From c6f72e112ba3d797e71302d96504bbd54c83ca6b Mon Sep 17 00:00:00 2001
From: 0livd
Date: Thu, 21 Dec 2017 13:57:01 +0100
Subject: Use hashed passwords for projects (#286)
- Remove all occurences of clear text project passwords.
- Migrate the database to hash the previously stored passwords.
Closes #232
---
 ihatemoney/api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'ihatemoney/api.py')
diff --git a/ihatemoney/api.py b/ihatemoney/api.py
index a34fa12..82380fd 100644
--- a/ihatemoney/api.py
+++ b/ihatemoney/api.py
@@ -5,6 +5,7 @@ from flask_rest import RESTResource, need_auth
 from ihatemoney.models import db, Project, Person, Bill
 from ihatemoney.forms import (ProjectForm, EditProjectForm, MemberForm, get_billform_for)
+from werkzeug.security import check_password_hash
 api = Blueprint("api", __name__, url_prefix="/api")
@@ -21,7 +22,7 @@ def check_project(*args, **kwargs):
 if auth and "project_id" in kwargs and \
 auth.username == kwargs["project_id"]:
 project = Project.query.get(auth.username)
- if project and project.password == auth.password:
+ if project and check_password_hash(project.password, auth.password):
 return project
 return False
-- cgit v1.1
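Review bot: The new `check_password_hash(project.password, auth.password)` test in `check_project` only succeeds when the stored value is a hash string produced by `generate_password_hash`, and nothing visible in this file covers a row the migration did not reach. As far as I know werkzeug returns False for a stored value that is not in its hash format, so a leftover clear-text password would normally fail closed, but that shows up only as a rejected API login. A NULL password would presumably raise rather than return False. I would state the assumption above the check, e.g. `# project.password must be a generate_password_hash() value; un-migrated clear-text rows never match`, and confirm the migration runs before this code is deployed. The body of `check_project` starts outside the hunk, so this rests on the visible lines only.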