1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import random
import bcrypt
from mediagoblin.util import send_email, render_template
from mediagoblin import mg_globals
def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
"""
Check to see if this password matches.
Args:
- raw_pass: user submitted password to check for authenticity.
- stored_hash: The hash of the raw password (and possibly extra
salt) to check against
- extra_salt: (optional) If this password is with stored with a
non-database extra salt (probably in the config file) for extra
security, factor this into the check.
Returns:
True or False depending on success.
"""
if extra_salt:
raw_pass = u"%s:%s" % (extra_salt, raw_pass)
hashed_pass = bcrypt.hashpw(raw_pass, stored_hash)
# Reduce risk of timing attacks by hashing again with a random
# number (thx to zooko on this advice, which I hopefully
# incorporated right.)
#
# See also:
rand_salt = bcrypt.gensalt(5)
randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
return randplus_stored_hash == randplus_hashed_pass
def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
"""
Generate a salt for this new password.
Args:
- raw_pass: user submitted password
- extra_salt: (optional) If this password is with stored with a
non-database extra salt
"""
if extra_salt:
raw_pass = u"%s:%s" % (extra_salt, raw_pass)
return unicode(bcrypt.hashpw(raw_pass, bcrypt.gensalt()))
def fake_login_attempt():
"""
Pretend we're trying to login.
Nothing actually happens here, we're just trying to take up some
time, approximately the same amount of time as
bcrypt_check_password, so as to avoid figuring out what users are
on the system by intentionally faking logins a bunch of times.
"""
rand_salt = bcrypt.gensalt(5)
hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
randplus_stored_hash == randplus_hashed_pass
EMAIL_VERIFICATION_TEMPLATE = (
u"http://{host}{uri}?"
u"userid={userid}&token={verification_key}")
def send_verification_email(user, request):
"""
Send the verification email to users to activate their accounts.
Args:
- user: a user object
- request: the request
"""
rendered_email = render_template(
request, 'mediagoblin/auth/verification_email.txt',
{'username': user['username'],
'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
host=request.host,
uri=request.urlgen('mediagoblin.auth.verify_email'),
userid=unicode(user['_id']),
verification_key=user['verification_key'])})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user['email']],
# TODO
# Due to the distributed nature of GNU MediaGoblin, we should
# find a way to send some additional information about the
# specific GNU MediaGoblin instance in the subject line. For
# example "GNU MediaGoblin @ Wandborg - [...]".
'GNU MediaGoblin - Verify your email!',
rendered_email)
EMAIL_FP_VERIFICATION_TEMPLATE = (
u"http://{host}{uri}?"
u"userid={userid}&token={fp_verification_key}")
def send_fp_verification_email(user, request):
"""
Send the verification email to users to change their password.
Args:
- user: a user object
- request: the request
"""
rendered_email = render_template(
request, 'mediagoblin/auth/fp_verification_email.txt',
{'username': user['username'],
'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
host=request.host,
uri=request.urlgen('mediagoblin.auth.verify_forgot_password'),
userid=unicode(user['_id']),
fp_verification_key=user['fp_verification_key'])})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user['email']],
'GNU MediaGoblin - Change forgotten password!',
rendered_email)
|
