| Age | Commit message | Author |
|---|---|---|
|  | made them hidden fields in the form. This way a bookmarklet will be
able to read the fields, and authentication can be done without trusting the javascript sent by the server.
I also organized urls.py | 
|  | must send the server the password. I wasn't happy about doing this
in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated 
in the first SRP transaction. | 
|  | If a user exists in the auth table but not the srp table, the server sends back the algorithm and salt needed to hash the password. The hashed 
password is used to authenticate the user.
After the server authenticates the user and the user verifies the identity of the server, the user sends the password in plaintext. The server 
uses the plaintext password to calculate the verifier and stores it. Finally, the client reinitiates the login process. | 
|  | login script is now .3 kb smaller, but there is a new 1.1 kb
register file. I think that registrations are rare enough relative to logins that this should be a worthwhile tradeoff. This also prepares a 
framework for importing an update file, which will allow existing installations to upgrade from less secure authentication protocols, so some of 
the overhead in srp.js that was added here will help reduce the size as we add the update functionality. | 
|  | authentication backend framework. | 
|  | files. Instead of sending 6 javascript files totaling about 50KB, we 
now send 1 file totaling 21.1KB. 
After modifying any javascript files, run build-pack.sh to update 
srp.min.js. 
The login.html and register.html templates have been changed to send 
the one packed file. The file srp.js was modified so that it would pack 
properly.
Necessary files from the perl version of packer are included, but they 
shouldn't be included on production web servers. The packer files are 
released under the LGPL. | 
|  | Also added a 'key' function to the SRP javascript library, in case anyone wants to use K for encrypting communications. | 
|  | minor errors in the library, which have also been addressed. | 
|  | as a class. It is instantiated by:
var srp = new SRP(username, password, server_type, base_url);
Then it is run by calling:
srp.register() 
to register a new user, and
srp.identify()
to authenticate an existing user. By default, a successful 
identification pops up an alert reading "Authentication Successful."
To change this, set srp.success to a function. For example,
srp.success = function()
{
	alert("We win!");
}
The same is true for error messages. By default, the SRP library sends 
the message to the user as an alert box, but web designers can replace
the srp.error_message function to handle the error messages differently.
The most significant part of making the SRP library into a class is that 
it cleans up the namespace. Instead of having tons of srp_Variables, we 
only add the SRP() function to the namespace, and all other variables 
are either private, public, or protected members of that class.
A few minor edits were made to views.py to support logging in with the 
modified library. I haven't made the modifications to register yet, so 
it won't work for this revision. Oops. | 