azul [Thu, 25 Jan 2018 08:42:26 +0000 (00:42 -0800)]
Add .gitlab-ci.yml
Azul [Thu, 25 Jan 2018 08:17:45 +0000 (09:17 +0100)]
Version 0.5.0 - upgrade dependencies
Upgrade all dependencies. In particular to avoid a jquery vulnerability.
Azul [Thu, 17 Sep 2015 17:48:36 +0000 (19:48 +0200)]
Merge remote-tracking branch 'alster/feature/extra-signup-params'
Azul [Thu, 17 Sep 2015 17:48:11 +0000 (19:48 +0200)]
Merge remote-tracking branch 'alster/add-ci' into master
kaeff [Tue, 8 Sep 2015 23:13:34 +0000 (01:13 +0200)]
Allow extra signup params from account
For the feature/invite-codes in leap_web, we need to be able to pass an
extra parameter (the invite code) from the signup form to the server.
This approach allows the consumer of SRP to specify a custom
implementation of Account that returns arbitrary `loginParams`, and
Session will pass them on so that they become part of the XHR.
- Split session.signup into signup and update to restrict extra params
to signup only
kaeff [Wed, 16 Sep 2015 21:02:03 +0000 (23:02 +0200)]
Bump version to 0.4.0
kaeff [Wed, 16 Sep 2015 00:32:01 +0000 (02:32 +0200)]
Remove jasmine html runner & outdated libs
kaeff [Wed, 16 Sep 2015 00:12:50 +0000 (02:12 +0200)]
Run tests via cli using karma & PhantomJS for Travis
Instead of jasmine's HTML runner, use karma to run specs. karma & all
other dependencies are installed via npm and executed via node.js. This
allows TravisCI to execute the test, and as a side effect, bumps the
versions on the testing toolchain.
- Install node.js
- Run `npm install` once to download dependencies.
- Run `npm test` to run all tests
Things to bear in mind:
- This commit adds general project information in `package.js`
- `karma.conf.js` specifies the order in which src, spec and lib files
are loaded
- Switch to jasmine spies instead of sinon
jessib [Mon, 14 Oct 2013 17:27:08 +0000 (10:27 -0700)]
Merge pull request #4 from azul/bugfix/utf8-in-sha
properly treat utf8 chars in password
Azul [Mon, 14 Oct 2013 09:43:34 +0000 (11:43 +0200)]
properly treat utf8 chars in password
utf-8 encoding used to be bundled with the SHA256 library. However we
only want to utf8 encode strings that are actual user input. We do not
want to encode the bytearrays that are used when hashing the hex values
calculated during for SRP.
So I separated the utf-8 encoding and the sha256 hashing.
jessib [Thu, 26 Sep 2013 17:05:52 +0000 (10:05 -0700)]
Merge pull request #3 from azul/feature/use-token-auth
use token from the form to submit password update
Azul [Tue, 24 Sep 2013 08:05:15 +0000 (10:05 +0200)]
use token from the form to submit password update
Azul [Fri, 12 Jul 2013 10:29:40 +0000 (12:29 +0200)]
also zeroprefix the salt if needed
Now what else can you possibly zeroprefix?
This should be it - shouldn't it?
Azul [Fri, 12 Jul 2013 10:10:29 +0000 (12:10 +0200)]
prefix incoming B too
Azul [Fri, 12 Jul 2013 09:50:45 +0000 (11:50 +0200)]
also prefix our own toString(16) hex values
Azul [Fri, 12 Jul 2013 09:32:01 +0000 (11:32 +0200)]
the 0 prefix in hex is essential for building the M and M2 strings
azul [Sat, 6 Jul 2013 14:47:19 +0000 (07:47 -0700)]
Merge pull request #2 from elijh/feature/always-use-v1
always use the API-only controller for all requests.
elijah [Thu, 4 Jul 2013 10:51:16 +0000 (03:51 -0700)]
always use the API-only controller for all requests.
jessib [Mon, 24 Jun 2013 17:32:58 +0000 (10:32 -0700)]
Merge pull request #1 from azul/refactor/separate-session
Refactor/separate session
Azul [Sat, 22 Jun 2013 14:17:45 +0000 (16:17 +0200)]
refactor: separate account from session
Azul [Sat, 22 Jun 2013 13:14:14 +0000 (15:14 +0200)]
refactor: rename constants to calculate and clean up hash usage
Azul [Sat, 22 Jun 2013 12:53:13 +0000 (14:53 +0200)]
refactor: separate calculations from session
Azul [Thu, 20 Jun 2013 15:28:55 +0000 (17:28 +0200)]
fix bug wrt zero padding of hashes
Azul [Wed, 20 Mar 2013 11:51:56 +0000 (12:51 +0100)]
Merge branch 'release/0.3.0'
Azul [Wed, 20 Mar 2013 11:51:26 +0000 (12:51 +0100)]
added version file
Azul [Wed, 20 Mar 2013 11:49:34 +0000 (12:49 +0100)]
use a proper random a for the handshake
Azul [Sun, 25 Nov 2012 11:55:00 +0000 (12:55 +0100)]
API: update instead of addToForm
addToForm was an attempt to not use ajax but just the normal form submit.
Turns out it's easy to add hidden fields to the form but quite cumbersome to remove the password fields from teh form so they are not submitted over the eventually untrusted channel.
So we use ajax for updates just like for signup.
Azul [Fri, 23 Nov 2012 14:33:33 +0000 (15:33 +0100)]
addToForm: add the srp signup data to an existing form
Azul [Thu, 22 Nov 2012 12:01:22 +0000 (13:01 +0100)]
don't cache password and login
Azul [Thu, 22 Nov 2012 11:56:12 +0000 (12:56 +0100)]
catch empty responses
Azul [Thu, 22 Nov 2012 11:49:46 +0000 (12:49 +0100)]
using done/fail instead of success/error, handing all properties to fail
Azul [Tue, 20 Nov 2012 11:43:34 +0000 (12:43 +0100)]
all request should go to absolute paths
They should be independent of the url we're serving the page from
Azul [Tue, 20 Nov 2012 11:37:23 +0000 (12:37 +0100)]
make sure we get the current password and login
Azul [Tue, 20 Nov 2012 11:25:17 +0000 (12:25 +0100)]
make sure srp.login also works as a callback
Azul [Tue, 20 Nov 2012 09:52:45 +0000 (10:52 +0100)]
sending the parsed json object to the error handler
Azul [Tue, 20 Nov 2012 09:51:54 +0000 (10:51 +0100)]
Merge branch 'feature/clean-srp' into develop
Azul [Mon, 19 Nov 2012 17:11:20 +0000 (18:11 +0100)]
further cleanup
Azul [Mon, 19 Nov 2012 16:49:18 +0000 (17:49 +0100)]
removed the SRP class - using just a plain srp object now
Azul [Mon, 19 Nov 2012 16:36:49 +0000 (17:36 +0100)]
first step at cleaning up the srp
Azul [Mon, 19 Nov 2012 14:58:46 +0000 (15:58 +0100)]
works - but not quite what i want. Exposing jqXHR to error function
Azul [Wed, 14 Nov 2012 11:34:45 +0000 (12:34 +0100)]
Merge branch 'release/0.2.0'
Azul [Wed, 14 Nov 2012 11:28:57 +0000 (12:28 +0100)]
Merge branch 'feature/cleanup-non-restful' into develop
Azul [Wed, 14 Nov 2012 11:28:36 +0000 (12:28 +0100)]
cleaned up unused parser functions
Azul [Wed, 14 Nov 2012 11:21:00 +0000 (12:21 +0100)]
removed outdated django remote and all related files
Also cleaned up the specs a bit
Azul [Mon, 12 Nov 2012 10:17:13 +0000 (11:17 +0100)]
Merge branch 'feature-updated_json_api' into develop
Azul [Mon, 12 Nov 2012 10:14:58 +0000 (11:14 +0100)]
adopting tests to new .json urls
Azul [Mon, 12 Nov 2012 10:14:47 +0000 (11:14 +0100)]
specifying charset and fetching jquery remotely
This way you don't have to add jquery to the lib dir for specs to work
Azul [Fri, 9 Nov 2012 14:04:48 +0000 (15:04 +0100)]
Merge branch 'master' into feature-updated_json_api
Azul [Tue, 30 Oct 2012 14:09:13 +0000 (15:09 +0100)]
we're expecting json responses - so put .json in the url
Azul [Fri, 19 Oct 2012 16:01:04 +0000 (18:01 +0200)]
don't expect create to return an ok
* it returns the user
* it will return errors if sth. goes wrong.
Azul [Fri, 19 Oct 2012 16:00:22 +0000 (18:00 +0200)]
require srp.js first and the remotes afterwards
Azul [Fri, 19 Oct 2012 15:49:53 +0000 (17:49 +0200)]
added success and error callbacks to register
Azul [Wed, 17 Oct 2012 10:06:37 +0000 (12:06 +0200)]
hand success and error messages to identify by default
also cleaned up some other parts that were not needed anymore
Azul [Tue, 16 Oct 2012 15:24:12 +0000 (17:24 +0200)]
use M2 as the key for the server auth
Azul [Tue, 16 Oct 2012 15:06:35 +0000 (17:06 +0200)]
not caching x,V,salt to avoid conflicts
Azul [Tue, 16 Oct 2012 13:20:57 +0000 (15:20 +0200)]
added unit tests for session calculations
Azul [Mon, 15 Oct 2012 10:54:24 +0000 (12:54 +0200)]
expecting the salt to be send with key salt
Azul [Mon, 15 Oct 2012 09:14:28 +0000 (11:14 +0200)]
Merge branch 'feature-jquery-remote' into develop
Azul [Mon, 15 Oct 2012 09:10:35 +0000 (11:10 +0200)]
all rest tests passing, using proper verbs
Azul [Sun, 14 Oct 2012 14:24:10 +0000 (16:24 +0200)]
calculating the right M and M2!
still missing some error handling, this in Django specs and the right http verbs
Azul [Sun, 14 Oct 2012 13:30:51 +0000 (15:30 +0200)]
got SRP v6a test setup and basic rest flow to work
* still need to fix the algo for auth
* Also need to get the http verbs right
Azul [Fri, 12 Oct 2012 16:52:53 +0000 (18:52 +0200)]
got signup to work in accordance with py srp
Azul [Tue, 2 Oct 2012 12:29:47 +0000 (14:29 +0200)]
using jquery for signup post now. login still pending
Azul [Tue, 2 Oct 2012 12:29:20 +0000 (14:29 +0200)]
fixed restful signup test
Azul [Tue, 21 Aug 2012 16:07:36 +0000 (18:07 +0200)]
first round of making jslint happy
Azul [Tue, 21 Aug 2012 15:59:11 +0000 (17:59 +0200)]
moved srp-js files from lib to src
Azul [Tue, 21 Aug 2012 15:14:06 +0000 (17:14 +0200)]
moved on with refactoring
* srp_register now is part of srp.js
* moved server specific stuff into plainXHR (such as fetching the seed from the server)
* fixed tests
Azul [Mon, 13 Aug 2012 09:45:51 +0000 (11:45 +0200)]
seperated session from the srp flow - login tests pass, signup fail
Azul [Sat, 4 Aug 2012 14:41:01 +0000 (16:41 +0200)]
started implementing a restful signup
Azul [Sat, 4 Aug 2012 14:01:05 +0000 (16:01 +0200)]
copied jqueryRest and restful specs from django
no real change yet
Azul [Fri, 3 Aug 2012 18:37:11 +0000 (20:37 +0200)]
moved all xhr related stuff to a seperate class
We can replace this if we want to use jquery ajax or similar. Also this has all the urls so it's super easy to overwrite
Azul [Fri, 20 Jul 2012 15:07:48 +0000 (17:07 +0200)]
expose function to create salt
Azul [Fri, 20 Jul 2012 12:21:22 +0000 (14:21 +0200)]
calcV to calculate verifier, do not use srp_url or srp_server anymore
We can easily overwrite the corresponding functions
Azul [Fri, 20 Jul 2012 09:18:47 +0000 (11:18 +0200)]
moved src to lib and use relative path in require_tree
Azul [Fri, 20 Jul 2012 09:15:05 +0000 (11:15 +0200)]
Merge branch 'master' of git://github.com/leapcode/srp-js
Azul [Fri, 20 Jul 2012 09:12:22 +0000 (11:12 +0200)]
added an index file to use with sprockets
Azul [Fri, 20 Jul 2012 09:12:22 +0000 (11:12 +0200)]
added an index file to use with sprockets
Azul [Fri, 20 Jul 2012 08:56:36 +0000 (10:56 +0200)]
INCOMPATIBLE: major restructuring of the repository
* removed Django code - we're keeping the tests - so I hope the two can still be used together
* removed js packer - everyone has their own packaging strategy these days
* cleaned up the repository - we only have js so javascript directory does not make much sense
Azul [Mon, 2 Jul 2012 15:50:33 +0000 (17:50 +0200)]
reject server response with error message if B=0
Azul [Mon, 2 Jul 2012 15:39:56 +0000 (17:39 +0200)]
expectRequest and respond{JSON,XML} functions to simplify the tests
Azul [Mon, 2 Jul 2012 15:18:57 +0000 (17:18 +0200)]
refactoring the tests a bit
Azul [Mon, 2 Jul 2012 12:41:33 +0000 (14:41 +0200)]
parsing JSON responses tested and fixed
Azul [Mon, 2 Jul 2012 12:26:44 +0000 (14:26 +0200)]
factored out parsing the responses
Azul [Mon, 2 Jul 2012 10:25:38 +0000 (12:25 +0200)]
check for ready state and status before callback
Azul [Mon, 2 Jul 2012 10:20:56 +0000 (12:20 +0200)]
changed indentation to the 2 spaces i love
Azul [Mon, 2 Jul 2012 10:09:30 +0000 (12:09 +0200)]
added integration test for login
* added a small hook in srp to set a, A and Astr for testing
* moved generic functions for tests to SpecHelper
Azul [Fri, 29 Jun 2012 12:49:46 +0000 (14:49 +0200)]
Connection Header is not allowed according to xhr spec.
Not sure if this was needed. Tests will throw exceptions when it's in but maybe some legacy browsers require it.
Azul [Fri, 29 Jun 2012 12:46:42 +0000 (14:46 +0200)]
added tests for registration with jasmin and sinon
Azul [Wed, 27 Jun 2012 10:39:45 +0000 (12:39 +0200)]
adding license remark in readme
Azul [Wed, 27 Jun 2012 10:24:40 +0000 (12:24 +0200)]
added Readme from the original project site
ausiv4 [Sat, 15 Aug 2009 23:15:31 +0000 (23:15 +0000)]
This adds a file 'utils.py' to simplify templating.
Functions exist to create headers that include javascript files, and create javascript functions for login and registration. There are also
functions that create login and registration forms.
These functions don't necessarily account for everything a web developer might want to do, but it should simplify things for most developers and
provide guidelines for developers who want to build on top of this functionality.
Views.py now builds the login and register pages based on these functions. The register page now uses the login.html template, and the
register.html template should be deleted in the next release.
ausiv4 [Fri, 14 Aug 2009 14:04:57 +0000 (14:04 +0000)]
Fixed bug in views.py, changed files named 'hash' to 'crypto' since it now includes AES.
ausiv4 [Thu, 13 Aug 2009 01:23:34 +0000 (01:23 +0000)]
Added support for logins without javascript. This is configurable on a site-by-site basis.
ausiv4 [Wed, 12 Aug 2009 23:30:24 +0000 (23:30 +0000)]
Rather than passing the necessary parameters to the SRP constructor, I've made them hidden fields in the form. This way a bookmarklet will be
able to read the fields, and authentication can be done without trusting the javascript sent by the server.
I also organized urls.py
ausiv4 [Wed, 12 Aug 2009 17:01:23 +0000 (17:01 +0000)]
When upgrading the user from a non-srp account to an SRP account, the client must send the server the password. I wasn't happy about doing this
in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated
in the first SRP transaction.
ausiv4 [Sun, 9 Aug 2009 00:57:03 +0000 (00:57 +0000)]
Significant cleanup to srp.js.
ausiv4 [Sat, 8 Aug 2009 20:50:53 +0000 (20:50 +0000)]
This adds upgrade functionality so that existing django apps can switch to SRP.
If a user exists in the auth table but not the srp table, the server sends back the algorithm and salt needed to hash the password. The hashed
password is used to authenticate the user.
After the server authenticates the user and the user verifies the identity of the server, the user sends the password in plaintext. The server
uses the plaintext password to calculate the verifier and stores. Finally, the client reinitiates the login process.
ausiv4 [Fri, 7 Aug 2009 03:38:03 +0000 (03:38 +0000)]
This update separates the register functionality from the login library. The login script is now .3 kb smaller, but there is a new 1.1 kb
register file. I think that registrations are rare enough relative to logins that this should be a worthwhile tradeoff. This also prepares a
framework for importing an update file, which will allow existing installations to upgrade from less secure authentication protocols, so some of
the overhead in srp.js that was added here will help reduce the size as we add the update functionality.
ausiv4 [Thu, 6 Aug 2009 23:54:46 +0000 (23:54 +0000)]
Changes were made to improve database efficiency and to use the django authentication backend framework.
ausiv4 [Tue, 4 Aug 2009 17:17:29 +0000 (17:17 +0000)]
Removed debugging line from srp.js