Now checking password on login against db. Fixing bug in hashing js and changing db schema.

Adrien Anselme · Adrien Anselme · commit 1bb6482a84d5 · 2014-09-25T11:49:11.000+02:00
diff --git a/config/config.exs b/config/config.exs
@@ -16,13 +16,19 @@ config :phoenix, SbSso.Router,
   debug_errors: false,
   error_controller: SbSso.PageController
 
+config :phoenix, :sso,
+  payload_secret: "proutproutprout",
+  redirect_url: "http://localhost:8080/session/sso_login?"
+
 config :phoenix, :code_reloader,
   enabled: false
 
 config :logger, :console,
   format: "$time $metadata[$level] $message\n",
   metadata: [:request_id]
 
+config :bcrypt, [mechanism: :port, pool_size: 4]
+
 # Import environment specific config. Note, this must remain at the bottom of
 # this file to properly merge your previous config entries.
 import_config "#{Mix.env}.exs"
diff --git a/mix.exs b/mix.exs
@@ -13,7 +13,7 @@ defmodule SbSso.Mixfile do
   def application do
     [
       mod: { SbSso, [] },
-      applications: [:phoenix, :cowboy, :logger, :postgrex, :ecto, :erlsha2]
+      applications: [:phoenix, :cowboy, :logger, :postgrex, :ecto, :erlsha2, :bcrypt]
     ]
   end
 
@@ -28,7 +28,8 @@ defmodule SbSso.Mixfile do
       {:cowboy, "~> 1.0.0"},
       {:postgrex, ">= 0.0.0"},
       {:ecto, "~> 0.2.0"},
-      {:erlsha2, github: "vinoski/erlsha2"}
+      {:erlsha2, github: "vinoski/erlsha2"},
+      {:bcrypt, github: "smarkets/erlang-bcrypt"}
     ]
   end
 end
diff --git a/mix.lock b/mix.lock
@@ -1,4 +1,5 @@
-%{"cowboy": {:package, "1.0.0"},
+%{"bcrypt": {:git, "git://github.com/smarkets/erlang-bcrypt.git", "14641089aa8ad8f9c17886c3ecf534868a282431", []},
+  "cowboy": {:package, "1.0.0"},
   "cowlib": {:package, "1.0.0"},
   "decimal": {:package, "0.2.5"},
   "ecto": {:package, "0.2.5"},
diff --git a/priv/repo/migrations/20140921163148_create_users.exs b/priv/repo/migrations/20140921163148_create_users.exs
@@ -2,8 +2,8 @@ defmodule SbSso.Repo.Migrations.CreateUsers do
   use Ecto.Migration
 
   def up do
-    ["CREATE TABLE users(id serial primary key, email varchar(125), first_name varchar(50), last_name varchar(50), passwd_hash bytea, creation_datetime timestamp)",
-    "INSERT INTO users(email, first_name, last_name, creation_datetime) VALUES ('foo@bar.com', 'Foo', 'Bar', current_timestamp)"
+    ["CREATE TABLE users(id serial primary key, email varchar(125) unique not null, first_name varchar(50), last_name varchar(50), username varchar(50), passwd_hash varchar(64) not null, salt varchar(64) not null, creation_datetime timestamp)",
+    "INSERT INTO users(email, first_name, last_name, username, passwd_hash, salt, creation_datetime) VALUES ('foo@bar.com', 'Foo', 'Bar', 'foobar', '$2a$12$B.Ye..0ygflpgXsiQ8SOCOZsAd4GJEU2SDzHgMhLg5hLhLIP2BOc2', '$2a$12$B.Ye..0ygflpgXsiQ8SOCO', current_timestamp)"
     ]
   end
 
diff --git a/priv/static/js/forms.js b/priv/static/js/forms.js
@@ -6,7 +6,7 @@ function formhash(form, password, email) {
   p.type = "hidden"
 
   // Call sjcl HMAC-SHA256 with salt on the password
-  var key = sjcl.codec.utf8String.toBits(email + "springbeats.com");
+  var key = sjcl.codec.utf8String.toBits(email.value + "springbeats.com");
   var out = (new sjcl.misc.hmac(key, sjcl.hash.sha256)).mac(password.value);
   p.value = sjcl.codec.hex.fromBits(out)
 
diff --git a/web/controllers/crypto_helpers.ex b/web/controllers/crypto_helpers.ex
@@ -7,6 +7,17 @@ defmodule SbSso.CryptoHelpers do
 
   def generate_salt(num_bytes) do
     :crypto.bytes_to_integer(:crypto.strong_rand_bytes(num_bytes))
+  |> :erlang.integer_to_list
+  end
+
+  def generate_salt() do
+    {:ok, salt} = :bcrypt.gen_salt(30)
+    salt
+  end
+
+  def hash(password, salt) do
+    {:ok, h} = :bcrypt.hashpw(password, salt)
+    h
   end
 
 end
diff --git a/web/controllers/sso_controller.ex b/web/controllers/sso_controller.ex
@@ -1,54 +1,68 @@
 defmodule SbSso.SsoController do
   use Phoenix.Controller
-  alias SbSso.Router
-  alias SbSso.Repo
   alias SbSso.Queries
-  alias SbSso.Users
-
-  @my_secret "proutproutprout"
-  @discourse_url "http://localhost:8080/session/sso_login?"
+  alias SbSso.CryptoHelpers
 
   def show_login(conn, params) do
     render conn, "login", params: params
   end
 
+  @doc """
+  Given a map of parameters, check password and forward a signed payload
+  to caller url.
+  """
   def do_login(conn, params) do
-    sso = create_sso(params)
+    sso = authenticate(params)
     payload = URI.encode_query(sso)
               |> :base64.encode_to_string
               |> to_string
     sig = payload
-          |> sign(@my_secret)
-          |> String.downcase
+          |> CryptoHelpers.sign(get_secret())
     encoded_payload = URI.encode_www_form(payload)
-    url = @discourse_url <> "sso=" <> encoded_payload <> "&sig=" <> sig
-    IO.inspect(url)
+    url = get_url <> "sso=" <> encoded_payload <> "&sig=" <> sig
     redirect conn, url
   end
 
+  @doc """
+  Verify Payload signature and extract its content
+  """
   def parse(params) do
     sso = params["sso"]
-    sig = String.upcase( params["sig"] )
+    sig = params["sig"]
 
-    if sign(sso, get_secret()) !== sig do
+    if CryptoHelpers.sign(sso, get_secret()) !== sig do
       raise RuntimeError, message: "Bad signature for payload"
     end
 
     decoded = :base64.decode_to_string(sso) |> to_string
-    IO.inspect(decoded)
-    hquery = URI.decode_query(decoded)
+    URI.decode_query(decoded)
   end
 
-  defp create_sso(params) do
-    Map.merge(params, %{"name" => "sam", "external_id" => "hello123", "username" => "samsam"})
-  end
+  """
+  1.Retrieve user from DB
+  2.Hash the (already client-hashed) password in params using salt in DB
+  3.Compare this hash with the one stored in DB
+  """
+  defp authenticate(params) do
+    user = Queries.user_detail_from_email_query(params["email"])
+    expected_hash = user.passwd_hash
+    actual_hash = CryptoHelpers.hash(params["clienthash"], user.salt)
+
+    if actual_hash !== expected_hash do
+      raise RuntimeError, message: "Username/password mismatch"
+    end
 
-  defp sign(payload, sso_secret) do
-    to_string( :hmac.hexlify(:hmac.hmac256(sso_secret, payload)) )
+    # fill in the profile
+    name = user.first_name <> " " <> user.last_name
+    Map.merge(params, %{"name" => name, "external_id" => user.id, "username" => user.username})
   end
 
   defp get_secret do
-    @my_secret
+    Application.get_env(:phoenix, :sso)[:payload_secret]
+  end
+
+  defp get_url do
+    Application.get_env(:phoenix, :sso)[:redirect_url]
   end
 
 end
diff --git a/web/models/queries.ex b/web/models/queries.ex
@@ -17,4 +17,12 @@ defmodule SbSso.Queries do
             select: user
     Repo.all(query) |> List.first
   end
+
+  def user_detail_from_email_query(email) do
+    s_email = to_string(email)
+    query = from user in Users,
+            where: user.email == ^s_email,
+            select: user
+    Repo.all(query) |> List.first
+  end
 end
diff --git a/web/models/users.ex b/web/models/users.ex
@@ -5,7 +5,9 @@ defmodule SbSso.Users do
     field :email, :string
     field :first_name, :string
     field :last_name, :string
-    field :passwd_hash, :binary
+    field :username, :string
+    field :passwd_hash, :string
+    field :salt, :string
     field :creation_datetime, :datetime
   end
 end
diff --git a/web/templates/layout/application.html.eex b/web/templates/layout/application.html.eex
@@ -11,6 +11,8 @@
     <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">
     <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap-theme.min.css">
     <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
+    <script src="/js/sjcl.js"></script>
+    <script src="/js/forms.js"></script>
     <link rel="stylesheet" href="/css/app.css">
     <link rel="stylesheet" href="/css/users.css">
   </head>
diff --git a/web/templates/sso/login.html.eex b/web/templates/sso/login.html.eex
@@ -16,9 +16,16 @@
     </div>
   </div>
 
+  <div class="form-group">
+    <label for="password" class="col-sm-2 control-label">Password</label>
+    <div class="col-sm-10">
+      <input type="password" id="password" placeholder="Password" class="form-control" name="password" required="required">
+    </div>
+  </div>
+
   <div class="form-group">
     <div class="col-sm-offset-2 col-sm-10">
-      <button type="submit" class="btn btn-warning">Login</button>
+      <input type="button" class="btn btn-warning" value="Login" onclick="formhash(this.form, this.form.password, this.form.email);" />
     </div>
   </div>
 

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ defmodule SbSso.Mixfile do`
`13`	`13`	`def application do`
`14`	`14`	`[`
`15`	`15`	`mod: { SbSso, [] },`
`16`		`- applications: [:phoenix, :cowboy, :logger, :postgrex, :ecto, :erlsha2]`
	`16`	`+ applications: [:phoenix, :cowboy, :logger, :postgrex, :ecto, :erlsha2, :bcrypt]`
`17`	`17`	`]`
`18`	`18`	`end`
`19`	`19`
`@@ -28,7 +28,8 @@ defmodule SbSso.Mixfile do`
`28`	`28`	`{:cowboy, "~> 1.0.0"},`
`29`	`29`	`{:postgrex, ">= 0.0.0"},`
`30`	`30`	`{:ecto, "~> 0.2.0"},`
`31`		`- {:erlsha2, github: "vinoski/erlsha2"}`
	`31`	`+ {:erlsha2, github: "vinoski/erlsha2"},`
	`32`	`+ {:bcrypt, github: "smarkets/erlang-bcrypt"}`
`32`	`33`	`]`
`33`	`34`	`end`
`34`	`35`	`end`
Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,8 @@ defmodule SbSso.Repo.Migrations.CreateUsers do`
`2`	`2`	`use Ecto.Migration`
`3`	`3`
`4`	`4`	`def up do`
`5`		`- ["CREATE TABLE users(id serial primary key, email varchar(125), first_name varchar(50), last_name varchar(50), passwd_hash bytea, creation_datetime timestamp)",`
`6`		`- "INSERT INTO users(email, first_name, last_name, creation_datetime) VALUES ('foo@bar.com', 'Foo', 'Bar', current_timestamp)"`
	`5`	`+ ["CREATE TABLE users(id serial primary key, email varchar(125) unique not null, first_name varchar(50), last_name varchar(50), username varchar(50), passwd_hash varchar(64) not null, salt varchar(64) not null, creation_datetime timestamp)",`
	`6`	`+ "INSERT INTO users(email, first_name, last_name, username, passwd_hash, salt, creation_datetime) VALUES ('foo@bar.com', 'Foo', 'Bar', 'foobar', '$2a$12$B.Ye..0ygflpgXsiQ8SOCOZsAd4GJEU2SDzHgMhLg5hLhLIP2BOc2', '$2a$12$B.Ye..0ygflpgXsiQ8SOCO', current_timestamp)"`
`7`	`7`	`]`
`8`	`8`	`end`
`9`	`9`