Add argon2 password hash
This commit is contained in:
50
backend/auth.py
Normal file
50
backend/auth.py
Normal file
@@ -0,0 +1,50 @@
|
|||||||
|
from datetime import datetime, timedelta
|
||||||
|
from flask import session
|
||||||
|
from flask_login import login_user
|
||||||
|
from . import db
|
||||||
|
from backend.models import User, LoginIP
|
||||||
|
from backend.alldebrid import check_alldebrid_status, send_ntfy
|
||||||
|
from backend.security import verify_password
|
||||||
|
|
||||||
|
MAX_ATTEMPTS = 5
|
||||||
|
BLOCK_TIME = timedelta(minutes=15)
|
||||||
|
|
||||||
|
def authenticate_user(username: str, password: str, ip: str):
|
||||||
|
ip_record = LoginIP.query.filter_by(ip=ip).first()
|
||||||
|
if not ip_record:
|
||||||
|
ip_record = LoginIP(ip=ip)
|
||||||
|
db.session.add(ip_record)
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
# IP bloquée
|
||||||
|
if ip_record.blocked_until and datetime.utcnow() < ip_record.blocked_until:
|
||||||
|
remaining = int((ip_record.blocked_until - datetime.utcnow()).total_seconds() // 60) + 1
|
||||||
|
return None, f"Trop de tentatives depuis votre IP. Réessayez dans {remaining} min."
|
||||||
|
|
||||||
|
user = User.query.filter_by(username=username).first()
|
||||||
|
if user and verify_password(password, user.password):
|
||||||
|
# Reset IP
|
||||||
|
ip_record.count = 0
|
||||||
|
ip_record.blocked_until = None
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
login_user(user)
|
||||||
|
session['user'] = user.username
|
||||||
|
|
||||||
|
# Vérification AllDebrid
|
||||||
|
premium = check_alldebrid_status()
|
||||||
|
session['alldebrid_active'] = premium
|
||||||
|
if premium:
|
||||||
|
send_ntfy("AllDebrid non premium", "Tentative avortée sur ygg-service !")
|
||||||
|
|
||||||
|
return user, None
|
||||||
|
else:
|
||||||
|
ip_record.count += 1
|
||||||
|
ip_record.last_attempt = datetime.utcnow()
|
||||||
|
if ip_record.count >= MAX_ATTEMPTS:
|
||||||
|
ip_record.blocked_until = datetime.utcnow() + BLOCK_TIME
|
||||||
|
msg = f"Trop de tentatives. Blocage pour {BLOCK_TIME.seconds // 60} minutes."
|
||||||
|
else:
|
||||||
|
msg = f"Identifiants invalides ({ip_record.count}/{MAX_ATTEMPTS})"
|
||||||
|
db.session.commit()
|
||||||
|
return None, msg
|
||||||
@@ -13,3 +13,6 @@ class LoginIP(db.Model):
|
|||||||
count = db.Column(db.Integer, default=0, nullable=False)
|
count = db.Column(db.Integer, default=0, nullable=False)
|
||||||
blocked_until = db.Column(db.DateTime, nullable=True)
|
blocked_until = db.Column(db.DateTime, nullable=True)
|
||||||
last_attempt = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
|
last_attempt = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
|
||||||
|
failed_attempts = db.Column(db.Integer, default=0, nullable=False)
|
||||||
|
locked_until = db.Column(db.DateTime, nullable=True)
|
||||||
|
last_failed = db.Column(db.DateTime, nullable=True)
|
||||||
|
|||||||
@@ -1,19 +1,18 @@
|
|||||||
# Standard library
|
# Standard library
|
||||||
from datetime import datetime, timedelta
|
from datetime import timedelta
|
||||||
from io import BytesIO
|
from io import BytesIO
|
||||||
import time
|
import time
|
||||||
|
|
||||||
# Third-party libraries
|
# Third-party libraries
|
||||||
import requests
|
import requests
|
||||||
from flask import render_template, request, redirect, url_for, session, flash, jsonify, make_response
|
from flask import render_template, request, redirect, url_for, session, flash, jsonify, make_response
|
||||||
from flask_login import login_user, logout_user, login_required, current_user
|
from flask_login import logout_user, login_required, current_user
|
||||||
from werkzeug.security import check_password_hash
|
from flask import request, render_template, redirect, url_for, flash
|
||||||
|
|
||||||
|
|
||||||
# Project imports
|
# Project imports
|
||||||
from . import db
|
|
||||||
from backend.models import User, LoginIP
|
|
||||||
from backend.utils import format_size, calculate_age
|
from backend.utils import format_size, calculate_age
|
||||||
from backend.alldebrid import check_alldebrid_status, send_ntfy
|
from backend.auth import authenticate_user
|
||||||
|
|
||||||
MAX_ATTEMPTS = 5
|
MAX_ATTEMPTS = 5
|
||||||
BLOCK_TIME = timedelta(minutes=15)
|
BLOCK_TIME = timedelta(minutes=15)
|
||||||
@@ -34,48 +33,15 @@ def init_app(app):
|
|||||||
|
|
||||||
@app.route('/login', methods=['GET', 'POST'])
|
@app.route('/login', methods=['GET', 'POST'])
|
||||||
def login():
|
def login():
|
||||||
ip = request.remote_addr or "unknown"
|
|
||||||
ip_record = LoginIP.query.filter_by(ip=ip).first()
|
|
||||||
if not ip_record:
|
|
||||||
ip_record = LoginIP(ip=ip)
|
|
||||||
db.session.add(ip_record)
|
|
||||||
db.session.commit()
|
|
||||||
|
|
||||||
if ip_record.blocked_until and datetime.utcnow() < ip_record.blocked_until:
|
|
||||||
remaining = int((ip_record.blocked_until - datetime.utcnow()).total_seconds() // 60) + 1
|
|
||||||
flash(f"Trop de tentatives depuis votre IP. Réessayez dans {remaining} min.")
|
|
||||||
return render_template("login.html")
|
|
||||||
|
|
||||||
if request.method == "POST":
|
if request.method == "POST":
|
||||||
username = request.form.get("username")
|
username = request.form.get("username")
|
||||||
password = request.form.get("password")
|
password = request.form.get("password")
|
||||||
user = User.query.filter_by(username=username).first()
|
ip = request.remote_addr or "unknown"
|
||||||
|
|
||||||
if user and check_password_hash(user.password, password):
|
user, msg = authenticate_user(username, password, ip)
|
||||||
ip_record.count = 0
|
if user:
|
||||||
ip_record.blocked_until = None
|
return redirect(url_for('dashboard'))
|
||||||
db.session.commit()
|
|
||||||
login_user(user)
|
|
||||||
session['user'] = user.username
|
|
||||||
|
|
||||||
# --- Vérification AllDebrid ---
|
|
||||||
print("Vérification en cours")
|
|
||||||
premium = check_alldebrid_status()
|
|
||||||
session['alldebrid_active'] = premium
|
|
||||||
if not premium: # notifier seulement si le compte n’est plus premium
|
|
||||||
print("Envoi notif")
|
|
||||||
send_ntfy("AllDebrid non premium", "Tentative avortée sur ygg-service !")
|
|
||||||
|
|
||||||
return redirect(url_for("dashboard"))
|
|
||||||
else:
|
else:
|
||||||
ip_record.count += 1
|
|
||||||
ip_record.last_attempt = datetime.utcnow()
|
|
||||||
if ip_record.count >= MAX_ATTEMPTS:
|
|
||||||
ip_record.blocked_until = datetime.utcnow() + BLOCK_TIME
|
|
||||||
msg = f"Trop de tentatives. Blocage pour {BLOCK_TIME.seconds // 60} minutes."
|
|
||||||
else:
|
|
||||||
msg = f"Identifiants invalides ({ip_record.count}/{MAX_ATTEMPTS})"
|
|
||||||
db.session.commit()
|
|
||||||
flash(msg)
|
flash(msg)
|
||||||
|
|
||||||
return render_template("login.html")
|
return render_template("login.html")
|
||||||
|
|||||||
19
backend/security.py
Normal file
19
backend/security.py
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
from passlib.context import CryptContext
|
||||||
|
|
||||||
|
# Configuration sensible : tu peux ajuster time_cost, memory_cost, parallelism
|
||||||
|
pwd_context = CryptContext(
|
||||||
|
schemes=["argon2"],
|
||||||
|
deprecated="auto",
|
||||||
|
argon2__time_cost=3,
|
||||||
|
argon2__memory_cost=64 * 1024, # 64 MB
|
||||||
|
argon2__parallelism=2
|
||||||
|
)
|
||||||
|
|
||||||
|
def hash_password(plain: str) -> str:
|
||||||
|
return pwd_context.hash(plain)
|
||||||
|
|
||||||
|
def verify_password(plain: str, hashed: str) -> bool:
|
||||||
|
return pwd_context.verify(plain, hashed)
|
||||||
|
|
||||||
|
def needs_rehash(hashed: str) -> bool:
|
||||||
|
return pwd_context.needs_update(hashed)
|
||||||
@@ -1,16 +1,19 @@
|
|||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
from backend import create_app, db
|
from backend import create_app, db
|
||||||
from backend.models import User
|
from backend.models import User
|
||||||
from werkzeug.security import generate_password_hash
|
from backend.security import hash_password
|
||||||
|
|
||||||
app = create_app()
|
app = create_app()
|
||||||
|
|
||||||
with app.app_context():
|
with app.app_context():
|
||||||
username = input("Nom d'utilisateur : ")
|
username = input("Nom d'utilisateur : ")
|
||||||
password = input("Mot de passe : ")
|
password = input("Mot de passe : ")
|
||||||
|
|
||||||
if User.query.filter_by(username=username).first():
|
if User.query.filter_by(username=username).first():
|
||||||
print(f"Utilisateur '{username}' existe déjà !")
|
print(f"Utilisateur '{username}' existe déjà !")
|
||||||
else:
|
else:
|
||||||
user = User(username=username, password=generate_password_hash(password))
|
hashed_pw = hash_password(password) # utilisation de passlib
|
||||||
|
user = User(username=username, password=hashed_pw)
|
||||||
db.session.add(user)
|
db.session.add(user)
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
print(f"Utilisateur '{username}' créé avec succès !")
|
print(f"Utilisateur '{username}' créé avec succès !")
|
||||||
|
|||||||
@@ -3,3 +3,6 @@ Flask-Login
|
|||||||
Flask-SQLAlchemy
|
Flask-SQLAlchemy
|
||||||
requests
|
requests
|
||||||
feedparser
|
feedparser
|
||||||
|
Flask-Limiter
|
||||||
|
passlib[argon2]
|
||||||
|
argon2-cffi
|
||||||
Reference in New Issue
Block a user