From a8360854489d060367cc17ef7933c867228a88e1 Mon Sep 17 00:00:00 2001
From: 0livd <0livd@users.noreply.github.com>
Date: Tue, 27 Jun 2017 00:16:32 +0200
Subject: Use a hashed password for ADMIN_PASSWORD (#236)
* Use a hashed password for ADMIN_PASSWORD A generate_password_hash manage.py command is provided Fixes #233
* Print a console warning for users using a clear text ADMIN_PASSWORD
* Reword ADMIN_PASSWORD doc
* Update changelog
* Update CHANGELOG.rst - say it out loud - bump to 2.0 (that's the logic of semantic versioning while introducing breaking changes)
* Bump to 2.0 (breaking change)
* Update hashed password warning message
* Mention the generate password hash in the Changelog
---
budget/run.py | 11 +++++++++++
1 file changed, 11 insertions(+) (limited to 'budget/run.py')
diff --git a/budget/run.py b/budget/run.py
index 00d4326..b576f72 100644
--- a/budget/run.py
+++ b/budget/run.py
@@ -52,6 +52,17 @@ def configure():
if not 'MAIL_DEFAULT_SENDER' in app.config:
app.config['MAIL_DEFAULT_SENDER'] = DEFAULT_MAIL_SENDER
+ if "pbkdf2:sha256:" not in app.config['ADMIN_PASSWORD'] and app.config['ADMIN_PASSWORD']:
+ # Since 2.0
+ warnings.warn(
+ "The way Ihatemoney stores your ADMIN_PASSWORD has changed. You are using an unhashed"
+ +" ADMIN_PASSWORD, which is not supported anymore and won't let you access your admin"
+ +" endpoints. Please use the command './budget/manage.py generate_password_hash'"
+ +" to generate a proper password HASH and copy the output to the value of"
+ +" ADMIN_PASSWORD in your settings file.",
+ UserWarning
+ )
+ configure()
-- cgit v1.1
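Review bot: The added `if` detects a hashed value with a substring test (`"pbkdf2:sha256:" not in app.config['ADMIN_PASSWORD']`), so a clear-text password that merely contains that text anywhere is treated as hashed and the operator never sees the warning; the marker should be anchored at the start of the value. The same condition indexes `app.config['ADMIN_PASSWORD']` before testing that it is set, which would raise `KeyError` if no default exists for that key (the defaults are not visible in this hunk). I would write it as `admin_password = app.config.get('ADMIN_PASSWORD')` followed by `if admin_password and not admin_password.startswith("pbkdf2:sha256:"):`. Because a `UserWarning` can be silenced by warning filters, also logging the misconfiguration would make a locked-out admin endpoint easier to diagnose. The body of `configure()` starts outside the hunk, so how the value is later verified cannot be checked from here.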