PR#548: Add a change password link for local auth - pagure

		`@@ -0,0 +1,28 @@`
		`+ """versioning_passwords`
		`+`
		`+ Revision ID: 1b6d7dc5600a`
		`+ Revises: 3b441ef4e928`
		`+ Create Date: 2016-01-13 07:57:23.465676`
		`+`
		`+ """`
		`+`
		`+ # revision identifiers, used by Alembic.`
		`+ revision = '1b6d7dc5600a'`
		`+ down_revision = '3b441ef4e928'`
		`+`
		`+ from alembic import op`
		`+ import sqlalchemy as sa`
		`+ import sqlalchemy.orm`
		`+ from pagure.lib import model`
		`+`
		`+`
		`+ def upgrade():`
		`+ engine = op.get_bind().engine`
		`+ session = sa.orm.scoped_session(sa.orm.sessionmaker(bind=engine))`
		`+ session.query(model.User).update(`
		`+ {model.User.password: '$1$' + model.User.password}, synchronize_session=False)`
		`+ session.commit()`
		`+`
		`+`
		`+ def downgrade():`
		`+ raise ValueError("Password can not be downgraded")`

pagure/__init__.py

file modified

		`@@ -309,6 +309,7 @@`
		`FAS.logout()`
		`flask.flash("You are no longer logged-in")`
		`elif APP.config.get('PAGURE_AUTH', None) == 'local':`
		`+ import pagure.ui.login as login`
		`login.logout()`
		`return flask.redirect(return_point)`

pagure/lib/login.py

file modified

+39 -1

		`@@ -1,17 +1,23 @@`
		`# -- coding: utf-8 --`

		`"""`
		`- (c) 2015 - Copyright Red Hat Inc`
		`+ (c) 2015-2016 - Copyright Red Hat Inc`

		`Authors:`
		`Pierre-Yves Chibon <pingou@pingoured.fr>`
		`+ Farhaan Bukhsh <farhaan.bukhsh@gmail.com>`

		`"""`

		`import random`
		`import string`
		`+ import bcrypt`

		`+ import hashlib`
		`+ import pagure`
		`from pagure.lib import model`
		`+ from kitchen.text.converters import to_unicode, to_bytes`
		`+ from cryptography.hazmat.primitives import constant_time`


		`def id_generator(size=15, chars=string.ascii_uppercase + string.digits):`
		`@@ -61,3 +67,35 @@`
		`)`

		`return query.all()`
		`+`
		`+`
		`+ def generate_hashed_value(password):`
		`+ """ Generate hash value for password`
		`+ """`
		`+ return '$2$' + bcrypt.hashpw(to_unicode(password), bcrypt.gensalt())`
		`+`
		`+`
		`+ def check_password(entered_password, user_password, seed=None):`
		`+ """ Version checking and returning the password`
		`+ """`
		`+ if not user_password.count('$') >= 2:`
		`+ raise pagure.exceptions.PagureException(`
		`+ 'Password of unknown version found in the database'`
		`+ )`
		`+`
		`+ _, version, user_password = user_password.split('$', 2)`
		`+`
		`+ if version == '2':`
		`+ password = bcrypt.hashpw(to_unicode(entered_password), user_password)`
		`+`
		`+ elif version == '1':`
		`+ password = '%s%s' % (to_unicode(entered_password), seed)`
		`+ password = hashlib.sha512(password).hexdigest()`
		`+`
		`+ else:`
		`+ raise pagure.exceptions.PagureException(`
		`+ 'Password of unknown version found in the database'`
		`+ )`
		`+`
		`+ return constant_time.bytes_eq(`
		`+ to_bytes(password), to_bytes(user_password))`

pagure/login_forms.py

file modified

+15

		`@@ -86,3 +86,18 @@`
		`'Confirm password <span class="error">*</span>',`
		`[wtforms.validators.Required(), same_password]`
		`)`
		`+`
		`+ class ChangePasswordForm(wtf.Form):`
		`+ """ Form to reset one's password in the local database. """`
		`+ old_password = wtforms.PasswordField(`
		`+ 'Old Password <span class="error">*</span>',`
		`+ [wtforms.validators.Required()]`
		`+ )`
		`+ password = wtforms.PasswordField(`
alert("boo! (puiterwijk was here)"); Uiterwijk (puiterwijk)">puiterwijk commented 8 years ago Name this new_password perhaps?
pingou commented 8 years ago I believe same_password expect this name
		`+ 'Password <span class="error">*</span>',`
		`+ [wtforms.validators.Required()]`
		`+ )`
		`+ confirm_password = wtforms.PasswordField(`
		`+ 'Confirm password <span class="error">*</span>',`
		`+ [wtforms.validators.Required(), same_password]`
		`+ )`

pagure/templates/login/password_recover.html

file added

+31

		`@@ -0,0 +1,31 @@`
		`+ {% extends "master.html" %}`
		`+ {% from "_formhelper.html" import render_bootstrap_field %}`
		`+`
		`+ {% block title %}Change password{% endblock %}`
		`+ {%block tag %}home{% endblock %}`
		`+`
		`+ {% block content %}`
		`+`
		`+ <div class="container">`
		`+ <div class="row">`
		`+ <div class="col-md-8 col-md-offset-2">`
		`+ <div class="card m-t-3">`
		`+ <div class="card-header">`
		`+ <strong>Change password</strong>`
		`+ </div>`
		`+ <form action="{{ url_for('change_password')}}" method="post">`
		`+ {{ render_bootstrap_field(form.old_password) }}`
		`+ {{ render_bootstrap_field(form.password) }}`
		`+ {{ render_bootstrap_field(form.confirm_password) }}`
		`+ {{ form.csrf_token }}`
		`+ <input class="btn btn-primary" type="submit" value="Update"`
		`+ title="Update description">`
		`+ <input type="button" value="Cancel" class="btn btn-default"`
		`+ onclick="history.back();">`
		`+ </form>`
		`+ </div>`
		`+ </div>`
		`+ </div>`
		`+ </div>`
		`+`
		`+ {% endblock %}`

pagure/templates/login/password_reset.html

file modified

+2 -2

		`@@ -1,5 +1,5 @@`
		`{% extends "master.html" %}`
		`- {% from "_formhelper.html" import render_field_in_row %}`
		`+ {% from "_formhelper.html" import render_bootstrap_field %}`

		`{% block title %}Change password{% endblock %}`
		`{% set tag = "home" %}`
		`@@ -16,7 +16,7 @@`
		`<form action="{{ url_for('.reset_password', token=token)`
		`}}" method="post">`
		`{{ render_bootstrap_field(form.password) }}`
		`- {{ render_field_in_row(form.confirm_password) }}`
		`+ {{ render_bootstrap_field(form.confirm_password) }}`
		`<input class="btn btn-primary" type="submit" value="Update">`
		`<input type="button" value="Cancel" class="btn btn-default" onclick="history.back();">`
		`{{ form.csrf_token }}`

pagure/templates/master.html

file modified

+1 -1

		`@@ -78,7 +78,7 @@`
		`</a>`
		`</li>`
		`{% endif %}`
		`- {% endif %}`
		`+ {% endif %}`
		`</ul>`
		`</div>`
		`</nav>`

pagure/templates/user_settings.html

file modified

+6 -1

		`@@ -88,7 +88,12 @@`
		`</form>`
		`</div>`
		`</div>`
		`-`
		`+ <div class="card m-b-3">`
		`+ {% if config.get('PAGURE_AUTH')=='local' %}`
		`+ <a href="{{ url_for('change_password', username=g.fas_user.username) }}">Change password</a>`
		`+ {% endif %}`
		`+ </div>`
		`</div>`
		`</div>`
		`+`
		`{% endblock %}`

pagure/ui/login.py

file modified

+95 -26

		`@@ -1,10 +1,11 @@`
		`# -- coding: utf-8 --`

		`"""`
		`- (c) 2014, 2015 - Copyright Red Hat Inc`
		`+ (c) 2014-2016 - Copyright Red Hat Inc`

		`Authors:`
		`Pierre-Yves Chibon <pingou@pingoured.fr>`
		`+ Farhaan Bukhsh <farhaan.bukhsh@gmail.com>`

		`"""`

		`@@ -12,6 +13,7 @@`
		`import hashlib`
		`import datetime`
		`import urlparse`
		`+ import bcrypt`

		`import flask`
		`from sqlalchemy.exc import SQLAlchemyError`
		`@@ -21,7 +23,8 @@`
		`import pagure.lib.login`
		`import pagure.lib.model as model`
		`import pagure.lib.notify`
		`- from pagure import APP, SESSION`
		`+ from pagure import APP, SESSION, cla_required`
		`+ from pagure.lib.login import generate_hashed_value, check_password`

		`# pylint: disable=E1101`

		`@@ -44,9 +47,7 @@`
		`flask.flash('Email address already taken.', 'error')`
		`return flask.redirect(flask.request.url)`

		`- password = '%s%s' % (`
		`- form.password.data, APP.config.get('PASSWORD_SEED', None))`
		`- form.password.data = hashlib.sha512(password).hexdigest()`
		`+ form.password.data = generate_hashed_value(form.password.data)`

		`token = pagure.lib.login.id_generator(40)`

		`@@ -66,19 +67,17 @@`
		`SESSION.flush()`

		`try:`
		`- SESSION.flush()`
		`+ SESSION.commit()`
		`send_confirmation_email(user)`
		`flask.flash(`
		`'User created, please check your email to activate the '`
		`'account')`
		`- except SQLAlchemyError as err:`
		`+ except SQLAlchemyError as err: # pragma: no cover`
		`SESSION.rollback()`
		`flask.flash('Could not create user.')`
		`APP.logger.debug('Could not create user.')`
		`APP.logger.exception(err)`

		`- SESSION.commit()`
		`-`
		`return flask.redirect(flask.url_for('auth_login'))`

		`return flask.render_template(`
		`@@ -89,7 +88,7 @@`

		`@APP.route('/dologin', methods=['POST'])`
		`def do_login():`
		`- """ Lo the user in user.`
		`+ """ Log the user in user.`
		`"""`
		`form = forms.LoginForm()`
		`next_url = flask.request.args.get('next_url')`
		`@@ -98,20 +97,36 @@`

		`if form.validate_on_submit():`
		`username = form.username.data`
		`- password = '%s%s' % (`
		`- form.password.data, APP.config.get('PASSWORD_SEED', None))`
		`- password = hashlib.sha512(password).hexdigest()`
		`-`
		`user_obj = pagure.lib.search_user(SESSION, username=username)`
		`- if not user_obj or user_obj.password != password:`
		`+ if not user_obj:`
		`+ flask.flash('Username or password invalid.', 'error')`
		`+ return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`+ try:`
		`+ password_checks = check_password(`
		`+ form.password.data, user_obj.password,`
		`+ seed=APP.config.get('PASSWORD_SEED', None))`
		`+ except pagure.exceptions.PagureException as err:`
		`+ APP.logger.exception(err)`
		`+ flask.flash('Username or password of invalid format.', 'error')`
		`+ return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`+ if not password_checks:`
		`flask.flash('Username or password invalid.', 'error')`
		`return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`elif user_obj.token:`
		`flask.flash(`
		`'Invalid user, did you confirm the creation with the url '`
		`'provided by email?', 'error')`
		`return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`else:`
		`+`
		`+ if not user_obj.password.startswith('$2$'):`
		`+ user_obj.password = generate_hashed_value(form.password.data)`
		`+ SESSION.add(user_obj)`
		`+`
		`visit_key = pagure.lib.login.id_generator(40)`
		`now = datetime.datetime.utcnow()`
		`expiry = now + datetime.timedelta(days=30)`
		`@@ -180,12 +195,13 @@`
		`flask.flash('Username invalid.', 'error')`
		`return flask.redirect(flask.url_for('auth_login'))`
		`elif user_obj.token:`
		`- current_time = datetime.datetime.now()`
		`- invalid_period = user_obj.updated_on + datetime.timedelta(minutes=3)`
		`+ current_time = datetime.datetime.utcnow()`
		`+ invalid_period = user_obj.updated_on + \`
		`+ datetime.timedelta(minutes=3)`
		`if current_time < invalid_period:`
		`flask.flash('An email was sent to you less than 3 minutes ago, '`
		`- 'did you check your spam folder? Otherwise, '`
		`- 'try again after some time.', 'error')`
		`+ 'did you check your spam folder? Otherwise, '`
		`+ 'try again after some time.', 'error')`
		`return flask.redirect(flask.url_for('auth_login'))`

		`token = pagure.lib.login.id_generator(40)`
		`@@ -197,7 +213,7 @@`
		`send_lostpassword_email(user_obj)`
		`flask.flash(`
		`'Check your email to finish changing your password')`
		`- except SQLAlchemyError as err:`
		`+ except SQLAlchemyError as err: # pragma: no cover`
		`SESSION.rollback()`
		`flask.flash(`
		`'Could not set the token allowing changing a password.',`
		`@@ -232,9 +248,8 @@`

		`if form.validate_on_submit():`

		`- password = '%s%s' % (`
		`- form.password.data, APP.config.get('PASSWORD_SEED', None))`
		`- user_obj.password = hashlib.sha512(password).hexdigest()`
		`+ user_obj.password = generate_hashed_value(form.password.data)`
		`+`
		`user_obj.token = None`
		`SESSION.add(user_obj)`

		`@@ -242,7 +257,7 @@`
		`SESSION.commit()`
		`flask.flash(`
		`'Password changed')`
		`- except SQLAlchemyError as err:`
		`+ except SQLAlchemyError as err: # pragma: no cover`
		`SESSION.rollback()`
		`flask.flash('Could not set the new password.', 'error')`
		`APP.logger.debug(`
		`@@ -256,13 +271,67 @@`
		`form=form,`
		`token=token,`
		`)`
		`-`
		`-`
		`#`
		`# Methods specific to local login.`
		`#`


		`+ @APP.route('/password/change/', methods=['GET', 'POST'])`
		`+ @APP.route('/password/change', methods=['GET', 'POST'])`
		`+ @cla_required`
		`+ def change_password():`
		`+ """ Method to change the password for local auth users.`
		`+ """`
		`+`
		`+ form = forms.ChangePasswordForm()`
		`+ user_obj = pagure.lib.search_user(`
		`+ SESSION, username=flask.g.fas_user.username)`
		`+`
		`+ if not user_obj:`
		`+ flask.abort(404, 'User not found')`
		`+`
		`+ if form.validate_on_submit():`
		`+`
		`+ try:`
		`+ password_checks = check_password(`
		`+ form.old_password.data, user_obj.password,`
		`+ seed=APP.config.get('PASSWORD_SEED', None))`
		`+ except pagure.exceptions.PagureException as err:`
		`+ APP.logger.exception(err)`
		`+ flask.flash(`
		`+ 'Could not update your password, either user or password '`
		`+ 'could not be checked', 'error')`
		`+ return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`+ if password_checks:`
		`+ user_obj.password = generate_hashed_value(form.password.data)`
		`+ SESSION.add(user_obj)`
		`+`
		`+ else:`
		`+ flask.flash(`
		`+ 'Could not update your password, either user or password '`
		`+ 'could not be checked', 'error')`
		`+ return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`+ try:`
		`+ SESSION.commit()`
		`+ flask.flash(`
		`+ 'Password changed')`
		`+ except SQLAlchemyError as err: # pragma: no cover`
		`+ SESSION.rollback()`
		`+ flask.flash('Could not set the new password.', 'error')`
		`+ APP.logger.debug(`
		`+ 'Password change - Error setting new password.')`
		`+ APP.logger.exception(err)`
		`+`
		`+ return flask.redirect(flask.url_for('auth_login'))`
		`+`
		`+ return flask.render_template(`
		`+ 'login/password_recover.html',`
		`+ form=form,`
		`+ )`
		`+`
		`+`
		`def send_confirmation_email(user):`
		`""" Sends the confirmation email asking the user to confirm its email`
		`address.`

requirements.txt

file modified

		`@@ -26,3 +26,4 @@`
		`straight.plugin==1.4.0-post-1`
		`trollius-redis`
		`wtforms`
		`+ py-bcrypt`

tests/test_pagure_flask_ui_login.py

file added

+553

		`@@ -0,0 +1,553 @@`
		`+ # -- coding: utf-8 --`
		`+`
		`+ """`
		`+ (c) 2016 - Copyright Red Hat Inc`
		`+`
		`+ Authors:`
		`+ Pierre-Yves Chibon <pingou@pingoured.fr>`
		`+ Farhaan Bukhsh <farhaan.bukhsh@gmail.com>`
		`+`
		`+ """`
		`+`
		`+ __requires__ = ['SQLAlchemy >= 0.8']`
		`+ import pkg_resources`
		`+`
		`+ import datetime`
		`+ import hashlib`
		`+ import json`
		`+ import unittest`
		`+ import shutil`
		`+ import sys`
		`+ import tempfile`
		`+ import os`
		`+`
		`+ import pygit2`
		`+ from mock import patch`
		`+`
		`+ sys.path.insert(0, os.path.join(os.path.dirname(`
		`+ os.path.abspath(__file__)), '..'))`
		`+`
		`+`
		`+ import pagure.lib`
		`+ import tests`
		`+ from pagure.lib.repo import PagureRepo`
		`+`
		`+ import pagure.ui.login`
		`+`
		`+`
		`+ class PagureFlaskLogintests(tests.Modeltests):`
		`+ """ Tests for flask app controller of pagure """`
		`+`
		`+ def setUp(self):`
		`+ """ Set up the environnment, ran before every tests. """`
		`+ super(PagureFlaskLogintests, self).setUp()`
		`+`
		`+ pagure.APP.config['TESTING'] = True`
		`+ pagure.APP.config['EMAIL_SEND'] = False`
		`+ pagure.APP.config['PAGURE_AUTH'] = 'local'`
		`+ pagure.SESSION = self.session`
		`+ pagure.ui.SESSION = self.session`
		`+ pagure.ui.app.SESSION = self.session`
		`+ pagure.ui.login.SESSION = self.session`
		`+`
		`+ self.app = pagure.APP.test_client()`
		`+`
		`+ def test_new_user(self):`
		`+ """ Test the new_user endpoint. """`
		`+`
		`+ # Check before:`
		`+ items = pagure.lib.search_user(self.session)`
		`+ self.assertEqual(2, len(items))`
		`+`
		`+ # First access the new user page`
		`+ output = self.app.get('/user/new')`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>New user - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/user/new" method="post">', output.data)`
		`+`
		`+ # Create the form to send there`
		`+`
		`+ # This has all the data needed`
		`+ data = {`
		`+ 'user': 'foo',`
		`+ 'fullname': 'user foo',`
		`+ 'email_address': 'foo@bar.com',`
		`+ 'password': 'barpass',`
		`+ 'confirm_password': 'barpass',`
		`+ }`
		`+`
		`+ # Submit this form - Doesn't work since there is no csrf token`
		`+ output = self.app.post('/user/new', data=data)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>New user - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/user/new" method="post">', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # Submit the form with the csrf token`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post('/user/new', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>New user - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/user/new" method="post">', output.data)`
		`+ self.assertIn('Username already taken.', output.data)`
		`+`
		`+ # Submit the form with another username`
		`+ data['user'] = 'foouser'`
		`+ output = self.app.post('/user/new', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>New user - Pagure</title>', output.data)`
		`+ self.assertIn('Email address already taken.', output.data)`
		`+`
		`+ # Submit the form with proper data`
		`+ data['email_address'] = 'foo@example.com'`
		`+ output = self.app.post('/user/new', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'User created, please check your email to activate the account',`
		`+ output.data)`
		`+`
		`+ # Check after:`
		`+ items = pagure.lib.search_user(self.session)`
		`+ self.assertEqual(3, len(items))`
		`+`
		`+ def test_do_login(self):`
		`+ """ Test the do_login endpoint. """`
		`+`
		`+ output = self.app.get('/login/')`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+`
		`+ # This has all the data needed`
		`+ data = {`
		`+ 'username': 'foouser',`
		`+ 'password': 'barpass',`
		`+ }`
		`+`
		`+ # Submit this form - Doesn't work since there is no csrf token`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn('Insufficient information provided', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # Submit the form with the csrf token - but invalid user`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn('Username or password invalid.', output.data)`
		`+`
		`+ # Create a local user`
		`+ self.test_new_user()`
		`+`
		`+ items = pagure.lib.search_user(self.session)`
		`+ self.assertEqual(3, len(items))`
		`+`
		`+ # Submit the form with the csrf token - but user not confirmed`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn(`
		`+ 'Invalid user, did you confirm the creation with the url '`
		`+ 'provided by email?', output.data)`
		`+`
		`+ # User in the DB, csrf provided - but wrong password submitted`
		`+ data['password'] = 'password'`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn('Username or password invalid.', output.data)`
		`+`
		`+ # When account is not confirmed i.e user_obj != None`
		`+ data['password'] = 'barpass'`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn(`
		`+ 'Invalid user, did you confirm the creation with the url '`
		`+ 'provided by email?', output.data)`
		`+`
		`+ # Wrong password submitted`
		`+ data['password'] = 'password'`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn('Username or password invalid.', output.data)`
		`+`
		`+ # When account is not confirmed i.e user_obj != None`
		`+ data['password'] = 'barpass'`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn(`
		`+ 'Invalid user, did you confirm the creation with the url '`
		`+ 'provided by email?', output.data)`
		`+`
		`+ # Confirm the user so that we can log in`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertNotEqual(item.token, None)`
		`+`
		`+ # Remove the token`
		`+ item.token = None`
		`+ self.session.add(item)`
		`+ self.session.commit`
		`+`
		`+ # Check the user`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertEqual(item.token, None)`
		`+`
		`+ # Login but cannot save the session to the DB due to the missing IP`
		`+ # address in the flask request`
		`+ data['password'] = 'barpass'`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<a class="nav-link" href="/login/?next=http://localhost/">',`
		`+ output.data)`
		`+ self.assertIn(`
		`+ 'Could not set the session in the db, please report this error '`
		`+ 'to an admin', output.data)`
		`+`
		`+ # Make the password invalid`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertTrue(item.password.startswith('$2$'))`
		`+`
		`+ # Remove the $2$`
		`+ item.password = item.password[3:]`
		`+ self.session.add(item)`
		`+ self.session.commit`
		`+`
		`+ # Check the password`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertFalse(item.password.startswith('$2$'))`
		`+`
		`+ # Try login again`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/dologin" method="post">', output.data)`
		`+ self.assertIn('Username or password of invalid format.', output.data)`
		`+`
		`+ # Make the password be version 1`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertTrue(item.password.startswith('$2$'))`
		`+`
		`+ # V1 password`
		`+ password = '%s%s' % ('barpass', None)`
		`+ password = hashlib.sha512(password).hexdigest()`
		`+ item.token = None`
		`+ item.password = '$1$%s' % password`
		`+ self.session.add(item)`
		`+ self.session.commit`
		`+`
		`+ # Check the password`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertTrue(item.password.startswith('$1$'))`
		`+`
		`+ # Log in with a v1 password`
		`+ output = self.app.post('/dologin', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<a class="nav-link" href="/login/?next=http://localhost/">',`
		`+ output.data)`
		`+ self.assertIn(`
		`+ 'Could not set the session in the db, please report this error '`
		`+ 'to an admin', output.data)`
		`+`
		`+ def test_confirm_user(self):`
		`+ """ Test the confirm_user endpoint. """`
		`+`
		`+ output = self.app.get('/confirm/foo', follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'No user associated with this token.', output.data)`
		`+`
		`+ # Create a local user`
		`+ self.test_new_user()`
		`+`
		`+ items = pagure.lib.search_user(self.session)`
		`+ self.assertEqual(3, len(items))`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertTrue(item.password.startswith('$2$'))`
		`+ self.assertNotEqual(item.token, None)`
		`+`
		`+ output = self.app.get(`
		`+ '/confirm/%s' % item.token, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'Email confirmed, account activated', output.data)`
		`+`
		`+ def test_lost_password(self):`
		`+ """ Test the lost_password endpoint. """`
		`+`
		`+ output = self.app.get('/password/lost')`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Lost password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/lost" method="post">', output.data)`
		`+`
		`+ # Prepare the data to send`
		`+ data = {`
		`+ 'username': 'foouser',`
		`+ }`
		`+`
		`+ # Missing CSRF`
		`+ output = self.app.post('/password/lost', data=data)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Lost password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/lost" method="post">', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # With the CSRF - But invalid user`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post(`
		`+ '/password/lost', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn('Username invalid.', output.data)`
		`+`
		`+ # With the CSRF and a valid user`
		`+ data['username'] = 'foo'`
		`+ output = self.app.post(`
		`+ '/password/lost', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'Check your email to finish changing your password', output.data)`
		`+`
		`+ # With the CSRF and a valid user - but too quick after the last one`
		`+ data['username'] = 'foo'`
		`+ output = self.app.post(`
		`+ '/password/lost', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'An email was sent to you less than 3 minutes ago, did you '`
		`+ 'check your spam folder? Otherwise, try again after some time.',`
		`+ output.data)`
		`+`
		`+ def test_reset_password(self):`
		`+ """ Test the reset_password endpoint. """`
		`+`
		`+ output = self.app.get('/password/reset/foo', follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn('No user associated with this token.', output.data)`
		`+ self.assertIn('<form action="/dologin" method="post">', output.data)`
		`+`
		`+ self.test_lost_password()`
		`+ self.test_new_user()`
		`+`
		`+ # Check the password`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertNotEqual(item.token, None)`
		`+ self.assertTrue(item.password.startswith('$2$'))`
		`+`
		`+ old_password = item.password`
		`+ token = item.token`
		`+`
		`+ output = self.app.get(`
		`+ '/password/reset/%s' % token, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/reset/', output.data)`
		`+`
		`+ data = {`
		`+ 'password': 'passwd',`
		`+ 'confirm_password': 'passwd',`
		`+ }`
		`+`
		`+ # Missing CSRF`
		`+ output = self.app.post(`
		`+ '/password/reset/%s' % token, data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/reset/', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # With CSRF`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post(`
		`+ '/password/reset/%s' % token, data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn('Password changed', output.data)`
		`+`
		`+ def test_change_password(self):`
		`+ """ Test the change_password endpoint. """`
		`+`
		`+ # Not logged in, redirects`
		`+ output = self.app.get('/password/change', follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Login - Pagure</title>', output.data)`
		`+ self.assertIn('<form action="/dologin" method="post">', output.data)`
		`+`
		`+ user = tests.FakeUser()`
		`+ with tests.user_set(pagure.APP, user):`
		`+ output = self.app.get('/password/change')`
		`+ self.assertEqual(output.status_code, 404)`
		`+ self.assertIn('User not found', output.data)`
		`+`
		`+ user = tests.FakeUser(username='foo')`
		`+ with tests.user_set(pagure.APP, user):`
		`+ output = self.app.get('/password/change')`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn(`
		`+ '<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/change" method="post">', output.data)`
		`+`
		`+ data = {`
		`+ 'old_password': 'foo',`
		`+ 'password': 'foo',`
		`+ 'confirm_password': 'foo',`
		`+ }`
		`+`
		`+ # No CSRF token`
		`+ output = self.app.post('/password/change', data=data)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn(`
		`+ '<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/change" method="post">', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # With CSRF - Invalid password format`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post(`
		`+ '/password/change', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'Could not update your password, either user or password '`
		`+ 'could not be checked', output.data)`
		`+`
		`+ self.test_new_user()`
		`+`
		`+ # Remove token of foouser`
		`+ item = pagure.lib.search_user(self.session, username='foouser')`
		`+ self.assertEqual(item.user, 'foouser')`
		`+ self.assertNotEqual(item.token, None)`
		`+ self.assertTrue(item.password.startswith('$2$'))`
		`+ item.token = None`
		`+ self.session.add(item)`
		`+ self.session.commit()`
		`+`
		`+ user = tests.FakeUser(username='foouser')`
		`+ with tests.user_set(pagure.APP, user):`
		`+ output = self.app.get('/password/change')`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn(`
		`+ '<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/change" method="post">', output.data)`
		`+`
		`+ data = {`
		`+ 'old_password': 'foo',`
		`+ 'password': 'foo',`
		`+ 'confirm_password': 'foo',`
		`+ }`
		`+`
		`+ # No CSRF token`
		`+ output = self.app.post('/password/change', data=data)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn(`
		`+ '<title>Change password - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ '<form action="/password/change" method="post">', output.data)`
		`+`
		`+ csrf_token = output.data.split(`
		`+ 'name="csrf_token" type="hidden" value="')[1].split('">')[0]`
		`+`
		`+ # With CSRF - Incorrect password`
		`+ data['csrf_token'] = csrf_token`
		`+ output = self.app.post(`
		`+ '/password/change', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn(`
		`+ 'Could not update your password, either user or password '`
		`+ 'could not be checked', output.data)`
		`+`
		`+ # With CSRF - Correct password`
		`+ data['old_password'] = 'barpass'`
		`+ output = self.app.post(`
		`+ '/password/change', data=data, follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn('Password changed', output.data)`
		`+`
		`+ def test_logout(self):`
		`+ """ Test the auth_logout endpoint for local login. """`
		`+`
		`+ output = self.app.get('/logout/', follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertNotIn('You have been logged out', output.data)`
		`+ self.assertIn(`
		`+ '<a class="nav-link" href="/login/?next=http://localhost/">',`
		`+ output.data)`
		`+`
		`+ user = tests.FakeUser(username='foo')`
		`+ with tests.user_set(pagure.APP, user):`
		`+ output = self.app.get('/logout/', follow_redirects=True)`
		`+ self.assertEqual(output.status_code, 200)`
		`+ self.assertIn('<title>Home - Pagure</title>', output.data)`
		`+ self.assertIn('You have been logged out', output.data)`
		`+ # Due to the way the tests are running we do not actually`
		`+ # log out`
		`+ self.assertIn(`
		`+ '<a href="/logout/?next=http://localhost/">log out</a>',`
		`+ output.data)`
		`+`
		`+`
		`+ if __name__ == '__main__':`
		`+ SUITE = unittest.TestLoader().loadTestsFromTestCase(PagureFlaskLogintests)`
		`+ unittest.TextTestRunner(verbosity=2).run(SUITE)`

tests/test_pagure_lib_login.py

file added

+113

		`@@ -0,0 +1,113 @@`
		`+ # -- coding: utf-8 --`
		`+`
		`+ """`
		`+ (c) 2016 - Copyright Red Hat Inc`
		`+`
		`+ Authors:`
		`+ Pierre-Yves Chibon <pingou@pingoured.fr>`
		`+ Farhaan Bukhsh <farhaan.bukhsh@gmail.com>`
		`+`
		`+ """`
		`+`
		`+ __requires__ = ['SQLAlchemy >= 0.8']`
		`+ import pkg_resources`
		`+`
		`+ import unittest`
		`+ import shutil`
		`+ import sys`
		`+ import os`
		`+`
		`+ from mock import patch`
		`+`
		`+ sys.path.insert(0, os.path.join(os.path.dirname(`
		`+ os.path.abspath(__file__)), '..'))`
		`+`
		`+ import pagure.lib`
		`+ from pagure.exceptions import PagureException`
		`+ import pagure.lib.login`
		`+ import hashlib`
		`+ from pagure import APP`
		`+ import tests`
		`+`
		`+`
		`+ class PagureLibLogintests(tests.Modeltests):`
		`+ """ Tests for pagure.lib.login """`
		`+`
		`+ def test_id_generator(self):`
		`+ ''' Test pagure.lib.login.id_generator. '''`
		`+ self.assertEqual(`
		`+ pagure.lib.login.id_generator(size=3, chars=['a']),`
		`+ 'aaa'`
		`+ )`
		`+`
		`+ def test_get_users_by_group(self):`
		`+ ''' Test pagure.lib.login.get_users_by_group. '''`
		`+`
		`+ users = pagure.lib.login.get_users_by_group(self.session, 'foo')`
		`+ self.assertEqual(users, [])`
		`+`
		`+ def test_get_session_by_visitkey(self):`
		`+ ''' Test pagure.lib.login.get_session_by_visitkey. '''`
		`+`
		`+ session = pagure.lib.login.get_session_by_visitkey(self.session, 'foo')`
		`+ self.assertEqual(session, None)`
		`+`
		`+ def test_generate_hashed_value(self):`
		`+ ''' Test pagure.lib.login.generate_hashed_value. '''`
		`+ password = pagure.lib.login.generate_hashed_value('foo')`
		`+ self.assertTrue(password.startswith('$2$'))`
		`+ self.assertEqual(len(password), 63)`
		`+`
		`+ def test_check_password(self):`
		`+ ''' Test pagure.lib.login.check_password. '''`
		`+`
		`+ # Version 2`
		`+ password = pagure.lib.login.generate_hashed_value('foo')`
		`+ self.assertTrue(`
		`+ pagure.lib.login.check_password('foo', password))`
		`+ self.assertFalse(`
		`+ pagure.lib.login.check_password('bar', password))`
		`+`
		`+ # Version 1`
		`+ password = '%s%s' % ('foo', APP.config.get('PASSWORD_SEED', None))`
		`+ password = '$1$' + hashlib.sha512(password).hexdigest()`
		`+ self.assertTrue(pagure.lib.login.check_password('foo', password))`
		`+ self.assertFalse(pagure.lib.login.check_password('bar', password))`
		`+`
		`+ # Invalid password - No version`
		`+ password = '%s%s' % ('foo', APP.config.get('PASSWORD_SEED', None))`
		`+ password = hashlib.sha512(password).hexdigest()`
		`+ self.assertRaises(`
		`+ PagureException,`
		`+ pagure.lib.login.check_password,`
		`+ 'foo', password`
		`+ )`
		`+`
		`+ # Invalid password - Invalid version`
		`+ password = '$3$' + password`
		`+ self.assertRaises(`
		`+ PagureException,`
		`+ pagure.lib.login.check_password,`
		`+ 'foo',`
		`+ password`
		`+ )`
		`+ password = '%s%s' % ('foo', APP.config.get('PASSWORD_SEED', None))`
		`+ password = hashlib.sha512(password).hexdigest()`
		`+ self.assertRaises(`
		`+ PagureException,`
		`+ pagure.lib.login.check_password,`
		`+ 'foo', password`
		`+ )`
		`+`
		`+ # Invalid password - Invalid version`
		`+ password = '$3$' + password`
		`+ self.assertRaises(`
		`+ PagureException,`
		`+ pagure.lib.login.check_password,`
		`+ 'foo',`
		`+ password`
		`+ )`
		`+`
		`+ if __name__ == '__main__':`
		`+ SUITE = unittest.TestLoader().loadTestsFromTestCase(PagureLibLogintests)`
		`+ unittest.TextTestRunner(verbosity=2).run(SUITE)`

no initial comment

puiterwijk commented on line 18 of pagure/ui/login.py 8 years ago

This is a HORRIBLE way of checking the old password, since this is completely open to a timing side-channel attack.
Please, PLEASE, use a constant time comparison function!

For example, use: https://cryptography.readthedocs.org/en/latest/hazmat/primitives/constant-time/

puiterwijk commented on line 21 of pagure/ui/login.py 8 years ago

This is very bad way of storing a password!
Please consider using bcrypt for password storage.
The problem is that the SHA family of functions is created in such a way that they are as fast as possible, which you do NOT want with password storage: you want to make it as hard as possible for an offline attacker to try lots of possibilities to check if they match (dictionary and/or brute-force attack).

pingou commented on line 6 of pagure/templates/login/password_change.html 8 years ago

How is password recovery working then?

pingou commented on line 18 of pagure/ui/login.py 8 years ago

Sounds like a good idea, def :thumbsup: for me

pingou commented on line 21 of pagure/ui/login.py 8 years ago

In order to improve the security, we may want to move all the code related to securing a password into 1 single function, allowing us adjust this one method to improve things

puiterwijk commented on line 17 of pagure/ui/login.py 8 years ago

Using a setup-wide password "seed" (in the industry often called a "salt") is a very bad idea, as it doesn't deter attackers much: they just have to create a rainbow table for your setup instead of reusing one for all instances.

You should use a per-user salt so that they will have to brute-force every user by him-/herself.

puiterwijk commented on line 17 of pagure/ui/login.py 8 years ago

Sorry, I meant "using ONLY a setup-wide password" is bad idea.
Using one in combination with a per-user salt is fine (but doesn't add much if the salt is generated securely).

pingou commented 8 years ago

After discussing with @puiterwijk, it seems that using https://pypi.python.org/pypi/bcrypt/ might solve most/all of the mentioned issues.

pingou commented 8 years ago

https://pypi.python.org/pypi/py-bcrypt is packaged for Fedora and EPEL7, so might be a good start

pingou commented on line 6 of pagure/templates/login/password_change.html 8 years ago

Change needed? :)

pingou commented on line 33 of pagure/ui/login.py 8 years ago

Left over I suppose :)

pingou commented on line 16 of pagure/ui/login.py 8 years ago

This will work but will break backward compatibility with all the instances currently deployed.

pingou commented on line 5 of pagure/ui/login.py 8 years ago

I see no changes in the requirements, which module is being used here?

pingou commented 8 years ago

We'll need unit-tests for this, especially to make sure the form works properly on checking that the password and confirm_password are indeed always equals

pingou commented on line 42 of pagure/ui/login.py 8 years ago

This also means we can drop the PASSWORD_SEED no? Check it (git grep should help) and if so please go ahead :)

puiterwijk commented on line 12 of pagure/login_forms.py 8 years ago

Name this new_password perhaps?

puiterwijk commented on line 16 of pagure/ui/login.py 8 years ago

As Toshio mentioned, this will fail if non-ASCII characters are inserted.
Please make sure to test that case as well.

(If you need test data: you can copy and paste "当たり")

puiterwijk commented on line 16 of pagure/ui/login.py 8 years ago

Actually, it doesn't crash, and should work fine.

puiterwijk commented on line 32 of pagure/ui/login.py 8 years ago

Perhaps a bit more sanity check? This is a very broad exception, and can mean a lot of things.

I would suggest to instead change the password into something like $1$<old-system> and $2$<bcrypt-version> so you can actually know which version of password storage is in use.

This will require an alembic change during the upgrade to make sure all current passwords are prefixed with $1$.

puiterwijk commented on line 44 of pagure/ui/login.py 8 years ago

add intending to pass pep8.

puiterwijk commented on line 44 of pagure/ui/login.py 8 years ago

indenting

puiterwijk commented on line 34 of pagure/ui/login.py 8 years ago

When you get in this case, you have both the old style password hash and the unhashed pasword.

This means that you can now update the password to the new hash system!

puiterwijk commented 8 years ago

NOTE: You are still using == for password comparison!
This is NOT constant-time, and as such a side channel data leakage!

pingou commented on line 12 of pagure/login_forms.py 8 years ago

I believe same_password expect this name

pingou commented on line 32 of pagure/ui/login.py 8 years ago

Or check if password[0] and password[2] are != $ no?

puiterwijk commented on line 32 of pagure/ui/login.py 8 years ago

Well, sure, but then you're required to always support the version without version-indicator.
Just porting the current values on upgrade makes the most sense to me, as that would make the code neater.

puiterwijk commented on line 20 of pagure/ui/login.py 8 years ago

Why this try-catch? You can just always use the to_unicode function.

puiterwijk commented on line 52 of pagure/ui/login.py 8 years ago

Why do you have a separate if for this? Just store an password_version=1 and then after checking the password just below this code, convert it.

puiterwijk commented on line 54 of pagure/ui/login.py 8 years ago

Why hash it yet again? bcrypt is slow (that's the exact reason you should use it), so this should be done as little as possible.
If you first check (as suggested before), you don't need this.

puiterwijk commented on line 59 of pagure/ui/login.py 8 years ago

This is still not constant time.

puiterwijk commented on line 53 of pagure/ui/login.py 8 years ago

Maybe extract away the prefixing and hashing of the password into a helper function, so it's easier to switch to $3$ in the future without having to change it at multiple places?

puiterwijk commented on line 47 of pagure/ui/login.py 8 years ago

How about instead doing something like:
_, password_version, password = user_obj.password.split('$')

That way you can also handle possible versions like $2,loadfactor=50$ if we ever want to make the load factor variable.

puiterwijk commented on line 118 of pagure/ui/login.py 8 years ago

This error message sounds quite strange.

pingou commented 8 years ago

How about instead doing something like:
_, password_version, password = user_obj.password.split('$')

That way you can also handle possible versions like $2,loadfactor=50$ if we ever want to make the load factor variable.

You may want to limit the split, in case the hash itself ever contains a '$'

puiterwijk commented 8 years ago

Right, that's a good call.
_, password_version, password_hash = user_obj.password.split('$', 2)

pingou commented on line 19 of pagure/ui/login.py 8 years ago

pep8 would ask you for spaces around the + but this is a detail

pingou commented on line 42 of pagure/ui/login.py 8 years ago

what is version going to be on existing sha512 passwords?

In other words, will version ever gonna == '1'?

pingou commented on line 48 of pagure/ui/login.py 8 years ago

This is longer than 80 chars
How is this going to work for passwords in existing databases?

pingou commented on line 58 of pagure/ui/login.py 8 years ago

Similar to above

This is longer than 80 chars
Is version ever going to == '1'?

pingou commented on line 98 of pagure/ui/login.py 8 years ago

2 lines?

pingou commented on line 98 of pagure/ui/login.py 8 years ago

So if the if above is not true, we still say Password changed?

puiterwijk commented on line 48 of pagure/ui/login.py 8 years ago

Probably best to do version == '1': and add an else: that just says "Something is wrong with your account". No uncertainties wanted with security.

puiterwijk commented on line 106 of pagure/ui/login.py 8 years ago

missing to_unicode.

puiterwijk commented on line 106 of pagure/ui/login.py 8 years ago

missing to_unicode.

puiterwijk commented on line 68 of pagure/ui/login.py 8 years ago

As said, probably you want a function generate_hashed_password for the storage and updating functions.
That way, if the default every changes from bcrypt to X, you only need to update one place to generate the new schema instead of digging for all places.

puiterwijk commented 8 years ago

Perhaps it's useful to add test cases, since this introduces some pretty interesting code.

pingou commented on line 64 of pagure/ui/login.py 8 years ago

Are we ever going to have a version == 1?

pingou commented 8 years ago

Probably best to do version == '1': and add an else: that just says "Something is wrong with your account". No uncertainties wanted with security.

I was more thinking along the lines of:
if there is no version -> check the current approach (sha512)

This allows to keep the app backward compatible w/o any changes to the DB ( I'm
not entirely sure I like the idea of touching the passwords stored in an alembic
migration)

pingou commented on line 20 of pagure/ui/login.py 8 years ago

Typo here: retrieve

pingou commented on line 20 of pagure/ui/login.py 8 years ago

Why not comparing here directly?

pingou commented on line 20 of pagure/ui/login.py 8 years ago

Should these two method remain in the controller?

pingou commented on line 88 of pagure/ui/login.py 8 years ago

you do string comparison using is not? Oo

pingou commented on line 124 of pagure/ui/login.py 8 years ago

I wonder if this part, that checks the validity of the old password shouldn't be using the same path/functions as we have upon login.

puiterwijk commented 8 years ago

I was more thinking along the lines of:
if there is no version -> check the current approach (sha512)
This allows to keep the app backward compatible w/o any changes to the DB ( I'm
not entirely sure I like the idea of touching the passwords stored in an alembic
migration)

Well, the problem here is: are you 100% sure that the current approach will never create hashes that start with $X$?
Also, in that case you can't just do "_, version, user_password = user_obj.password.split('$', 2)" since that would crash horribly if there were no $'s in the password field.

pingou commented 8 years ago

Ok since bcrypt may use '$', then alembic migration it is, but then, it's still missing :)

farhaan commented on line 21 of pagure/ui/login.py 8 years ago

Not comparing here directly because I am checking version and the performing the required conversion , comparing here will lead to one additional if in login and change password! Should I do it here ?

pingou commented on line 123 of pagure/ui/login.py 8 years ago

Should we move this code to the back-end as it seems to be redundant with what is in the login process?

Moreoever, this would make testing the code much easier.

pingou commented 8 years ago

We will need unit-tests before we can merge this, so after the alembic migration script this is the next big step/requirement.

pingou commented on line 22 of alembic/versions/1b6d7dc5600a_versioning_passwords.py 8 years ago

Could you split this line? place the dict and the synchronize_session in another line (or two).

pingou commented on line 22 of alembic/versions/1b6d7dc5600a_versioning_passwords.py 8 years ago

Also, no need for the ; :)

pingou commented on line 21 of pagure/lib/login.py 8 years ago

Two empty lines between functions

pingou commented on line 39 of pagure/lib/login.py 8 years ago

No need for two returns if we store the value in a variable

Just do a global 'return' at the end

Also: What happens if version is neither 1 nor 2? Shouldn't we say something?

pingou commented on line 20 of pagure/ui/login.py 8 years ago

Adding a new line?

pingou commented on line 70 of pagure/ui/login.py 8 years ago

Is this a 3 or 4 spaces indentation?

farhaan commented on line 23 of alembic/versions/1b6d7dc5600a_versioning_passwords.py 8 years ago

really sorry for that been writing JS for a while :rabbit:

pingou commented on line 42 of pagure/lib/login.py 8 years ago

How do you flask an error message from the backend library?

pingou commented on line 42 of pagure/lib/login.py 8 years ago

err, let's try again: how do you flash an error message? :)

pingou commented on line 57 of pagure/ui/login.py 8 years ago

I actually kinda wish this was in the backend as well, we have this line present twice at the moment, having it on the backend would allow having it only once.

pingou commented on line 57 of pagure/ui/login.py 8 years ago

And that would allow to do the split in the backend as well which is also something that I like :)

pingou commented on line 25 of pagure/lib/login.py 8 years ago

Looking at the code I think we may want to drop this, it's used in only one place and doesn't bring much

farhaan commented on line 26 of pagure/lib/login.py 8 years ago

You are right ! If we are checking in check_password there is no need of this.

pingou commented on line 14 of pagure/ui/login.py 8 years ago

The imports here needs to be adjusted as well

pingou commented on line 125 of pagure/ui/login.py 8 years ago

While working on the tests I realized:

a) This method does not enforce being logged in?

b) Why requiring the username in the URL? Are we allowing to change someone else's password?

pingou commented on line 143 of pagure/ui/login.py 8 years ago

This is the place where I commented about the fact that user are not required to be logged in and that we can basically change anyone's password.

puiterwijk commented on line 179 of pagure/ui/login.py 8 years ago

I think this is a bit vague, since if passsword_checks is True it first run this code and then also what comes after the end of the else block.

It would feel more readable if you just have an "if not password_checks" which aborts, and otherwise just falls through, just like in the login code.

puiterwijk commented 8 years ago

Except for the remark with the if-blocks, this code looks good to me.

pingou commented on line 93 of pagure/ui/login.py 8 years ago

How can user_obj be None since we check if line 80?

pingou commented on line 5 of requirements.txt 8 years ago

Didn't use py-bcrypt finally?

pingou commented on line 8 of tests/test_pagure_flask_ui_login.py 8 years ago

I think you also touched this file :)

pingou commented on line 8 of tests/test_pagure_lib_login.py 8 years ago

And this one to :)

pingou commented on line 169 of pagure/ui/login.py 8 years ago

Btw, this is meant to be below the routes, I had replaced it there but looks like this got lost.

pingou commented on line 9 of pagure/ui/login.py 8 years ago

And here?

pingou commented on line 1 of pagure/lib/login.py 8 years ago

Add your name to the author list at the top

pingou commented on line 1 of pagure/lib/login.py 8 years ago

pingou commented 8 years ago

Official :thumbsup: for me! Congrats @farhaan

@puiterwijk, are you ok as well?

pingou commented on line 221 of pagure/ui/login.py 8 years ago

The error message is incorrect, that's not a password lost error

puiterwijk commented 8 years ago

Ack. :thumbsup:

pingou commented on line 97 of pagure/ui/login.py 8 years ago

That's the redundant if check

puiterwijk commented on line 97 of pagure/ui/login.py 8 years ago

Only partially.
It should still check for password_checks.

pingou commented on line 97 of pagure/ui/login.py 8 years ago

agreed

puiterwijk commented on line 101 of pagure/ui/login.py 8 years ago

Please note that this means that if someone requests a password reset for my user, I need to go to my email and reset my password before I can log back in: it won't accept my current password anymore.

This might be a Denial of Service if I can't reach my old email anymore (and was just going to update it), or otherwise just a major annoyance.

pingou commented on line 101 of pagure/ui/login.py 8 years ago

On the other side, it means if your password gets public that anyone can log in with it even during the time you're busy resetting it.

puiterwijk commented on line 101 of pagure/ui/login.py 8 years ago

Well, I don't like using the email token as "security feature" in this way: it just doesn't make sense. I doubt that if someone accidentally publishes their password (in which case they're hosed anyway), they won't use the lost password feature: they'll use change password.

pingou commented 8 years ago

And again :thumbsup: for me :)