app.pw_models: Use unicode normalization

Per NIST [SP800-63B, §5.1.1.2] Memorized Secret Verifiers:
> the verifier SHOULD apply the Normalization Process for
> Stabilized Strings using either the NFKC or NFKD normalization

This is necessary for Unicode passwords to work reliably.
ASCII-only passwords aren't affected.

[SP800-63B, §5.1.1.2]: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers
nicoo 2021-05-26 21:42:19 +02:00
parent d216812f14
commit ecd74b801b
1 changed files with 8 additions and 0 deletions


@ -1,13 +1,19 @@
import unicodedata
import bcrypt
from app.extensions import db
_NORMALIZATION_FORM = "NFKC"
class PasswordOracle:
salt = db.Column(db.String(128), nullable=True)
password = db.Column(db.String(128), nullable=True)
def set_password(self, password):
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
salt = bcrypt.gensalt()
password_hash = bcrypt.hashpw(password.encode(), salt).decode()
self.salt = salt.decode()
@ -16,5 +22,7 @@ class PasswordOracle:
def check_password(self, password) -> bool:
if not self.password:
return False
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
return self.password.encode() == password_hash
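Review bot: The final line of `check_password` compares the stored hash with `==`, which is not a constant-time comparison; since a bcrypt hash string already embeds its salt, `return bcrypt.checkpw(password.encode(), self.password.encode())` would do the check in constant time, or the existing comparison can be wrapped in `hmac.compare_digest(...)`. The new `_NORMALIZATION_FORM` constant deserves a comment that it is part of the stored-hash contract, e.g. `# Applied before hashing; changing it invalidates every existing hash (NIST SP 800-63B §5.1.1.2 permits NFKC or NFKD).` Hashes created before this change for non-ASCII passwords that were not already in NFKC form will presumably stop verifying, which is worth stating in the commit description or handling with a one-time fallback check against the un-normalized input. The body of `set_password` continues past the end of the first hunk.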