Use bcrypt to hash passwords for new users in firstboot and user_add forms. Removed references to md5 hashing which was already non-functional.

2026-01-28 08:03:36 +00:00 · 2013-11-03 21:55:06 +00:00 · 2013-11-03 21:55:06 +00:00 · 198cea5b58
commit 198cea5b58
parent 3425d265c3
2 changed files with 17 additions and 9 deletions
--- a/modules/installed/first_boot.py
+++ b/modules/installed/first_boot.py
@ -9,6 +9,7 @@ from withsqlite.withsqlite import sqlite_db
 import cfg
 import config
 from model import User
+from passlib.hash import bcrypt

 class FirstBoot(PagePlugin):
    def __init__(self, *args, **kwargs):
@ -26,7 +27,7 @@ class FirstBoot(PagePlugin):
        return "fake key"

    @cherrypy.expose
-    def state0(self, message="", hostname="", box_key="", submitted=False, username="", md5_password="", **kwargs):
+    def state0(self, message="", hostname="", box_key="", submitted=False, username="", password="", **kwargs):
        """
        In this state, we do time config over HTTP, name the box and
        server key selection.
@ -63,13 +64,15 @@ class FirstBoot(PagePlugin):
            elif submitted and not box_key:
                box_key = self.generate_box_key()
                db['box_key'] = box_key
-            if username and md5_password:
+            if username and password:
+                pass_hash = bcrypt.encrypt(password)
                di = {
                    'username':username,
                    'name':'First user - please change',
                    'expert':'on',
                    "groups": ["expert"],
-                    'passphrase':md5_password,
+                    'passphrase':pass_hash,
+                    'salt':pass_hash[7:29], # for bcrypt
                    }
                new_user = User(di)
                cfg.users.set(username,new_user)
@ -93,7 +96,6 @@ class FirstBoot(PagePlugin):
        form.html("<p><strong>Initial user and password.</strong> Access to this web interface is protected by knowing a username and password.  Provide one here to register the initial privileged user.  The password can be changed and other users added later.</p>")
        form.text_input('Username:', id="username", value=username)
        form.text_input('Password:', id="password", type='password')
-        form.text_input(name="md5_password", type="hidden")
        form.html("<p>%(box_name)s uses cryptographic keys so it can prove its identity when talking to you.  %(box_name)s can make a key for itself, but if one already exists (from a prior FreedomBox, for example), you can paste it below.  This key should not be the same as your key because you are not your FreedomBox!</p>" % {'box_name':cfg.box_name})
        form.text_box("If you want, paste your box's key here.", id="box_key", value=box_key)
        form.hidden(name="submitted", value="True")
--- a/modules/installed/system/users.py
+++ b/modules/installed/system/users.py
@ -6,6 +6,7 @@ import cfg
 from forms import Form
 from util import *
 from model import User
+from passlib.hash import bcrypt

 class users(PagePlugin):
    order = 20 # order of running init in PagePlugins
@ -34,28 +35,33 @@ class add(FormPlugin, PagePlugin):
    def main(self, username='', name='', email='', message=None, *args, **kwargs):
        form = Form(title="Add User", 
                        action="/sys/users/add/index", 
-                        onsubmit="return md5ify('add_user_form', 'password')", 
                        name="add_user_form",
                        message=message)
        form.text_input(_("Username"), name="username", value=username)
        form.text_input(_("Full name"), name="name", value=name)
        form.text_input(_("Email"), name="email", value=email)
        form.text_input(_("Password"), name="password", type="password")
-        form.text_input(name="md5_password", type="hidden")
        form.submit(label=_("Create User"), name="create")
        return form.render()

-    def process_form(self, username=None, name=None, email=None, md5_password=None, **kwargs):
+    def process_form(self, username=None, name=None, email=None, password=None, **kwargs):
        msg = Message()

        if not username: msg.add = _("Must specify a username!")
-        if not md5_password: msg.add = _("Must specify a password!")
+        if not password: msg.add = _("Must specify a password!")
        
        if username in cfg.users.get_all():
            msg.add = _("User already exists!")
        else:
            try:
-                di = {'username':username, 'name':name, 'email':email, 'passphrase':md5_password}
+                pass_hash = bcrypt.encrypt(password)
+                di = {
+                    'username':username,
+                    'name':name,
+                    'email':email,
+                    'passphrase':pass_hash,
+                    'salt': pass_hash[7:29], # for bcrypt
+                    }
                new_user = User(di)
                cfg.users.set(username,new_user)
            except: