app.pw_models: Use unicode normalization
Per NIST [SP800-63B, §5.1.1.2] Memorized Secret Verifiers:

> the verifier SHOULD apply the Normalization Process for
> Stabilized Strings using either the NFKC or NFKD normalization

This is necessary for Unicode passwords to work reliably. ASCII-only passwords aren't affected.

[SP800-63B, §5.1.1.2]: https://pages.nist.gov/800-63-3/sp800-63b.html#-5112-memorized-secret-verifiers
This commit is contained in:
parent
d216812f14
commit
ecd74b801b
|
@ -1,13 +1,19 @@
|
|||
import unicodedata
|
||||
|
||||
import bcrypt
|
||||
|
||||
from app.extensions import db
|
||||
|
||||
|
||||
_NORMALIZATION_FORM = "NFKC"
|
||||
|
||||
|
||||
class PasswordOracle:
|
||||
salt = db.Column(db.String(128), nullable=True)
|
||||
password = db.Column(db.String(128), nullable=True)
|
||||
|
||||
def set_password(self, password):
|
||||
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
|
||||
salt = bcrypt.gensalt()
|
||||
password_hash = bcrypt.hashpw(password.encode(), salt).decode()
|
||||
self.salt = salt.decode()
|
||||
|
@ -16,5 +22,7 @@ class PasswordOracle:
|
|||
def check_password(self, password) -> bool:
|
||||
if not self.password:
|
||||
return False
|
||||
|
||||
password = unicodedata.normalize(_NORMALIZATION_FORM, password)
|
||||
password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
|
||||
return self.password.encode() == password_hash
|
||||
|
|
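Review bot: check_password now verifies only the NFKC-normalized form, so a hash stored before this change from a Unicode password whose NFKC form differs from the raw input (a decomposed accented character, a compatibility form) will stop matching, and the commit adds no fallback or rehash path for those rows. A small compatibility branch could retry the raw password when the normalized one fails and, on success, call set_password so the row is re-stored in normalized form (persisting it is still the caller's job). Separately, the `==` on the last line compares the two hash strings with a timing-variable operator; `bcrypt.checkpw(password.encode(), self.password.encode())` does the hash-and-compare in one constant-time call, since the bcrypt string already embeds the salt. Also worth a comment near the normalize calls: bcrypt uses at most the first 72 bytes of its input (newer releases of the bcrypt package may reject longer inputs outright), and normalization can change the encoded length, so the effective limit is on the normalized UTF-8 bytes. set_password's body continues past the end of the first hunk.
```python
    def check_password(self, password) -> bool:
        if not self.password:
            return False

        normalized = unicodedata.normalize(_NORMALIZATION_FORM, password)
        stored = self.password.encode()
        if bcrypt.checkpw(normalized.encode(), stored):
            return True
        # Legacy row hashed before normalization was introduced: accept the
        # raw form once and re-store it normalized (caller commits the session).
        if normalized != password and bcrypt.checkpw(password.encode(), stored):
            self.set_password(password)
            return True
        return False
```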