Add authentication for pre-existing users.

app/db/__init__.py

@@ -47,6 +47,29 @@ class Db(object):
             return None
         return services[0]
 
+    def get_salt_for_user(self, user):
+        salt = self._perform_query_param('select salt from users where name = ?', [user])
+        if len(salt) == 0:
+            return None
+        return salt[0]['salt']
+
+    def check_password_for_user(self, user, password):
+        user = self._perform_query_param('select * from users where name = ? and password = ?', [user, password])
+        if len(user) == 0:
+            return False
+        return True
+
+    def _perform_query_param(self, query, data):
+        cursor = self.db.execute(query, data)
+        names = list(map(lambda x: x[0], cursor.description))
+        result = []
+        for row in cursor.fetchall():
+            row_result = {}
+            for index in range(0, len(names)):
+                row_result[names[index]] = row[index]
+            result.append(row_result)
+        return result
+    
     def _perform_query(self, query):
         cursor = self.db.execute(query)
         names = list(map(lambda x: x[0], cursor.description))

app/main.py

@@ -1,11 +1,15 @@
 from datetime import datetime
 from flask import Flask
-from flask import render_template
+from flask import render_template, make_response
 from flask import request, redirect, g
 from flask import url_for
+from flask import Response
+import hashlib
 import os.path
 import time
 
+from functools import wraps
+
 import db
 
 #from db import Db
@@ -13,10 +17,34 @@ app = Flask(__name__)
 DATABASE = '/data/rollerverbrauch.db'
 DEBUG = True
 SECRET_KEY = 'development key'
-USERNAME = 'admin'
-PASSWORD = 'default'
 app.config.from_object(__name__)
 
+def check_auth(username, password):
+    salt = g.db2.get_salt_for_user(username)
+    if salt == None:
+        return False
+    m = hashlib.sha256(password.encode('utf-8'))
+    m = hashlib.sha256((m.hexdigest()+salt).encode('utf-8'))
+    digest = m.hexdigest()
+    ok = g.db2.check_password_for_user(username, digest)
+    if not ok:
+        app.logger.error("digest: " + digest)
+    return ok
+
+def authenticate():
+    resp = make_response(render_template('login_required.html'), 401)
+    resp.headers['WWW-Authenticate'] = 'Basic realm="Login Required"'
+    return resp
+
+def requires_auth(f):
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        auth = request.authorization
+        if not auth or not check_auth(auth.username, auth.password):
+            return authenticate()
+        return f(*args, **kwargs)
+    return decorated
+
 @app.before_request
 def before_request():
     g.db2 = db.Db(app.config['DATABASE'])
@@ -28,10 +56,12 @@ def teardown_request(exception):
     pass
 
 @app.route('/')
+@requires_auth
 def index():
     return redirect(url_for('get_pit_stops'))
 
 @app.route('/services')
+@requires_auth
 def get_services():
     data = g.db2.getAllServices()
     data.reverse()
@@ -39,6 +69,7 @@ def get_services():
     return render_template('services.html', data=g.data)
 
 @app.route('/pitstops', methods=['POST'])
+@requires_auth
 def create_pit_stop():
     last_pitstop = g.db2.getLastPitStop()
     errorMsg = {}
@@ -84,6 +115,7 @@ def create_pit_stop():
     return redirect(url_for('get_pit_stops'))
 
 @app.route('/pitstops/createForm', methods=['GET'])
+@requires_auth
 def create_pit_stop_form():
     values = g.db2.getLastPitStop()
     values['date'] = time.strftime("%Y-%m-%d")
@@ -96,16 +128,19 @@ def add_service_warning(data):
     data['service_info'] = service_info
 
 @app.route('/pitstops', methods=['GET'])
+@requires_auth
 def get_pit_stops():
     data = prepare_pit_stops(g.db2.getAllPitStops())
     g.data['pitstops'] = data
     return render_template('pitstops.html', data=g.data)
 
 @app.route('/manual', methods=['GET'])
+@requires_auth
 def get_manual():
     return render_template('manual.html', data=g.data)
 
 @app.route('/statistics', methods=['GET'])
+@requires_auth
 def get_statistics():
     pitstops = g.db2.getAllPitStops()
     count = len(pitstops)
@@ -148,4 +183,4 @@ if __name__ == '__main__':
     if not os.path.isfile(DATABASE) or os.stat(DATABASE).st_size == 0:
         db = db.Db(app.config['DATABASE'])
         db.init_db(app.open_resource('schema.sql', mode='r'))
-    app.run(debug=True, host='0.0.0.0')
+    app.run(debug=True, host='0.0.0.0')

app/schema.sql

@@ -1,15 +1,25 @@
 drop table if exists pitstops;
 create table pitstops (
-	`id`	INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	`id`		INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-	`date`	TEXT NOT NULL,
+	`date`		TEXT NOT NULL,
 	`odometer`	INTEGER NOT NULL,
 	`litres`	REAL NOT NULL
 );
+
 drop table if exists services;
 CREATE TABLE `services` (
-	`id`	INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	`id`			INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-	`date`	TEXT,
+	`date`			TEXT,
 	`odometer_planned`	INTEGER NOT NULL,
-	`odometer_done`	INTEGER,
+	`odometer_done`		INTEGER,
-	`tasks`	TEXT NOT NULL
+	`tasks`			TEXT NOT NULL
 );
+
+drop table if exists users;
+create table `users` (
+	`id` 		INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	`name`		TEXT NOT NULL,
+	`salt`		TEXT NOT NULL,
+	`password`	TEXT NOT NULL
+);
+insert into users (name, salt, password) values ('shing19m', 'pL85Kl2U', '207357fdbf6f379c53bb5ab7fa0bc8c0072ae743973a510f551db7b5c90049b7');

app/templates/login_required.html

@@ -0,0 +1,5 @@
+{% extends "layout.html" %}
+
+{% block body %}
+	Please authorize yourself!
+{% endblock %}