sascha
/
Notes
mirror of https://github.com/TriliumNext/Notes
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

username, password and flask_secret_key are now persisted in database

pull/255/head
azivner 2017-09-12 21:06:09 +07:00
parent 9787ce432a
commit b4f9fc3a5e
9 changed files with 71 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
change-password.py
Unescape Escape View File

@ -7,15 +7,17 @@ import getpass
from Crypto.Cipher import AES from Crypto.Cipher import AES
from Crypto.Util import Counter from Crypto.Util import Counter
import binascii import binascii
import src.password_provider
import src.my_scrypt import src.my_scrypt
config = src.config_provider.getConfig()
src.sql.connect(config['Document']['documentPath'])
currentPassword = getpass.getpass(prompt="Enter current password: ") currentPassword = getpass.getpass(prompt="Enter current password: ")
currentPasswordHash = binascii.hexlify(src.my_scrypt.getVerificationHash(currentPassword)) currentPasswordHash = binascii.hexlify(src.my_scrypt.getVerificationHash(currentPassword))
if currentPasswordHash != src.password_provider.getPasswordHash(): if currentPasswordHash != src.sql.getOption('password'):
print("Given password doesn't match hash") print("Given password doesn't match hash")
exit(-1) exit(-1)
@ -31,9 +33,6 @@ if newPassword1 != newPassword2:
newPasswordVerificationKey = binascii.hexlify(src.my_scrypt.getVerificationHash(newPassword1)) newPasswordVerificationKey = binascii.hexlify(src.my_scrypt.getVerificationHash(newPassword1))
newPasswordEncryptionKey = src.my_scrypt.getEncryptionHash(newPassword1) newPasswordEncryptionKey = src.my_scrypt.getEncryptionHash(newPassword1)
config = src.config_provider.getConfig()
src.sql.connect(config['Document']['documentPath'])
encryptedNotes = src.sql.getResults("select note_id, note_title, note_text from notes where encryption = 1") encryptedNotes = src.sql.getResults("select note_id, note_title, note_text from notes where encryption = 1")
def decrypt(encryptedBase64): def decrypt(encryptedBase64):
@ -63,10 +62,7 @@ for note in encryptedNotes:
print("Note " + note['note_id'] + " re-encrypted with new password") print("Note " + note['note_id'] + " re-encrypted with new password")
src.password_provider.setPasswordHash(newPasswordVerificationKey) src.sql.setOption('password', newPasswordVerificationKey)
print("New password has been saved into password.txt")
src.sql.commit() src.sql.commit()
print("Changes committed. All encrypted notes were re-encrypted successfully with new password key.") print("Changes committed. All encrypted notes were re-encrypted successfully with new password key.")

8
config-sample.ini
Unescape Escape View File

@ -1,10 +1,6 @@
[Document] [Document]
documentPath=demo.ncdb documentPath=demo.ncdb
[Security]
# run "python generate-secret-key.py" and paste the result below
flaskSecretKey=
[Network] [Network]
port=5000 port=5000
# true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure). # true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure).
@ -12,7 +8,3 @@ https=true
# path to certificate (run "bash generate-cert.sh" to generate self-signed certificate). Relevant only if https=true # path to certificate (run "bash generate-cert.sh" to generate self-signed certificate). Relevant only if https=true
certPath=cert.crt certPath=cert.crt
certKeyPath=cert.key certKeyPath=cert.key
[Login]
# Enter below credentials with with which you want to authenticate to Notecase web app
username=your_username

18
generate-password.py
Unescape Escape View File

@ -1,18 +0,0 @@
#!/usr/bin/python
import getpass
import src.my_scrypt
import binascii
import src.password_provider
password1 = getpass.getpass()
password2 = getpass.getpass(prompt='Repeat the same password:')
if password1 == password2:
hash = src.my_scrypt.getVerificationHash(password1)
src.password_provider.setPasswordHash(binascii.hexlify(hash))
print('Password has been generated and saved into password.txt. You can now login.')
else:
print('Entered passwords are not identical!')

5
generate-secret-key.py
Unescape Escape View File

@ -1,5 +0,0 @@
#!/usr/bin/python
import os
import base64
print(base64.b64encode(os.urandom(24)))

45
setup.py
Unescape Escape View File

@ -0,0 +1,45 @@
#!/usr/bin/python
import binascii
import getpass
import os
import base64
from builtins import input
import src.config_provider
import src.sql
import src.my_scrypt
config = src.config_provider.getConfig()
src.sql.connect(config['Document']['documentPath'])
username = src.sql.getOption("username")
if username:
print("Application has been already set up.")
exit(1)
print("Please provide your desired login credentials")
username = input("Username: ")
password1 = getpass.getpass()
password2 = getpass.getpass(prompt='Repeat the same password: ')
if password1 == password2:
hash = src.my_scrypt.getVerificationHash(password1)
src.sql.setOption('username', username)
src.sql.setOption('password', binascii.hexlify(hash))
# urandom is secure enough, see https://docs.python.org/2/library/os.html
src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(24)))
src.sql.setOption('verification_salt', base64.b64encode(os.urandom(24)))
src.sql.setOption('encryption_salt', base64.b64encode(os.urandom(24)))
src.sql.commit()
print('Application has been set up. You can now login.')
else:
print('Entered passwords are not identical!')

22
src/app.py
Unescape Escape View File

@ -7,18 +7,26 @@ from flask_cors import CORS
from flask_login import LoginManager, UserMixin, login_user, login_required, logout_user from flask_login import LoginManager, UserMixin, login_user, login_required, logout_user
from notes_api import notes_api from notes_api import notes_api
from sql import connect from sql import connect, getOption
from tree_api import tree_api from tree_api import tree_api
from notes_move_api import notes_move_api from notes_move_api import notes_move_api
from password_api import password_api from password_api import password_api
import config_provider import config_provider
import my_scrypt import my_scrypt
import password_provider
config = config_provider.getConfig() config = config_provider.getConfig()
documentPath = config['Document']['documentPath']
connect(documentPath)
flask_secret_key = getOption("flask_secret_key")
if not flask_secret_key:
print("Application has not been setup yet. Run 'python setup.py' to finish setup.")
exit(1)
app = Flask(__name__) app = Flask(__name__)
app.secret_key = config['Security']['flaskSecretKey'] app.secret_key = flask_secret_key
app.register_blueprint(tree_api) app.register_blueprint(tree_api)
app.register_blueprint(notes_api) app.register_blueprint(notes_api)
app.register_blueprint(notes_move_api) app.register_blueprint(notes_move_api)
@ -43,19 +51,15 @@ def logout():
return redirect('login') return redirect('login')
user = User() user = User()
user.id = config['Login']['username'] user.id = getOption('username')
port = config['Network']['port'] port = config['Network']['port']
https = config['Network']['https'] https = config['Network']['https']
certPath = config['Network']['certPath'] certPath = config['Network']['certPath']
certKeyPath = config['Network']['certKeyPath'] certKeyPath = config['Network']['certKeyPath']
documentPath = config['Document']['documentPath']
connect(documentPath)
def verify_password(guessed_password): def verify_password(guessed_password):
hashed_password = binascii.unhexlify(password_provider.getPasswordHash()) hashed_password = binascii.unhexlify(getOption('password'))
guess_hashed = my_scrypt.getVerificationHash(guessed_password) guess_hashed = my_scrypt.getVerificationHash(guessed_password)

4
src/password_api.py
Unescape Escape View File

@ -2,7 +2,7 @@ from flask import Blueprint, jsonify, request
from flask_login import login_required from flask_login import login_required
import hashlib import hashlib
import binascii import binascii
import password_provider import sql
password_api = Blueprint('password_api', __name__) password_api = Blueprint('password_api', __name__)
@ -11,7 +11,7 @@ password_api = Blueprint('password_api', __name__)
def verifyPassword(): def verifyPassword():
req = request.get_json(force=True) req = request.get_json(force=True)
hashedPassword = password_provider.getPasswordHash() hashedPassword = sql.getOption('password')
hashedPasswordBytes = binascii.unhexlify(hashedPassword) hashedPasswordBytes = binascii.unhexlify(hashedPassword)
hashedPasswordSha = hashlib.sha256(hashedPasswordBytes).hexdigest() hashedPasswordSha = hashlib.sha256(hashedPasswordBytes).hexdigest()

7
src/password_provider.py
Unescape Escape View File

@ -1,7 +0,0 @@
def getPasswordHash():
with open('password.txt') as file:
return file.readline()
def setPasswordHash(newPasswordHash):
with open('password.txt', 'w') as file:
file.write(newPasswordHash)

6
src/sql.py
Unescape Escape View File

@ -26,6 +26,12 @@ def insert(tablename, rec):
cursor = execute('INSERT INTO '+tablename+' ('+keys+') VALUES ('+question_marks+')', values) cursor = execute('INSERT INTO '+tablename+' ('+keys+') VALUES ('+question_marks+')', values)
return cursor.lastrowid return cursor.lastrowid
def setOption(name, value):
execute("UPDATE options SET opt_value = ? WHERE opt_name = ?", [value, name])
def getOption(name):
return getSingleResult("SELECT opt_value FROM options WHERE opt_name = ?", [name])['opt_value']
def delete(tablename, note_id): def delete(tablename, note_id):
execute("DELETE FROM " + tablename + " WHERE note_id = ?", [note_id]) execute("DELETE FROM " + tablename + " WHERE note_id = ?", [note_id])