[GNUnet-SVN] [taler-bank] branch master updated: roll our own mathcaptch
From: |
gnunet |
Subject: |
[GNUnet-SVN] [taler-bank] branch master updated: roll our own mathcaptcha, the old one broke with django2 |
Date: |
Fri, 08 Dec 2017 22:41:33 +0100 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository bank.
The following commit(s) were added to refs/heads/master by this push:
new ca310cf roll our own mathcaptcha, the old one broke with django2
ca310cf is described below
commit ca310cfd3a661f9729d9d773776310a70153769d
Author: Florian Dold <address@hidden>
AuthorDate: Fri Dec 8 22:40:57 2017 +0100
roll our own mathcaptcha, the old one broke with django2
---
setup.py | 1 -
talerbank/app/templates/pin_tan.html | 6 +++++-
talerbank/app/views.py | 36 +++++++++++++++++++++++-------------
3 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/setup.py b/setup.py
index 7a2a0f0..4bfdc5c 100755
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,6 @@ setup(name='talerbank',
license='GPL',
packages=find_packages(),
install_requires=["django>=1.9",
- "django-simple-math-captcha",
"psycopg2",
"requests",
"uWSGI",
diff --git a/talerbank/app/templates/pin_tan.html
b/talerbank/app/templates/pin_tan.html
index 5b07afb..fe8828b 100644
--- a/talerbank/app/templates/pin_tan.html
+++ b/talerbank/app/templates/pin_tan.html
@@ -36,9 +36,13 @@
To prove that you are the account owner, please answer the
following "security question" (*):
</p>
+ <p>
+ What is {{ question }} ?
+ </p>
<form method="post" action="{{ url('pin-verify') }}">
<input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}" />
- {{ form.pin }}
+ <input type="text" name="pin_0" value="" />
+ <input type="hidden" name="pin_1" value="{{ hashed_answer }}" />
<input type="hidden" name="question_url" value="{{ request.get_full_path()
}}" />
<input type="submit" value="Ok" />
</form>
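Review bot: The hand-written `pin_0` input drops the `autocomplete="off"` and `autofocus` attributes that the removed `MathCaptchaWidget` set on the answer field (see the deleted `attrs=dict(...)` in views.py), so browsers may now offer stored values and the cursor no longer lands in the field; restore them with `<input type="text" name="pin_0" value="" autocomplete="off" autofocus />`. The new hidden `pin_1` field carries the server's expected digest through the client, so the verify view ends up comparing two client-supplied strings; that only holds up while the digest cannot be forged without SECRET_KEY, and it should still be tied to a per-session nonce so a captured (question, digest) pair cannot be replayed on a later form. `question` is built only from digits and an operator, so no escaping concern arises for that interpolation.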
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index b222aa6..85070f5 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -41,7 +41,6 @@ from django.http import (JsonResponse, HttpResponse,
from django.shortcuts import render, redirect
from validictory.validator import (RequiredFieldValidationError as RFVE,
FieldValidationError as FVE)
-from simplemathcaptcha.fields import MathCaptchaField, MathCaptchaWidget
from .models import BankAccount, BankTransaction
from .amount import Amount, CurrencyMismatch, BadFormatAmount
from .schemas import (validate_pin_tan_args, check_withdraw_session,
@@ -161,11 +160,22 @@ def profile_page(request):
return response
-class Pin(forms.Form):
- pin = MathCaptchaField(
- widget=MathCaptchaWidget(
- attrs=dict(autocomplete="off", autofocus=True),
- question_tmpl="<div lang=\"en\">What is %(num1)i %(operator)s
%(num2)i ?</div>"))
+def hash_answer(ans):
+ hasher = hashlib.new("sha1")
+ hasher.update(settings.SECRET_KEY.encode("utf-8"))
+ hasher.update(ans.encode("utf-8"))
+ return hasher.hexdigest()
+
+def make_question():
+ num1 = random.randint(1, 10)
+ op = random.choice(("*", "+"))
+ num2 = random.randint(1, 10)
+ if op == "*":
+ answer = str(num1 * num2)
+ else:
+ answer = str(num1 + num2)
+ question = "{} {} {}".format(num1, op, num2)
+ return question, hashed_answer
@require_GET
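Review bot: `make_question` ends with `return question, hashed_answer`, but `hashed_answer` is never assigned inside the function — the computed `answer` is simply dropped — so every call raises NameError; the line should read `return question, hash_answer(answer)`. On the design side, `hash_answer` is a bare SHA-1 of SECRET_KEY followed by the answer with no per-request nonce, so a given answer always maps to the same digest, and the answer space here is at most 100 distinct values (sums 2–20, products 1–100); a client that has observed one (question, digest) pair can replay it on any later form, because nothing ties the digest to the question actually served. If the digest is going to round-trip through the client, mix in a random nonce kept in the session (or store the expected answer server-side) and compute it with `hmac.new(key, msg, hashlib.sha256)` rather than a prefix hash. `random` and `settings` are referenced but not imported in this hunk; presumably they are already imported at the top of views.py, which is not visible here.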
@@ -192,22 +202,22 @@ def pin_tan_question(request):
account_number=user_account.account_no
)
previous_failed = get_session_flag(request, "captcha_failed")
+ question, hashed_answer = make_question()
context = dict(
- form=Pin(auto_id=False),
+ question=question,
+ hashed_answer=hash_answer,
amount=amount.stringify(settings.TALER_DIGITS),
previous_failed=previous_failed,
exchange=request.GET["exchange"])
return render(request, "pin_tan.html", context)
+
@require_POST
@login_required
def pin_tan_verify(request):
- hasher = hashlib.new("sha1")
- hasher.update(settings.SECRET_KEY.encode("utf-8"))
- # pin_0 is the answer given by the user
- hasher.update(request.POST.get("pin_0", "").encode("utf-8"))
- hashed_attempt = hasher.hexdigest()
- if hashed_attempt != request.POST.get("pin_1"):
+ hashed_attempt = hash_answer(request.POST.get("pin_0", ""))
+ hashed_solution = request.POST.get("pin_1", "")
+ if hashed_attempt != hashed_solution:
LOGGER.warning("Wrong CAPTCHA answer: %s vs %s",
type(hashed_attempt),
type(request.POST.get("pin_1")))
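Review bot: The context dict in `pin_tan_question` sets `hashed_answer=hash_answer,` — the function object — instead of the `hashed_answer` string unpacked from `make_question()` two lines above, so the template's hidden `pin_1` field is rendered from the function's repr and `pin_tan_verify` can never match it; change it to `hashed_answer=hashed_answer,`. In `pin_tan_verify`, `hashed_solution` is read straight from the POST body and compared with `!=`, so the server is trusting the client to state the expected digest; that is only sound while the digest is unforgeable without SECRET_KEY and bound to this request. Use `hmac.compare_digest(hashed_attempt, hashed_solution)` for the comparison so the check is constant-time by construction. `pin_tan_verify` continues past the end of this hunk.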