From 586654e08e6f401699ea0771a2d7c413efa69b70 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Sat, 29 May 2021 16:22:47 +0200
Subject: [PATCH] app.pw_models: Refactor, use constant-time equality

---
 app/pw_models.py | 8 ++---
 .../versions/2021_052917_a5eb5158c4d7_.py | 29 +++++++++++++++++++
 2 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 migrations/versions/2021_052917_a5eb5158c4d7_.py

diff --git a/app/pw_models.py b/app/pw_models.py
index 6d606343..bde5b6ce 100644
--- a/app/pw_models.py
+++ b/app/pw_models.py
@@ -9,20 +9,16 @@ _NORMALIZATION_FORM = "NFKC"
 
 
 class PasswordOracle:
-    salt = db.Column(db.String(128), nullable=True)
     password = db.Column(db.String(128), nullable=True)
 
     def set_password(self, password):
         password = unicodedata.normalize(_NORMALIZATION_FORM, password)
         salt = bcrypt.gensalt()
-        password_hash = bcrypt.hashpw(password.encode(), salt).decode()
-        self.salt = salt.decode()
-        self.password = password_hash
+        self.password = bcrypt.hashpw(password.encode(), salt).decode()
 
     def check_password(self, password) -> bool:
         if not self.password:
             return False
         password = unicodedata.normalize(_NORMALIZATION_FORM, password)
-        password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
-        return self.password.encode() == password_hash
+        return bcrypt.checkpw(password.encode(), self.password.encode())
 
diff --git a/migrations/versions/2021_052917_a5eb5158c4d7_.py b/migrations/versions/2021_052917_a5eb5158c4d7_.py
new file mode 100644
index 00000000..b351e1ba
--- /dev/null
+++ b/migrations/versions/2021_052917_a5eb5158c4d7_.py
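Review bot: `check_password` hands the caller-supplied password straight to `bcrypt.checkpw`, which raises `ValueError` instead of returning False for inputs the library refuses — a stored value that is not a well-formed bcrypt hash and, depending on the installed bcrypt version, passwords containing NUL bytes or longer than 72 bytes — so on the login path an unexpected input becomes an unhandled exception rather than a failed check. Wrapping the call keeps the method's boolean contract and fails closed: `try: return bcrypt.checkpw(password.encode(), self.password.encode())` / `except ValueError: return False`. It is also worth a docstring on `set_password` noting that bcrypt operates on at most 72 bytes (older versions truncate silently), since NFKC normalization plus UTF-8 encoding can push a password past that length. The enclosing class may continue beyond the hunk.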
@@ -0,0 +1,29 @@
+"""empty message
+
+Revision ID: a5eb5158c4d7
+Revises: 68e2f38e33f4
+Create Date: 2021-05-29 17:41:32.149720
+
+"""
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'a5eb5158c4d7'
+down_revision = '68e2f38e33f4'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('users', 'salt')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('users', sa.Column('salt', sa.VARCHAR(length=128), autoincrement=False, nullable=True))
+    # ### end Alembic commands ###