summaryrefslogtreecommitdiff
path: root/users
diff options
context:
space:
mode:
Diffstat (limited to 'users')
-rw-r--r--users/app/controllers/sessions_controller.rb5
-rwxr-xr-xusers/test/integration/api/python/flow_with_srp.py59
2 files changed, 60 insertions, 4 deletions
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index d398057..7852e5c 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -9,7 +9,7 @@ class SessionsController < ApplicationController
@user = User.find_by_param(params[:login])
session[:handshake] = @user.initialize_auth(params['A'].hex)
User.current = @user #?
- render :json => { :B => session[:handshake].bb.to_s(16) }
+ render :json => { :B => session[:handshake].bb.to_s(16), :salt => @user.password_salt }
rescue RECORD_NOT_FOUND
render :json => {:errors => {:login => ["unknown user"]}}
end
@@ -30,7 +30,4 @@ class SessionsController < ApplicationController
User.current = nil #?
redirect_to root_path
end
-
-
-
end
diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py
new file mode 100755
index 0000000..08ac94a
--- /dev/null
+++ b/users/test/integration/api/python/flow_with_srp.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+
+# under development
+
+import requests
+import json
+import string
+import random
+import srp
+import binascii
+
+# let's have some random name
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+ return ''.join(random.choice(chars) for x in range(size))
+
+# using globals for a start
+server = 'http://localhost:3000'
+login = id_generator()
+password = id_generator() + id_generator()
+
+# log the server communication
+def print_and_parse(response):
+ print response.request.method + ': ' + response.url
+ print " " + json.dumps(response.request.data)
+ print " -> " + response.text
+ return json.loads(response.text)
+
+def signup(session):
+ salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+ user_params = {
+ 'user[login]': login,
+ 'user[password_verifier]': binascii.hexlify(vkey),
+ 'user[password_salt]': binascii.hexlify(salt)
+ }
+ return session.post(server + '/users.json', data = user_params)
+
+usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
+
+def authenticate(session, login):
+ uname, A = usr.start_authentication()
+ params = {
+ 'login': uname,
+ 'A': binascii.hexlify(A)
+ }
+ init = print_and_parse(session.post(server + '/sessions', data = params))
+ M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) )
+ return session.put(server + '/sessions/' + login,
+ data = {'client_auth': binascii.hexlify(M)})
+
+session = requests.session()
+user = print_and_parse(signup(session))
+
+# SRP signup would happen here and calculate M hex
+auth = print_and_parse(authenticate(session, user['login']))
+usr.verify_session( auth )
+
+# At this point the authentication process is complete.
+assert usr.authenticated()
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-06 17:33:16 +0000