incomplete authentication system (lecture is over)
This commit is contained in:
parent
5c9efaadb4
commit
dc44f6334d
|
@ -0,0 +1,16 @@
|
||||||
|
# This is probably false advertising because it doesn't actually add a user for you.
|
||||||
|
# It only generates a string that you can copy-paste into users.py
|
||||||
|
|
||||||
|
from pyshare_receiver import salthash
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
if len(sys.argv) != 3:
|
||||||
|
print('''
|
||||||
|
Usage:
|
||||||
|
$ python add_user.py <username> <password>
|
||||||
|
''')
|
||||||
|
sys.exit(0)
|
||||||
|
else:
|
||||||
|
print()
|
|
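Review bot: The `else` branch at the end of the `__main__` block only calls `print()`, so the script never emits the `salthash` string its header comment promises; it should derive a salt and print the users.py line, e.g. `salt = secrets.token_hex(16)` followed by `print(f"'{sys.argv[1]}': ['{salthash(sys.argv[2], salt)}', '{salt}'],")` (with `import secrets` at the top). The usage branch calls `sys.exit(0)` on a wrong argument count; a usage error conventionally exits non-zero, `sys.exit(2)`. Taking the password as a command-line argument also leaves it in shell history and the process list; `getpass.getpass()` reads it without that exposure.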
@ -1,19 +0,0 @@
|
||||||
# this file can be run on a server to act as the endpoint of the script.
|
|
||||||
# I mainly want to test whether this is faster than sftp
|
|
||||||
|
|
||||||
from flask import Flask, request
|
|
||||||
from werkzeug.utils import secure_filename
|
|
||||||
|
|
||||||
app = Flask(__name__)
|
|
||||||
|
|
||||||
@app.route('/', methods=['POST'])
|
|
||||||
def receive_file() -> tuple:
|
|
||||||
if 'file' in request.files:
|
|
||||||
file = request.files.get('file')
|
|
||||||
filename = secure_filename(file.filename)
|
|
||||||
file.save(filename)
|
|
||||||
return filename, 201
|
|
||||||
return 'you\'re doing this wrong', 418
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
app.run(ssl_context='adhoc')
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
# this file can be run on a server to act as the endpoint of the script.
|
||||||
|
# I mainly want to test whether this is faster than sftp
|
||||||
|
|
||||||
|
from flask import Flask, request
|
||||||
|
from werkzeug.utils import secure_filename
|
||||||
|
from hashlib import sha3_256
|
||||||
|
from users import users
|
||||||
|
|
||||||
|
app = Flask(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
def salthash(password, salt):
|
||||||
|
return sha3_256((password + salt).encode('utf8')).hexdigest()
|
||||||
|
|
||||||
|
|
||||||
|
def authenticate(request):
|
||||||
|
print(request.form)
|
||||||
|
if 'name' not in request.form or 'passwd' not in request.form:
|
||||||
|
return False
|
||||||
|
name = request.form.get('name')
|
||||||
|
passwd = request.form.get('passwd')
|
||||||
|
if name in users:
|
||||||
|
user = users.get(name)
|
||||||
|
if salthash(passwd, user[1]) == user[0]:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
@app.route('/', methods=['POST'])
|
||||||
|
def receive_file() -> tuple:
|
||||||
|
if 'file' in request.files:
|
||||||
|
if authenticate(request) is True:
|
||||||
|
file = request.files.get('file')
|
||||||
|
filename = secure_filename(file.filename)
|
||||||
|
file.save(filename)
|
||||||
|
return filename, 201
|
||||||
|
else:
|
||||||
|
return 'Wrong or no credentials', 403
|
||||||
|
return 'you\'re doing this wrong', 418
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
app.run(ssl_context='adhoc')
|
|
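Review bot: `print(request.form)` at the top of `authenticate` writes every submitted field, including the plaintext `passwd`, to the server's stdout/log on each request; it should be dropped (or reduced to the `name`). The comparison `salthash(passwd, user[1]) == user[0]` is a plain string compare and `salthash` only runs for names present in `users`, so response timing differs between known and unknown names; the rewrite below uses one `users.get` lookup and `hmac.compare_digest` (stdlib, needs `import hmac`) so both paths are uniform. Separately, a single SHA3-256 of `password + salt` is a fast hash; building `salthash` on `hashlib.pbkdf2_hmac` or `hashlib.scrypt` would be the stronger choice, though the stored digest in users.py and the generator in add_user.py would have to change with it. Also `file.save(filename)` writes into the process's working directory next to the app's own modules, so an authenticated upload whose name matches one of them overwrites it; saving under a dedicated upload directory avoids that.
```python
def authenticate(request):
    if 'name' not in request.form or 'passwd' not in request.form:
        return False
    name = request.form.get('name')
    passwd = request.form.get('passwd')
    # single lookup plus constant-time compare: known and unknown names take the same path
    user = users.get(name)
    if user is None:
        return False
    return hmac.compare_digest(salthash(passwd, user[1]), user[0])
```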
@ -0,0 +1,12 @@
|
||||||
|
# Add credentials for your own users here.
|
||||||
|
# Since I'll only have very few users (probably just me), using a proper DB is overkill
|
||||||
|
# The password hash is generated by
|
||||||
|
# hashlib.sha3_256(bytes((password + salt).encode('utf8'))).hexdigest()
|
||||||
|
|
||||||
|
users = {
|
||||||
|
'user1': ['c7d9c9621e417ea09141edbac126cd1f3ab1b2b94b2ad3b155a1e26a88b216c0', 'user1salt'],
|
||||||
|
}
|
||||||
|
|
||||||
|
# And btw, the password is just 'password'.
|
||||||
|
# I'm just saying this because there will be that one guy who actually thinks
|
||||||
|
# "Oh, I could totally brute-force this password now"
|