srp_js.git
21 months ago: Add .gitlab-ci.yml [master]
azul [Thu, 25 Jan 2018 08:42:26 +0000 (00:42 -0800)]
Add .gitlab-ci.yml

21 months ago: Version 0.5.0 - upgrade dependencies
Azul [Thu, 25 Jan 2018 08:17:45 +0000 (09:17 +0100)]
Version 0.5.0 - upgrade dependencies

Upgrade all dependencies. In particular to avoid a jquery vulnerability.

4 years ago: Merge remote-tracking branch 'alster/feature/extra-signup-params'
Azul [Thu, 17 Sep 2015 17:48:36 +0000 (19:48 +0200)]
Merge remote-tracking branch 'alster/feature/extra-signup-params'

4 years ago: Merge remote-tracking branch 'alster/add-ci' into master
Azul [Thu, 17 Sep 2015 17:48:11 +0000 (19:48 +0200)]
Merge remote-tracking branch 'alster/add-ci' into master

4 years ago: Allow extra signup params from account
kaeff [Tue, 8 Sep 2015 23:13:34 +0000 (01:13 +0200)]
Allow extra signup params from account

For the feature/invite-codes in leap_web, we need to be able to pass an
extra parameter (the invite code) from the signup form to the server.
This approach allows the consumer of SRP to specify a custom
implementation of Account that returns arbitrary `loginParams`, and
Session will pass them on so that they become part of the XHR.

- Split session.signup into signup and update to restrict extra params
  to signup only

4 years ago: Bump version to 0.4.0
kaeff [Wed, 16 Sep 2015 21:02:03 +0000 (23:02 +0200)]
Bump version to 0.4.0

4 years ago: Remove jasmine html runner & outdated libs
kaeff [Wed, 16 Sep 2015 00:32:01 +0000 (02:32 +0200)]
Remove jasmine html runner & outdated libs

4 years ago: Run tests via cli using karma & PhantomJS for Travis
kaeff [Wed, 16 Sep 2015 00:12:50 +0000 (02:12 +0200)]
Run tests via cli using karma & PhantomJS for Travis

Instead of jasmine's HTML runner, use karma to run specs. karma & all
other dependencies are installed via npm and executed via node.js. This
allows TravisCI to execute the test, and as a side effect, bumps the
versions on the testing toolchain.

- Install node.js
- Run `npm install` once to download dependencies.
- Run `npm test` to run all tests

Things to bear in mind:
- This commit adds general project information in `package.js`
- `karma.conf.js` specifies the order in which src, spec and lib files
  are loaded
- Switch to jasmine spies instead of sinon

6 years ago: Merge pull request #4 from azul/bugfix/utf8-in-sha
jessib [Mon, 14 Oct 2013 17:27:08 +0000 (10:27 -0700)]
Merge pull request #4 from azul/bugfix/utf8-in-sha

properly treat utf8 chars in password

6 years ago: properly treat utf8 chars in password
Azul [Mon, 14 Oct 2013 09:43:34 +0000 (11:43 +0200)]
properly treat utf8 chars in password

utf-8 encoding used to be bundled with the SHA256 library. However we
only want to utf8 encode strings that are actual user input. We do not
want to encode the bytearrays that are used when hashing the hex values
calculated during SRP.

So I separated the utf-8 encoding and the sha256 hashing.

6 years ago: Merge pull request #3 from azul/feature/use-token-auth
jessib [Thu, 26 Sep 2013 17:05:52 +0000 (10:05 -0700)]
Merge pull request #3 from azul/feature/use-token-auth

use token from the form to submit password update

6 years ago: use token from the form to submit password update
Azul [Tue, 24 Sep 2013 08:05:15 +0000 (10:05 +0200)]
use token from the form to submit password update

6 years ago: also zeroprefix the salt if needed
Azul [Fri, 12 Jul 2013 10:29:40 +0000 (12:29 +0200)]
also zeroprefix the salt if needed

Now what else can you possibly zeroprefix?
This should be it - shouldn't it?

6 years ago: prefix incoming B too
Azul [Fri, 12 Jul 2013 10:10:29 +0000 (12:10 +0200)]
prefix incoming B too

6 years ago: also prefix our own toString(16) hex values
Azul [Fri, 12 Jul 2013 09:50:45 +0000 (11:50 +0200)]
also prefix our own toString(16) hex values

6 years ago: the 0 prefix in hex is essential for building the M and M2 strings
Azul [Fri, 12 Jul 2013 09:32:01 +0000 (11:32 +0200)]
the 0 prefix in hex is essential for building the M and M2 strings

6 years ago: Merge pull request #2 from elijh/feature/always-use-v1
azul [Sat, 6 Jul 2013 14:47:19 +0000 (07:47 -0700)]
Merge pull request #2 from elijh/feature/always-use-v1

always use the API-only controller for all requests.

6 years ago: always use the API-only controller for all requests.
elijah [Thu, 4 Jul 2013 10:51:16 +0000 (03:51 -0700)]
always use the API-only controller for all requests.

6 years ago: Merge pull request #1 from azul/refactor/separate-session
jessib [Mon, 24 Jun 2013 17:32:58 +0000 (10:32 -0700)]
Merge pull request #1 from azul/refactor/separate-session

Refactor/separate session

6 years ago: refactor: separate account from session
Azul [Sat, 22 Jun 2013 14:17:45 +0000 (16:17 +0200)]
refactor: separate account from session

6 years ago: refactor: rename constants to calculate and clean up hash usage
Azul [Sat, 22 Jun 2013 13:14:14 +0000 (15:14 +0200)]
refactor: rename constants to calculate and clean up hash usage

6 years ago: refactor: separate calculations from session
Azul [Sat, 22 Jun 2013 12:53:13 +0000 (14:53 +0200)]
refactor: separate calculations from session

6 years ago: fix bug wrt zero padding of hashes
Azul [Thu, 20 Jun 2013 15:28:55 +0000 (17:28 +0200)]
fix bug wrt zero padding of hashes

6 years ago: Merge branch 'release/0.3.0'
Azul [Wed, 20 Mar 2013 11:51:56 +0000 (12:51 +0100)]
Merge branch 'release/0.3.0'

6 years ago: added version file
Azul [Wed, 20 Mar 2013 11:51:26 +0000 (12:51 +0100)]
added version file

6 years ago: use a proper random a for the handshake
Azul [Wed, 20 Mar 2013 11:49:34 +0000 (12:49 +0100)]
use a proper random a for the handshake

6 years ago: API: update instead of addToForm
Azul [Sun, 25 Nov 2012 11:55:00 +0000 (12:55 +0100)]
API: update instead of addToForm

addToForm was an attempt to not use ajax but just the normal form submit.

Turns out it's easy to add hidden fields to the form but quite cumbersome to remove the password fields from the form so they are not submitted over the eventually untrusted channel.

So we use ajax for updates just like for signup.

6 years ago: addToForm: add the srp signup data to an existing form
Azul [Fri, 23 Nov 2012 14:33:33 +0000 (15:33 +0100)]
addToForm: add the srp signup data to an existing form

6 years ago: don't cache password and login
Azul [Thu, 22 Nov 2012 12:01:22 +0000 (13:01 +0100)]
don't cache password and login

6 years ago: catch empty responses
Azul [Thu, 22 Nov 2012 11:56:12 +0000 (12:56 +0100)]
catch empty responses

6 years ago: using done/fail instead of success/error, handing all properties to fail
Azul [Thu, 22 Nov 2012 11:49:46 +0000 (12:49 +0100)]
using done/fail instead of success/error, handing all properties to fail

6 years ago: all requests should go to absolute paths
Azul [Tue, 20 Nov 2012 11:43:34 +0000 (12:43 +0100)]
all requests should go to absolute paths

They should be independent of the url we're serving the page from

6 years ago: make sure we get the current password and login
Azul [Tue, 20 Nov 2012 11:37:23 +0000 (12:37 +0100)]
make sure we get the current password and login

6 years ago: make sure srp.login also works as a callback
Azul [Tue, 20 Nov 2012 11:25:17 +0000 (12:25 +0100)]
make sure srp.login also works as a callback

6 years ago: sending the parsed json object to the error handler
Azul [Tue, 20 Nov 2012 09:52:45 +0000 (10:52 +0100)]
sending the parsed json object to the error handler

6 years ago: Merge branch 'feature/clean-srp' into develop
Azul [Tue, 20 Nov 2012 09:51:54 +0000 (10:51 +0100)]
Merge branch 'feature/clean-srp' into develop

6 years ago: further cleanup
Azul [Mon, 19 Nov 2012 17:11:20 +0000 (18:11 +0100)]
further cleanup

6 years ago: removed the SRP class - using just a plain srp object now
Azul [Mon, 19 Nov 2012 16:49:18 +0000 (17:49 +0100)]
removed the SRP class - using just a plain srp object now

6 years ago: first step at cleaning up the srp
Azul [Mon, 19 Nov 2012 16:36:49 +0000 (17:36 +0100)]
first step at cleaning up the srp

6 years ago: works - but not quite what i want. Exposing jqXHR to error function
Azul [Mon, 19 Nov 2012 14:58:46 +0000 (15:58 +0100)]
works - but not quite what i want. Exposing jqXHR to error function

6 years ago: Merge branch 'release/0.2.0'
Azul [Wed, 14 Nov 2012 11:34:45 +0000 (12:34 +0100)]
Merge branch 'release/0.2.0'

6 years ago: Merge branch 'feature/cleanup-non-restful' into develop
Azul [Wed, 14 Nov 2012 11:28:57 +0000 (12:28 +0100)]
Merge branch 'feature/cleanup-non-restful' into develop

6 years ago: cleaned up unused parser functions
Azul [Wed, 14 Nov 2012 11:28:36 +0000 (12:28 +0100)]
cleaned up unused parser functions

6 years ago: removed outdated django remote and all related files
Azul [Wed, 14 Nov 2012 11:21:00 +0000 (12:21 +0100)]
removed outdated django remote and all related files

Also cleaned up the specs a bit

7 years ago: Merge branch 'feature-updated_json_api' into develop
Azul [Mon, 12 Nov 2012 10:17:13 +0000 (11:17 +0100)]
Merge branch 'feature-updated_json_api' into develop

7 years ago: adapting tests to new .json urls
Azul [Mon, 12 Nov 2012 10:14:58 +0000 (11:14 +0100)]
adapting tests to new .json urls

7 years ago: specifying charset and fetching jquery remotely
Azul [Mon, 12 Nov 2012 10:14:47 +0000 (11:14 +0100)]
specifying charset and fetching jquery remotely

This way you don't have to add jquery to the lib dir for specs to work

7 years ago: Merge branch 'master' into feature-updated_json_api
Azul [Fri, 9 Nov 2012 14:04:48 +0000 (15:04 +0100)]
Merge branch 'master' into feature-updated_json_api

7 years ago: we're expecting json responses - so put .json in the url
Azul [Tue, 30 Oct 2012 14:09:13 +0000 (15:09 +0100)]
we're expecting json responses - so put .json in the url

7 years ago: don't expect create to return an ok
Azul [Fri, 19 Oct 2012 16:01:04 +0000 (18:01 +0200)]
don't expect create to return an ok

* it returns the user
* it will return errors if sth. goes wrong.

7 years ago: require srp.js first and the remotes afterwards
Azul [Fri, 19 Oct 2012 16:00:22 +0000 (18:00 +0200)]
require srp.js first and the remotes afterwards

7 years ago: added success and error callbacks to register
Azul [Fri, 19 Oct 2012 15:49:53 +0000 (17:49 +0200)]
added success and error callbacks to register

7 years ago: hand success and error messages to identify by default
Azul [Wed, 17 Oct 2012 10:06:37 +0000 (12:06 +0200)]
hand success and error messages to identify by default

also cleaned up some other parts that were not needed anymore

7 years ago: use M2 as the key for the server auth
Azul [Tue, 16 Oct 2012 15:24:12 +0000 (17:24 +0200)]
use M2 as the key for the server auth

7 years ago: not caching x,V,salt to avoid conflicts
Azul [Tue, 16 Oct 2012 15:06:35 +0000 (17:06 +0200)]
not caching x,V,salt to avoid conflicts

7 years ago: added unit tests for session calculations
Azul [Tue, 16 Oct 2012 13:20:57 +0000 (15:20 +0200)]
added unit tests for session calculations

7 years ago: expecting the salt to be sent with key salt
Azul [Mon, 15 Oct 2012 10:54:24 +0000 (12:54 +0200)]
expecting the salt to be sent with key salt

7 years ago: Merge branch 'feature-jquery-remote' into develop
Azul [Mon, 15 Oct 2012 09:14:28 +0000 (11:14 +0200)]
Merge branch 'feature-jquery-remote' into develop

7 years ago: all rest tests passing, using proper verbs
Azul [Mon, 15 Oct 2012 09:10:35 +0000 (11:10 +0200)]
all rest tests passing, using proper verbs

7 years ago: calculating the right M and M2!
Azul [Sun, 14 Oct 2012 14:24:10 +0000 (16:24 +0200)]
calculating the right M and M2!

still missing some error handling, this in Django specs and the right http verbs

7 years ago: got SRP v6a test setup and basic rest flow to work
Azul [Sun, 14 Oct 2012 13:30:51 +0000 (15:30 +0200)]
got SRP v6a test setup and basic rest flow to work

* still need to fix the algo for auth
* Also need to get the http verbs right

7 years ago: got signup to work in accordance with py srp
Azul [Fri, 12 Oct 2012 16:52:53 +0000 (18:52 +0200)]
got signup to work in accordance with py srp

7 years ago: using jquery for signup post now. login still pending
Azul [Tue, 2 Oct 2012 12:29:47 +0000 (14:29 +0200)]
using jquery for signup post now. login still pending

7 years ago: fixed restful signup test
Azul [Tue, 2 Oct 2012 12:29:20 +0000 (14:29 +0200)]
fixed restful signup test

7 years ago: first round of making jslint happy
Azul [Tue, 21 Aug 2012 16:07:36 +0000 (18:07 +0200)]
first round of making jslint happy

7 years ago: moved srp-js files from lib to src
Azul [Tue, 21 Aug 2012 15:59:11 +0000 (17:59 +0200)]
moved srp-js files from lib to src

7 years ago: moved on with refactoring
Azul [Tue, 21 Aug 2012 15:14:06 +0000 (17:14 +0200)]
moved on with refactoring

* srp_register now is part of srp.js
* moved server specific stuff into plainXHR (such as fetching the seed from the server)
* fixed tests

7 years ago: separated session from the srp flow - login tests pass, signup fail
Azul [Mon, 13 Aug 2012 09:45:51 +0000 (11:45 +0200)]
separated session from the srp flow - login tests pass, signup fail

7 years ago: started implementing a restful signup
Azul [Sat, 4 Aug 2012 14:41:01 +0000 (16:41 +0200)]
started implementing a restful signup

7 years ago: copied jqueryRest and restful specs from django
Azul [Sat, 4 Aug 2012 14:01:05 +0000 (16:01 +0200)]
copied jqueryRest and restful specs from django

no real change yet

7 years ago: moved all xhr related stuff to a separate class
Azul [Fri, 3 Aug 2012 18:37:11 +0000 (20:37 +0200)]
moved all xhr related stuff to a separate class

We can replace this if we want to use jquery ajax or similar. Also this has all the urls so it's super easy to overwrite

7 years ago: expose function to create salt
Azul [Fri, 20 Jul 2012 15:07:48 +0000 (17:07 +0200)]
expose function to create salt

7 years ago: calcV to calculate verifier, do not use srp_url or srp_server anymore
Azul [Fri, 20 Jul 2012 12:21:22 +0000 (14:21 +0200)]
calcV to calculate verifier, do not use srp_url or srp_server anymore

We can easily overwrite the corresponding functions

7 years ago: moved src to lib and use relative path in require_tree
Azul [Fri, 20 Jul 2012 09:18:47 +0000 (11:18 +0200)]
moved src to lib and use relative path in require_tree

7 years ago: Merge branch 'master' of git://github.com/leapcode/srp-js
Azul [Fri, 20 Jul 2012 09:15:05 +0000 (11:15 +0200)]
Merge branch 'master' of git://github.com/leapcode/srp-js

7 years ago: added an index file to use with sprockets
Azul [Fri, 20 Jul 2012 09:12:22 +0000 (11:12 +0200)]
added an index file to use with sprockets

7 years ago: added an index file to use with sprockets
Azul [Fri, 20 Jul 2012 09:12:22 +0000 (11:12 +0200)]
added an index file to use with sprockets

7 years ago: INCOMPATIBLE: major restructuring of the repository
Azul [Fri, 20 Jul 2012 08:56:36 +0000 (10:56 +0200)]
INCOMPATIBLE: major restructuring of the repository

* removed Django code - we're keeping the tests - so I hope the two can still be used together
* removed js packer - everyone has their own packaging strategy these days
* cleaned up the repository - we only have js so javascript directory does not make much sense

7 years ago: reject server response with error message if B=0
Azul [Mon, 2 Jul 2012 15:50:33 +0000 (17:50 +0200)]
reject server response with error message if B=0

7 years ago: expectRequest and respond{JSON,XML} functions to simplify the tests
Azul [Mon, 2 Jul 2012 15:39:56 +0000 (17:39 +0200)]
expectRequest and respond{JSON,XML} functions to simplify the tests

7 years ago: refactoring the tests a bit
Azul [Mon, 2 Jul 2012 15:18:57 +0000 (17:18 +0200)]
refactoring the tests a bit

7 years ago: parsing JSON responses tested and fixed
Azul [Mon, 2 Jul 2012 12:41:33 +0000 (14:41 +0200)]
parsing JSON responses tested and fixed

7 years ago: factored out parsing the responses
Azul [Mon, 2 Jul 2012 12:26:44 +0000 (14:26 +0200)]
factored out parsing the responses

7 years ago: check for ready state and status before callback
Azul [Mon, 2 Jul 2012 10:25:38 +0000 (12:25 +0200)]
check for ready state and status before callback

7 years ago: changed indentation to the 2 spaces I love
Azul [Mon, 2 Jul 2012 10:20:56 +0000 (12:20 +0200)]
changed indentation to the 2 spaces I love

7 years ago: added integration test for login
Azul [Mon, 2 Jul 2012 10:09:30 +0000 (12:09 +0200)]
added integration test for login

* added a small hook in srp to set a, A and Astr for testing
* moved generic functions for tests to SpecHelper

7 years ago: Connection Header is not allowed according to xhr spec.
Azul [Fri, 29 Jun 2012 12:49:46 +0000 (14:49 +0200)]
Connection Header is not allowed according to xhr spec.

Not sure if this was needed. Tests will throw exceptions when it's in but maybe some legacy browsers require it.

7 years ago: added tests for registration with jasmine and sinon
Azul [Fri, 29 Jun 2012 12:46:42 +0000 (14:46 +0200)]
added tests for registration with jasmine and sinon

7 years ago: adding license remark in readme
Azul [Wed, 27 Jun 2012 10:39:45 +0000 (12:39 +0200)]
adding license remark in readme

7 years ago: added Readme from the original project site
Azul [Wed, 27 Jun 2012 10:24:40 +0000 (12:24 +0200)]
added Readme from the original project site

10 years ago: This adds a file 'utils.py' to simplify templating.
ausiv4 [Sat, 15 Aug 2009 23:15:31 +0000 (23:15 +0000)]
This adds a file 'utils.py' to simplify templating.

Functions exist to create headers that include javascript files, and create javascript functions for login and registration. There are also
functions that create login and registration forms.

These functions don't necessarily account for everything a web developer might want to do, but it should simplify things for most developers and
provide guidelines for developers who want to build on top of this functionality.

Views.py now builds the login and register pages based on these functions. The register page now uses the login.html template, and the
register.html template should be deleted in the next release.

10 years ago: Fixed bug in views.py, changed files named 'hash' to 'crypto' since it now includes...
ausiv4 [Fri, 14 Aug 2009 14:04:57 +0000 (14:04 +0000)]
Fixed bug in views.py, changed files named 'hash' to 'crypto' since it now includes AES.

10 years ago: Added support for logins without javascript. This is configurable on a site-by-site...
ausiv4 [Thu, 13 Aug 2009 01:23:34 +0000 (01:23 +0000)]
Added support for logins without javascript. This is configurable on a site-by-site basis.

10 years ago: Rather than passing the necessary parameters to the SRP constructor, I've made them...
ausiv4 [Wed, 12 Aug 2009 23:30:24 +0000 (23:30 +0000)]
Rather than passing the necessary parameters to the SRP constructor, I've made them hidden fields in the form. This way a bookmarklet will be
able to read the fields, and authentication can be done without trusting the javascript sent by the server.

I also organized urls.py

10 years ago: When upgrading the user from a non-srp account to an SRP account, the client must...
ausiv4 [Wed, 12 Aug 2009 17:01:23 +0000 (17:01 +0000)]
When upgrading the user from a non-srp account to an SRP account, the client must send the server the password. I wasn't happy about doing this
in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated
in the first SRP transaction.

10 years ago: Significant cleanup to srp.js.
ausiv4 [Sun, 9 Aug 2009 00:57:03 +0000 (00:57 +0000)]
Significant cleanup to srp.js.

10 years ago: This adds upgrade functionality so that existing django apps can switch to SRP.
ausiv4 [Sat, 8 Aug 2009 20:50:53 +0000 (20:50 +0000)]
This adds upgrade functionality so that existing django apps can switch to SRP.

If a user exists in the auth table but not the srp table, the server sends back the algorithm and salt needed to hash the password. The hashed
password is used to authenticate the user.

After the server authenticates the user and the user verifies the identity of the server, the user sends the password in plaintext. The server
uses the plaintext password to calculate the verifier and stores it. Finally, the client reinitiates the login process.

10 years ago: This update separates the register functionality from the login library. The login...
ausiv4 [Fri, 7 Aug 2009 03:38:03 +0000 (03:38 +0000)]
This update separates the register functionality from the login library. The login script is now .3 kb smaller, but there is a new 1.1 kb
register file. I think that registrations are rare enough relative to logins that this should be a worthwhile tradeoff. This also prepares a
framework for importing an update file, which will allow existing installations to upgrade from less secure authentication protocols, so some of
the overhead in srp.js that was added here will help reduce the size as we add the update functionality.

10 years ago: Changes were made to improve database efficiency and to use the django authentication...
ausiv4 [Thu, 6 Aug 2009 23:54:46 +0000 (23:54 +0000)]
Changes were made to improve database efficiency and to use the django authentication backend framework.

10 years ago: Removed debugging line from srp.js
ausiv4 [Tue, 4 Aug 2009 17:17:29 +0000 (17:17 +0000)]
Removed debugging line from srp.js