[Libwebsockets] generic-sessions update
Andy Green
andy at warmcat.com
Tue May 31 03:42:24 CEST 2016
Hi -
A big update to the generic-sessions stuff, it's still not quite
complete but almost at "0.1" state now. (You'll need to nuke the old
lws.sqlite3 if you have one due to schema changes).
- user db working, self-registration from the web with email
verification, login / logout as user or admin
- registration and forgot password emails sent using SMTP on localhost
- JS dynamic serverside username and email validation in the
registration form, also password length and both the same checks on client
- restrict to one account per registered email
- removed LWS_WITH_GENERIC_SESSIONS from automatically being applied
with LWS_WITH_LWSWS. You now need to give -DLWS_WITH_GENERIC_SESSIONS
at cmake.
- User registration and login as the registered user, logout is working
- Added a per-vhost confounder that goes in the per-vhost config for
generic-sessions
"confounder": "Change to <=31 chars of junk";
When the password is accepted, a 20-byte random salt is generated,
and an aggregation formed
password-confounder-salt
which is then hashed and stored in the user db along with the salt.
The confounder isn't stored in the db, and if your config dir is
root:root 0700, this makes it harder for a non-root attacker to get the
info he needs to try to reverse the hashed passwords even against a
dictionary.
- Unified login, logout and registration into a single div in the
example html, the main part of that is in
/usr/share/libwebsockets-test-server/generic-sessions/index.html now
(from ./plugins/index.html)
The missing pieces now before it's "complete enough" AFAIK are:
- a change user settings form, which will double as where you go after
completing the "forgot password" flow (it sends you by email a link that
will log you in, and processes it correctly giving you a cookie, but
takes you to a blank page right now).
- an api to expose the logged-in user to other plugins cleanly
-Andy