
2 Commits

Author SHA1 Message Date
8060d84ac2 misc bugfix 2020-04-09 07:58:38 -04:00
fab4d831a6 fido2 library changed its api 2020-04-09 07:58:29 -04:00
4 changed files with 8 additions and 6 deletions


@ -4,6 +4,7 @@ A security shield for protecting a number of small web applications.
## Requirements
Python 3.7+
PostgreSQL 11.5+
Debian System packages: `build-essential python3-dev`
Python packages: `wheel gunicorn aiohttp aiohttp_jinja2 asyncpg passlib argon2_cffi uvloop fido2`
## Install


@ -9,7 +9,8 @@ from datetime import datetime
from aiohttp import web
from fido2.client import ClientData
from fido2.server import Fido2Server, RelyingParty
from fido2.server import Fido2Server
from fido2.webauthn import PublicKeyCredentialRpEntity
from fido2.ctap2 import AttestationObject, AuthenticatorData, \
AttestedCredentialData
from fido2 import cbor
@ -17,7 +18,7 @@ from fido2 import cbor
import config
routes = web.RouteTableDef()
rp = RelyingParty(config.server_domain, 'Buckler')
rp = PublicKeyCredentialRpEntity(config.server_domain, 'Buckler')
server = Fido2Server(rp)
def auth_required(func):
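Review bot: The relying-party entity on the new `rp = PublicKeyCredentialRpEntity(config.server_domain, 'Buckler')` line is built from positional arguments, which ties the id/name order to one fido2 release; this commit exists because that library's API already moved once. The RP id is the value WebAuthn credentials are scoped to, so a silent swap of id and name after an upgrade would likely surface as failed or mis-scoped registrations rather than as an import error. Passing them by keyword, `rp = PublicKeyCredentialRpEntity(id=config.server_domain, name='Buckler')`, keeps the meaning explicit. The README package list in this same commit installs `fido2` with no version constraint, so pinning the version this code was tested against would be worth doing alongside.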


@ -16,8 +16,8 @@ async def buckler_session(request, handler):
Verifies the user with the configured Buckler app and retrieves any
session data they may have. Redirects them to the login page otherwise.
"""
user_id = request.cookies.get('userid')
user_sid = request.cookies.get('session')
user_id = request.cookies.get('userid', '')
user_sid = request.cookies.get('session', '')
url = config.buckler['url'] + '/get_session'
params = {
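Review bot: Defaulting the two cookies to `''` keeps the values string-typed but still sends a `/get_session` request to the Buckler backend for visitors who have no cookies at all, so rejecting an empty id/session pair is left entirely to that service. A guard right after the two `request.cookies.get(...)` lines, `if not (user_id and user_sid):` followed by the same login redirect the docstring describes, would fail closed locally and save the round trip. The body of buckler_session continues past the end of this hunk, so the redirect path itself is not visible here.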


@ -89,14 +89,14 @@ async def change_password(request):
return errors
async with request.app['pool'].acquire() as conn:
pw_hash = conn.fetchrow(
pw_hash = await conn.fetchrow(
"SELECT password_hash FROM user_info WHERE id = $1",
request['session']['id'])
if not argon2.verify(current_pw, pw_hash['password_hash']):
errors['change_password'] = "Invalid password."
return errors
h = argon2.hash(new_pw)
conn.execute(
await conn.execute(
"UPDATE user_info SET password_hash = $1 WHERE id = $2",
h, request['session']['id'])
return errors
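Review bot: `fetchrow` returns `None` when no row matches, and the new code subscripts the result unconditionally in `argon2.verify(current_pw, pw_hash['password_hash'])`, so a session whose user row has been removed raises a TypeError instead of returning the "Invalid password." error. Folding the check into the existing condition, `if pw_hash is None or not argon2.verify(current_pw, pw_hash['password_hash']):`, keeps the failure path uniform. The variable holds a row rather than a hash, so a name such as `row` would read more accurately. change_password starts above this hunk, so any earlier validation of `new_pw` is not visible here.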