X-Git-Url: https://gitweb.ps.run/ps-cgit/blobdiff_plain/b826537cb4aa2358027ffcb1dd6a87274734e962..911d574250d3a2ae97f282fb8f466db2afa1cd64:/filters/simple-authentication.lua diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..cc86b7e 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua @@ -12,17 +12,27 @@ -- -- +-- A list of password protected repositories along with the users who can access them. local protected_repos = { glouglou = { laurent = true, jason = true }, qt = { jason = true, bob = true } } +-- Please note that, in production, you'll want to replace this simple lookup +-- table with either a table of salted and hashed passwords (using something +-- smart like scrypt), or replace this table lookup with an external support, +-- such as consulting your system's pam / shadow system, or an external +-- database, or an external validating web service. For testing, or for +-- extremely low-security usage, you may be able, however, to get away with +-- compromising on hardcoding the passwords in cleartext, as we have done here. local users = { jason = "secretpassword", laurent = "s3cr3t", bob = "ilikelua" } +-- All cookies will be authenticated based on this secret. Make it something +-- totally random and impossible to guess. It should be large. local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM" @@ -45,7 +55,7 @@ function authenticate_post() redirect_to(redirect) - -- TODO: Implement time invariant string comparison function to mitigate timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if password == nil or password ~= post["password"] then set_cookie("cgitauth", "") else @@ -122,12 +132,7 @@ function filter_open(...) cgit["repo"] = select(9, ...) cgit["page"] = select(10, ...) cgit["url"] = select(11, ...) - - cgit["login"] = "" - for _ in cgit["url"]:gfind("/") do - cgit["login"] = cgit["login"] .. "../" - end - cgit["login"] = cgit["login"] .. "?p=login" + cgit["login"] = select(12, ...) end @@ -161,7 +166,7 @@ function url_encode(str) return "" end str = string.gsub(str, "\n", "\r\n") - str = string.gsub(str, "([^%w ])", function (c) return string.format("%%%02X", string.byte(c)) end) + str = string.gsub(str, "([^%w ])", function(c) return string.format("%%%02X", string.byte(c)) end) str = string.gsub(str, " ", "+") return str end @@ -222,7 +227,7 @@ function validate_value(cookie) return nil end - -- TODO: implement time invariant comparison to prevent against timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end