app.pw_models: Use unicode normalization
Per NIST [SP800-63B, §5.1.1.2] Memorized Secret Verifiers:

> the verifier SHOULD apply the Normalization Process for Stabilized Strings using either the NFKC or NFKD normalization

This is necessary for Unicode passwords to work reliably. ASCII-only passwords aren't affected.

[SP800-63B, §5.1.1.2]: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers
This commit is contained in:
parent
d216812f14
commit
ecd74b801b
@ -1,13 +1,19 @@
import unicodedata
import bcrypt
import bcrypt
from app.extensions import db
from app.extensions import db
_NORMALIZATION_FORM = "NFKC"
class PasswordOracle:
class PasswordOracle:
salt = db.Column(db.String(128), nullable=True)
salt = db.Column(db.String(128), nullable=True)
password = db.Column(db.String(128), nullable=True)
password = db.Column(db.String(128), nullable=True)
def set_password(self, password):
def set_password(self, password):
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
salt = bcrypt.gensalt()
salt = bcrypt.gensalt()
password_hash = bcrypt.hashpw(password.encode(), salt).decode()
password_hash = bcrypt.hashpw(password.encode(), salt).decode()
self.salt = salt.decode()
self.salt = salt.decode()
@ -16,5 +22,7 @@ class PasswordOracle:
def check_password(self, password) -> bool:
def check_password(self, password) -> bool:
if not self.password:
if not self.password:
return False
return False
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
return self.password.encode() == password_hash
return self.password.encode() == password_hash
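Review bot: check_password still verifies with a plain `==` on bytes in the last line of the second hunk, which is not a constant-time comparison; the commit normalizes the input on the line above but leaves this in place. The bcrypt package already provides `checkpw`, which compares via `hmac.compare_digest` and reads the salt embedded in the stored hash, so the last two lines could become `return bcrypt.checkpw(password.encode(), self.password.encode())`, at which point the separately stored `salt` column is no longer needed for verification. A smaller point on the first hunk: NFKC can change the UTF-8 byte length of the secret (compatibility characters may expand), and bcrypt silently truncates its input at 72 bytes, so a comment on `_NORMALIZATION_FORM` such as `# Applied before hashing on both set and check paths; bcrypt's 72-byte limit applies to the normalized, UTF-8-encoded value` would keep the two paths from drifting. set_password's body continues past the end of the first hunk.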