From 2e74425108da1c8913f2400eeebcc6301026a8c1 Mon Sep 17 00:00:00 2001
From: Yax <1949284+kianby@users.noreply.github.com>
Date: Mon, 31 Jan 2022 12:56:18 +0100
Subject: [PATCH] add config for web login
---
 config.ini | 5 +++++
 run.py | 2 ++
 stacosys/conf/config.py | 3 +++
 stacosys/interface/web/admin.py | 10 +++++++---
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/config.ini b/config.ini
index 80f7e56..fda705f 100755
--- a/config.ini
+++ b/config.ini
@@ -34,3 +34,8 @@ ssl = false
 port = 587
 login = blog@mydomain.com
 password = MYPASSWORD
+
+[web]
+username = admin
+; SHA-256 hashed password (https://coding.tools/sha256)
+password = 8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918
diff --git a/run.py b/run.py
index b1b3fa9..03cb94b 100644
--- a/run.py
+++ b/run.py
@@ -108,6 +108,8 @@ def stacosys_server(config_pathname):
 app.config.update(SITE_REDIRECT=conf.get(ConfigParameter.SITE_REDIRECT))
 app.config.update(SITE_URL=conf.get(ConfigParameter.SITE_URL))
 app.config.update(LANG=conf.get(ConfigParameter.LANG))
+ app.config.update(WEB_USERNAME=conf.get(ConfigParameter.WEB_USERNAME))
+ app.config.update(WEB_PASSWORD=conf.get(ConfigParameter.WEB_PASSWORD))
 logger.info(f"start interfaces {api} {form} {admin}")
 # start Flask
diff --git a/stacosys/conf/config.py b/stacosys/conf/config.py
index 9793aca..cb68c0b 100644
--- a/stacosys/conf/config.py
+++ b/stacosys/conf/config.py
@@ -37,6 +37,9 @@ class ConfigParameter(Enum):
 SITE_ADMIN_EMAIL = "site.admin_email"
 SITE_REDIRECT = "site.redirect"
+ WEB_USERNAME = "web.username"
+ WEB_PASSWORD = "web.password"
+
 class Config:
 def __init__(self):
diff --git a/stacosys/interface/web/admin.py b/stacosys/interface/web/admin.py
index 32104e5..c4d7a3c 100644
--- a/stacosys/interface/web/admin.py
+++ b/stacosys/interface/web/admin.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
+import hashlib
 import logging
 from flask import request, redirect, flash, render_template, session
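Review bot: The sample `password = 8C69…A918` value is, as far as I can tell, the SHA-256 of the literal string `admin`, so any deployment that keeps this `[web]` section as shipped has a web admin login of admin/admin. Ship a placeholder that can never match (`password = CHANGE_ME`) and document that the hex digest must be upper-case, because the new `is_login_ok` only upper-cases the computed side before comparing. The comment also sends operators to a third-party website to hash their password, which means typing the real admin password into someone else's server; point at a local command instead, e.g. `; generate with: python3 -c "import hashlib,getpass;print(hashlib.sha256(getpass.getpass().encode()).hexdigest().upper())"`. An unsalted single-round SHA-256 of a password is not a password hash, so this file has to be treated as a secret even with only the digest in it.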
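Review bot: The two new `app.config.update(WEB_USERNAME=…)` / `WEB_PASSWORD=…` lines copy whatever `conf.get` returns without checking that the `[web]` section is actually configured; what `conf.get` returns for a missing key is not visible here, but if it is `None` or an empty string the admin routes still get registered and the only symptom is a login that can never succeed. Fail fast at startup instead, before the interfaces are started: `if not app.config["WEB_USERNAME"] or not app.config["WEB_PASSWORD"]: raise SystemExit("config: [web] username and password must be set")`. `stacosys_server` begins before this hunk and continues after it.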
@@ -10,7 +11,10 @@ from stacosys.interface import app
 logger = logging.getLogger(__name__)
-user = {"username": "admin", "password": "toto"}
+
+def is_login_ok(username, password):
+ hashed = hashlib.sha256(password.encode()).hexdigest().upper()
+ return app.config.get("WEB_USERNAME") == username and app.config.get("WEB_PASSWORD") == hashed
 @app.route('/web/login', methods=['POST', 'GET'])
@@ -18,7 +22,7 @@ def login():
 if request.method == 'POST':
 username = request.form.get('username')
 password = request.form.get('password')
- if username == user['username'] and password == user['password']:
+ if is_login_ok(username, password):
 session['user'] = username
 return redirect('/web/admin')
@@ -36,7 +40,7 @@ def logout():
 @app.route("/web/admin", methods=["GET"])
 def admin_homepage():
- if not ('user' in session and session['user'] == user['username']):
+ if not ('user' in session and session['user'] == app.config.get("WEB_USERNAME")):
 flash("Vous avez été déconnecté.")
 return redirect('/web/login')
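Review bot: `is_login_ok` stores and checks an unsalted, single-round SHA-256 of the password, which is a fast hash with no salt — a leaked `config.ini` digest is reversible for any common password with a rainbow table or a GPU — and both `==` comparisons are not constant-time. Since this is a Flask app, werkzeug is already present: storing `generate_password_hash(pw)` output in the config and checking it with `check_password_hash(stored, password)` gives a salted, iterated, constant-time check for free. If raw SHA-256 has to stay, compare with `hmac.compare_digest` and normalize the case on both sides, because only the computed digest is `.upper()`-ed here, so an operator who pastes the lower-case hex from `sha256sum` can never log in. `password.encode()` also needs a `None` guard: `request.form.get('password')` in the next hunk yields `None` when the field is absent, and `None.encode()` raises `AttributeError`, i.e. a 500 on a malformed POST. Minimal stdlib version (needs `import hmac` at the top of the file):
```python
def is_login_ok(username, password):
    """Return True only when both form values match the configured admin credentials."""
    if username is None or password is None:
        return False
    expected_user = app.config.get("WEB_USERNAME") or ""
    expected_hash = (app.config.get("WEB_PASSWORD") or "").lower()
    hashed = hashlib.sha256(password.encode()).hexdigest()  # hexdigest() is already lower-case
    # compare_digest is constant-time; bytes operands so non-ASCII input is not a TypeError
    user_ok = hmac.compare_digest(username.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(hashed.encode(), expected_hash.encode())
    return user_ok and pass_ok
```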
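Review bot: Nothing in the new `if is_login_ok(username, password):` path limits or records failed attempts, and with a single operator-configured password the `/web/login` form is an unthrottled brute-force target; the failure branch of this `if` (if any) lies outside the hunk, so I can't see whether a bad password is logged at all. At minimum log failures with the peer address so a reverse proxy or fail2ban can act on them, e.g. `logger.warning("failed admin login for %r from %s", username, request.remote_addr)` in an `else:` branch, and consider a small per-address delay. Also call `session.clear()` before `session['user'] = username` so the authenticated session does not inherit whatever state the client presented. `login()` begins before this hunk and continues after it.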
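Review bot: The `'user' in session and session['user'] == app.config.get("WEB_USERNAME")` test is written inline in `admin_homepage`, and every other `/web/…` admin view will need the identical check; any route that forgets it is silently public, which is the usual way such admin panels leak. Move it into a `login_required` decorator (needs `import functools`) applied under `@app.route`, so the check is one reviewable line per view. Independently of this change, the flash text `"Vous avez été déconnecté."` ("you have been logged out") is also shown to a visitor who never logged in, which is misleading. `admin_homepage` continues beyond the end of the hunk.
```python
def login_required(view):
    """Redirect to the login page unless the session holds the configured admin username."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        if 'user' not in session or session['user'] != app.config.get("WEB_USERNAME"):
            flash("Vous avez été déconnecté.")
            return redirect('/web/login')
        return view(*args, **kwargs)
    return wrapper


@app.route("/web/admin", methods=["GET"])
@login_required
def admin_homepage():
    # … unchanged: rest of the view …
```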