Diffstat (limited to 'filters')
-rw-r--r--filters/simple-authentication.lua19
1 files changed, 6 insertions, 13 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index bf35632..77d1fd0 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -23,17 +23,11 @@ local protected_repos = {
 	qt		= { jason = true, bob = true }
 }
 
--- Please note that, in production, you'll want to replace this simple lookup
--- table with either a table of salted and hashed passwords (using something
--- smart like scrypt), or replace this table lookup with an external support,
--- such as consulting your system's pam / shadow system, or an external
--- database, or an external validating web service. For testing, or for
--- extremely low-security usage, you may be able, however, to get away with
--- compromising on hardcoding the passwords in cleartext, as we have done here.
+-- A list of users and hashes, generated with `mkpasswd -m sha-512 -R 300000`.
 local users = {
-	jason		= "secretpassword",
-	laurent		= "s3cr3t",
-	bob		= "ilikelua"
+	jason		= "$6$rounds=300000$YYJct3n/o.ruYK$HhpSeuCuW1fJkpvMZOZzVizeLsBKcGA/aF2UPuV5v60JyH2MVSG6P511UMTj2F3H75.IT2HIlnvXzNb60FcZH1",
+	laurent		= "$6$rounds=300000$dP0KNHwYb3JKigT$pN/LG7rWxQ4HniFtx5wKyJXBJUKP7R01zTNZ0qSK/aivw8ywGAOdfYiIQFqFhZFtVGvr11/7an.nesvm8iJUi.",
+	bob		= "$6$rounds=300000$jCLCCt6LUpTz$PI1vvd1yaVYcCzqH8QAJFcJ60b6W/6sjcOsU7mAkNo7IE8FRGW1vkjF8I/T5jt/auv5ODLb1L4S2s.CAyZyUC"
 }
 
 -- Set this to a path this script can write to for storing a persistent
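Review bot: The replacement comment on the `users` table drops the old warning that a hard-coded credential table is for testing or very low-security use, and that warning still applies — the hashes are now committed to the repository and anyone who can read the filter file (or its history) can run an offline attack against them. Since the three example hashes are published alongside the script, a reader is also left with no hint that they must be regenerated rather than reused; an entry whose password is guessable from the old cleartext revision is no better than the cleartext was. I would extend the comment to something like `-- Example entries only: regenerate every hash for your own deployment and` / `-- prefer an external backend (PAM/shadow, a database) for real use.` It may also be worth saying that the `$6$rounds=` format relies on the host's crypt(3) supporting SHA-512 with a rounds parameter, which is true of glibc but not of every libc.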
@@ -48,7 +42,7 @@ local secret_filename = "/var/cache/cgit/auth-secret"
 
 -- Sets HTTP cookie headers based on post and sets up redirection.
 function authenticate_post()
-	local password = users[post["username"]]
+	local hash = users[post["username"]]
 	local redirect = validate_value("redirect", post["redirect"])
 
 	if redirect == nil then
@@ -58,8 +52,7 @@ function authenticate_post()
 
 	redirect_to(redirect)
 
-	-- Lua hashes strings, so these comparisons are time invariant.
-	if password == nil or password ~= post["password"] then
+	if hash == nil or hash ~= unistd.crypt(post["password"], hash) then
 		set_cookie("cgitauth", "")
 	else
 		-- One week expiration time
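Review bot: A POST with no `password` field now raises a Lua error instead of failing authentication, because the new condition only guards `hash == nil` and then passes `post["password"]` straight to `unistd.crypt`, which rejects a nil argument; the removed line handled that case implicitly through the plain string comparison. A one-line guard keeps the old behaviour: `if hash == nil or post["password"] == nil or hash ~= unistd.crypt(post["password"], hash) then`. Separately, each verification now costs 300000 SHA-512 rounds, so an unauthenticated client can burn noticeable CPU per request; that is inherent to the hash choice, but it is worth a comment noting that rate limiting belongs in front of this endpoint. The comment about time-invariant comparison was deleted rather than updated — if the intent is that the timing of the `~=` no longer matters (the attacker does not know the stored hash), a short note saying so would save the next reader from re-deriving it. The `unistd` module is not required within this hunk, so I assume it is brought into scope earlier in the file; the function continues past the hunk.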
ver.c?h=daemon&id=a7339f0e1edff37a532c459ce6467f16749383d6&follow=1'>Miscellaneous code cleanupJune McEnroe 2018-03-05Pass message structs by valueJune McEnroe 2018-03-05Use stdio in merge and metaJune McEnroe 2018-03-05Clean up spawn constantsJune McEnroe 2018-03-05Rename Tile timestamps {create,modify,access}TimeJune McEnroe 2018-03-05Pack message type enumsJune McEnroe 2018-03-05Undef COLOR_ constants in torus.hJune McEnroe 2018-03-05Generate tagsJune McEnroe 2017-10-03Simplify Makefile with pattern ruleJune McEnroe Insert rant about how GNU make handles the .c rule with extra dependencies. Also I don't care that everything links curses now. 2017-09-27Remove leading blank linesJune McEnroe 2017-09-27Add merge.c to READMEJune McEnroe 2017-09-03Assert client coords are valid after movementJune McEnroe 2017-09-03Relicense AGPLJune McEnroe I know it's already published under a permissive license in what is probably its final form, but I want to license it AGPL anyway on principle following some conversations I had about open source, corporations and copyleft. 2017-09-01Revert "Add client readOnly mode"June McEnroe This reverts commit 34f25ae40a3db9369e9d98b3814f2b93bbc21451. 2017-09-01Remove clientRemove call from clientCastJune McEnroe If an error occurs on a client socket during a broadcast, that client will show up in the kqueue loop with EV_EOF and get removed that way. Tested by sending SIGKILL to a client and watching its cursor disappear. 2017-09-01Add client readOnly modeJune McEnroe 2017-08-31Clean up merge toolJune McEnroe Choose the version with the most recent access if the modify times are the same. 2017-08-31Choose B for tiles with equal modify timesJune McEnroe This way newer access counts and times will be preserved. 2017-08-31Add quick data file merge toolJune McEnroe Hopefully I won't have to use it ever again. 
2017-08-30Use only foreground color for selecting spawnJune McEnroe 2017-08-29Add four additional spawnsJune McEnroe 2017-08-28Add respawningJune McEnroe 2017-08-26Move license above includesJune McEnroe Why was it down there? 2017-08-26Snapshot metadataJune McEnroe 2017-08-26Add meta.c to READMEJune McEnroe 2017-08-26Use MakefileJune McEnroe