From 32e3c5c1ed97db765791404f5be124eaab4c1785 Mon Sep 17 00:00:00 2001
From: Shamil K Muhammed <noteness@disroot.org>
Date: Tue, 18 Apr 2017 13:21:32 +0530
Subject: [PATCH] Fix user logging in with any password

`bcrypt.hashpw` returns the password hashed with the salt embedded
in the supplied hash; it does not indicate whether the password
matches. So to check whether the password is correct, the hash thus
obtained must be compared with the stored hash.

Also, diaspora just doesn't hash the password using bcrypt, it
appends a "pepper" to the password and then hashes it. So, when
checking the password, the pepper should be appended.
---
 diaspora_auth_provider.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/diaspora_auth_provider.py b/diaspora_auth_provider.py
index 217a858..d22b058 100644
--- a/diaspora_auth_provider.py
+++ b/diaspora_auth_provider.py
@@ -44,6 +44,8 @@ class DiasporaAuthProvider:
 
     @defer.inlineCallbacks
     def check_password(self, user_id, password):
+        if not password:
+            defer.returnValue(False)
         # user_id is @localpart:hs_bare. we only need the localpart.
         local_part = user_id.split(':', 1)[0][1:]
         logger.info("Checking if user {} exists.".format(local_part))
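Review bot: The new empty-password guard at the top of check_password returns False silently, while the wrong-password path later in the method logs the rejection at info level; for consistent audit logging I would log here too, e.g. `logger.info("Empty password given for {}. Rejecting auth request.".format(user_id))` before `defer.returnValue(False)`. The guard also runs before the localpart is parsed, so the log line has to use user_id rather than local_part. check_password continues past the end of this hunk.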
@@ -63,7 +65,8 @@ class DiasporaAuthProvider:
         logger.debug("User {} exists. Checking password".format(local_part))
         # user exists, check if the password is correct.
         encrypted_password = user[1]
-        if not bcrypt.hashpw(password, encrypted_password):
+        peppered_pass = "{}{}".format(password, self.config.pepper)
+        if not (bcrypt.hashpw(peppered_pass, encrypted_password) == encrypted_password):
             logger.info("Password given for {} is wrong. Rejecting auth request.".format(local_part))
             defer.returnValue(False)
         # Ok, user's password is correct. check if the user exists in the homeserver db.
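Review bot: The `==` on the new comparison line is an ordinary string comparison, so it is not constant-time; bcrypt ships the intended idiom, `bcrypt.checkpw(peppered_pass, encrypted_password)`, which performs the same hashpw-and-compare internally using `hmac.compare_digest`, and on an older bcrypt without checkpw the comparison can be wrapped as `hmac.compare_digest(bcrypt.hashpw(peppered_pass, encrypted_password), encrypted_password)`. Separately, if this provider runs under Python 3 with the pyca bcrypt package, hashpw requires bytes for both arguments, so the password string and the hash read from the database row may need encoding before the call — I cannot tell the Python version or the DB driver's return type from this hunk. It would also help future readers to note in a comment that the pepper is appended (not prepended) to match Diaspora's Devise configuration. check_password continues past the end of this hunk.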
@@ -92,5 +95,6 @@ class DiasporaAuthProvider:
         Conf.db_port = config['database']['port']
         Conf.db_username = config['database']['username']
         Conf.db_password = config['database']['password']
+        Conf.pepper = config['pepper']
         return Conf
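Review bot: `Conf.pepper = config['pepper']` makes the key mandatory, which seems right given that a missing or wrong pepper would reject every login rather than accept one, but the failure mode is a bare KeyError at startup with no hint of what is missing. Consider a short comment on that line, `# must match Diaspora's Devise pepper; treat as a secret`, and an explicit check that raises a descriptive error when the key is absent; whether Diaspora deployments can run with an empty pepper is not determinable from this patch, so I would not default it silently. The enclosing config-parsing function starts above this hunk.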
 
-- 
GitLab