cista-storage/cista/auth.py

import hmac
import re
from time import time
from unicodedata import normalize

import argon2
import msgspec
from html5tagger import Document
from sanic import Blueprint, html, json, redirect

from . import session
from .config import User, config

_argon = argon2.PasswordHasher()
_droppyhash = re.compile(r'^([a-f0-9]{64})\$([a-f0-9]{8})$')

def _pwnorm(password):
    return normalize('NFC', password).strip().encode()

def login(username: str, password: str):
    un = _pwnorm(username)
    pw = _pwnorm(password)
    try:
        u = config.users[un.decode()]
    except KeyError:
        raise ValueError("Invalid username")
    # Verify password
    need_rehash = False
    if not u.hash:
        raise ValueError("Account disabled")
    if (m := _droppyhash.match(u.hash)) is not None:
        h, s = m.groups()
        h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()
        if not hmac.compare_digest(h, h2):
            raise ValueError("Invalid password")
        # Droppy hashes are weak, do a hash update
        need_rehash = True
    else:
        try:
            _argon.verify(u.hash, pw)
        except Exception:
            raise ValueError("Invalid password")
        if _argon.check_needs_rehash(u.hash):
            need_rehash = True
    # Login successful
    if need_rehash:
        u.set_password(password)
    now = int(time())
    u.lastSeen = now
    return u

def set_password(user: User, password: str):
    user.hash = _argon.hash(_pwnorm(password))

class LoginResponse(msgspec.Struct):
    user: str = ""
    privileged: bool = False
    error: str = ""

authbp = Blueprint("auth")

@authbp.get("/login")
async def login_page(request):
    doc = Document("Cista Login")
    with doc.div(id="login"):
        with doc.form(method="POST", autocomplete="on"):
            doc.h1("Login")
            doc.input(name="username", placeholder="Username", autocomplete="username").br
            doc.input(type="password", name="password", placeholder="Password", autocomplete="current-password").br
            doc.input(type="submit", value="Login")
        s = session.get(request)
        if s:
            name = s["username"]
            with doc.form(method="POST", action="/logout"):
                doc.input(type="submit", value=f"Logout {name}")
    flash = request.cookies.flash
    if flash:
        doc.p(flash)
    res = html(doc)
    if flash:
        res.cookies.delete_cookie("flash")
    if s is False:
        session.delete(res)
    return res

@authbp.post("/login")
async def login_post(request):
    json_format = request.headers.content_type == "application/json"
    if json_format:
        username = request.json["username"]
        password = request.json["password"]
    else:
        print(request.form)
        username = request.form["username"][0]
        password = request.form["password"][0]
    if not username or not password:
        raise ValueError("Missing username or password")
    user = login(username, password)

    if json_format:
        res = json({
            "status": "authenticated",
            "user": username,
            "privileged": user.privileged,
        })
    else:
        res = redirect("/")
        res.cookies.add_cookie("flash", "Logged in",     host_prefix=True, max_age=5)
    session.create(res, username)
    return res

@authbp.post("/logout")
async def logout_post(request):
    res = redirect("/")
    session.delete(res)
    res.cookies.add_cookie("flash", "Logged out",host_prefix=True, max_age=5)
    return res
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`import hmac`
			`import re`
			`from time import time`
			`from unicodedata import normalize`

			`import argon2`
			`import msgspec`
			`from html5tagger import Document`
			`from sanic import Blueprint, html, json, redirect`

			`from . import session`
			`from .config import User, config`

			`_argon = argon2.PasswordHasher()`
			`_droppyhash = re.compile(r'^([a-f0-9]{64})\$([a-f0-9]{8})$')`

			`def _pwnorm(password):`
			`return normalize('NFC', password).strip().encode()`

			`def login(username: str, password: str):`
			`un = _pwnorm(username)`
			`pw = _pwnorm(password)`
			`try:`
			`u = config.users[un.decode()]`
			`except KeyError:`
			`raise ValueError("Invalid username")`
			`# Verify password`
			`need_rehash = False`
			`if not u.hash:`
			`raise ValueError("Account disabled")`
			`if (m := _droppyhash.match(u.hash)) is not None:`
			`h, s = m.groups()`
			`h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()`
			`if not hmac.compare_digest(h, h2):`
			`raise ValueError("Invalid password")`
			`# Droppy hashes are weak, do a hash update`
			`need_rehash = True`
			`else:`
			`try:`
			`_argon.verify(u.hash, pw)`
			`except Exception:`
			`raise ValueError("Invalid password")`
			`if _argon.check_needs_rehash(u.hash):`
			`need_rehash = True`
			`# Login successful`
			`if need_rehash:`
			`u.set_password(password)`
			`now = int(time())`
			`u.lastSeen = now`
			`return u`

			`def set_password(user: User, password: str):`
			`user.hash = _argon.hash(_pwnorm(password))`

			`class LoginResponse(msgspec.Struct):`
			`user: str = ""`
			`privileged: bool = False`
			`error: str = ""`

			`authbp = Blueprint("auth")`

			`@authbp.get("/login")`
			`async def login_page(request):`
			`doc = Document("Cista Login")`
			`with doc.div(id="login"):`
			`with doc.form(method="POST", autocomplete="on"):`
			`doc.h1("Login")`
			`doc.input(name="username", placeholder="Username", autocomplete="username").br`
			`doc.input(type="password", name="password", placeholder="Password", autocomplete="current-password").br`
			`doc.input(type="submit", value="Login")`
			`s = session.get(request)`
			`if s:`
			`name = s["username"]`
			`with doc.form(method="POST", action="/logout"):`
			`doc.input(type="submit", value=f"Logout {name}")`
			`flash = request.cookies.flash`
			`if flash:`
			`doc.p(flash)`
			`res = html(doc)`
			`if flash:`
			`res.cookies.delete_cookie("flash")`
			`if s is False:`
			`session.delete(res)`
			`return res`

			`@authbp.post("/login")`
			`async def login_post(request):`
			`json_format = request.headers.content_type == "application/json"`
			`if json_format:`
			`username = request.json["username"]`
			`password = request.json["password"]`
			`else:`
			`print(request.form)`
			`username = request.form["username"][0]`
			`password = request.form["password"][0]`
			`if not username or not password:`
			`raise ValueError("Missing username or password")`
			`user = login(username, password)`

			`if json_format:`
			`res = json({`
			`"status": "authenticated",`
			`"user": username,`
			`"privileged": user.privileged,`
			`})`
			`else:`
			`res = redirect("/")`
			`res.cookies.add_cookie("flash", "Logged in", host_prefix=True, max_age=5)`
			`session.create(res, username)`
			`return res`

			`@authbp.post("/logout")`
			`async def logout_post(request):`
			`res = redirect("/")`
			`session.delete(res)`
			`res.cookies.add_cookie("flash", "Logged out",host_prefix=True, max_age=5)`
			`return res`