Comments (5)
Progress has been made. A username and password can be sent, and a token received, which is used for further communication. Tokens are set to expire after 24 hours, or upon central-server restart.
Usernames and passwords, both central-server side and server/client side, currently aren't encrypted, and I'm not sure how to go about doing that.
TODO:
- Remove hardcoded users in `central-server.py`, and replace it with a `users.json` or something and a wizard to go with
- Revoking of tokens while server is deployed (maybe through accounts marked as admin or something?)
- Automatically retrieve new token if old one is revoked.
from comp-status.
Token retrieval has been added, along with the obtaining of new tokens if the old one is revoked. This way, if a token is compromised, it can be revoked and a new one generated.
Maybe I'll add something where a user can regenerate their own token, so if their token gets compromised, they can fix the problem while not being able to mess with other people's tokens.
from comp-status.
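The token lifecycle the two comments above describe (issue on login, 24-hour expiry, loss on restart, admin revocation, self-service regeneration that cannot touch anyone else's token) as an added example. This is not comp-status's code; `TokenStore`, `TokenRecord` and the injectable `clock` are assumptions made for the example, and only a SHA-256 fingerprint of each token is kept so that a leaked copy of the store does not hand out usable bearer tokens.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 24-hour lifetime, as described in the thread. Tokens also vanish on restart
# because the store is purely in-memory.
TOKEN_TTL_SECONDS = 24 * 60 * 60


@dataclass
class TokenRecord:
    username: str
    issued_at: float
    revoked: bool = False


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored; the raw token exists only on the client.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical in-memory token store (an assumption for this example)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, username: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG; random.random() would be guessable.
        token = secrets.token_urlsafe(32)
        self._records[_fingerprint(token)] = TokenRecord(username, self._clock())
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the username for a live token, or None if unknown, revoked or expired."""
        key = _fingerprint(token)
        rec = self._records.get(key)
        if rec is None or rec.revoked:
            return None
        if self._clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            del self._records[key]  # expired: drop it so the store does not grow forever
            return None
        return rec.username

    def revoke(self, token: str) -> bool:
        """Revoke one token. Returns False if it was not a live token."""
        if self.lookup(token) is None:
            return False
        self._records[_fingerprint(token)].revoked = True
        return True

    def revoke_all_for(self, username: str) -> int:
        """Admin action from the TODO: kill every live token of one user. Returns the count."""
        count = 0
        for rec in self._records.values():
            if rec.username == username and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def regenerate(self, token: str) -> Optional[str]:
        """Self-service rotation: the holder of a live token trades it for a fresh one.
        It can only affect the token it presents, never other users' tokens."""
        username = self.lookup(token)
        if username is None:
            return None
        self.revoke(token)
        return self.issue(username)


if __name__ == "__main__":
    store = TokenStore()
    first = store.issue("alice")
    print("valid for:", store.lookup(first))
    rotated = store.regenerate(first)
    print("old token still valid?", store.lookup(first) is not None)
    print("new token valid for:", store.lookup(rotated))
```

The `regenerate` path is the "user fixes their own compromised token" case from the comment: it is scoped to the token presented, so a user with a leaked token can rotate it without an admin, while `revoke_all_for` stays an admin-only operation that the caller must gate on an admin flag.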
An EXTREMELY basic user manager has been added. It will be improved before this issue is closed.
from comp-status.
User manager has been improved to a good enough state.
To mitigate attacks on the database giving people access to passwords (since passwords are currently stored in plaintext), I'm planning to salt the passwords with a string that's generated at password-creation time and stored alongside the password before MD5 hashing the salted password. I'm almost certainly going to mess this up; this is my first time doing something like this, and password security is hell to do right.
EDIT: Going to use bcrypt + salt instead.
TODO:
- Switch to the `secrets` module
- Implement the above hashing + salt system
from comp-status.
The program is now using bcrypt to store passwords (hopefully) securely, and the README has been updated accordingly. With the user manager in a finished enough state and passwords (hopefully) stored well, I'm happy to finally be able to close this issue. I'll probably improve the user manager over time, and allow clients to manage users.
from comp-status.
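The storage pattern the thread settles on (a fresh random salt per password, a deliberately slow hash, and a comparison that does not leak timing) as an added example covering both the salt-plus-hash plan and the final bcrypt comment. This is not comp-status's code. bcrypt is a third-party package, so the example uses scrypt from Python's standard library with the same shape; `bcrypt.hashpw`/`bcrypt.checkpw` are a drop-in for `hash_password`/`verify_password` here. The work factors, the record format and the `authenticate`/`needs_rehash` helpers are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Current work-factor policy (assumed values for this example). n is the CPU/memory
# cost and must be a power of two; r is the block size; p the parallelism.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest."""
    # A fresh random salt per password: identical passwords get different records,
    # and one precomputed table cannot crack the whole database at once.
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), digest.hex()])


def _parse(stored: str):
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(stored: str, candidate: str) -> bool:
    try:
        n, r, p, salt, expected = _parse(stored)
    except ValueError:
        return False  # malformed record: never a match
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # compare_digest takes the same time no matter where the digests first differ.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with weaker parameters than current policy."""
    try:
        n, r, p, _, _ = _parse(stored)
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def authenticate(users: dict, username: str, password: str) -> bool:
    """Verify against users[username] and upgrade the record in place if policy moved on."""
    stored = users.get(username)
    if stored is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hashlib.scrypt(password.encode("utf-8"), salt=b"\0" * SALT_BYTES,
                       n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
        return False
    if not verify_password(stored, password):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)  # rehash on login, the only time we have the plaintext
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    print("good login:", authenticate(users, "alice", "correct horse battery staple"))
    print("bad login:", authenticate(users, "alice", "hunter2"))
```

The record carries its own parameters, which is what makes `needs_rehash` possible: raising the work factor later does not invalidate existing users, it just rehashes each of them on their next successful login. The same idea applies to a later move off bcrypt, since a record prefixed with a different scheme can be recognised and migrated the same way.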