diff options
| author | Jason A. Donenfeld | 2018-07-15 04:18:03 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld | 2018-07-15 04:18:03 +0200 |
| commit | 82856923bffaac3ac88a90a797ddb33dcee8635a (patch) | |
| tree | fff956daf986ce62fba0f277f0b13a95cb60a5cd /filters | |
| parent | auth-filters: generate secret securely (diff) | |
| download | cgit-82856923bffaac3ac88a90a797ddb33dcee8635a.tar.gz cgit-82856923bffaac3ac88a90a797ddb33dcee8635a.zip | |
auth-filters: use crypt() in simple-authentication
There's no use in giving a silly example to folks who will just copy it, so instead try to do something slightly better. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters')
| -rw-r--r-- | filters/simple-authentication.lua | 19 |
1 files changed, 6 insertions, 13 deletions
| diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index bf35632..77d1fd0 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
| @@ -23,17 +23,11 @@ local protected_repos = { | |||
| 23 | qt = { jason = true, bob = true } | 23 | qt = { jason = true, bob = true } |
| 24 | } | 24 | } |
| 25 | 25 | ||
| 26 | -- Please note that, in production, you'll want to replace this simple lookup | 26 | -- A list of users and hashes, generated with `mkpasswd -m sha-512 -R 300000`. |
| 27 | -- table with either a table of salted and hashed passwords (using something | ||
| 28 | -- smart like scrypt), or replace this table lookup with an external support, | ||
| 29 | -- such as consulting your system's pam / shadow system, or an external | ||
| 30 | -- database, or an external validating web service. For testing, or for | ||
| 31 | -- extremely low-security usage, you may be able, however, to get away with | ||
| 32 | -- compromising on hardcoding the passwords in cleartext, as we have done here. | ||
| 33 | local users = { | 27 | local users = { |
| 34 | jason = "secretpassword", | 28 | jason = "$6$rounds=300000$YYJct3n/o.ruYK$HhpSeuCuW1fJkpvMZOZzVizeLsBKcGA/aF2UPuV5v60JyH2MVSG6P511UMTj2F3H75.IT2HIlnvXzNb60FcZH1", |
| 35 | laurent = "s3cr3t", | 29 | laurent = "$6$rounds=300000$dP0KNHwYb3JKigT$pN/LG7rWxQ4HniFtx5wKyJXBJUKP7R01zTNZ0qSK/aivw8ywGAOdfYiIQFqFhZFtVGvr11/7an.nesvm8iJUi.", |
| 36 | bob = "ilikelua" | 30 | bob = "$6$rounds=300000$jCLCCt6LUpTz$PI1vvd1yaVYcCzqH8QAJFcJ60b6W/6sjcOsU7mAkNo7IE8FRGW1vkjF8I/T5jt/auv5ODLb1L4S2s.CAyZyUC" |
| 37 | } | 31 | } |
| 38 | 32 | ||
| 39 | -- Set this to a path this script can write to for storing a persistent | 33 | -- Set this to a path this script can write to for storing a persistent |
| @@ -48,7 +42,7 @@ local secret_filename = "/var/cache/cgit/auth-secret" | |||
| 48 | 42 | ||
| 49 | -- Sets HTTP cookie headers based on post and sets up redirection. | 43 | -- Sets HTTP cookie headers based on post and sets up redirection. |
| 50 | function authenticate_post() | 44 | function authenticate_post() |
| 51 | local password = users[post["username"]] | 45 | local hash = users[post["username"]] |
| 52 | local redirect = validate_value("redirect", post["redirect"]) | 46 | local redirect = validate_value("redirect", post["redirect"]) |
| 53 | 47 | ||
| 54 | if redirect == nil then | 48 | if redirect == nil then |
| @@ -58,8 +52,7 @@ function authenticate_post() | |||
| 58 | 52 | ||
| 59 | redirect_to(redirect) | 53 | redirect_to(redirect) |
| 60 | 54 | ||
| 61 | -- Lua hashes strings, so these comparisons are time invariant. | 55 | if hash == nil or hash ~= unistd.crypt(post["password"], hash) then |
| 62 | if password == nil or password ~= post["password"] then | ||
| 63 | set_cookie("cgitauth", "") | 56 | set_cookie("cgitauth", "") |
| 64 | else | 57 | else |
| 65 | -- One week expiration time | 58 | -- One week expiration time |