diff options
-rw-r--r-- | users/app/controllers/sessions_controller.rb | 5 | ||||
-rwxr-xr-x | users/test/integration/api/python/flow_with_srp.py | 59 |
2 files changed, 60 insertions, 4 deletions
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb index d398057..7852e5c 100644 --- a/users/app/controllers/sessions_controller.rb +++ b/users/app/controllers/sessions_controller.rb @@ -9,7 +9,7 @@ class SessionsController < ApplicationController @user = User.find_by_param(params[:login]) session[:handshake] = @user.initialize_auth(params['A'].hex) User.current = @user #? - render :json => { :B => session[:handshake].bb.to_s(16) } + render :json => { :B => session[:handshake].bb.to_s(16), :salt => @user.password_salt } rescue RECORD_NOT_FOUND render :json => {:errors => {:login => ["unknown user"]}} end @@ -30,7 +30,4 @@ class SessionsController < ApplicationController User.current = nil #? redirect_to root_path end - - - end diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py new file mode 100755 index 0000000..08ac94a --- /dev/null +++ b/users/test/integration/api/python/flow_with_srp.py @@ -0,0 +1,59 @@ +#!/usr/bin/env python + +# under development + +import requests +import json +import string +import random +import srp +import binascii + +# let's have some random name +def id_generator(size=6, chars=string.ascii_uppercase + string.digits): + return ''.join(random.choice(chars) for x in range(size)) + +# using globals for a start +server = 'http://localhost:3000' +login = id_generator() +password = id_generator() + id_generator() + +# log the server communication +def print_and_parse(response): + print response.request.method + ': ' + response.url + print " " + json.dumps(response.request.data) + print " -> " + response.text + return json.loads(response.text) + +def signup(session): + salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) + user_params = { + 'user[login]': login, + 'user[password_verifier]': binascii.hexlify(vkey), + 'user[password_salt]': binascii.hexlify(salt) + } + return session.post(server + '/users.json', data = user_params) + +usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) + +def authenticate(session, login): + uname, A = usr.start_authentication() + params = { + 'login': uname, + 'A': binascii.hexlify(A) + } + init = print_and_parse(session.post(server + '/sessions', data = params)) + M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) ) + return session.put(server + '/sessions/' + login, + data = {'client_auth': binascii.hexlify(M)}) + +session = requests.session() +user = print_and_parse(signup(session)) + +# SRP signup would happen here and calculate M hex +auth = print_and_parse(authenticate(session, user['login'])) +usr.verify_session( auth ) + +# At this point the authentication process is complete. +assert usr.authenticated() + |