import base64
import hashlib
def _salt_for_username(username: str) -> bytes:
    """Return the 32-byte SHA-256 digest of ``username`` (UTF-8), used as the PBKDF2 salt.

    The salt is a pure function of the username: the same username always maps
    to the same bytes, on every instance of this service. Because it is derived
    rather than drawn from a CSPRNG, it is predictable to anyone who knows the
    username, which removes the precomputation resistance a random per-user
    salt gives. Fine for the demo lookup in this module; worth revisiting
    before a production store is wired in.

    Args:
        username: the login name; encoded as UTF-8 before hashing.

    Returns:
        Raw digest bytes (always 32 bytes for SHA-256).
    """
    encoded = username.encode('utf-8')
    hasher = hashlib.sha256()
    hasher.update(encoded)
    return hasher.digest()
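def _derive_password(
    password_plain: str,
    salt: bytes,
    *,
    iterations: int = 100_000,
    dklen: int = 32,
) -> bytes:
    """Derive a fixed-length secret from a plaintext password with PBKDF2-HMAC-SHA256.

    The work factor and output length are keyword-only parameters whose
    defaults reproduce the previous hard-coded values, so existing callers
    get byte-identical output while new callers can raise the cost or change
    the key length without editing this function.

    Args:
        password_plain: the password as entered; encoded as UTF-8 before hashing.
        salt: salt bytes mixed into the derivation (see ``_salt_for_username``).
        iterations: PBKDF2 iteration count; cost grows linearly with it.
        dklen: length in bytes of the derived key.

    Returns:
        ``dklen`` raw bytes; callers base64-encode them for storage/transport.
    """
    return hashlib.pbkdf2_hmac(
        'sha256',
        password_plain.encode('utf-8'),
        salt,
        iterations,
        dklen=dklen,
    )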
def get_user_by_username(username: str):
    """Look up a user record by username (placeholder for the ES query).

    Only the demo user ``admin`` exists; every other username yields ``None``.
    The production implementation is expected to query Elasticsearch with the
    service's mapping and return a record of the same shape.

    Fields of the demo record:
        user_id: 1
        username: 'admin'
        password: base64 of the PBKDF2-derived secret for 'Password123!'
            (the plaintext itself is never stored in or returned from the record)
        premission: 0, meaning admin. The key really is spelled 'premission';
            callers read it under that spelling, so it is kept as-is.
        salt: base64 of the per-user salt, exposed to the client during the
            challenge so both sides derive the same value

    NOTE(review): only 'salt' is meant for the client; 'password' is presumably
    the server-side verifier, so confirm the caller strips it before building
    any response. Because the client derives the same PBKDF2 output, that stored
    value is likely password-equivalent for this scheme and should be handled
    with the same care as a plaintext credential.
    """
    if username != 'admin':
        return None

    def _b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode('ascii')

    salt = _salt_for_username(username)
    # Demo only: the secret is re-derived from a hard-coded password on every
    # call. A real store would hold the derived bytes, never the plaintext.
    secret = _derive_password('Password123!', salt)

    record = {'user_id': 1, 'username': 'admin'}
    record['password'] = _b64(secret)
    record['premission'] = 0
    record['salt'] = _b64(salt)
    return record