Secure passwords

[krishnasharmak05]

Closes #11

• Title : Hash the password during login and signup
• Name: Krishna Sharma K
• Idenitfy yourself: SSOC Contributor

Describe the add-ons or changes you've made 📃

Give a clear description of what have you added or modifications made

I have done the following:

• Created a file called encrypt.py in page/auth folder which contains two functions - secure_password and check_password. secure_password returns the hash of the password, which is done using argon2 hashing algorithm. The check_password function verifies whether the hashed password stored in the database and the password entered during login are the same.
• Secured the passwords entered during signup using the secure_password function and checked the secured password against the repeat password before approving the signup request.
• Enabled checking of the password entered during login with the password stored in the database to enable successful login.
• Replaced the plaintext passwords in the database with the new hashed passwords for User, Admin and Super Admin as given in the README file.

Type of change ☑️

What sort of change have you made:

• [x] New feature (non-breaking change which adds functionality)

How Has This Been Tested? ⚙️

I throughly tested the changes by creating new users, and logging them in (See screenshot below).

Checklist: ☑️

• [x] My code follows the Contributing Guidelines & Code of Conduct of this project.
• [x] This PR does not contain plagiarized content.
• [x] I have performed a self-review of my own code.
• [x] I have commented my code, particularly wherever it was hard to understand.
• [x] My changes generate no new warnings.

Screenshots 📷

SignUp testing 👇

Login testing 👇

[github-actions[bot]]

Thank you for submitting your pull request! We'll review it as soon as possible. For further communication, join our discord server https://discord.gg/tSqtvHUJzE.

[krishnasharmak05]

@krishnasharmak05 don't change db, revoke it. And you have hashing the password but on during login, you have to verifying the password using hash codes?

1. If I revoke the database, signups and logins will fail because the hashed passwords (checked against the user’s password field in the database) will be in the format $argon2id$..., while the database will contain plaintext passwords. What’s the purpose of hashing passwords if they’re stored in plaintext? If you have an alternative idea, @Avdhesh-Varshney , please share it so that I can implement it.

2. Yes, I’ve implemented and tested code that verifies user passwords during login. It uses hash codes stored in the database.