added more users and anonymous API

reduced time window to 3 seconds
2024-02-14 13:29:57 +08:00
parent 68c41b9b95
commit 852c3e82fc
2 changed files with 73 additions and 18 deletions
--- a/sspoc/server.py
+++ b/sspoc/server.py
@@ -23,7 +23,10 @@ class SessionData:
 app = Flask(__name__)

 users = {
-    "user": "password",
+    "user1": "password",
+    "user2": "password",
+    "user3": "password",
+    "user4  ": "password",
 }

 sessions: Dict[bytes, SessionData] = dict()
@@ -67,8 +70,9 @@ def token_required(f):
            response.status = 401
            response.data = "Token is invalid"
            return response
-        current_tick: int = int(time()) // 10
+        current_tick: int = int(time()) // 3
        valid_tokens = [
+            sha256(session.nonce + (current_tick + 1).to_bytes(8)).digest(),
            sha256(session.nonce + current_tick.to_bytes(8)).digest(),
            sha256(session.nonce + (current_tick - 1).to_bytes(8)).digest()
        ]
@@ -86,20 +90,34 @@ def login():
    response = flask.Response()
    if request.headers.get('Content-Type') != 'application/json':
        response.status = 415
+        response.data = "Wrong request content type"
        return response
    payload = json.loads(request.data)
    user = payload.get('username')
    if not user:
        response.status = 401
+        response.data = "Missing username from request"
        return response
    password = users.get(user)
-    if not password or password != payload.get('password'):
+    if not password:
        response.status = 401
+        response.data = "Wrong username"
        return response
+    suppliedPassword = payload.get('password')
+    if not suppliedPassword:
+        response.status = 401
+        response.data = "Missing password from request"
+        return response
+    elif suppliedPassword != password:
+        response.status = 401
+        response.data = "Wrong password"
+        return response
+
    sr = random.SystemRandom()
    nonce = sr.randbytes(16)
    public_key_header = request.headers.get('public-key', None)
    if not public_key_header:
+        response.data = "Missing public key header"
        response.status = 400
        return response
    pem_key = f'-----BEGIN PUBLIC KEY-----\n{public_key_header}\n-----END PUBLIC KEY-----\n'
@@ -142,11 +160,14 @@ def send_css(path):
    return send_from_directory('static/css', path)


-@app.route('/api/hello')
+@app.route('/api/whoami')
@token_required
-def send_hello(user):
+def whoami(user):
    return f'hello {user}'

+@app.route('/api/hello')
+def hello():
+    return 'hello anonymous'

 def main():
    app.run(host='0.0.0.0', port=1443, ssl_context='adhoc')