1 # GNU MediaGoblin -- federated, autonomous media hosting
2 # Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
4 # This program is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU Affero General Public License as published by
6 # the Free Software Foundation, either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU Affero General Public License for more details.
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 from mediagoblin
.tools
.mail
import send_email
22 from mediagoblin
.tools
.template
import render_template
23 from mediagoblin
import mg_globals
26 def bcrypt_check_password(raw_pass
, stored_hash
, extra_salt
=None):
28 Check to see if this password matches.
31 - raw_pass: user submitted password to check for authenticity.
32 - stored_hash: The hash of the raw password (and possibly extra
33 salt) to check against
34 - extra_salt: (optional) If this password is with stored with a
35 non-database extra salt (probably in the config file) for extra
36 security, factor this into the check.
39 True or False depending on success.
42 raw_pass
= u
"%s:%s" % (extra_salt
, raw_pass
)
44 hashed_pass
= bcrypt
.hashpw(raw_pass
.encode('utf-8'), stored_hash
)
46 # Reduce risk of timing attacks by hashing again with a random
47 # number (thx to zooko on this advice, which I hopefully
48 # incorporated right.)
51 rand_salt
= bcrypt
.gensalt(5)
52 randplus_stored_hash
= bcrypt
.hashpw(stored_hash
, rand_salt
)
53 randplus_hashed_pass
= bcrypt
.hashpw(hashed_pass
, rand_salt
)
55 return randplus_stored_hash
== randplus_hashed_pass
58 def bcrypt_gen_password_hash(raw_pass
, extra_salt
=None):
60 Generate a salt for this new password.
63 - raw_pass: user submitted password
64 - extra_salt: (optional) If this password is with stored with a
65 non-database extra salt
68 raw_pass
= u
"%s:%s" % (extra_salt
, raw_pass
)
71 bcrypt
.hashpw(raw_pass
.encode('utf-8'), bcrypt
.gensalt()))
74 def fake_login_attempt():
76 Pretend we're trying to login.
78 Nothing actually happens here, we're just trying to take up some
79 time, approximately the same amount of time as
80 bcrypt_check_password, so as to avoid figuring out what users are
81 on the system by intentionally faking logins a bunch of times.
83 rand_salt
= bcrypt
.gensalt(5)
85 hashed_pass
= bcrypt
.hashpw(str(random
.random()), rand_salt
)
87 randplus_stored_hash
= bcrypt
.hashpw(str(random
.random()), rand_salt
)
88 randplus_hashed_pass
= bcrypt
.hashpw(hashed_pass
, rand_salt
)
90 randplus_stored_hash
== randplus_hashed_pass
93 EMAIL_VERIFICATION_TEMPLATE
= (
94 u
"http://{host}{uri}?"
95 u
"userid={userid}&token={verification_key}")
98 def send_verification_email(user
, request
):
100 Send the verification email to users to activate their accounts.
103 - user: a user object
104 - request: the request
106 rendered_email
= render_template(
107 request
, 'mediagoblin/auth/verification_email.txt',
108 {'username': user
.username
,
109 'verification_url': EMAIL_VERIFICATION_TEMPLATE
.format(
111 uri
=request
.urlgen('mediagoblin.auth.verify_email'),
112 userid
=unicode(user
.id),
113 verification_key
=user
.verification_key
)})
115 # TODO: There is no error handling in place
117 mg_globals
.app_config
['email_sender_address'],
120 # Due to the distributed nature of GNU MediaGoblin, we should
121 # find a way to send some additional information about the
122 # specific GNU MediaGoblin instance in the subject line. For
123 # example "GNU MediaGoblin @ Wandborg - [...]".
124 'GNU MediaGoblin - Verify your email!',
128 EMAIL_FP_VERIFICATION_TEMPLATE
= (
129 u
"http://{host}{uri}?"
130 u
"userid={userid}&token={fp_verification_key}")
133 def send_fp_verification_email(user
, request
):
135 Send the verification email to users to change their password.
138 - user: a user object
139 - request: the request
141 rendered_email
= render_template(
142 request
, 'mediagoblin/auth/fp_verification_email.txt',
143 {'username': user
.username
,
144 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE
.format(
146 uri
=request
.urlgen('mediagoblin.plugins.basic_auth.verify_forgot_password'),
147 userid
=unicode(user
.id),
148 fp_verification_key
=user
.fp_verification_key
)})
150 # TODO: There is no error handling in place
152 mg_globals
.app_config
['email_sender_address'],
154 'GNU MediaGoblin - Change forgotten password!',