diff options
author | Jason A. Donenfeld | 2018-07-15 04:18:03 +0200 |
---|---|---|
committer | Jason A. Donenfeld | 2018-07-15 04:18:03 +0200 |
commit | 82856923bffaac3ac88a90a797ddb33dcee8635a (patch) | |
tree | fff956daf986ce62fba0f277f0b13a95cb60a5cd /filters | |
parent | auth-filters: generate secret securely (diff) | |
download | cgit-82856923bffaac3ac88a90a797ddb33dcee8635a.tar.gz cgit-82856923bffaac3ac88a90a797ddb33dcee8635a.zip |
auth-filters: use crypt() in simple-authentication
There's no use in giving a silly example to folks who will just copy it, so instead try to do something slightly better. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters')
-rw-r--r-- | filters/simple-authentication.lua | 19 |
1 files changed, 6 insertions, 13 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index bf35632..77d1fd0 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
@@ -23,17 +23,11 @@ local protected_repos = { | |||
23 | qt = { jason = true, bob = true } | 23 | qt = { jason = true, bob = true } |
24 | } | 24 | } |
25 | 25 | ||
26 | -- Please note that, in production, you'll want to replace this simple lookup | 26 | -- A list of users and hashes, generated with `mkpasswd -m sha-512 -R 300000`. |
27 | -- table with either a table of salted and hashed passwords (using something | ||
28 | -- smart like scrypt), or replace this table lookup with an external support, | ||
29 | -- such as consulting your system's pam / shadow system, or an external | ||
30 | -- database, or an external validating web service. For testing, or for | ||
31 | -- extremely low-security usage, you may be able, however, to get away with | ||
32 | -- compromising on hardcoding the passwords in cleartext, as we have done here. | ||
33 | local users = { | 27 | local users = { |
34 | jason = "secretpassword", | 28 | jason = "$6$rounds=300000$YYJct3n/o.ruYK$HhpSeuCuW1fJkpvMZOZzVizeLsBKcGA/aF2UPuV5v60JyH2MVSG6P511UMTj2F3H75.IT2HIlnvXzNb60FcZH1", |
35 | laurent = "s3cr3t", | 29 | laurent = "$6$rounds=300000$dP0KNHwYb3JKigT$pN/LG7rWxQ4HniFtx5wKyJXBJUKP7R01zTNZ0qSK/aivw8ywGAOdfYiIQFqFhZFtVGvr11/7an.nesvm8iJUi.", |
36 | bob = "ilikelua" | 30 | bob = "$6$rounds=300000$jCLCCt6LUpTz$PI1vvd1yaVYcCzqH8QAJFcJ60b6W/6sjcOsU7mAkNo7IE8FRGW1vkjF8I/T5jt/auv5ODLb1L4S2s.CAyZyUC" |
37 | } | 31 | } |
38 | 32 | ||
39 | -- Set this to a path this script can write to for storing a persistent | 33 | -- Set this to a path this script can write to for storing a persistent |
@@ -48,7 +42,7 @@ local secret_filename = "/var/cache/cgit/auth-secret" | |||
48 | 42 | ||
49 | -- Sets HTTP cookie headers based on post and sets up redirection. | 43 | -- Sets HTTP cookie headers based on post and sets up redirection. |
50 | function authenticate_post() | 44 | function authenticate_post() |
51 | local password = users[post["username"]] | 45 | local hash = users[post["username"]] |
52 | local redirect = validate_value("redirect", post["redirect"]) | 46 | local redirect = validate_value("redirect", post["redirect"]) |
53 | 47 | ||
54 | if redirect == nil then | 48 | if redirect == nil then |
@@ -58,8 +52,7 @@ function authenticate_post() | |||
58 | 52 | ||
59 | redirect_to(redirect) | 53 | redirect_to(redirect) |
60 | 54 | ||
61 | -- Lua hashes strings, so these comparisons are time invariant. | 55 | if hash == nil or hash ~= unistd.crypt(post["password"], hash) then |
62 | if password == nil or password ~= post["password"] then | ||
63 | set_cookie("cgitauth", "") | 56 | set_cookie("cgitauth", "") |
64 | else | 57 | else |
65 | -- One week expiration time | 58 | -- One week expiration time |