Make root handling sane again.

[ps-cgit] / filters / simple-authentication.lua

diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index 5935d080f87e0388a2dfdcf9b8b1586f93c186d5..cc86b7e3d76f491e8ea40ac30320c3dc3eca4876 100644 (file)
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -12,17 +12,27 @@
 --
 --
 
+-- A list of password protected repositories along with the users who can access them.
 local protected_repos = {
        glouglou        = { laurent = true, jason = true },
        qt              = { jason = true, bob = true }
 }
 
+-- Please note that, in production, you'll want to replace this simple lookup
+-- table with either a table of salted and hashed passwords (using something
+-- smart like scrypt), or replace this table lookup with an external support,
+-- such as consulting your system's pam / shadow system, or an external
+-- database, or an external validating web service. For testing, or for
+-- extremely low-security usage, you may be able, however, to get away with
+-- compromising on hardcoding the passwords in cleartext, as we have done here.
 local users = {
        jason           = "secretpassword",
        laurent         = "s3cr3t",
        bob             = "ilikelua"
 }
 
+-- All cookies will be authenticated based on this secret. Make it something
+-- totally random and impossible to guess. It should be large.
 local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM"
 
 
@@ -45,7 +55,7 @@ function authenticate_post()
 
        redirect_to(redirect)
 
-       -- TODO: Implement time invariant string comparison function to mitigate timing attack.
+       -- Lua hashes strings, so these comparisons are time invariant.
        if password == nil or password ~= post["password"] then
                set_cookie("cgitauth", "")
        else
@@ -122,12 +132,7 @@ function filter_open(...)
        cgit["repo"] = select(9, ...)
        cgit["page"] = select(10, ...)
        cgit["url"] = select(11, ...)
-
-       cgit["login"] = ""
-       for _ in cgit["url"]:gfind("/") do
-               cgit["login"] = cgit["login"] .. "../"
-       end
-       cgit["login"] = cgit["login"] .. "?p=login"
+       cgit["login"] = select(12, ...)
 
 end
 
@@ -161,7 +166,7 @@ function url_encode(str)
                return ""
        end
        str = string.gsub(str, "\n", "\r\n")
-       str = string.gsub(str, "([^%w ])", function (c) return string.format("%%%02X", string.byte(c)) end)
+       str = string.gsub(str, "([^%w ])", function(c) return string.format("%%%02X", string.byte(c)) end)
        str = string.gsub(str, " ", "+")
        return str
 end
@@ -222,7 +227,7 @@ function validate_value(cookie)
                return nil
        end
 
-       -- TODO: implement time invariant comparison to prevent against timing attack.
+       -- Lua hashes strings, so these comparisons are time invariant.
        if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end