Project Description

JavaScript challenge-handshake authentication Django app.

travis-ci.org/jedie/django-secure-js-login
coveralls.io/r/jedie/django-secure-js-login

First: Secure-JS-Login is not a simple “send username + PBKDF2-SHA(password)” scheme. It is a challenge-handshake authentication protocol!

TODO:

  • fix “next_url” and all links in example project

The procedure:

Save a new user password:

client browser / JavaScript part:

  1. User enters a password
  2. init_pbkdf2_salt = SHA1(random data)
  3. pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
  4. Client sends init_pbkdf2_salt and pbkdf2_hash to the server

Server part:

  1. Server splits pbkdf2_hash into first_pbkdf2_part and second_pbkdf2_part
  2. encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)
  3. Save only encrypted_part and the init_pbkdf2_salt given by the client

Login - client browser / JavaScript part:

  1. User requests login
  2. Server sends the HTML login form with a random server_challenge value
  3. User enters username and password
  4. Ajax request fetches init_pbkdf2_salt from the server for the given username
  5. Generate the auth data:
    1. pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)
    2. split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part
    3. cnonce = SHA1(random data)
    4. pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
  6. Send pbkdf2_hash, second_pbkdf2_part and cnonce to the server

validation on the server

  1. Client POSTs data: pbkdf2_hash, second_pbkdf2_part and cnonce
  2. Get the server_challenge value sent earlier from the session
  3. Get encrypted_part and init_pbkdf2_salt from the database via the given username
  4. first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)
  5. test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
  6. Compare test_hash with the transmitted pbkdf2_hash
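The whole procedure (password storage, client auth data, server validation), as an added Python simulation of the protocol described above; this is not the project's own code, and the PBKDF2 iteration count, the SHA1-based PBKDF2 output length and splitting the hash into two halves are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumption: the real project picks its own iteration count

def pbkdf2(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA1 as a hex string, standing in for the JS pbkdf2()."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), ITERATIONS).hex()

def sha1_random() -> str:
    """SHA1(random data): used for init_pbkdf2_salt, cnonce and server_challenge."""
    return hashlib.sha1(os.urandom(32)).hexdigest()

def xor_crypt(data_hex: str, key_hex: str) -> str:
    """Byte-wise XOR of two equal-length hex strings; encrypt and decrypt are the same."""
    data, key = bytes.fromhex(data_hex), bytes.fromhex(key_hex)
    return bytes(a ^ b for a, b in zip(data, key)).hex()

def split(h: str):
    """Split a hash into first_pbkdf2_part and second_pbkdf2_part (assumption: halves)."""
    return h[: len(h) // 2], h[len(h) // 2 :]

# --- Save a new user password ---
def client_register(password: str):
    """Client: fresh init_pbkdf2_salt plus pbkdf2_hash, both sent to the server."""
    salt = sha1_random()
    return salt, pbkdf2(password, salt)

def server_store(salt: str, pbkdf2_hash: str) -> dict:
    """Server: store only the salt and the first part XOR-encrypted under the second."""
    first, second = split(pbkdf2_hash)
    return {"salt": salt, "encrypted_part": xor_crypt(first, second)}

# --- Login ---
def client_login(password: str, salt: str, server_challenge: str):
    """Client: recompute both parts, pick a cnonce, bind first part to cnonce + challenge."""
    first, second = split(pbkdf2(password, salt))
    cnonce = sha1_random()
    return pbkdf2(first, cnonce + server_challenge), second, cnonce

def server_validate(record, server_challenge, pbkdf2_hash, second, cnonce) -> bool:
    """Server: recover the first part, recompute test_hash, compare in constant time."""
    if len(second) != len(record["encrypted_part"]):
        return False  # malformed second_pbkdf2_part; zip() would silently truncate
    first = xor_crypt(record["encrypted_part"], second)
    return hmac.compare_digest(pbkdf2(first, cnonce + server_challenge), pbkdf2_hash)
```

The stored record holds neither the password nor the full pbkdf2_hash, and a captured login response is bound to one server_challenge, which the test below checks.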

secure?

Secure-JS-Login is not really secure in comparison to HTTPS! E.g. the client cannot verify whether it is really communicating with the server or with a man-in-the-middle attacker.

However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data stored on the server cannot be used on its own.

If you have HTTPS, you can combine it with Secure-JS-Login, similar to combining digest auth with HTTPS.

More information: Warum Secure-JS-Login Sinn macht… (German only, sorry)

why?

Many, if not all, CMS/wiki/forum systems use insecure login: user name and password are sent in plain text over the Internet. Only HTTPS offers a reliable solution.

The problem: no provider offers a secured HTTP connection for little money :(

alternative solutions

  • Digest access authentication (a Django implementation exists: django-digest):
    • pro
      • Browsers implement it, so no additional JavaScript is needed
    • cons
      • The password hash must be saved on the server without any salt! The hash can be used for login, because: hash = MD5(username:realm:password)
      • Uses the old MD5 hash

tryout

e.g.:

~ $ virtualenv secure-js-login-env
~ $ cd secure-js-login-env
~/secure-js-login-env $ source bin/activate

# install secure-js-login as "editable" to have access to the example project server and the unittests:

(secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login

Run the example project server:

(secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh

Run the unittests:

(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

To run the live-server tests, install selenium, e.g.:

(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

Version compatibility

secure-js-login   Django       Python
>=v0.1.0          v1.7, v1.8   v2.7, v3.4

(These are the variants the unittests run against. Other versions may be compatible, too.)

changelog

Used JavaScript Implementations

contact

Join the conversation, besides the GitHub communication features:

IRC #pylucid on freenode.net (Yes, the PyLucid channel…)
webchat https://webchat.freenode.net/?channels=pylucid
Release History

  • 0.3a0
  • 0.2.0 (this version)
  • 0.1.0

Download Files

File Name                                          Size     File Type   Version   Upload Date
django_secure_js_login-0.2.0-py2.py3-none-any.whl  72.6 kB  Wheel       3.4       May 9, 2015
django-secure-js-login-0.2.0.tar.gz                43.2 kB  Source                May 9, 2015
