Refactor password validation
* Just removes the plaintext password from the source code, instead reading it from an environment file. No password hashing here. No-JS login is still on the timeline
This commit is contained in:
parent
81275588d0
commit
635bc32ef2
|
@ -7,6 +7,7 @@ import magic
|
|||
from django.http import HttpResponse
|
||||
from django.shortcuts import render
|
||||
from django.utils import timezone
|
||||
from django.utils.crypto import constant_time_compare
|
||||
|
||||
from whispermaphone import settings
|
||||
from .models import Thought
|
||||
|
@ -21,14 +22,17 @@ ALLOWED_MEDIA_TYPES = {
|
|||
"video/quicktime": "mov",
|
||||
}
|
||||
|
||||
|
||||
def index(request):
|
||||
def check_authenticated(request):
|
||||
authenticated = False
|
||||
try:
|
||||
if request.COOKIES["password"] == "ChromaticWave":
|
||||
if constant_time_compare(request.COOKIES["password"], settings.PASSWORD):
|
||||
authenticated = True
|
||||
except KeyError:
|
||||
pass
|
||||
return authenticated
|
||||
|
||||
def index(request):
|
||||
authenticated = check_authenticated(request)
|
||||
|
||||
try:
|
||||
highlighted_uuid = uuid.UUID(request.GET.get("show", ""))
|
||||
|
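Review bot: The new `check_authenticated` has no docstring, and nothing records that the cookie named "password" is expected to carry the shared password itself rather than a session token; add `"""Return True when the request's "password" cookie equals settings.PASSWORD (compared in constant time), False when the cookie is absent or differs."""`. Because the secret is re-sent in the cookie on every request, anything able to read that cookie (page script, an unencrypted hop) learns the password directly, so wherever the cookie is set it should at least carry `HttpOnly` and `Secure`; that setter is not in this commit's hunks. The description already notes that hashing is deferred, so this is only a pointer for that follow-up.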
@ -54,10 +58,7 @@ def index(request):
|
|||
|
||||
|
||||
def post(request):
|
||||
try:
|
||||
if not request.COOKIES["password"] == "ChromaticWave":
|
||||
return render(request, "whispermaphone/login.html", status=401)
|
||||
except KeyError:
|
||||
if not check_authenticated(request):
|
||||
return render(request, "whispermaphone/login.html", status=401)
|
||||
|
||||
if request.method == "POST":
|
||||
|
@ -111,11 +112,6 @@ def post(request):
|
|||
|
||||
|
||||
def about(request):
|
||||
authenticated = False
|
||||
try:
|
||||
if request.COOKIES["password"] == "ChromaticWave":
|
||||
authenticated = True
|
||||
except KeyError:
|
||||
pass
|
||||
authenticated = check_authenticated(request)
|
||||
|
||||
return render(request, "whispermaphone/about.html", {"authenticated": authenticated})
|
||||
|
|
|
@ -26,6 +26,8 @@ SECRET_KEY = config("SECRET_KEY", default="qdm4_0b)3^)k$6r($!o^a7&0l#^6)@g2wr!x0
|
|||
# SECURITY WARNING: don't run with debug turned on in production!
|
||||
DEBUG = config("DEBUG", default=True, cast=bool)
|
||||
|
||||
PASSWORD = config("PASSWORD", default="password")
|
||||
|
||||
ALLOWED_HOSTS = ["thoughts.learnerpages.com"]
|
||||
if DEBUG:
|
||||
ALLOWED_HOSTS = ["*"]
|
||||
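Review bot: The `default="password"` on the new `PASSWORD` setting means a deployment whose environment lacks `PASSWORD` silently accepts the literal string "password" as the login credential. If `config` here is python-decouple's (as the `SECRET_KEY` line above suggests), dropping the default makes startup fail with `UndefinedValueError` instead of running with a guessable secret: `PASSWORD = config("PASSWORD")`. If a development default is wanted, gate it on the `DEBUG` value defined just above rather than shipping one unconditionally.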
|
|