Make authentication logic simpler and safer (#270)

* Fixed exposed password in session The project password was set in clear text in the session cookie. The cookie payload is only base64 encoded so it must not be used to store private information. The password is simply replaced by a boolean. * Simplify authentication logic
author: 0livd <github@destras.fr> 2017-10-23 23:03:44 +0200
committer: Alexis Metaireau <alexis@notmyidea.org> 2017-10-23 23:03:44 +0200
commit: 293735eca715c7cc5221e551e5eb41f92b6abd0f (patch)
tree: 187cc016fc0ad541c19ea42457286287237d329c /ihatemoney/web.py
parent: 74e9af59e6401ea0f83e850019c6f461c63bac31 (diff)
download: ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.zip
ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.tar.gz
ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.tar.bz2
1 files changed, 27 insertions, 36 deletions
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index c7a2f22..92b7ddc 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -105,7 +105,7 @@ def pull_project(endpoint, values):
                                       project_id=project_id))
 
         is_admin = session.get('is_admin')
-        if (project.id in session and session[project.id] == project.password) or is_admin:
+        if session.get(project.id) or is_admin:
             # add project into kwargs and call the original function
             g.project = project
         else:
@@ -159,43 +159,34 @@ def authenticate(project_id=None):
         msg = _("You need to enter a project identifier")
         form.errors["id"] = [msg]
         return render_template("authenticate.html", form=form)
-    else:
-        project = Project.query.get(project_id)
 
-    create_project = False  # We don't want to create the project by default
+    project = Project.query.get(project_id)
     if not project:
-        # But if the user try to connect to an unexisting project, we will
+        # If the user try to connect to an unexisting project, we will
         # propose him a link to the creation form.
-        if request.method == "POST":
-            form.validate()
-        else:
-            create_project = project_id
+        return render_template("authenticate.html", form=form, create_project=project_id)
 
-    else:
-        # if credentials are already in session, redirect
-        if project_id in session and project.password == session[project_id]:
-            setattr(g, 'project', project)
-            return redirect(url_for(".list_bills"))
+    # if credentials are already in session, redirect
+    if session.get(project_id):
+        setattr(g, 'project', project)
+        return redirect(url_for(".list_bills"))
+
+    if request.method == "POST" and form.validate():
+        if not form.password.data == project.password:
+            msg = _("This private code is not the right one")
+            form.errors['password'] = [msg]
+            return render_template("authenticate.html", form=form)
+        # maintain a list of visited projects
+        if "projects" not in session:
+            session["projects"] = []
+        # add the project on the top of the list
+        session["projects"].insert(0, (project_id, project.name))
+        session[project_id] = True
+        session.update()
+        setattr(g, 'project', project)
+        return redirect(url_for(".list_bills"))
 
-        # else process the form
-        if request.method == "POST":
-            if form.validate():
-                if not form.password.data == project.password:
-                    msg = _("This private code is not the right one")
-                    form.errors['password'] = [msg]
-                else:
-                    # maintain a list of visited projects
-                    if "projects" not in session:
-                        session["projects"] = []
-                    # add the project on the top of the list
-                    session["projects"].insert(0, (project_id, project.name))
-                    session[project_id] = form.password.data
-                    session.update()
-                    setattr(g, 'project', project)
-                    return redirect(url_for(".list_bills"))
-
-    return render_template("authenticate.html", form=form,
-                           create_project=create_project)
+    return render_template("authenticate.html", form=form)
 
 
 @main.route("/")
@@ -233,7 +224,7 @@ def create_project():
             db.session.commit()
 
             # create the session object (authenticate)
-            session[project.id] = project.password
+            session[project.id] = True
             session.update()
 
             # send reminder email
@@ -290,8 +281,8 @@ def edit_project():
     if request.method == "POST":
         if edit_form.validate():
             project = edit_form.update(g.project)
+            db.session.add(project)
             db.session.commit()
-            session[project.id] = project.password
 
             return redirect(url_for(".list_bills"))
 
@@ -359,7 +350,7 @@ def demo():
                           contact_email="demo@notmyidea.org")
         db.session.add(project)
         db.session.commit()
-    session[project.id] = project.password
+    session[project.id] = True
     return redirect(url_for(".list_bills", project_id=project.id))
author	0livd <github@destras.fr>	2017-10-23 23:03:44 +0200
committer	Alexis Metaireau <alexis@notmyidea.org>	2017-10-23 23:03:44 +0200
commit	293735eca715c7cc5221e551e5eb41f92b6abd0f (patch)
tree	187cc016fc0ad541c19ea42457286287237d329c /ihatemoney/web.py
parent	74e9af59e6401ea0f83e850019c6f461c63bac31 (diff)
download	ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.zip ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.tar.gz ihatemoney-mirror-293735eca715c7cc5221e551e5eb41f92b6abd0f.tar.bz2