8060d84ac2 misc bugfix 2020-04-09 07:58:38 -04:00
fab4d831a6 fido2 library changed its api 2020-04-09 07:58:29 -04:00
4 changed files with 8 additions and 6 deletions


@ -4,6 +4,7 @@ A security shield for protecting a number of small web applications.
## Requirements ## Requirements
Python 3.7+ Python 3.7+
PostgreSQL 11.5+ PostgreSQL 11.5+
Debian System packages: `build-essential python3-dev`
Python packages: `wheel gunicorn aiohttp aiohttp_jinja2 asyncpg passlib argon2_cffi uvloop fido2` Python packages: `wheel gunicorn aiohttp aiohttp_jinja2 asyncpg passlib argon2_cffi uvloop fido2`
## Install ## Install


@ -9,7 +9,8 @@ from datetime import datetime
from aiohttp import web from aiohttp import web
from fido2.client import ClientData from fido2.client import ClientData
from fido2.server import Fido2Server, RelyingParty from fido2.server import Fido2Server
from fido2.webauthn import PublicKeyCredentialRpEntity
from fido2.ctap2 import AttestationObject, AuthenticatorData, \ from fido2.ctap2 import AttestationObject, AuthenticatorData, \
AttestedCredentialData AttestedCredentialData
from fido2 import cbor from fido2 import cbor
@ -17,7 +18,7 @@ from fido2 import cbor
import config import config
routes = web.RouteTableDef() routes = web.RouteTableDef()
rp = RelyingParty(config.server_domain, 'Buckler') rp = PublicKeyCredentialRpEntity(config.server_domain, 'Buckler')
server = Fido2Server(rp) server = Fido2Server(rp)
def auth_required(func): def auth_required(func):
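Review bot: `rp = PublicKeyCredentialRpEntity(config.server_domain, 'Buckler')` passes the RP id and name positionally, and this very commit exists because the library's API is still moving; the class exposes `id` and `name` as named fields, so `rp = PublicKeyCredentialRpEntity(id=config.server_domain, name='Buckler')` survives a reordering of the positional parameters, and the README's package list should pin the fido2 version this import path was verified against. The RP id is the security boundary for every registered credential, so `config.server_domain` must equal the registrable domain of the origin browsers actually see; `Fido2Server(rp)` is relying on the library's default origin verification here, which is worth confirming rejects non-https origins and mismatched hosts in the pinned version. This hunk only covers module-level setup; the handlers that use `server` are outside it.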


@ -16,8 +16,8 @@ async def buckler_session(request, handler):
Verifies the user with the configured Buckler app and retrieves any Verifies the user with the configured Buckler app and retrieves any
session data they may have. Redirects them to the login page otherwise. session data they may have. Redirects them to the login page otherwise.
""" """
user_id = request.cookies.get('userid') user_id = request.cookies.get('userid', '')
user_sid = request.cookies.get('session') user_sid = request.cookies.get('session', '')
url = config.buckler['url'] + '/get_session' url = config.buckler['url'] + '/get_session'
params = { params = {
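Review bot: Defaulting both cookies to `''` on the `user_id` and `user_sid` lines means a request carrying no cookies at all still goes on to build `url` and, presumably, query `/get_session` with empty credentials rather than being turned away immediately; the docstring says such users are redirected to the login page, so a guard like `if not (user_id and user_sid):` that returns that redirect before the request is built saves a round trip to Buckler and keeps empty-string lookups out of the auth service. Both cookie values are attacker-controlled, so whatever `/get_session` does with them must treat them as untrusted (parameterised lookup, constant-time comparison of the session id) — that code is not in this hunk. `buckler_session` starts before this hunk and continues past it.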


@ -89,14 +89,14 @@ async def change_password(request):
return errors return errors
async with request.app['pool'].acquire() as conn: async with request.app['pool'].acquire() as conn:
pw_hash = conn.fetchrow( pw_hash = await conn.fetchrow(
"SELECT password_hash FROM user_info WHERE id = $1", "SELECT password_hash FROM user_info WHERE id = $1",
request['session']['id']) request['session']['id'])
if not argon2.verify(current_pw, pw_hash['password_hash']): if not argon2.verify(current_pw, pw_hash['password_hash']):
errors['change_password'] = "Invalid password." errors['change_password'] = "Invalid password."
return errors return errors
h = argon2.hash(new_pw) h = argon2.hash(new_pw)
conn.execute( await conn.execute(
"UPDATE user_info SET password_hash = $1 WHERE id = $2", "UPDATE user_info SET password_hash = $1 WHERE id = $2",
h, request['session']['id']) h, request['session']['id'])
return errors return errors
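Review bot: `pw_hash = await conn.fetchrow(...)` returns `None` when the session's user id no longer has a row, and the following line then raises `TypeError` on `pw_hash['password_hash']` instead of reporting through `errors`; folding the check in, `if pw_hash is None or not argon2.verify(current_pw, pw_hash['password_hash']):`, keeps the handler on its normal error path. The SELECT and UPDATE also run as two independent statements on the same connection, so wrapping them in `async with conn.transaction():` would make verify-then-update atomic. After a successful change it is also worth invalidating the user's other sessions if the session store supports it — nothing in this hunk shows whether it does. `change_password` starts before this hunk.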