AUTHENTICATION about comp-status HOT 5 CLOSED

Progress has been made. A username and password can be sent, and a token received, which is used for further communication. Tokens are set to expire after 24 hours, or upon central-server restart.

Usernames and passwords both central-server side and server/client side currently aren't encrypted, and I'm not sure how to go about doing that.

TODO:

• Remove hardcoded users in central-server.py, and replace it with a users.json or something and a wizard to go with
• Revoking of tokens while server is deployed (maybe through accounts marked as admin or something?)
• Automatically retrieve new token if old one is revoked.

from comp-status.

Token retrieval has been added, along with the obtaining of new tokens if the old one is revoked. This way, if a token is compromised, it can be revoked and a new one generated.

Maybe I'll add something where a user can regenerate their own token, so if their token gets compromised, they can fix the problem while not being able to mess with other people's tokens.

from comp-status.

An EXTREMELY basic user manager has been added. It will be improved before this issue is closed.

from comp-status.

User manager has been improved to a good enough state.
To mitigate attacks on the database giving people access to passwords (since passwords are currently stored in plaintext), I'm planning to salt the passwords with a string that's generated at password-creation time and stored alongside the password before MD5 hashing the salted password. I'm almost certainly going to mess this up, this is my first time doing something like this, and password security is hell to do right.

EDIT: Going to use bcrypt + salt instead.

TODO:

• Switch to the secrets module
• Implement the above hashing + salt system

from comp-status.

The program is now using bcrypt to store passwords (hopefully) securely, and the README has been updated accordingly. With the user manager in a finished enough state and passwords (hopefully) stored well, I'm happy to finally be able to close this issue. I'll probably improve the user manager over time, and allow clients to manage users.

from comp-status.