summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2012-07-02factored out parsing the responsesAzul
2012-07-02check for ready state and status before callbackAzul
2012-07-02changed indentation to the 2 spaces i loveAzul
2012-07-02added integration test for loginAzul
* added a small hook in srp to set a, A and Astr for testing * moved generic functions for tests to SpecHelper
2012-06-29Connection Header is not allowed according to xhr spec.Azul
Not sure if this was needed. Tests will throw exceptions when it's in but maybe some legacy browsers require it.
2012-06-29added tests for registration with jasmin and sinonAzul
2012-06-27adding license remark in readmeAzul
2012-06-27added Readme from the original project siteAzul
2009-08-15This adds a file 'utils.py' to simplify templating.ausiv4
Functions exist to create headers that include javascript files, and create javascript functions for login and registration. There are also functions that create login and registration forms. These functions don't necessarily account for everything a web developer might want to do, but it should simplify things for most developers and provide guidelines for developers who want to build on top of this functionality. Views.py now builds the login and register pages based on these functions. The register page now uses the login.html template, and the register.html template should be deleted in the next release.
2009-08-14Fixed bug in views.py, changed files named 'hash' to 'crypto' since it now ↵ausiv4
includes AES.
2009-08-13Added support for logins without javascript. This is configurable on a ↵ausiv4
site-by-site basis.
2009-08-12Rather than passing the necessary parameters to the SRP constructor, I've ↵ausiv4
made them hidden fields in the form. This way a bookmarklet will be able to read the fields, and authentication can be done without trusting the javascript sent by the server. I also organized urls.py
2009-08-12When upgrading the user from a non-srp account to an SRP account, the client ↵ausiv4
must send the server the password. I wasn't happy about doing this in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated in the first SRP transaction.
2009-08-09Significant cleanup to srp.js.ausiv4
2009-08-08This adds upgrade functionality so that existing django apps can switch to SRP.ausiv4
If a user exists in the auth table but not the srp table, the server sends back the algorithm and salt needed to hash the password. The hashed password is used to authenticate the user. After the server authenticates the user and the user verifies the identity of the server, the user sends the password in plaintext. The server uses the plaintext password to calculate the verifier and stores. Finally, the client reinitiates the login process.
2009-08-07This update separates the register functionality from the login library. The ↵ausiv4
login script is now .3 kb smaller, but there is a new 1.1 kb register file. I think that registrations are rare enough relative to logins that this should be a worthwhile tradeoff. This also prepares a framework for importing an update file, which will allow existing installations to upgrade from less secure authentication protocols, so some of the overhead in srp.js that was added here will help reduce the size as we add the update functionality.
2009-08-06Changes were made to improve database efficiency and to use the django ↵ausiv4
authentication backend framework.
2009-08-04Removed debugging line from srp.jsausiv4
2009-08-04Improved documentation for srp.js.ausiv4
Made srpPath a part of the SRP object to reduce namespace clutter.
2009-08-04Now the import_hashes function checks to see whether the srp file is packed ↵ausiv4
or not, and loads the packed or unpacked hash files accordingly. It occurs to me that perhaps all of the hash functions should be put into a single object to reduce namespace pollution.
2009-08-04I've cleaned up the script path code so that it now packs properly. The path ↵ausiv4
to the srp script can be found in the global variable srpPath. If the server is using raw javascript files, this should be set to "srp.js". If the server is using packed files, this should be set to "srp.min.js".
2009-08-04I've started working on the feature that will allow existing servers to ↵ausiv4
upgrade to SRP. Currently, I've added functionality that will allow the importation of hash.min.js. This is made possible by some code that executes when the script is loaded. This particular code doesn't pack properly, so currently I'm having the pack script append it to the end (unpacked). This requires that clients use the packed version for two reasons. First, the unpacked code lacks the function that gets the source path. Second, it loads hash.min.js. The first problem can be fixed if I can figure out how to get the code to pack properly. The second problem can be solved by checking whether the current script is "srp.js" or "srp.min.js", and loading either (MD5.js & SHA1.js) or hash.min.js respectively. Next we will need to write code where the server detects users who exist in the auth.models.User table, but not the srp.models.User table.
2009-07-28Fixed srp.js for IE6.ausiv4
2009-07-28In this update we use jsPacker.pl to combine and compress javascript ausiv4
files. Instead of sending 6 javascript files totaling about 50KB, we now send 1 file totaling 21.1KB. After modifying any javascript files, run build-pack.sh to update srp.min.js. The login.html and register.html templates have been changed to send the one packed file. The file srp.js was modified so that it would pack properly. Necessary files from the perl version of packer are included, but they shouldn't be included on production web servers. The packer files are released under the LGPL.
2009-07-25Moved register and login page to templates rather than cluttering views.py. ↵ausiv4
Also added a 'key' function to the SRP javascript library, in case anyone wants to use K for encrypting communications.
2009-07-25Fixed views.py to work with the new library for registration. There were ↵ausiv4
minor errors in the library, which have also been addressed.
2009-07-25This commit makes major revisions to srp.js. The SRP library now works ausiv4
as a class. It is instantiated by: var srp = new SRP(username, password, server_type, base_url); Then it is run by calling: srp.register() to register a new user, and srp.identify() to authenticate an existing user. By default, a successful identification pops up an alert reading "Authentication Successful." To change this, set srp.success to a function. For example, srp.success = function() { alert("We win!"); } The same is true for error messages. By default, the SRP library sends the message to the user as an alert box, but web designers can replace the srp.error_message function to handle the error messages differently. The most significant part of making the SRP library into a class is that it cleans up the namespace. Instead of having tons of srp_Variables, we only add the SRP() function to the namespace, and all other variables are either private, public, or protected members of that class. A few minor edits were made to views.py to support logging in with the modified library. I haven't made the modifications to register yet, so it won't work for this revision. Oops.
2009-07-24Fixed error in jsbn.js, cleaned tables in login and register views.ausiv4
2009-07-24Added license to Tom Wu's jsbn libraries.ausiv4
2009-07-24Merge proper-random with trunk.ausiv4
2009-07-24Fixing previous mistakeausiv4
2009-07-24Not what I meant to do...ausiv4
2009-07-23testausiv4
2009-07-23Test commitausiv4
2009-07-23Ignore changes to settings.pyausiv4
2009-07-23First submission.ausiv4
2009-07-23please workausiv4