From 932f24c966b3308ceae2df0797868b68d96d44a7 Mon Sep 17 00:00:00 2001
From: Noxcis
Date: Tue, 5 Dec 2023 04:44:01 -0800
Subject: [PATCH 1/2] Update dashboard.py

---
 src/dashboard.py | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/src/dashboard.py b/src/dashboard.py
index 072410a..87b6ec9 100644
--- a/src/dashboard.py
+++ b/src/dashboard.py
@@ -5,7 +5,7 @@ Under Apache-2.0 License
 import sqlite3
 import configparser
-import hashlib
+import bcrypt
 import ipaddress
 import json
 # Python Built-in Library
@@ -705,16 +705,20 @@ def auth():
     """
     data = request.get_json()
     config = get_dashboard_conf()
-    password = hashlib.sha256(data['password'].encode())
-    if password.hexdigest() == config["Account"]["password"] \
-            and data['username'] == config["Account"]["username"]:
+    saved_password_hash = config["Account"]["password"]
+
+    # Verify the password using bcrypt
+    if bcrypt.checkpw(data['password'].encode(), saved_password_hash.encode()):
         session['username'] = data['username']
         config.clear()
         return jsonify({"status": True, "msg": ""})
+
     config.clear()
     return jsonify({"status": False, "msg": "Username or Password is incorrect."})
 
 
+
+
 """
 Index Page
 """
@@ -857,6 +861,7 @@ def update_peer_default_config():
     return redirect(url_for("settings"))
 
 
+
 # Update dashboard password
 @app.route('/update_pwd', methods=['POST'])
 def update_pwd():
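Review bot: The rewritten condition in auth() drops the username comparison that the removed lines performed — `bcrypt.checkpw(...)` is now the only check, so any username paired with the correct password is accepted and `session['username']` is then set from the client-supplied value rather than the configured account. Restore it on the `if`: `if data['username'] == config["Account"]["username"] and bcrypt.checkpw(data['password'].encode(), saved_password_hash.encode()):`. Separately, `bcrypt.checkpw` raises ValueError when the stored value is not a bcrypt hash, which is exactly the state of an existing config still carrying the old SHA-256 hex digest, so after an upgrade this route answers with a 500 instead of the failure JSON; the `checkpw` call in the update_pwd hunk has the same problem. Catching ValueError around the call and treating it as a failed login, or migrating the stored value in init_dashboard, would cover that. auth()'s signature and docstring begin before this hunk.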
@@ -866,10 +871,19 @@ def update_pwd():
     """
 
     config = get_dashboard_conf()
-    if hashlib.sha256(request.form['currentpass'].encode()).hexdigest() == config.get("Account", "password"):
-        if hashlib.sha256(request.form['newpass'].encode()).hexdigest() == hashlib.sha256(
-                request.form['repnewpass'].encode()).hexdigest():
-            config.set("Account", "password", hashlib.sha256(request.form['repnewpass'].encode()).hexdigest())
+    saved_password_hash = config.get("Account", "password")
+    current_password = request.form['currentpass']
+    new_password = request.form['newpass']
+    rep_new_password = request.form['repnewpass']
+
+    # Verify the current password using bcrypt
+    if bcrypt.checkpw(current_password.encode(), saved_password_hash.encode()):
+        # Check if the new passwords match
+        if new_password == rep_new_password:
+            # Hash the new password and update the config
+            new_password_hash = bcrypt.hashpw(new_password.encode(), bcrypt.gensalt())
+            config.set("Account", "password", new_password_hash.decode())
+
             try:
                 set_dashboard_conf(config)
                 session['message'] = "Password update successfully!"
@@ -893,6 +907,7 @@ def update_pwd():
     return redirect(url_for("settings"))
 
 
+
 @app.route('/update_app_ip_port', methods=['POST'])
 def update_app_ip_port():
     """
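Review bot: The inner check `if new_password == rep_new_password:` accepts an empty new password — two empty form fields compare equal and the stored hash is then replaced with a hash of the empty string; the guard should be `if new_password and new_password == rep_new_password:` (or a minimum length the project chooses). It would also help the next maintainer to note on the `hashpw` line that bcrypt only considers the first 72 bytes of its input, e.g. `# bcrypt ignores input beyond 72 bytes`. The `else` branches of update_pwd that report a mismatch lie outside this hunk.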
@@ -1610,7 +1625,15 @@ def init_dashboard():
     if "username" not in config['Account']:
         config['Account']['username'] = 'admin'
     if "password" not in config['Account']:
-        config['Account']['password'] = '8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918'
+        wg_dash_pass = "admin"
+        #wg_dash_pass = os.environ.get('WG_DASH_PASS')
+        # Hash the password using bcrypt
+        salt = bcrypt.gensalt(rounds=12)
+        hashed_password_bytes = bcrypt.hashpw(wg_dash_pass.encode('utf-8'), salt)
+        # Convert the hashed password bytes to a string and remove the leading 'b'
+        hashed_password_str = hashed_password_bytes.decode('utf-8').lstrip('b')
+        hashpassword_output = f"{hashed_password_str}"
+        config['Account']['password'] = hashpassword_output
     # Default dashboard server setting
     if "Server" not in config:
         config['Server'] = {}

From a4151800f183ef2483e7113035e158a3fa50b5c0 Mon Sep 17 00:00:00 2001
From: Noxcis
Date: Tue, 5 Dec 2023 04:47:40 -0800
Subject: [PATCH 2/2] Update requirements.txt

---
 src/requirements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/requirements.txt b/src/requirements.txt
index 5d3b347..19422f9 100644
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,6 +1,7 @@
 Flask
 ifcfg
 icmplib
+bcrypt
 flask-qrcode
 gunicorn
-certbot
\ No newline at end of file
+certbot
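Review bot: The `.lstrip('b')` on the `hashed_password_str` line does nothing useful and the comment above it is misleading: `decode('utf-8')` already yields a plain str (the `b` is only repr notation), and the call is harmless today only because bcrypt output begins with `$`, so there is never a leading `b` to strip. The `hashpassword_output = f"{hashed_password_str}"` line is likewise a redundant copy; the whole block reduces to `config['Account']['password'] = bcrypt.hashpw(wg_dash_pass.encode('utf-8'), bcrypt.gensalt(rounds=12)).decode('utf-8')`. The commented-out `os.environ.get('WG_DASH_PASS')` line is dead code as committed — if an environment override is intended it has to be live, e.g. `wg_dash_pass = os.environ.get('WG_DASH_PASS', 'admin')` (whether `os` is imported is not visible in this hunk). The explicit `rounds=12` here and the bare `gensalt()` in update_pwd should share one constant so the two code paths do not drift.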