shreyamalviya
Contributor

Fixes #969
Uses bcrypt to salt and hash the password on the server side before storing it.

PR Checklist

  • Have you added an explanation of what your changes do and why you'd like to include them?
  • Is the TravisCI build passing?
  • Was the CHANGELOG.md updated to reflect the changes?
  • Was the documentation framework updated to reflect the changes?

Testing Checklist

  • Added relevant unit tests?
  • Have you successfully tested your changes locally? Elaborate:

    Tested by running Island locally. Network traffic shows plaintext password. server_config.json stores salted and hashed password. Correct password results in authentication. Incorrect is denied.

  • If applicable, add screenshots or log transcripts of the feature working

codecov bot commented May 3, 2021

Codecov Report

Merging #1139 (d86e8e8) into develop (7f06ec4) will decrease coverage by 0.07%.
The diff coverage is 18.60%.

❗ Current head d86e8e8 differs from pull request most recent head 7772ea6. Consider uploading reports for the commit 7772ea6 to get more accurate results

@@             Coverage Diff             @@
##           develop    #1139      +/-   ##
===========================================
- Coverage    28.71%   28.64%   -0.08%     
===========================================
  Files          410      411       +1     
  Lines        12877    12892      +15     
===========================================
- Hits          3698     3693       -5     
- Misses        9179     9199      +20     

Impacted Files                                          Coverage Δ
monkey/monkey_island/cc/resources/auth/auth.py          0.00% <0.00%> (ø)
.../monkey_island/cc/resources/auth/password_utils.py   0.00% <0.00%> (ø)
...ey/monkey_island/cc/resources/auth/registration.py   0.00% <0.00%> (ø)
monkey/monkey_island/cc/environment/standard.py         88.88% <66.66%> (+1.38%) ⬆️
...monkey_island/cc/environment/environment_config.py   100.00% <100.00%> (ø)
monkey/monkey_island/cc/environment/user_creds.py       100.00% <100.00%> (+6.89%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

The default values were only really used by the test code. We can
simplify the Usercreds's interface and test code by removing
functionality (read: complication) we don't really need.
@mssalvatore mssalvatore merged commit e609094 into develop May 5, 2021
@mssalvatore mssalvatore deleted the pwd-hash branch May 13, 2021 16:14
Development

Successfully merging this pull request may close these issues.

Login password should be hashed on the server side