Merge pull request #53 from Oloty/master

PBKDF2 => scrypt; fixed postbit bug

flaskbb/forum/views.py

@@ -188,7 +188,7 @@ def lock_topic(topic_id, slug=None):
     # TODO: Bulk lock
 
     if not can_moderate(user=current_user, forum=topic.forum):
-        flash("Yo do not have the permissions to lock this topic", "danger")
+        flash("You do not have the permissions to lock this topic", "danger")
         return redirect(topic.url)
 
     topic.locked = True

flaskbb/templates/forum/topic.html

@@ -149,7 +149,7 @@
                     <a href="{{ url_for('user.new_message') }}?to_user={{ post.user.username }}">PM</a>
                     {% endif %}
                     {% if post.user.website %}
-                    | <a href="{{post.user.website}}">Website</a>
+                    {% if current_user.is_authenticated() %}| {% endif %}<a href="{{post.user.website}}">Website</a>
                     {% endif %}
                 </span>
 

flaskbb/user/models.py

@@ -13,7 +13,7 @@ from datetime import datetime
 
 from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
 from itsdangerous import SignatureExpired
-from werkzeug import generate_password_hash, check_password_hash
+from flask.ext.scrypt import generate_random_salt, generate_password_hash, check_password_hash
 from flask import current_app, url_for
 from flask.ext.login import UserMixin, AnonymousUserMixin
 from flaskbb.extensions import db, cache
@@ -80,7 +80,8 @@ class User(db.Model, UserMixin):
     id = db.Column(db.Integer, primary_key=True)
     username = db.Column(db.String(200), unique=True, nullable=False)
     email = db.Column(db.String(200), unique=True, nullable=False)
-    _password = db.Column('password', db.String(120), nullable=False)
+    _password = db.Column('password', db.String(88), nullable=False)
+    salt = db.Column(db.String(172), nullable=False)
     date_joined = db.Column(db.DateTime, default=datetime.utcnow())
     lastseen = db.Column(db.DateTime, default=datetime.utcnow())
     birthday = db.Column(db.DateTime)
@@ -166,15 +167,21 @@ class User(db.Model, UserMixin):
         """
         return "<{} {}>".format(self.__class__.__name__, self.username)
 
+    def _get_salt(self):
+        return self.salt
+
+    def _set_salt(self):
+        self.salt = generate_random_salt(128) #128-bit salt
+
     def _get_password(self):
         """Returns the hashed password"""
         return self._password
 
     def _set_password(self, password):
         """Generates a password hash for the provided password"""
-        self._password = generate_password_hash(password)
+        self._set_salt()
+        self._password = generate_password_hash(password, self._get_salt())
 
-    # Hide password encryption by exposing password field only.
     password = db.synonym('_password',
                           descriptor=property(_get_password,
                                               _set_password))
@@ -184,7 +191,7 @@ class User(db.Model, UserMixin):
 
         if self.password is None:
             return False
-        return check_password_hash(self.password, password)
+        return check_password_hash(password, self.password, self._get_salt())
 
     @classmethod
     def authenticate(cls, login, password):

requirements.txt

@@ -8,6 +8,7 @@ Flask-Migrate==1.2.0
 Flask-Plugins==1.4
 Flask-SQLAlchemy==1.0
 Flask-Script==2.0.5
+Flask-Scrypt==0.1.3.6
 Flask-Themes2==0.1.3
 Flask-WTF==0.9.5
 Jinja2==2.7.2