Add password protection with double hashing (SHA-256 client, bcrypt server)
This commit is contained in:
Johannes
35
app.py
35
app.py
@@ -1,5 +1,6 @@
|
||||
from flask import Flask, request, jsonify, send_from_directory, abort
|
||||
from flask_cors import CORS
|
||||
import bcrypt
|
||||
import os
|
||||
import re
|
||||
|
||||
@@ -9,6 +10,7 @@ CORS(app, origins="*", allow_headers="*", methods=["GET", "POST", "DELETE", "OPT
|
||||
SAVES_DIR = os.environ.get("SAVES_DIR", "/saves")
|
||||
os.makedirs(SAVES_DIR, exist_ok=True)
|
||||
|
||||
|
||||
def safe_filename(name):
|
||||
name = re.sub(r"[^\w\-. ]", "", name).strip()
|
||||
if not name:
|
||||
@@ -16,17 +18,32 @@ def safe_filename(name):
|
||||
return name + ".puC"
|
||||
|
||||
|
||||
def get_hash_path(name):
|
||||
return os.path.join(SAVES_DIR, safe_filename(name).replace(".puC", ".hash"))
|
||||
|
||||
|
||||
def check_password(name, req):
|
||||
hash_path = get_hash_path(name)
|
||||
if not os.path.exists(hash_path):
|
||||
return # unprotected
|
||||
client_hash = req.headers.get("X-Password-Hash", "")
|
||||
if not client_hash:
|
||||
abort(401, "Password required")
|
||||
stored = open(hash_path, "rb").read()
|
||||
if not bcrypt.checkpw(client_hash.encode(), stored):
|
||||
abort(401, "Wrong password")
|
||||
|
||||
|
||||
@app.route("/saves", methods=["GET"])
|
||||
def list_saves():
|
||||
files = [
|
||||
f[:-4] for f in os.listdir(SAVES_DIR)
|
||||
if f.endswith(".puC")
|
||||
]
|
||||
return jsonify(sorted(files))
|
||||
saves = sorted(f[:-4] for f in os.listdir(SAVES_DIR) if f.endswith(".puC"))
|
||||
protected = sorted(f[:-5] for f in os.listdir(SAVES_DIR) if f.endswith(".hash"))
|
||||
return jsonify({"saves": saves, "protected": protected})
|
||||
|
||||
|
||||
@app.route("/saves/<name>", methods=["GET"])
|
||||
def get_save(name):
|
||||
check_password(name, request)
|
||||
filename = safe_filename(name)
|
||||
path = os.path.join(SAVES_DIR, filename)
|
||||
if not os.path.exists(path):
|
||||
@@ -42,16 +59,24 @@ def store_save(name):
|
||||
abort(400, "No data")
|
||||
with open(os.path.join(SAVES_DIR, filename), "wb") as f:
|
||||
f.write(data)
|
||||
ph = request.headers.get("X-Password-Hash", "")
|
||||
if ph:
|
||||
hashed = bcrypt.hashpw(ph.encode(), bcrypt.gensalt())
|
||||
open(get_hash_path(name), "wb").write(hashed)
|
||||
return jsonify({"ok": True, "name": name})
|
||||
|
||||
|
||||
@app.route("/saves/<name>", methods=["DELETE"])
|
||||
def delete_save(name):
|
||||
check_password(name, request)
|
||||
filename = safe_filename(name)
|
||||
path = os.path.join(SAVES_DIR, filename)
|
||||
if not os.path.exists(path):
|
||||
abort(404)
|
||||
os.remove(path)
|
||||
hash_path = get_hash_path(name)
|
||||
if os.path.exists(hash_path):
|
||||
os.remove(hash_path)
|
||||
return jsonify({"ok": True})
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user