incomplete authentication system (lecture is over)

2017-10-17 16:35:38 +02:00 · 2017-10-17 16:35:38 +02:00 · dc44f6334d
parent 5c9efaadb4
commit dc44f6334d
4 changed files with 71 additions and 19 deletions
--- a/add_user.py
+++ b/add_user.py
@ -0,0 +1,16 @@
+# This is probably false advertising because it doesn't actually add a user for you.
+# It only generates a string that you can copy-paste into users.py
+
+from pyshare_receiver import salthash
+import sys
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 3:
+        print('''
+    Usage:
+        $ python add_user.py <username> <password>
+        ''')
+        sys.exit(0)
+    else:
+        print()
--- a/pyshare-receiver.py
+++ b/pyshare-receiver.py
@ -1,19 +0,0 @@
-# this file can be run on a server to act as the endpoint of the script.
-# I mainly want to test whether this is faster than sftp
-
-from flask import Flask, request
-from werkzeug.utils import secure_filename
-
-app = Flask(__name__)
-
-@app.route('/', methods=['POST'])
-def receive_file() -> tuple:
-    if 'file' in request.files:
-        file = request.files.get('file')
-        filename = secure_filename(file.filename)
-        file.save(filename)
-        return filename, 201
-    return 'you\'re doing this wrong', 418
-
-if __name__ == "__main__":
-    app.run(ssl_context='adhoc')
--- a/pyshare_receiver.py
+++ b/pyshare_receiver.py
@ -0,0 +1,43 @@
+# this file can be run on a server to act as the endpoint of the script.
+# I mainly want to test whether this is faster than sftp
+
+from flask import Flask, request
+from werkzeug.utils import secure_filename
+from hashlib import sha3_256
+from users import users
+
+app = Flask(__name__)
+
+
+def salthash(password, salt):
+    return sha3_256((password + salt).encode('utf8')).hexdigest()
+
+
+def authenticate(request):
+    print(request.form)
+    if 'name' not in request.form or 'passwd' not in request.form:
+        return False
+    name = request.form.get('name')
+    passwd = request.form.get('passwd')
+    if name in users:
+        user = users.get(name)
+        if salthash(passwd, user[1]) == user[0]:
+            return True
+    return False
+
+
+@app.route('/', methods=['POST'])
+def receive_file() -> tuple:
+    if 'file' in request.files:
+        if authenticate(request) is True:
+            file = request.files.get('file')
+            filename = secure_filename(file.filename)
+            file.save(filename)
+            return filename, 201
+        else:
+            return 'Wrong or no credentials', 403
+    return 'you\'re doing this wrong', 418
+
+
+if __name__ == "__main__":
+    app.run(ssl_context='adhoc')
--- a/users.py
+++ b/users.py
@ -0,0 +1,12 @@
+# Add credentials for your own users here.
+# Since I'll only have very few users (probably just me), using a proper DB is overkill
+# The password hash is generated by
+# hashlib.sha3_256(bytes((password + salt).encode('utf8'))).hexdigest()
+
+users = {
+    'user1': ['c7d9c9621e417ea09141edbac126cd1f3ab1b2b94b2ad3b155a1e26a88b216c0', 'user1salt'],
+}
+
+# And btw, the password is just 'password'.
+# I'm just saying this because there will be that one guy who actually thinks
+# "Oh, I could totally brute-force this password now"