forked from Ailur/burgernotes-server
Merge branch 'main' of hectabit.org:HectaBit/PageBurger
This commit is contained in:
commit
a40c25719d
28
APIDOCS.md
|
@ -7,18 +7,34 @@ Headers should be: "Content-type: application/json; charset=UTF-8" for all POSTs
|
||||||
|
|
||||||
POST - /api/signup - provide "username" and "password".
|
POST - /api/signup - provide "username" and "password".
|
||||||
|
|
||||||
POST - /api/login - provide "username" and "password".
|
POST - /api/login - provide "username", "password", "changepassword" (must be "yes" or "no") and "newpass"
|
||||||
|
|
||||||
To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the argon2 algorithm.
|
To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the SHA-3 with 128 iterations (the hash is hashed again 128 times).
|
||||||
|
|
||||||
|
If you wish to change the user's password, set "changepassword" to "yes" and "newpass" to the new hash.
|
||||||
|
|
||||||
|
|
||||||
|
Some users use the legacy argon2id mode (by which i mean about 8, so only implement if you feel like it), and to implement argon2id functionality, you hash like this:
|
||||||
|
|
||||||
Parallelism should be 1
|
Parallelism should be 1
|
||||||
|
|
||||||
Iterations should be 256
|
Iterations should be 256
|
||||||
|
|
||||||
Memory Allocated in bytes should be 512
|
Memory Allocated in bytes should be 512
|
||||||
|
|
||||||
Length of Hash should be 32 bytes
|
Length of Hash should be 32 bytes
|
||||||
|
|
||||||
The output should be in the encoded format, not the hashed format
|
The output should be in the encoded format, not the hashed format
|
||||||
|
|
||||||
|
Salt should be the SHA512 of the password
|
||||||
|
|
||||||
|
|
||||||
|
(Yes i know this is really bad practice, guess why we are replacing it)
|
||||||
|
|
||||||
|
To test if SHA-3 or argon2 is used, just try the SHA-3 and if 422 gets returned try argon2.
|
||||||
|
|
||||||
|
(For the sake of all of us, change the password to the SHA-3 hash)
|
||||||
|
|
||||||
The salt should be the SHA-512 of the password.
|
|
||||||
|
|
||||||
Password should be at least 8 characters, username must be under 20 characters and alphanumeric.
|
Password should be at least 8 characters, username must be under 20 characters and alphanumeric.
|
||||||
|
|
||||||
|
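Review bot: the replacement of argon2 by "SHA-3 with 128 iterations" at the line "To prevent the server from knowing the encryption key ..." removes both the salt and the work factor the old scheme had: 128 rounds of an unsalted SHA-3 is a fast, deterministic function, so equal passwords yield equal values and offline guessing against a leaked or captured value is cheap; either document a salt (the username at minimum) and a memory-hard KDF, or state plainly that this value is only a login token and not key material. The legacy argon2id block still documents 512 bytes of memory and "Salt should be the SHA512 of the password", which the text itself calls bad practice; say explicitly that the legacy path is deprecated and that clients must migrate by sending "changepassword": "yes", rather than leaving it as "only implement if you feel like it". The "try SHA-3 and if 422 gets returned try argon2" probing also conflates "wrong mode" with "wrong password" unless 422 is reserved for the former, so state which status a plain bad password returns. Finally, the new "changepassword"/"newpass" parameters on /api/login do not say what happens to notes already encrypted under the old password (the Encryption section below derives the key from the password), so add a sentence on whether the client has to re-encrypt and re-upload them before changing the password.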
@ -28,13 +44,13 @@ Assuming everything went correctly, the server will return a secret key.
|
||||||
|
|
||||||
You'll need to store two things in local storage:
|
You'll need to store two things in local storage:
|
||||||
- The secret key you just got, used to fetch notes, save stuff etc.
|
- The secret key you just got, used to fetch notes, save stuff etc.
|
||||||
- SHA512 hashed password, used as encryption key
|
- A SHA512 hashed password, used as encryption key
|
||||||
|
|
||||||
## Encryption
|
## Encryption
|
||||||
|
|
||||||
Note content and title is encrypted using AES 256-bit.
|
Note content and title is encrypted using AES 256-bit.
|
||||||
|
|
||||||
Encryption password is the SHA512 hashed password we talked about earlier.
|
Encryption password is the SHA512 hashed password we talked about earlier.
|
||||||
|
|
||||||
## Basic stuff
|
## Basic stuff
|
||||||
|
|
||||||
|
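Review bot: "A SHA512 hashed password, used as encryption key", read together with the legacy argon2id instructions in the previous hunk ("Salt should be the SHA512 of the password" and "The output should be in the encoded format"), means a legacy login request carries the note encryption key to the server in clear, because the encoded argon2 string embeds its salt; this section should say that legacy-mode users' notes must be treated as readable by the server until they change password, which directly contradicts the stated goal of the server not knowing the key. Separately, "AES 256-bit" does not name a mode or say where the IV/nonce comes from, so an implementer following this doc cannot produce ciphertext that interoperates with the reference client; add the mode, the nonce length and whether the nonce is stored with each note.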
@ -64,4 +80,4 @@ note content and title will have to be decrypted
|
||||||
|
|
||||||
POST - /api/sessions/list - show all sessions, provide "secretKey"
|
POST - /api/sessions/list - show all sessions, provide "secretKey"
|
||||||
|
|
||||||
POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"
|
POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"
|
||||||
|
|
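Review bot: with "changepassword" now accepted on /api/login, the /api/sessions/list and /api/sessions/remove lines here should state whether a password change revokes other sessions or whether the client is expected to call /api/sessions/remove for each "sessionId" itself; as written, the doc is silent on it. Also, this hunk shows no visible textual change to either line, which usually indicates a whitespace-only edit; worth confirming so the diff does not carry noise.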
11
main
|
@ -201,17 +201,18 @@ async def apilogin():
|
||||||
conn.commit()
|
conn.commit()
|
||||||
conn.close()
|
conn.close()
|
||||||
|
|
||||||
return {
|
if passwordchange == "yes":
|
||||||
"key": randomCharacters,
|
|
||||||
}, 200
|
|
||||||
|
|
||||||
if str(passwordchange) == "yes":
|
|
||||||
hashedpassword = generate_password_hash(newpass)
|
hashedpassword = generate_password_hash(newpass)
|
||||||
conn = get_db_connection()
|
conn = get_db_connection()
|
||||||
conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
|
conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
|
||||||
conn.commit()
|
conn.commit()
|
||||||
conn.close()
|
conn.close()
|
||||||
|
|
||||||
|
return {
|
||||||
|
"key": randomCharacters,
|
||||||
|
}, 200
|
||||||
|
|
||||||
|
|
||||||
@app.route("/api/userinfo", methods=("GET", "POST"))
|
@app.route("/api/userinfo", methods=("GET", "POST"))
|
||||||
async def apiuserinfo():
|
async def apiuserinfo():
|
||||||
if request.method == "POST":
|
if request.method == "POST":
|
||||||
|
|
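Review bot: moving the `if passwordchange == "yes":` block above `return { "key": randomCharacters, }, 200` is the right fix, since in the old version everything after the return was unreachable and "changepassword" silently did nothing; but the new block still passes `newpass` straight into `generate_password_hash` with no check that it is present and well-formed, and it never touches the sessions table, so every session other than the one just issued stays valid after the password is changed. Suggest validating `newpass` before the `UPDATE users SET password = ?`, and deciding explicitly whether a password change should revoke existing sessions. Minor: the block opens a second `get_db_connection()` right after the preceding `conn.close()`; the UPDATE could run on the first connection before its commit.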