:59 +01:00
|
|
|
try:
|
2023-10-21 02:44:43 +01:00
|
|
|
if request.headers.content_type == "application/json":
|
2023-10-19 17:55:59 +01:00
|
|
|
username = request.json["username"]
|
|
|
|
password = request.json["password"]
|
|
|
|
else:
|
|
|
|
username = request.form["username"][0]
|
|
|
|
password = request.form["password"][0]
|
|
|
|
if not username or not password:
|
|
|
|
raise KeyError
|
|
|
|
except KeyError:
|
2023-11-08 20:38:40 +00:00
|
|
|
raise BadRequest(
|
|
|
|
"Missing username or password",
|
|
|
|
context={"redirect": "/login"},
|
|
|
|
) from None
|
2023-10-19 17:55:59 +01:00
|
|
|
try:
|
|
|
|
user = login(username, password)
|
|
|
|
except ValueError as e:
|
2023-11-08 20:38:40 +00:00
|
|
|
raise Forbidden(str(e), context={"redirect": "/login"}) from e
|
2023-10-17 23:06:27 +01:00
|
|
|
|
2023-10-21 02:44:43 +01:00
|
|
|
if "text/html" in request.headers.accept:
|
2023-10-17 23:06:27 +01:00
|
|
|
res = redirect("/")
|
2023-10-21 02:44:43 +01:00
|
|
|
session.flash(res, "Logged in")
|
|
|
|
else:
|
|
|
|
res = json({"data": {"username": username, "privileged": user.privileged}})
|
2023-10-17 23:06:27 +01:00
|
|
|
session.create(res, username)
|
|
|
|
return res
|
|
|
|
|
2023-10-26 15:18:59 +01:00
|
|
|
|
2023-10-23 02:51:39 +01:00
|
|
|
@bp.post("/logout")
|
2023-10-17 23:06:27 +01:00
|
|
|
async def logout_post(request):
|
2023-10-21 02:44:43 +01:00
|
|
|
s = request.ctx.session
|
|
|
|
msg = "Logged out" if s else "Not logged in"
|
|
|
|
if "text/html" in request.headers.accept:
|
|
|
|
res = redirect("/login")
|
|
|
|
res.cookies.add_cookie("flash", msg, max_age=5)
|
|
|
|
else:
|
|
|
|
res = json({"message": msg})
|
2023-10-17 23:06:27 +01:00
|
|
|
session.delete(res)
|
|
|
|
return res
|