Example authenticated replayer is not working; Solved

[volkerjaenisch]

Dear aiosmtpd people! Thank you for your work!

The "authenticated replayer" example has two bugs:

• The username and password have to be decoded to utf-8 since they may be bytes (dependent of the client).
• Argon2 hashes cannot simply be compared, they have to be verified.

Here the fixed code.

class Authenticator:
    def __init__(self, auth_database):
        self.auth_db = Path(auth_database)
        self.ph = PasswordHasher()

    def __call__(self, server, session, envelope, mechanism, auth_data):
        fail_nothandled = AuthResult(success=False, handled=False)
        if mechanism not in ("LOGIN", "PLAIN"):
            return fail_nothandled
        if not isinstance(auth_data, LoginPassword):
            return fail_nothandled
        username = auth_data.login.decode()
        password = auth_data.password.decode()
        conn = sqlite3.connect(self.auth_db)
        curs = conn.execute(
            "SELECT hashpass FROM userauth WHERE username=?", (username,)
        )
        hash_db = curs.fetchone()
        conn.close()
        if not hash_db:
            return fail_nothandled
        if not self.ph.verify(hash_db[0], password):
            return fail_nothandled
        return AuthResult(success=True)

Cheers, Volker