OpenJBOD / software


Authentication Support #6

Closed TheGuyDanish closed 5 days ago

TheGuyDanish commented 1 month ago

Microdot supports using sessions to have some kind of identification. We could use this to provide authentication to reach the control panel, securing it from potential malicious actors.

The biggest challenge to this at the moment (as I see it) is storing the password. MicroPython provides a limited number of hashing functions and none of them are salted.

As such, the best-effort way to store a password would be something like:

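```python
import hashlib, binascii
# [...]
username = 'admin'  # We'd grab these from an input, probably on the settings page.
password = 'admin'
# Unsalted SHA-256 of the password, hex-encoded for storage.
hash = hashlib.sha256(password.encode())
hash_for_storage = binascii.hexlify(hash.digest())
# Key the entry by the actual username so the lookup at sign-in finds it.
CONFIG['users'][username] = hash_for_storage
```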

Then authentication could be handled as:

```python
import hashlib, binascii
from microdot.session import Session, with_session
# [...]
# Inside a route handler decorated with @with_session, which supplies `session`.
username = 'admin'  # This would be an input from a sign-in page.
password = 'admin'  # Ditto
hash = hashlib.sha256(password.encode())
hash_for_comparison = binascii.hexlify(hash.digest())
# .get() so an unknown username fails the check instead of raising KeyError.
if hash_for_comparison == CONFIG['users'].get(username):
    session['username'] = username
    session.save()
```

For this to be relevant, #1 should be handled first.

Further reading/examples: https://github.com/miguelgrinberg/microdot/blob/main/examples/sessions/login.py
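A salt is only extra input to the hash, so it can be added without library support. The following is an added example, not code from this issue or from the OpenJBOD code base: PBKDF2-HMAC-SHA256 built from `hashlib.sha256`, `binascii` and `os.urandom` alone. The function names, the `iterations$salt$hash` record format and the iteration count are assumptions, as is the availability of `os.urandom` on the target port.

```python
import binascii
import hashlib
import os

ITERATIONS = 1000  # assumed work factor; raise it as far as the board tolerates

def pbkdf2_sha256(password, salt, iterations):
    # PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF; first output block only (32 bytes).
    key = password if len(password) <= 64 else hashlib.sha256(password).digest()
    key = key + b"\x00" * (64 - len(key))  # pad to the SHA-256 block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)

    def prf(msg):
        # HMAC (RFC 2104) written out with plain sha256
        return hashlib.sha256(opad + hashlib.sha256(ipad + msg).digest()).digest()

    u = prf(salt + b"\x00\x00\x00\x01")
    out = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(u)
        for i in range(32):
            out[i] ^= u[i]
    return bytes(out)

def make_record(password):
    # A fresh random salt per user means equal passwords give different records.
    salt = os.urandom(16)
    dk = pbkdf2_sha256(password.encode(), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, binascii.hexlify(salt).decode(),
                         binascii.hexlify(dk).decode())

def check_password(password, record):
    # Returns False for a wrong password and for a missing or malformed record.
    try:
        iterations, salt_hex, dk_hex = record.split("$")
        salt = binascii.unhexlify(salt_hex)
        expected = binascii.unhexlify(dk_hex)
        iterations = int(iterations)
    except (ValueError, AttributeError):
        return False
    got = pbkdf2_sha256(password.encode(), salt, iterations)
    diff = len(got) ^ len(expected)
    for a, b in zip(got, expected):
        diff |= a ^ b  # accumulate differences; no early exit on first mismatch
    return diff == 0
```

The record is a plain string, so it can sit in the config where the bare hash would have gone, and the per-record iteration count lets the work factor be raised later without invalidating existing entries.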

TheGuyDanish commented 1 month ago

https://github.com/miguelgrinberg/microdot/pull/217 seems to hold the easy answer to this!