- Apr 09, 2021
-
Marco De Donno authored
-
Marco De Donno authored
This will allow the user to call the correct redis database based upon a string name in a dict, and not a variable per se. The definition of the databases is easier this way, and the call of the correct database is clearer in code.
-
Marco De Donno authored
This will renew the save of the TOTP server side for the username/IP tuple.
-
Marco De Donno authored
This will not change the behavior of the verify() function but is easier to read.
-
Marco De Donno authored
This commit will add a time-wasting function if the username is not present in the database. This is done to prevent data extraction, in this case the presence or not of a username, based upon the execution time of the login process. In the configuration file, the 'fake_hash' variable is computed with the input data "fake_data" and the salt "fake_salt" to be transparent about the data used as input for the hashing function. The comparison with the 'verify()' function is a boolean (always True in this case), and is not used in any useful way in the login process. This waste of time is done even if the risk factor is very small (not to say nonexistent). The location of this function call is designed to be only present if the username provided as input does not exist in the database. This is done to not impact real users.
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
This will trigger a rate limitation when the username does not exist or if the password is not the correct one. The time to wait is exponential (base 2) after the first 5 attempts.
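The two login changes above (the fake hash for unknown usernames and the base-2 rate limit per username/IP tuple) can be combined into one login routine; this is an added illustration, not the project's own code, and it assumes PBKDF2-HMAC-SHA256 in place of the project's real hash, in-memory dicts in place of the redis databases, and a delay of 2**(failures - 5) seconds from the sixth failure onward.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stand-ins for the project's redis databases.
USERS = {}          # username -> (salt, password hash)
FAILED = {}         # (username, ip) -> consecutive failed attempts
ITERATIONS = 100_000
FREE_ATTEMPTS = 5   # failures allowed before the exponential delay starts

def make_hash(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the project's hash function.
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def verify(password: bytes, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the freshly computed hash with the stored one.
    return hmac.compare_digest(make_hash(password, salt), expected)

# Configuration-level constant built from public inputs, as the commit describes.
FAKE_SALT = b"fake_salt"
FAKE_HASH = make_hash(b"fake_data", FAKE_SALT)

def register(username: str, password: bytes) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, make_hash(password, salt))

def backoff_seconds(failures: int) -> int:
    """Base-2 exponential delay once the free attempts are used up (assumed formula)."""
    if failures <= FREE_ATTEMPTS:
        return 0
    return 2 ** (failures - FREE_ATTEMPTS)

def login(username: str, password: bytes, ip: str, sleep=time.sleep) -> bool:
    key = (username, ip)
    record = USERS.get(username)
    if record is None:
        # Unknown user: spend the same hashing cost so the response time does
        # not reveal whether the username exists. The result is always True
        # and is deliberately ignored.
        verify(b"fake_data", FAKE_SALT, FAKE_HASH)
        ok = False
    else:
        salt, expected = record
        ok = verify(password, salt, expected)
    if ok:
        FAILED.pop(key, None)
        return True
    FAILED[key] = FAILED.get(key, 0) + 1
    sleep(backoff_seconds(FAILED[key]))
    return False
```

The `sleep` parameter exists only so the delay can be observed without actually waiting; a real deployment keeps the default.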
-
- Apr 07, 2021
-
Marco De Donno authored
-
Marco De Donno authored
-
- Apr 03, 2021
-
Marco De Donno authored
-
Marco De Donno authored
This is done by splitting the original function into an inner function that manages the creation of the image in a PIL format. This inner function is decorated with the redis cache function. Because of a bug in the PIL library, we cannot unpickle a TIFF image. The workaround is to use the following code:

    if isinstance(img, TiffImageFile):
        if not hasattr(img, "use_load_libtiff"):
            img.use_load_libtiff = True

Source: https://github.com/python-pillow/Pillow/pull/4565/files
This being patched in the current versions of PIL, we should not need this monkey-patch for new versions of Python.
-
Marco De Donno authored
-
Marco De Donno authored
-
- Apr 01, 2021
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
Since the variable is global anyway, we don't need to pass it as parameter.
-
Marco De Donno authored
The fetch of the data doesn't need to be done in an ajax query once the page is loaded. This will directly populate the "secret" javascript variable and the 'input' field.
-
Marco De Donno authored
-
Marco De Donno authored
The remaining time and the current TOTP are not useful in the current workflow.
-
Marco De Donno authored
This is the same order as for the other pages (help on the left, next on the right).
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
This will only use one div for the errors and OK messages. The notification for the user is done via a function call instead of editing the corresponding divs.
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
This will not display a message to the user if the TOTP is correctly set, but will redirect him to the next step automatically.
-
Marco De Donno authored
-
Marco De Donno authored
-
- Mar 31, 2021
-
Marco De Donno authored
The user is now obliged to provide the TOTP value to continue. If not provided, the user can still re-open the current page to get help or retry the configuration process. This should remove misconfigured accounts caused by not reading the configuration dialog (the user has to provide the TOTP at least once to be able to finish the configuration; if the TOTP value is set in the database, the configuration has been done at least once).
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored
-
Marco De Donno authored