burrson/pu-saves
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add password protection with double hashing (SHA-256 client, bcrypt server)

Browse Source
This commit is contained in:
Johannes
2026-03-13 00:31:19 +01:00
parent 375ca73b9e
commit 51c2e64319
2 changed files with 31 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
app.py
View File

@@ -1,5 +1,6 @@
from flask import Flask, request, jsonify, send_from_directory, abort from flask import Flask, request, jsonify, send_from_directory, abort
from flask_cors import CORS from flask_cors import CORS
import bcrypt
import os import os
import re import re
@@ -9,6 +10,7 @@ CORS(app, origins="*", allow_headers="*", methods=["GET", "POST", "DELETE", "OPT
SAVES_DIR = os.environ.get("SAVES_DIR", "/saves") SAVES_DIR = os.environ.get("SAVES_DIR", "/saves")
os.makedirs(SAVES_DIR, exist_ok=True) os.makedirs(SAVES_DIR, exist_ok=True)
def safe_filename(name): def safe_filename(name):
name = re.sub(r"[^\w\-. ]", "", name).strip() name = re.sub(r"[^\w\-. ]", "", name).strip()
if not name: if not name:
@@ -16,17 +18,32 @@ def safe_filename(name):
return name + ".puC" return name + ".puC"
def get_hash_path(name):
return os.path.join(SAVES_DIR, safe_filename(name).replace(".puC", ".hash"))
def check_password(name, req):
hash_path = get_hash_path(name)
if not os.path.exists(hash_path):
return # unprotected
client_hash = req.headers.get("X-Password-Hash", "")
if not client_hash:
abort(401, "Password required")
stored = open(hash_path, "rb").read()
if not bcrypt.checkpw(client_hash.encode(), stored):
abort(401, "Wrong password")
@app.route("/saves", methods=["GET"]) @app.route("/saves", methods=["GET"])
def list_saves(): def list_saves():
files = [ saves = sorted(f[:-4] for f in os.listdir(SAVES_DIR) if f.endswith(".puC"))
f[:-4] for f in os.listdir(SAVES_DIR) protected = sorted(f[:-5] for f in os.listdir(SAVES_DIR) if f.endswith(".hash"))
if f.endswith(".puC") return jsonify({"saves": saves, "protected": protected})
]
return jsonify(sorted(files))
@app.route("/saves/<name>", methods=["GET"]) @app.route("/saves/<name>", methods=["GET"])
def get_save(name): def get_save(name):
check_password(name, request)
filename = safe_filename(name) filename = safe_filename(name)
path = os.path.join(SAVES_DIR, filename) path = os.path.join(SAVES_DIR, filename)
if not os.path.exists(path): if not os.path.exists(path):
@@ -42,16 +59,24 @@ def store_save(name):
abort(400, "No data") abort(400, "No data")
with open(os.path.join(SAVES_DIR, filename), "wb") as f: with open(os.path.join(SAVES_DIR, filename), "wb") as f:
f.write(data) f.write(data)
ph = request.headers.get("X-Password-Hash", "")
if ph:
hashed = bcrypt.hashpw(ph.encode(), bcrypt.gensalt())
open(get_hash_path(name), "wb").write(hashed)
return jsonify({"ok": True, "name": name}) return jsonify({"ok": True, "name": name})
@app.route("/saves/<name>", methods=["DELETE"]) @app.route("/saves/<name>", methods=["DELETE"])
def delete_save(name): def delete_save(name):
check_password(name, request)
filename = safe_filename(name) filename = safe_filename(name)
path = os.path.join(SAVES_DIR, filename) path = os.path.join(SAVES_DIR, filename)
if not os.path.exists(path): if not os.path.exists(path):
abort(404) abort(404)
os.remove(path) os.remove(path)
hash_path = get_hash_path(name)
if os.path.exists(hash_path):
os.remove(hash_path)
return jsonify({"ok": True}) return jsonify({"ok": True})

1
requirements.txt
View File

@@ -1,3 +1,4 @@
flask==3.1.0 flask==3.1.0
flask-cors==5.0.1 flask-cors==5.0.1
gunicorn==23.0.0 gunicorn==23.0.0
bcrypt==4.2.1