Development

2026-06-13 10:02:51 -04:00 · 2026-06-13 10:02:51 -04:00 · 450c0081f7
commit 450c0081f7
parent 8a8e947fcf
9 changed files with 59 additions and 28 deletions
--- a/docker/routlin-portal/app/page.py
+++ b/docker/routlin-portal/app/page.py
@ -1,14 +1,29 @@
+import hashlib
+import hmac
 import ipaddress
 import sqlite3
 import time

-import bcrypt
 from flask import Blueprint, request, redirect
 import config_utils

-CREDENTIALS_DB  = f'{config_utils.CONFIGS_DIR}/.client-credentials'
+CREDENTIALS_DB   = f'{config_utils.CONFIGS_DIR}/.client-credentials'
 USER_TYPE_CAPTIVE = 0
-DIGEST_HASH_BCRYPT = 2
+DIGEST_HASH_SCRYPT = 2
+
+
+def _verify_scrypt(plaintext, stored):
+    try:
+        tag, n, r, p, salt_hex, hash_hex = stored.split(':')
+        if tag != 'scrypt':
+            return False
+        salt     = bytes.fromhex(salt_hex)
+        expected = bytes.fromhex(hash_hex)
+        h = hashlib.scrypt(plaintext.encode('utf-8'), salt=salt,
+                           n=int(n), r=int(r), p=int(p), dklen=len(expected))
+        return hmac.compare_digest(h, expected)
+    except Exception:
+        return False

 bp = Blueprint('portal', __name__)

@ -85,11 +100,8 @@ def _verify_credential(username, password, vlan_name):
        return False
    if row['expires_seconds'] > 0 and (row['date_set'] + row['expires_seconds']) < now:
        return False
-    if row['digest_type'] == DIGEST_HASH_BCRYPT:
-        try:
-            return bcrypt.checkpw(password.encode(), row['password'].encode())
-        except Exception:
-            return False
+    if row['digest_type'] == DIGEST_HASH_SCRYPT:
+        return _verify_scrypt(password, row['password'])
    return False