Resolve "Fix backend user account with bcrypt"

RAVERDY Pierre-Guillaume requested to merge 33-bcrypt into development
name: Feature
about: New features or wider changes, 

Closes #33

Description

To be done after merge of !10 (merged) that adds sqlite3

This MR adds password hashing (not encryption) in the database, adding an essential security practice. Plain passwords are neither stored nor displayed.

For references

Changelog

  • Added password hashing in database

How to test

  • Generate salt as explained in the documentation and export as envvar
  • Make sure there is no db in the resources folder
  • Create the initial db with `python3 init_db.py`. This is a bit long, I maybe put too many rounds with the salt.
  • Start the backend and frontend (`python3 wsgi.py` and `ng serve`)
  • Connect using the default account superdsi/superdsi and check connected

Misc

More could be done to improve the design and flexibility of password updates, hashing, security... A good reference could be: https://variable-scope.com/posts/storing-and-verifying-passwords-with-sqlalchemy

Edited by RAVERDY Pierre-Guillaume
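
A pre-flight check for the salt exported in the test steps above, as an added example that is not part of this merge request or the project's code: it parses a bcrypt salt string and reports its cost factor, since each extra round doubles the hashing time of `init_db.py` and of every login. The variable name `BCRYPT_SALT` and the `max_cost` threshold of 14 are assumptions; the sample salt is constructed.

```python
import os
import re

# bcrypt salt string: $<version>$<two-digit cost>$<22 chars of bcrypt base64>
_SALT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})")
BASELINE_COST = 12  # default rounds of bcrypt.gensalt() in the Python bcrypt package


def inspect_bcrypt_salt(salt: str, max_cost: int = 14) -> dict:
    """Validate a bcrypt salt string and describe how expensive it is."""
    m = _SALT_RE.fullmatch(salt.strip())
    if m is None:
        raise ValueError("value is not a bcrypt salt ($2b$NN$ + 22 characters)")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} is outside the valid range 4..31")
    return {
        "version": m.group(1),
        "cost": cost,
        "iterations": 1 << cost,  # key-expansion iterations are 2**cost
        "relative_to_baseline": 2.0 ** (cost - BASELINE_COST),
        "too_slow": cost > max_cost,  # max_cost is an assumed local policy
    }


def check_env(var: str = "BCRYPT_SALT", environ=None) -> dict:
    """Read the salt from the environment (variable name is hypothetical)."""
    environ = os.environ if environ is None else environ
    if var not in environ:
        raise KeyError(f"{var} is not exported")
    return inspect_bcrypt_salt(environ[var])


if __name__ == "__main__":
    sample = "$2b$16$abcdefghijklmnopqrstuu"  # constructed salt, cost 16
    info = inspect_bcrypt_salt(sample)
    print(f"cost={info['cost']} -> {info['relative_to_baseline']:.0f}x the "
          f"default cost, too_slow={info['too_slow']}")
```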
