From 2db12f2522761b22c32b3dc9a45d7b2e10fc182b Mon Sep 17 00:00:00 2001
From: piernov
Date: Fri, 6 Oct 2017 00:51:37 +0200
Subject: [PATCH] Store hashed password instead of clear-text in database using passlib with argon2

Old password are hashed and updated in database automatically upon login
---
 jm2l/models.py | 8 +++++++-
 jm2l/views.py  | 4 +++-
 setup.py       | 4 +++-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/jm2l/models.py b/jm2l/models.py
index 930a4f5..b4b3067 100644
--- a/jm2l/models.py
+++ b/jm2l/models.py
@@ -33,6 +33,8 @@ from sqlalchemy.orm import (
 from zope.sqlalchemy import ZopeTransactionExtension
 from jm2l.const import CurrentYear
 
+from passlib.hash import argon2
+
 DBSession = scoped_session(sessionmaker(extension=ZopeTransactionExtension()))
 Base = declarative_base()
 
@@ -247,7 +249,11 @@ class User(Base):
         return MediaPath().get_thumb('users', self.uid)
 
     def verify_password(self, password):
-        return self.password == password
+        if not argon2.identify(self.password): # Update existing clear-text password
+            self.password = argon2.using(rounds=4).hash(self.password)
+            DBSession.merge(self)
+
+        return argon2.verify(password, self.password)
 
 class TiersOpt(Base):
     __tablename__ = 'tiers_opt'
diff --git a/jm2l/views.py b/jm2l/views.py
index b2f6fe0..846f51d 100644
--- a/jm2l/views.py
+++ b/jm2l/views.py
@@ -33,6 +33,8 @@ import shutil
 import glob
 from jm2l.const import CurrentYear
 
+from passlib.hash import argon2
+
 ## =-=- Here, We keep some usefull function -=-=
 def remove_accents(input_str):
     """ This function is intended to remove all accent from input unicode string """
@@ -1155,7 +1157,7 @@ def Modal(request):
         response = render_to_response('jm2l:templates/modals_js.mako',
                                       {'modtype':modtype},
                                       request=request)
-        request.user.password = form.password.data
+        request.user.password = argon2.using(rounds=4).hash(form.password.data)
         DBSession.merge(request.user)
         response.content_type = 'text/javascript'
         return response
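Review bot: The hash cost is hard-coded as `argon2.using(rounds=4)` in two places, here in verify_password and again in the Modal hunk of jm2l/views.py; define it once (e.g. a module-level `PASSWORD_HASHER = argon2.using(rounds=4)` in models.py that views.py imports, or a passlib CryptContext) so the two sites cannot drift and so the cost can be raised later, with `needs_update()` re-hashing weak hashes the same way this hunk already migrates clear-text ones. The migration branch runs before the supplied password is checked, so every login attempt against a not-yet-migrated account, failed or not, rewrites the row; that is tolerable, but `argon2.identify(self.password)` will presumably raise rather than return False when `password` is NULL for an account that never set one, so add `if not self.password: return False` ahead of it. The `# Update existing clear-text password` comment should also say that the stored value is assumed to be clear text only because no argon2 hash is recognised, since any other stored format would be double-hashed by this branch. The enclosing User class continues outside the hunk.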
diff --git a/setup.py b/setup.py
index 5d0df3d..0c3e4f6 100644
--- a/setup.py
+++ b/setup.py
@@ -32,7 +32,9 @@ requires = [
     'pyramid_mailer',
     'apscheduler',
     'qrcode',
-    'reportlab'
+    'reportlab',
+    'passlib',
+    'argon2_cffi'
 ]
 
 setup(name='JM2L',