Refactor password validation

* Just removes the plaintext password from the source code, instead reading it from an enviroment file. No password hashing here. No-JS login is still on the timeline
2021-10-03 00:25:17 -04:00 · 2021-10-03 00:25:17 -04:00 · 635bc32ef2
parent 81275588d0
commit 635bc32ef2
2 changed files with 11 additions and 13 deletions
--- a/main/views.py
+++ b/main/views.py
@ -7,6 +7,7 @@ import magic
 from django.http import HttpResponse
 from django.shortcuts import render
 from django.utils import timezone
+from django.utils.crypto import constant_time_compare

 from whispermaphone import settings
 from .models import Thought
@ -21,14 +22,17 @@ ALLOWED_MEDIA_TYPES = {
    "video/quicktime": "mov",
 }

-
-def index(request):
+def check_authenticated(request):
    authenticated = False
    try:
-        if request.COOKIES["password"] == "ChromaticWave":
+        if constant_time_compare(request.COOKIES["password"], settings.PASSWORD):
            authenticated = True
    except KeyError:
        pass
+    return authenticated
+
+def index(request):
+    authenticated = check_authenticated(request)

    try:
        highlighted_uuid = uuid.UUID(request.GET.get("show", ""))
@ -54,10 +58,7 @@ def index(request):


 def post(request):
-    try:
-        if not request.COOKIES["password"] == "ChromaticWave":
-            return render(request, "whispermaphone/login.html", status=401)
-    except KeyError:
+    if not check_authenticated(request):
        return render(request, "whispermaphone/login.html", status=401)

    if request.method == "POST":
@ -111,11 +112,6 @@ def post(request):


 def about(request):
-    authenticated = False
-    try:
-        if request.COOKIES["password"] == "ChromaticWave":
-            authenticated = True
-    except KeyError:
-        pass
+    authenticated = check_authenticated(request)

    return render(request, "whispermaphone/about.html", {"authenticated": authenticated})
--- a/whispermaphone/settings.py
+++ b/whispermaphone/settings.py
@ -26,6 +26,8 @@ SECRET_KEY = config("SECRET_KEY", default="qdm4_0b)3^)k$6r($!o^a7&0l#^6)@g2wr!x0
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = config("DEBUG", default=True, cast=bool)

+PASSWORD = config("PASSWORD", default="password")
+
 ALLOWED_HOSTS = ["thoughts.learnerpages.com"]
 if DEBUG:
    ALLOWED_HOSTS = ["*"]