Merge branch 'main' of hectabit.org:HectaBit/PageBurger

This commit is contained in:
maaa 2024-02-25 20:40:20 +01:00
commit a40c25719d
2 changed files with 28 additions and 11 deletions

View File

@ -7,18 +7,34 @@ Headers should be: "Content-type: application/json; charset=UTF-8" for all POSTs
POST - /api/signup - provide "username" and "password".
POST - /api/login - provide "username" and "password".
POST - /api/login - provide "username", "password", "changepassword" (must be "yes" or "no") and "newpass"
To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the argon2 algorithm.
To prevent the server from knowing the encryption key, the password you provide in the request must be hashed with the SHA-3 with 128 iterations (the hash is hashed again 128 times).
If you wish to change the user's password, set "changepassword" to "yes" and "newpass" to the new hash.
Some users use the legacy argon2id mode (by which i mean about 8, so only implement if you feel like it), and to implement argon2id functionality, you hash like this:
Parallelism should be 1
Iterations should be 256
Memory Allocated in bytes should be 512
Length of Hash should be 32 bytes
The output should be in the encoded format, not the hashed format
Salt should be the SHA512 of the password
(Yes i know this is really bad practice, guess why we are replacing it)
To test if SHA-3 or argon2 is used, just try the SHA-3 and if 422 gets returned try argon2.
(For the sake of all of us, change the password to the SHA-3 hash)
The salt should be the SHA-512 of the password.
Password should be at least 8 characters, username must be under 20 characters and alphanumeric.
@ -28,13 +44,13 @@ Assuming everything went correctly, the server will return a secret key.
You'll need to store two things in local storage:
- The secret key you just got, used to fetch notes, save stuff etc.
- SHA512 hashed password, used as encryption key
- A SHA512 hashed password, used as encryption key
## Encryption
Note content and title is encrypted using AES 256-bit.
Encryption password is the SHA512 hashed password we talked about earlier.
Encryption password is the SHA512 hashed password we talked about earlier.
## Basic stuff
@ -64,4 +80,4 @@ note content and title will have to be decrypted
POST - /api/sessions/list - show all sessions, provide "secretKey"
POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"
POST - /api/sessions/remove - remove session, provide "secretKey" and "sessionId"

11
main
View File

@ -201,17 +201,18 @@ async def apilogin():
conn.commit()
conn.close()
return {
"key": randomCharacters,
}, 200
if str(passwordchange) == "yes":
if passwordchange == "yes":
hashedpassword = generate_password_hash(newpass)
conn = get_db_connection()
conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
conn.commit()
conn.close()
return {
"key": randomCharacters,
}, 200
@app.route("/api/userinfo", methods=("GET", "POST"))
async def apiuserinfo():
if request.method == "POST":