
switch to email/password, hashlib.pbkdf2_hmac

raylu 11 년 전
부모
커밋
690be85748
6개의 변경된 파일31개의 추가작업 그리고 30개의 파일을 삭제
  1. 13 12
      web/db.py
  2. 3 3
      web/schema.sql
  3. 10 10
      web/sysvitals_web.py
  4. 1 1
      web/templates/groups.html
  5. 2 2
      web/templates/login.html
  6. 2 2
      web/templates/register.html

+ 13 - 12
web/db.py

@@ -15,9 +15,10 @@ def hash_pw(password, salt=None):
 	if salt is None:
 		salt = os.urandom(16)
 	h = hmac.new(salt, password.encode('utf-8'), hashlib.sha256)
-	hashed = h.hexdigest()
+	hashed = hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, 100000)
+	hashed_hex = binascii.hexlify(hashed).decode()
 	salt_hex = binascii.hexlify(salt).decode()
-	return hashed, salt_hex
+	return hashed_hex, salt_hex
 
 class MomokoDB:
 	db = momoko.Pool(dsn='dbname=%s user=%s' % (config.database, config.db_user), size=2)
@@ -28,20 +29,20 @@ class MomokoDB:
 		return result
 
 	@tornado.gen.coroutine
-	def create_user(self, username, password):
-		hashed_password, salt = hash_pw(password)
-		sql = 'INSERT INTO users (username, password, salt) VALUES (%s, %s, %s) RETURNING id;'
-		cursor = yield self.execute(sql, username, hashed_password, salt)
+	def create_user(self, email, password):
+		hashed, salt = hash_pw(password)
+		sql = 'INSERT INTO users (email, password, salt) VALUES (%s, %s, %s) RETURNING id;'
+		cursor = yield self.execute(sql, email, hashed, salt)
 		return cursor.fetchone()['id']
 
 	@tornado.gen.coroutine
-	def check_user(self, username, password):
-		sql = 'SELECT id, username, password, salt FROM users WHERE username=%s;'
-		cursor = yield self.execute(sql, username)
+	def check_user(self, email, password):
+		sql = 'SELECT id, email, password, salt FROM users WHERE email=%s;'
+		cursor = yield self.execute(sql, email)
 		user = cursor.fetchone()
 		if not user:
 			return
-		salt = binascii.unhexlify(bytes(user['salt'], 'ascii'))
+		salt = binascii.unhexlify(user['salt'].encode())
 		hashed, _ = hash_pw(password, salt)
 		if hashed == user['password']:
 			return user
@@ -57,8 +58,8 @@ class MomokoDB:
 		return group_id
 
 	@tornado.gen.coroutine
-	def invite_user_group(self, username, group_id):
-		cursor = yield self.execute('SELECT id FROM users WHERE username = %s;', username)
+	def invite_user_group(self, email, group_id):
+		cursor = yield self.execute('SELECT id FROM users WHERE email = %s;', email)
 		user_id = cursor.fetchone()['id']
 		yield self.execute('INSERT INTO user_groups (user_id, group_id) VALUES(%s, %s);', user_id, group_id)
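Review bot: The line `h = hmac.new(salt, password.encode('utf-8'), hashlib.sha256)` in the first hunk is now dead code — `hashed` is derived from `hashlib.pbkdf2_hmac` on the following line and `h` is never read — so it should be removed rather than left beside the new derivation; hash_pw's `def` line sits above the hunk. In the second hunk, `check_user` still compares the freshly derived digest with `==` on the line `if hashed == user['password']:`; since both sides are equal-length hex strings produced by the same function, `if hmac.compare_digest(hashed, user['password']):` gives a constant-time comparison and keeps the `hmac` import in use once the dead line is gone. The iteration count `100000` is a tuning knob that is likely to change; naming it once as a module constant (e.g. `PBKDF2_ITERATIONS = 100000`) would make that adjustment a one-line change.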
 

+ 3 - 3
web/schema.sql

@@ -5,10 +5,10 @@ DROP TABLE IF EXISTS groups;
 
 CREATE TABLE users (
 	id serial PRIMARY KEY,
-	username varchar(32) NOT NULL,
-	password char(64) NOT NULL,
+	email varchar(64) NOT NULL,
+	password char(128) NOT NULL,
 	salt char(32) NOT NULL,
-	UNIQUE (username)
+	UNIQUE (email)
 );
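Review bot: `email varchar(64) NOT NULL` caps addresses at 64 characters, which is shorter than the maximum length a valid address may have (254 characters per RFC 5321), so some legitimate users will be unable to register; `varchar(254)` or an unbounded `varchar`/`text` avoids that. `password char(128)` matches the 64-byte SHA-512 output hex-encoded, but it ties the column to the current digest and iteration count; a comment such as `-- hex of pbkdf2_hmac('sha512', ...) output, see db.hash_pw` would record that dependency for whoever changes either side later.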
 
 CREATE TABLE groups (

+ 10 - 10
web/sysvitals_web.py

@@ -28,12 +28,12 @@ class BaseHandler(tornado.web.RequestHandler):
 		if user_id:
 			return {
 				'id': int(user_id),
-				'username': self.get_secure_cookie('username'),
+				'email': self.get_secure_cookie('email'),
 			}
 
-	def create_session(self, user_id, username):
+	def create_session(self, user_id, email):
 		self.set_secure_cookie('user_id', str(user_id))
-		self.set_secure_cookie('username', username)
+		self.set_secure_cookie('email', email)
 
 	@property
 	def db(self):
@@ -51,10 +51,10 @@ class RegisterHandler(BaseHandler):
 
 	@tornado.gen.coroutine
 	def post(self):
-		username = self.get_argument('username', '')
+		email = self.get_argument('email', '').lower()
 		password = self.get_argument('password', '')
-		user_id = yield self.db.create_user(username, password)
-		self.create_session(user_id, username)
+		user_id = yield self.db.create_user(email, password)
+		self.create_session(user_id, email)
 		self.redirect('/')
 
 class LoginHandler(BaseHandler):
@@ -64,11 +64,11 @@ class LoginHandler(BaseHandler):
 
 	@tornado.gen.coroutine
 	def post(self):
-		username = self.get_argument('username', '')
+		email = self.get_argument('email', '')
 		password = self.get_argument('password', '')
-		user = yield self.db.check_user(username, password)
+		user = yield self.db.check_user(email, password)
 		if user:
-			self.create_session(user['id'], user['username'])
+			self.create_session(user['id'], user['email'])
 			self.redirect('/')
 		else:
 			self.render('login.html')
@@ -117,7 +117,7 @@ class GroupInviteHandler(BaseHandler):
 	@tornado.gen.coroutine
 	def post(self):
 		group_id = int(self.get_body_argument('group'))
-		yield self.db.invite_user_group(self.get_body_argument('username'), group_id)
+		yield self.db.invite_user_group(self.get_body_argument('email'), group_id)
 		self.redirect('/')
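Review bot: `RegisterHandler.post` lowercases the address (`email = self.get_argument('email', '').lower()`) but `LoginHandler.post` stores it as typed (`email = self.get_argument('email', '')`), so a user who registers with any uppercase letters is written to the database in lowercase and then never matched by `check_user`'s `WHERE email=%s` lookup at sign-in. The same normalization is needed in `LoginHandler.post` and in `GroupInviteHandler.post`, i.e. `email = self.get_argument('email', '').lower()` and `yield self.db.invite_user_group(self.get_body_argument('email').lower(), group_id)`. Doing the normalization in one place — inside `db.create_user`/`check_user`/`invite_user_group`, or a small `BaseHandler` helper — would keep the three callers from drifting again.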
 
 class CSSHandler(tornado.web.RequestHandler):

+ 1 - 1
web/templates/groups.html

@@ -14,7 +14,7 @@
 	<br>
 	<form method="post" action="/groups/invite">
 		invite a user:
-		<input type="text" name="username" placeholder="username">
+		<input type="text" name="email" placeholder="email">
 		<select name="group">
 			{% for group in groups %}
 				<option value="{{ group['id'] }}">{{ group['name'] }}</option>

+ 2 - 2
web/templates/login.html

@@ -8,8 +8,8 @@
 
 <h1>sign in</h1>
 <form action="" method="post">
-	<label for="username">username</label>
-	<input type="text" name="username" id="username">
+	<label for="email">email</label>
+	<input type="text" name="email" id="email">
 	<label for="password">password</label>
 	<input type="password" name="password" id="password">
 	<input type="submit" class="button" name="signin" value="sign in">
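Review bot: The new field is declared as `<input type="text" name="email" id="email">` although it now holds an e-mail address; `<input type="email" name="email" id="email" autocomplete="email">` gives browsers basic client-side format checking and correct autofill, and the same applies to the matching input in register.html (where `autocomplete="username"` is also appropriate since the address is the login identifier) and to the invite field in groups.html. Server-side validation is still required; this is only a usability improvement on top of it.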

+ 2 - 2
web/templates/register.html

@@ -8,8 +8,8 @@
 
 <h1>sign up</h1>
 <form action="" method="post">
-	<label for="username">username</label>
-	<input type="text" name="username" id="username">
+	<label for="email">email</label>
+	<input type="text" name="email" id="email">
 	<label for="password">password</label>
 	<input type="password" name="password" id="password">
 	<input type="submit" class="button" name="signup" value="sign up">