nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-28 08:03:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
311 Commits 11 Branches 403 Tags 290 MiB
Commit Graph

14 Commits

Author SHA1 Message Date
James Valleroy
3a696e0bb9 Fix check for already existing username in add_user. Add documentation of process for storing and validating hashed passwords. 2013-11-11 07:31:53 -06:00
James Valleroy
f7ad1089a5 Update tests for auth module, and fix some bugs discovered in auth module. 2013-11-11 07:31:53 -06:00
James Valleroy
2abe8559e5 Add add_user function to auth module. 2013-11-11 07:31:53 -06:00
James Valleroy
4a9177a257 Use bcrypt for login form. Add tests to check that salts and hashes are random, and check handling of invalid passwords or salts. 2013-11-11 07:28:26 -06:00
Nick Daly
95fbf9527f Merge pull request #50 from jvalleroy/fix-redirects 
Fix redirects
 2013-11-10 19:34:34 -08:00
James Valleroy
7b3a2fbe2c Remove completed TODO. 2013-11-02 17:34:17 +00:00
James Valleroy
38d3e84961 first_boot needs to move up a folder to reach router. Prepend server_dir to redirects in router, auth, and auth_page. 2013-11-02 11:25:37 +00:00
Petter Reinholdtsen
6630a8f3d5 Make sure login do not throw exception for unknown users. 2013-09-26 20:04:27 +02:00
Nick Daly
dc5139bd2d Simplify authentication code. 2013-09-08 16:53:40 -05:00
Nick Daly
ad7f932fe8 Merged: Add time to auth.py 
Author: Tzafrir Cohen <tzafrir@debian.org>
Desription: Missing import from auth.py
http://git.tzafrir.org.il/?p=plinth/plinth.git
 2013-09-08 16:52:57 -05:00
Tom Galloway
2bd413e657 If needed instead of an elif. 2013-04-24 09:29:58 +01:00
Nick Daly
1492fe9728 Unify authentication errors. 
Give the same error if the username doesn't exist or if the password
is wrong.  If we deliver separate errors, we tell the attacker whether
they've picked a valid password or not.

Also, if username doesn't exist, hash the password anyway to avoid
this timing side-channel attack:

1. Invalid Username:

   A. User tries to log in with invalid username.
   B. User name is not found in database.
   C. Password is never hashed.

2. Invalid Password:

   A. User tries to log in with valid username.
   B. User name is found in database.
   C. Password is hashed.

Given that proper password hashing will take a minute, *not* hashing
the password takes so much less time that we've effectively indicated
to the attacker that the username didn't exist, regardless of the
error message.  This way, no such error occurs.
 2013-03-23 19:59:20 -05:00
James Vasile
79de884549 complete the transition to sqlite 2012-02-19 15:07:14 -05:00
James Vasile
35071d7212 ... 2011-02-22 13:32:45 -05:00