diff --git a/auth.py b/auth.py index bc7725e..0e1df90 100644 --- a/auth.py +++ b/auth.py @@ -25,7 +25,28 @@ def get_session(request): return sessioninfo[0] + (sessionid,) def check_pw(uid, password): - pass + userquery = database.fetch("SELECT uid, password FROM user WHERE username=?", [username]) + + # STOP TIMING ATTACKS + time.sleep(secrets.randbelow(100)/50) + + if len(userquery) == 0: + return render_template("auth/login.html", + response=f"Der Nutzername >{username} oder das Passwort ist falsch.", + username=username) + + uidquery = userquery[0][0] + passquery = userquery[0][1] + + passform = str(request.form['pass']) + passform = passform.encode("utf8") + passcorrect = bcrypt.checkpw(passform, passquery) + + if not passcorrect: + return render_template("auth/login.html", + response=f"Der Nutzername {username} oder das >Passwort ist falsch.", + username=username) + @app.route("/auth/headerbar") def headerbar(): diff --git a/database.py b/database.py index f834a42..43bf972 100644 --- a/database.py +++ b/database.py @@ -9,12 +9,16 @@ def execute(query, data): connection.commit() connection.close() -def fetch(query, data): +def fetch(query, data, many=True): connection = sqlite3.connect("kver.db") cursor = connection.cursor() result = cursor.execute(query, data) - result = result.fetchall() + + if many: + result = result.fetchall() + else: + result = result.fetchone() connection.close()