master
Bob Mottram 2019-07-25 15:30:12 +01:00
parent 719fc3589d
commit 6d622122f7
1 changed files with 6 additions and 0 deletions

View File

@ -1058,6 +1058,12 @@ class PubServer(BaseHTTPRequestHandler):
# login success - redirect with authorization
print('Login success: '+loginNickname)
self.send_response(303)
# This produces a deterministic token based on nick+password+salt
# But notice that the salt is ephemeral, so a server reboot changes them.
# This allows you to be logged in on two or more devices with the
# same token, but also ensures that if an adversary obtains the token
# then rebooting the server is sufficient to thwart them, without
# any password changes.
if not self.server.salts.get(loginNickname):
self.server.salts[loginNickname]=createPassword(32)
self.server.tokens[loginNickname]=str(sha256((loginNickname+loginPassword+self.server.salts[loginNickname]).encode('utf-8')))