mirror of
https://github.com/Tautulli/Tautulli.git
synced 2025-07-16 02:02:58 -07:00
Always hash http password
parent
dff9a56950
commit
b0a395ad0b
6 changed files with 21 additions and 78 deletions
|
@ -660,20 +660,10 @@
|
|||
<div class="col-md-4">
|
||||
<input type="password" class="form-control auth-settings" id="http_password" name="http_password" value="${config['http_password']}" size="30" autocomplete="new-password">
|
||||
</div>
|
||||
<div id="http_hash_password_error" class="alert alert-danger settings-alert" role="alert"></div>
|
||||
</div>
|
||||
<p class="help-block">Password for web server authentication. Leave empty to disable.</p>
|
||||
</div>
|
||||
|
||||
<div class="checkbox advanced-setting">
|
||||
<label>
|
||||
<input type="checkbox" name="http_hash_password" id="http_hash_password" value="1" ${config['http_hash_password']} data-parsley-trigger="change"> Hash Password in the Config File
|
||||
</label>
|
||||
<span id="hashPasswordCheck" class="settings-warning"></span>
|
||||
<p class="help-block">Store a hashed password in the config file.<br />Warning: Your password cannot be recovered if forgotten!</p>
|
||||
</div>
|
||||
<input type="text" id="http_hashed_password" name="http_hashed_password" value="${config['http_hashed_password']}" style="display: none;" data-parsley-trigger="change" data-parsley-type="integer" data-parsley-range="[0, 1]"
|
||||
data-parsley-errors-container="#http_hash_password_error" data-parsley-error-message="Cannot un-hash password, please set a new password." data-parsley-no-focus required>
|
||||
<div class="checkbox advanced-setting">
|
||||
<label>
|
||||
<input type="checkbox" class="auth-settings" name="http_basic_auth" id="http_basic_auth" value="1" ${config['http_basic_auth']} data-parsley-trigger="change"> Use Basic Authentication
|
||||
|
@ -2316,7 +2306,6 @@ $(document).ready(function() {
|
|||
if (authChanged || httpChanged || directoryChanged) {
|
||||
$('#restart-modal').modal('show');
|
||||
}
|
||||
$("#http_hashed_password").val($("#http_hash_password").is(":checked") ? 1 : 0);
|
||||
getConfigurationTable();
|
||||
getSchedulerTable();
|
||||
getNotifiersTable();
|
||||
|
@ -2921,32 +2910,6 @@ $(document).ready(function() {
|
|||
allowGuestAccessCheck();
|
||||
});
|
||||
|
||||
function hashPasswordCheck () {
|
||||
if ($("#http_basic_auth").is(":checked")) {
|
||||
$("#http_hash_password").attr("checked", false).attr("disabled", true);
|
||||
$("#hashPasswordCheck").html("Password cannot be hashed with basic authentication.");
|
||||
} else {
|
||||
$("#http_hash_password").attr("disabled", false);
|
||||
$("#hashPasswordCheck").html("");
|
||||
}
|
||||
if (!($("#http_hash_password").is(":checked")) && $("#http_hashed_password").val() == "1" && $("#http_password").val() == " ") {
|
||||
$("#http_hashed_password").val(-1);
|
||||
} else if ($("#http_hash_password").is(":checked") && $("#http_hashed_password").val() == "-1" && $("#http_password").val() == " ") {
|
||||
$("#http_hashed_password").val(1);
|
||||
$("#http_hash_password_error").html("");
|
||||
}
|
||||
}
|
||||
hashPasswordCheck();
|
||||
|
||||
$('#http_password, #http_hash_password, #http_basic_auth').change(function () {
|
||||
hashPasswordCheck();
|
||||
});
|
||||
|
||||
$('#http_password').change(function () {
|
||||
$("#http_hashed_password").val($("#http_hash_password").is(":checked") ? 1 : 0);
|
||||
$("#http_hash_password_error").html("");
|
||||
});
|
||||
|
||||
// Load PMS downloads
|
||||
function loadUpdateDistros() {
|
||||
var update_params_ajax = $.getJSON('get_server_update_params', function (data) { return data; });
|
||||
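Review bot: With `hashPasswordCheck()` removed, nothing in this template enforces the old rule that a hashed password and `http_basic_auth` are mutually exclusive, yet the "Use Basic Authentication" checkbox stays in the form. The removed script displayed "Password cannot be hashed with basic authentication.", and the basic-auth verifier is not visible on this page, so confirm that it checks the submitted password with `check_hash` rather than comparing plaintext. The remaining help text for `http_password` also no longer tells the user that the stored value is a hash. I would extend it to `Password for web server authentication. Leave empty to disable. The password is stored hashed and cannot be recovered if forgotten.`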
|
|
|
@ -89,7 +89,6 @@
|
|||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<input type="hidden" class="form-control" name="http_hash_password" id="http_hash_password" value="1">
|
||||
<input type="hidden" class="form-control" name="http_plex_admin" id="http_plex_admin" value="1">
|
||||
<input type="hidden" id="authentication_valid" data-validate="validateAuthentication" value="">
|
||||
<span style="display: none;" id="authentication-status"></span>
|
||||
|
|
|
@ -647,13 +647,7 @@ General optional parameters:
|
|||
data = None
|
||||
apikey = hashlib.sha224(str(random.getrandbits(256)).encode('utf-8')).hexdigest()[0:32]
|
||||
if plexpy.CONFIG.HTTP_USERNAME and plexpy.CONFIG.HTTP_PASSWORD:
|
||||
authenticated = False
|
||||
if plexpy.CONFIG.HTTP_HASHED_PASSWORD and \
|
||||
username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD):
|
||||
authenticated = True
|
||||
elif not plexpy.CONFIG.HTTP_HASHED_PASSWORD and \
|
||||
username == plexpy.CONFIG.HTTP_USERNAME and password == plexpy.CONFIG.HTTP_PASSWORD:
|
||||
authenticated = True
|
||||
authenticated = username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD)
|
||||
|
||||
if authenticated:
|
||||
if plexpy.CONFIG.API_KEY:
|
||||
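Review bot: The new check `authenticated = username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD)` no longer consults `HTTP_HASHED_PASSWORD`, so it is only correct if the stored value is always a hash; the `check_credentials` hunk further down makes the same assumption. A config file whose password was hand-edited back to plaintext after the version-20 migration would reach `check_hash` with a non-hash argument, and whether `check_hash` then returns False or raises is not visible here. I would state the invariant at both call sites, e.g. `# HTTP_PASSWORD is always stored hashed since config version 20; a plaintext value must never match`, and confirm that `check_hash` fails closed on malformed input. Separately, the unchanged `apikey` line in this hunk derives the key from `random.getrandbits`, which is not a cryptographic generator; `os.urandom` would be the safer source if this line is touched again.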
|
|
|
@ -24,6 +24,7 @@ import time
|
|||
import threading
|
||||
|
||||
from configobj import ConfigObj, ParseError
|
||||
from hashing_passwords import make_hash
|
||||
|
||||
import plexpy
|
||||
if plexpy.PYTHON2:
|
||||
|
@ -124,8 +125,8 @@ _CONFIG_DEFINITIONS = {
|
|||
'HTTPS_IP': (str, 'General', '127.0.0.1'),
|
||||
'HTTP_BASIC_AUTH': (int, 'General', 0),
|
||||
'HTTP_ENVIRONMENT': (str, 'General', 'production'),
|
||||
'HTTP_HASH_PASSWORD': (int, 'General', 0),
|
||||
'HTTP_HASHED_PASSWORD': (int, 'General', 0),
|
||||
'HTTP_HASH_PASSWORD': (int, 'General', 1),
|
||||
'HTTP_HASHED_PASSWORD': (int, 'General', 1),
|
||||
'HTTP_HOST': (str, 'General', '0.0.0.0'),
|
||||
'HTTP_PASSWORD': (str, 'General', ''),
|
||||
'HTTP_PORT': (int, 'General', 8181),
|
||||
|
@ -569,3 +570,13 @@ class Config(object):
|
|||
int(self.CHECK_GITHUB_INTERVAL // 60)
|
||||
+ (self.CHECK_GITHUB_INTERVAL % 60 > 0)
|
||||
)
|
||||
|
||||
self.CONFIG_VERSION = 19
|
||||
|
||||
if self.CONFIG_VERSION == 19:
|
||||
if not self.HTTP_HASHED_PASSWORD:
|
||||
self.HTTP_PASSWORD = make_hash(self.HTTP_PASSWORD)
|
||||
self.HTTP_HASH_PASSWORD = 1
|
||||
self.HTTP_HASHED_PASSWORD = 1
|
||||
|
||||
self.CONFIG_VERSION = 20
|
||||
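Review bot: The version-19 migration hashes `HTTP_PASSWORD` whenever `HTTP_HASHED_PASSWORD` is unset, which includes the empty string that the settings page documents as "Leave empty to disable". Assuming `make_hash('')` returns a non-empty string, the stored value becomes truthy, and guards such as `if plexpy.CONFIG.HTTP_PASSWORD:` in `check_credentials` would then treat authentication as configured on installs that never set a password. Hash only a non-empty value: `if self.HTTP_PASSWORD and not self.HTTP_HASHED_PASSWORD:`. The enclosing method starts outside the hunk.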
|
|
|
@ -132,12 +132,7 @@ def check_credentials(username=None, password=None, token=None, admin_login='0',
|
|||
if username and password:
|
||||
if plexpy.CONFIG.HTTP_PASSWORD:
|
||||
user_details = {'user_id': None, 'username': username}
|
||||
|
||||
if plexpy.CONFIG.HTTP_HASHED_PASSWORD and \
|
||||
username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD):
|
||||
return True, user_details, 'admin'
|
||||
elif not plexpy.CONFIG.HTTP_HASHED_PASSWORD and \
|
||||
username == plexpy.CONFIG.HTTP_USERNAME and password == plexpy.CONFIG.HTTP_PASSWORD:
|
||||
if username == plexpy.CONFIG.HTTP_USERNAME and check_hash(password, plexpy.CONFIG.HTTP_PASSWORD):
|
||||
return True, user_details, 'admin'
|
||||
|
||||
if plexpy.CONFIG.HTTP_PLEX_ADMIN or (not admin_login == '1' and plexpy.CONFIG.ALLOW_GUEST_ACCESS):
|
||||
|
|
|
@ -3133,8 +3133,6 @@ class WebInterface(object):
|
|||
"allow_guest_access": checked(plexpy.CONFIG.ALLOW_GUEST_ACCESS),
|
||||
"history_table_activity": checked(plexpy.CONFIG.HISTORY_TABLE_ACTIVITY),
|
||||
"http_basic_auth": checked(plexpy.CONFIG.HTTP_BASIC_AUTH),
|
||||
"http_hash_password": checked(plexpy.CONFIG.HTTP_HASH_PASSWORD),
|
||||
"http_hashed_password": plexpy.CONFIG.HTTP_HASHED_PASSWORD,
|
||||
"http_host": plexpy.CONFIG.HTTP_HOST,
|
||||
"http_username": plexpy.CONFIG.HTTP_USERNAME,
|
||||
"http_port": plexpy.CONFIG.HTTP_PORT,
|
||||
|
@ -3271,7 +3269,7 @@ class WebInterface(object):
|
|||
"notify_group_recently_added_grandparent", "notify_group_recently_added_parent",
|
||||
"notify_new_device_initial_only",
|
||||
"notify_server_update_repeat", "notify_plexpy_update_repeat",
|
||||
"monitor_pms_updates", "get_file_sizes", "log_blacklist", "http_hash_password",
|
||||
"monitor_pms_updates", "get_file_sizes", "log_blacklist",
|
||||
"allow_guest_access", "cache_images", "http_proxy", "http_basic_auth", "notify_concurrent_by_ip",
|
||||
"history_table_activity", "plexpy_auto_update",
|
||||
"themoviedb_lookup", "tvmaze_lookup", "musicbrainz_lookup", "http_plex_admin",
|
||||
|
@ -3285,30 +3283,13 @@ class WebInterface(object):
|
|||
kwargs[checked_config] = 1
|
||||
|
||||
# If http password exists in config, do not overwrite when blank value received
|
||||
if kwargs.get('http_password'):
|
||||
if kwargs['http_password'] == ' ' and plexpy.CONFIG.HTTP_PASSWORD != '':
|
||||
if kwargs.get('http_hash_password') and not plexpy.CONFIG.HTTP_HASHED_PASSWORD:
|
||||
kwargs['http_password'] = make_hash(plexpy.CONFIG.HTTP_PASSWORD)
|
||||
kwargs['http_hashed_password'] = 1
|
||||
if kwargs.get('http_password') != ' ':
|
||||
kwargs['http_password'] = make_hash(kwargs['http_password'])
|
||||
# Flag to refresh JWT uuid to log out clients
|
||||
kwargs['jwt_update_secret'] = True and not first_run
|
||||
else:
|
||||
kwargs['http_password'] = plexpy.CONFIG.HTTP_PASSWORD
|
||||
|
||||
elif kwargs['http_password'] and kwargs.get('http_hash_password'):
|
||||
kwargs['http_password'] = make_hash(kwargs['http_password'])
|
||||
kwargs['http_hashed_password'] = 1
|
||||
|
||||
# Flag to refresh JWT uuid to log out clients
|
||||
kwargs['jwt_update_secret'] = True and not first_run
|
||||
|
||||
elif not kwargs.get('http_hash_password'):
|
||||
kwargs['http_hashed_password'] = 0
|
||||
|
||||
# Flag to refresh JWT uuid to log out clients
|
||||
kwargs['jwt_update_secret'] = True and not first_run
|
||||
|
||||
else:
|
||||
kwargs['http_hashed_password'] = 0
|
||||
|
||||
for plain_config, use_config in [(x[4:], x) for x in kwargs if x.startswith('use_')]:
|
||||
# the use prefix is fairly nice in the html, but does not match the actual config
|
||||
kwargs[plain_config] = kwargs[use_config]
|
||||
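Review bot: The save path treats a submitted `http_password` of exactly `' '` as "keep the stored hash", but the comment above it says only "blank value" and does not explain where the single space comes from. Presumably it is the placeholder rendered into the settings form when a password already exists (that code is outside the hunk); I would say so in the comment, e.g. `# The settings form submits ' ' as a placeholder when a password is already set: keep the stored hash; any other value is a new password and is hashed`. Two consequences are worth recording there. A password consisting of a single space can never be set. And the form must never be rendered with the stored hash in `value="${config['http_password']}"`, because an unchanged save would then hash the hash and lock the admin out.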
|
|