Major issue about bottle-cork HOT 14 CLOSED

yedderson avatar yedderson commented on May 30, 2024
Major issue

from bottle-cork.

Comments (14)

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

Hello, can you please describe how to reproduce the issue exactly?
When testing multiple logins with different passwords make sure that a logout has been done and the cookie has been removed.

yedderson avatar yedderson commented on May 30, 2024

Yes, here is a sample application; when you log in, the password is simply ignored.

from bottle import request, route, template, default_app, run
from beaker.middleware import SessionMiddleware
from cork import Cork

app = default_app()
aaa = Cork('example_conf')

# I used this code in 'recreate_example_conf.py' to generate the hashes:
#     ...
#     tstamp = str(datetime.utcnow())
#     username = 'root'
#     password = 'pwd'
#     cork._store.users[username] = {
#         'role': 'admin',
#         'hash': cork._hash(username, password),
#         'email_addr': username + '@localhost.local',
#         'desc': username + ' test user',
#         'creation_date': tstamp
#     }
#     ...

# Beaker cookie-based session wrapped around the Bottle app
app = SessionMiddleware(app, {
    'beaker.session.auto': True,
    'beaker.session.type': 'cookie',
    'beaker.session.validate_key': True,
    'beaker.session.cookie_expires': True,
    'beaker.session.timeout': 3600 * 24})


@route('/login', method=['GET', 'POST'])
def login():
    # GET: render the form; POST: hand the credentials to Cork, which
    # redirects to '/' on success and back to '/login' on failure
    if request.method == 'GET':
        return template("""
        <html>
        <form method="post" action="/login">
            <input name="user" required="required" type="text" placeholder="user">
            <input name="password" type="password" required="required" placeholder="password">
            <input type="submit" name="login" value="login">
        </form>
        </html>
        """)
    if request.method == 'POST':
        username = request.POST.get('user', '')
        password = request.POST.get('password', '')
        aaa.login(username=username, password=password,
                  success_redirect='/', fail_redirect='/login')


@route('/')
def home():
    # Only users with the 'admin' role may see this page
    aaa.require(role='admin', fail_redirect='/login')
    return 'welcome'


run(app=app, host='0.0.0.0', port=80)

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

I'm not having any unexpected behavior from the code you pasted. Incorrect passwords are making the login fail. However, you have no code to remove the cookie in that snippet. Try inspecting the cookie on your browser before and during the login.

yedderson avatar yedderson commented on May 30, 2024

I'm cleaning the cookies manually. I tested the code above on Opera, Chrome and Firefox, and using root/pwd, root/abc, root/anything they all get me in.

I'm using the latest releases for beaker, cork and bottle; are you on this same config?

Beaker==1.6.4
bottle==0.11.2
bottle-cork==0.2

and here are the details for the cookies I'm getting:

name                value                                               domain      size    path    expire
beaker.session.id   78ef4b6864da48d3c62c5ca...3RpbWVxBUdB1CNZUYyLRHUu   127.0.0.1   197 B   /       Session

what can I do to help debug this code?

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

The library versions are very close. Can you join the #bottlepy IRC channel on Freenode? In the meantime I'll keep investigating.

Beaker 1.6.3
Bottle 0.11.3
Cork 0.2

Thanks!

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

Also, did you try running the unit and functional tests? Are they all successful?

23min avatar 23min commented on May 30, 2024

Which version of pycrypto?

yedderson avatar yedderson commented on May 30, 2024

bottle-cork uses crypto from beaker.

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

I'm using pycrypto v. 2.6

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

I've updated the unit and functional tests to run them on Windows as well.

yedderson avatar yedderson commented on May 30, 2024

Beaker depends on one of Pycryptopp, NSScrypto, JCEcrypto or Crypto, and it silently fails when none of them is installed. This makes the whole password verification process for cork useless.

I've successfully tested with Crypto and cryptopp, and because there is no dependency check when you pip install beaker, the solution is to enforce a dependency on Crypto for cork and add some safety checks.

On Windows there is no pip install for any of them; you can get Crypto binaries from here or pycryptopp eggs from here.

Thanks go to FedericoCeratto and defnull.

23min avatar 23min commented on May 30, 2024

I had added a pycrypto dependency in my heroku-fix pull request. Really, the solution is probably for beaker to either not silently fail or to have a hard default dependency.
But for cork to be useful, it may be good to just add the default pycrypto as a dependency.

yedderson avatar yedderson commented on May 30, 2024

@23min I've just looked into your pull request, yes you're right.

FedericoCeratto avatar FedericoCeratto commented on May 30, 2024

I've added a safety check in this commit:
6f0755e
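The failure mode in this thread is a password check that keeps "succeeding" because the crypto backend underneath it silently does nothing. The following is an added illustration of the kind of safety check discussed above; it is not Cork's or Beaker's code and not the content of commit 6f0755e. It assumes Python 3 and uses the standard library's hashlib.pbkdf2_hmac as the KDF (Cork itself hashes through Beaker's crypto module), and before trusting any verification result it runs a cheap known-answer test against an independent HMAC computation, so a backend that returns empty, constant or truncated output causes an exception instead of a login. The broken_backend function is a constructed stand-in for a missing crypto library.

```python
import hashlib
import hmac
import os

# Added illustration of a fail-closed password verifier; it is NOT Cork's or
# Beaker's code. hashlib.pbkdf2_hmac is an assumed stand-in for Cork's real KDF.

SALT_LEN = 16        # bytes of random salt stored in front of the hash
KEY_LEN = 32         # PBKDF2 output length in bytes
ITERATIONS = 100000  # work factor for real hashes (self-test uses 1)


class CryptoBackendBroken(RuntimeError):
    """The KDF backend does not behave like PBKDF2; refuse to authenticate."""


def kdf(password, salt, iterations=ITERATIONS, fn=None):
    """Derive KEY_LEN bytes. `fn` defaults to the stdlib PBKDF2 and exists only
    so the self-test can be exercised against a deliberately broken backend."""
    fn = fn or hashlib.pbkdf2_hmac
    return fn("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def backend_is_sane(fn=None):
    """Known-answer test. With one iteration, PBKDF2-HMAC-SHA256 reduces to
    HMAC-SHA256(password, salt || 0x00000001); that value is computed here
    with hmac directly, independently of the backend under test, so a no-op
    backend (the silent failure described in this thread) is detected."""
    password, salt = b"passwd", b"salt"
    expected = hmac.new(password, salt + b"\x00\x00\x00\x01",
                        hashlib.sha256).digest()
    try:
        got = kdf("passwd", salt, iterations=1, fn=fn)
        other = kdf("Passwd", salt, iterations=1, fn=fn)
    except Exception:
        return False
    return (isinstance(got, bytes) and len(got) == KEY_LEN
            and hmac.compare_digest(got, expected) and got != other)


def hash_password(password, fn=None):
    """Return salt || PBKDF2(password, salt) for storage."""
    if not backend_is_sane(fn):
        raise CryptoBackendBroken("KDF self-test failed; refusing to hash")
    salt = os.urandom(SALT_LEN)
    return salt + kdf(password, salt, fn=fn)


def verify_password(password, stored, fn=None):
    """True only if the password matches. Raises rather than returning True
    when the KDF backend is broken, and compares digests in constant time."""
    if not backend_is_sane(fn):
        raise CryptoBackendBroken("KDF self-test failed; refusing to verify")
    if len(stored) != SALT_LEN + KEY_LEN:
        return False  # malformed record: never treat it as a match
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(kdf(password, salt, fn=fn), expected)


def broken_backend(name, password, salt, iterations, dklen):
    """Constructed stand-in for a crypto module that silently does nothing."""
    return b""


if __name__ == "__main__":
    stored = hash_password("pwd")
    print("root/pwd ->", verify_password("pwd", stored))  # True
    print("root/abc ->", verify_password("abc", stored))  # False
    try:
        verify_password("pwd", stored, fn=broken_backend)
    except CryptoBackendBroken as exc:
        print("broken backend ->", exc)
```

The self-test deliberately uses one iteration so it is cheap enough to run on every call; the point is not to prove the KDF strong but to prove it is actually doing work before its result decides whether root/abc gets in. A hard dependency on the crypto library, as the thread proposes, removes the most likely cause; the runtime check catches the remaining ones (a broken install, an import that fails only on one platform) and fails closed.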
