
[GNUnet-SVN] [taler-bank] branch master updated: roll our own mathcaptcha, the old one broke with django2


From: gnunet
Subject: [GNUnet-SVN] [taler-bank] branch master updated: roll our own mathcaptcha, the old one broke with django2
Date: Fri, 08 Dec 2017 22:41:33 +0100

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository bank.

The following commit(s) were added to refs/heads/master by this push:
     new ca310cf  roll our own mathcaptcha, the old one broke with django2
ca310cf is described below

commit ca310cfd3a661f9729d9d773776310a70153769d
Author: Florian Dold <address@hidden>
AuthorDate: Fri Dec 8 22:40:57 2017 +0100

    roll our own mathcaptcha, the old one broke with django2
---
 setup.py                             |  1 -
 talerbank/app/templates/pin_tan.html |  6 +++++-
 talerbank/app/views.py               | 36 +++++++++++++++++++++++-------------
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/setup.py b/setup.py
index 7a2a0f0..4bfdc5c 100755
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,6 @@ setup(name='talerbank',
       license='GPL',
       packages=find_packages(),
       install_requires=["django>=1.9",
-                        "django-simple-math-captcha",
                         "psycopg2",
                         "requests",
                         "uWSGI",
diff --git a/talerbank/app/templates/pin_tan.html 
b/talerbank/app/templates/pin_tan.html
index 5b07afb..fe8828b 100644
--- a/talerbank/app/templates/pin_tan.html
+++ b/talerbank/app/templates/pin_tan.html
@@ -36,9 +36,13 @@
     To prove that you are the account owner, please answer the
     following &quot;security question&quot; (*):
   </p>
+  <p>
+    What is {{ question }} ?
+  </p>
   <form method="post" action="{{ url('pin-verify') }}">
     <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}" />
-    {{ form.pin }}
+    <input type="text" name="pin_0" value="" />
+    <input type="hidden" name="pin_1" value="{{ hashed_answer }}" />
     <input type="hidden" name="question_url" value="{{ request.get_full_path() 
}}" />
     <input type="submit" value="Ok" />
   </form>
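Review bot: The hand-written `pin_0` input drops the `autocomplete="off"` and `autofocus` attributes that the removed `MathCaptchaWidget` set (visible in the views.py hunk of this same commit), so browsers may now offer previously typed answers and focus is no longer placed on the field; `<input type="text" name="pin_0" value="" autocomplete="off" autofocus />` restores both. The hidden `pin_1` field hands the server's expected digest to the client, which is only acceptable as long as that digest stays keyed with a server-side secret and the client cannot compute it for an arbitrary answer. A short template comment making that dependency explicit, `{# pin_1 is a keyed digest of the answer; the server recomputes it from pin_0 #}`, would keep a later edit from turning it into a plain hash.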
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index b222aa6..85070f5 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -41,7 +41,6 @@ from django.http import (JsonResponse, HttpResponse,
 from django.shortcuts import render, redirect
 from validictory.validator import (RequiredFieldValidationError as RFVE,
                                    FieldValidationError as FVE)
-from simplemathcaptcha.fields import MathCaptchaField, MathCaptchaWidget
 from .models import BankAccount, BankTransaction
 from .amount import Amount, CurrencyMismatch, BadFormatAmount
 from .schemas import (validate_pin_tan_args, check_withdraw_session,
@@ -161,11 +160,22 @@ def profile_page(request):
     return response
 
 
-class Pin(forms.Form):
-    pin = MathCaptchaField(
-        widget=MathCaptchaWidget(
-            attrs=dict(autocomplete="off", autofocus=True),
-            question_tmpl="<div lang=\"en\">What is %(num1)i %(operator)s 
%(num2)i ?</div>"))
+def hash_answer(ans):
+    hasher = hashlib.new("sha1")
+    hasher.update(settings.SECRET_KEY.encode("utf-8"))
+    hasher.update(ans.encode("utf-8"))
+    return hasher.hexdigest()
+
+def make_question():
+    num1 = random.randint(1, 10)
+    op = random.choice(("*", "+"))
+    num2 = random.randint(1, 10)
+    if op == "*":
+        answer = str(num1 * num2)
+    else:
+        answer = str(num1 + num2)
+    question = "{} {} {}".format(num1, op, num2)
+    return question, hashed_answer
 
 
 @require_GET
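Review bot: `make_question` returns an undefined name on its last added line — `hashed_answer` is never assigned in the function (only `answer` is), so every call raises NameError; the return should be `return question, hash_answer(answer)`. `hash_answer` builds `SHA1(SECRET_KEY || ans)`, which is a keyed prefix construction rather than a proper MAC and uses a deprecated hash; `hmac.new(settings.SECRET_KEY.encode("utf-8"), ans.encode("utf-8"), hashlib.sha256).hexdigest()` is the standard replacement and changes nothing else in the flow. Note also that `make_question` uses `random`, but this commit adds no `import random`; if views.py does not already import it, that is a second NameError — confirm against the file's import block. A one-line docstring on each helper, e.g. `"""Keyed digest of a CAPTCHA answer; the client echoes it back as pin_1."""`, would make the trust boundary explicit for the next reader.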
@@ -192,22 +202,22 @@ def pin_tan_question(request):
         account_number=user_account.account_no
     )
     previous_failed = get_session_flag(request, "captcha_failed")
+    question, hashed_answer = make_question()
     context = dict(
-        form=Pin(auto_id=False),
+        question=question,
+        hashed_answer=hash_answer,
         amount=amount.stringify(settings.TALER_DIGITS),
         previous_failed=previous_failed,
         exchange=request.GET["exchange"])
     return render(request, "pin_tan.html", context)
 
+
 @require_POST
 @login_required
 def pin_tan_verify(request):
-    hasher = hashlib.new("sha1")
-    hasher.update(settings.SECRET_KEY.encode("utf-8"))
-    # pin_0 is the answer given by the user
-    hasher.update(request.POST.get("pin_0", "").encode("utf-8"))
-    hashed_attempt = hasher.hexdigest()
-    if hashed_attempt != request.POST.get("pin_1"):
+    hashed_attempt = hash_answer(request.POST.get("pin_0", ""))
+    hashed_solution = request.POST.get("pin_1", "")
+    if hashed_attempt != hashed_solution:
         LOGGER.warning("Wrong CAPTCHA answer: %s vs %s",
                        type(hashed_attempt),
                        type(request.POST.get("pin_1")))
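Review bot: The template context binds `hashed_answer=hash_answer` — the function object, not the `hashed_answer` string unpacked from `make_question()` two lines earlier — so the hidden `pin_1` field renders the function's repr and `pin_tan_verify` can never match it; the line should read `hashed_answer=hashed_answer,`. Separately, verification compares a keyed hash of the user's answer against a value the client itself supplies, with nothing binding that value to the session or a time window, so a single (answer, digest) pair obtained once can be replayed on every later request and the CAPTCHA no longer limits automation; mixing a per-request nonce kept in the session into the digest, or storing the expected digest server-side instead of in the form, would close that. The comparison in the `if` should also use `hmac.compare_digest(hashed_attempt, hashed_solution)` rather than `!=`. `pin_tan_question` begins before this hunk and `pin_tan_verify` continues after it.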



