

2 Commits

Author SHA1 Message Date
a5aa45759c Use - as hash delimiter instead 2025-11-23 12:12:16 -07:00
c5b161487b Reorder Dockerfile 2025-11-23 11:36:12 -07:00
3 changed files with 11 additions and 8 deletions


@@ -6,13 +6,14 @@ WORKDIR /image_drop
ENV PYTHONDONTWRITEBYTECODE=1 \ ENV PYTHONDONTWRITEBYTECODE=1 \
PYTHONUNBUFFERED=1 PYTHONUNBUFFERED=1
# Copy app code
COPY . /image_drop
# Install Python deps # Install Python deps
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt \ RUN pip install --no-cache-dir -r requirements.txt \
&& pip install --no-cache-dir python-multipart && pip install --no-cache-dir python-multipart
# Copy app code
COPY . /image_drop
# Data dir for SQLite (state.db) # Data dir for SQLite (state.db)
#RUN mkdir -p /data #RUN mkdir -p /data
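Review bot: `COPY . /image_drop` (now placed after the pip layer) still copies the entire build context, so a `.env` holding ADMIN_PASSWORD — the file the settings loader tells users to put the hash in — and a local SQLite `state.db` end up in an image layer unless a `.dockerignore` excludes them; I can't see one in this compare. Consider listing `.env` and `*.db` in `.dockerignore`, or copying only the application package explicitly. The reorder itself is sound: `COPY requirements.txt .` before `RUN pip install` lets the dependency layer be cached across code edits, which deserves a one-line comment such as `# requirements first so the pip layer is cached across code changes`. The hunk begins below `WORKDIR /image_drop`, so the base image and any user setup are outside my view.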


@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16) salt = os.urandom(16)
iterations = 200_000 iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations) dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}" # use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception: except Exception:
return "" return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
if not pw or not stored: if not pw or not stored:
return False return False
try: try:
algo, iter_s, salt_hex, hash_hex = stored.split("$") algo, iter_s, salt_hex, hash_hex = stored.split("-")
if algo != 'pbkdf2_sha256': if algo != 'pbkdf2_sha256':
return False return False
iterations = int(iter_s) iterations = int(iter_s)
@@ -901,7 +902,7 @@ async def api_login(request: Request) -> JSONResponse:
stored_password = SETTINGS.admin_password stored_password = SETTINGS.admin_password
password_ok = False password_ok = False
if stored_password.startswith("pbkdf2_sha256$"): if stored_password.startswith("pbkdf2_sha256-"):
password_ok = _verify_password(stored_password, password) password_ok = _verify_password(stored_password, password)
else: else:
password_ok = (password == stored_password) password_ok = (password == stored_password)
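Review bot: A hash generated before this commit still begins with `pbkdf2_sha256$`, so after the change at L49 it no longer reaches `_verify_password` and falls through to `password_ok = (password == stored_password)` at L52, meaning the stored hash string itself silently becomes the accepted plaintext password; the same fall-through exists at L68 in the settings loader, which would now report such a value as plaintext. Either accept both delimiters or reject anything starting with `pbkdf2_sha256` that fails to parse, e.g. `if stored_password.startswith(("pbkdf2_sha256$", "pbkdf2_sha256-")):` here and `algo, iter_s, salt_hex, hash_hex = stored.replace("$", "-").split("-")` in `_verify_password` (the decimal and hex fields contain neither character, so the split stays unambiguous). If the plaintext branch at L52 is kept, `hmac.compare_digest` is the usual replacement for `==` on secrets. `_verify_password` and `api_login` both start in their hunk headers and continue past the hunks, so I can't see how the recomputed digest is compared against `hash_hex`.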


@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16) salt = os.urandom(16)
iterations = 200_000 iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations) dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}" # use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception: except Exception:
return "" return ""
@@ -46,7 +47,7 @@ def load_settings() -> Settings:
except Exception: except Exception:
pass pass
admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
if not admin_password.startswith("pbkdf2_sha256$"): if not admin_password.startswith("pbkdf2_sha256-"):
print("="*60) print("="*60)
print("WARNING: ADMIN_PASSWORD is in plaintext.") print("WARNING: ADMIN_PASSWORD is in plaintext.")
print("For better security, use the hashed password below in your .env file:") print("For better security, use the hashed password below in your .env file:")
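Review bot: `_hash_password` at L56-63 is a byte-for-byte copy of the function at L30-37 in the other file, which is exactly why the delimiter had to be edited in two places; the iteration count and format string will drift on the next change unless one module imports the function from the other, so I'd keep a single definition with a comment `# canonical stored format: pbkdf2_sha256-<iterations>-<salt_hex>-<dk_hex>` beside it. `load_settings` also falls back to the built-in default `"admin"` at L67 when ADMIN_PASSWORD is unset and only prints a warning; emitting that through the logging module rather than `print`, or refusing to start with the default in a non-development setting, would be the safer shape, though that predates this hunk. The enclosing `load_settings` body and the `try` whose `except Exception: pass` appears at L65 begin above the hunk, so I can't tell what that except swallows.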