ecd74b801b
Per NIST [SP800-63B, §5.1.1.2] Memorized Secret Verifiers : > the verifier SHOULD apply the Normalization Process for > Stabilized Strings using either the NFKC or NFKD normalization This is necessary for Unicode passwords to work reliably. ASCII-only passwords aren't affected. [SP800-63B, §5.1.1.2]: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers
29 lines
824 B
Python
29 lines
824 B
Python
import unicodedata
|
|
|
|
import bcrypt
|
|
|
|
from app.extensions import db
|
|
|
|
|
|
_NORMALIZATION_FORM = "NFKC"
|
|
|
|
|
|
class PasswordOracle:
|
|
salt = db.Column(db.String(128), nullable=True)
|
|
password = db.Column(db.String(128), nullable=True)
|
|
|
|
def set_password(self, password):
|
|
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
|
|
salt = bcrypt.gensalt()
|
|
password_hash = bcrypt.hashpw(password.encode(), salt).decode()
|
|
self.salt = salt.decode()
|
|
self.password = password_hash
|
|
|
|
def check_password(self, password) -> bool:
|
|
if not self.password:
|
|
return False
|
|
|
|
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
|
|
password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
|
|
return self.password.encode() == password_hash
|