From 0fc604e7b481f4c3c8dcc9353bab728eaa59b3ee Mon Sep 17 00:00:00 2001
From: azivner <adam.zivner@gmail.com>
Date: Sun, 17 Sep 2017 00:18:03 -0400
Subject: [PATCH] fixed changing password

---
 src/change_password.py  | 38 ++++++++++++++++++++------------------
 src/password_api.py     | 15 ---------------
 static/js/encryption.js | 20 +++++++++++---------
 static/js/settings.js   |  4 ++++
 4 files changed, 35 insertions(+), 42 deletions(-)

diff --git a/src/change_password.py b/src/change_password.py
index 41d0e186f..7291eb779 100644
--- a/src/change_password.py
+++ b/src/change_password.py
@@ -1,15 +1,16 @@
+import hashlib
+
 import src.config_provider
 import src.sql
 import base64
 from Crypto.Cipher import AES
 from Crypto.Util import Counter
-import binascii
 
 import src.my_scrypt
 
 
 def change_password(current_password, new_password):
-    current_password_hash = binascii.hexlify(src.my_scrypt.getVerificationHash(current_password))
+    current_password_hash = base64.b64encode(src.my_scrypt.getVerificationHash(current_password))
 
     if current_password_hash != src.sql.getOption('password_verification_hash'):
         return {
@@ -17,41 +18,42 @@ def change_password(current_password, new_password):
             'message': "Given current password doesn't match hash"
         }
 
-    current_password_encryption_key = src.my_scrypt.getPasswordDerivedKey(current_password)
+    current_password_derived_key = src.my_scrypt.getPasswordDerivedKey(current_password)
 
-    new_password_verification_key = binascii.hexlify(src.my_scrypt.getVerificationHash(new_password))
+    new_password_verification_key = base64.b64encode(src.my_scrypt.getVerificationHash(new_password))
     new_password_encryption_key = src.my_scrypt.getPasswordDerivedKey(new_password)
 
-    encrypted_notes = src.sql.getResults("select note_id, note_title, note_text from notes where encryption = 1")
-
     def decrypt(encrypted_base64):
         encrypted_bytes = base64.b64decode(encrypted_base64)
 
-        aes = get_aes(current_password_encryption_key)
-        return aes.decrypt(encrypted_bytes)
+        aes = get_aes(current_password_derived_key)
+        return aes.decrypt(encrypted_bytes)[4:]
 
     def encrypt(plain_text):
         aes = get_aes(new_password_encryption_key)
-        encryptedBytes = aes.encrypt(plain_text)
 
-        return base64.b64encode(encryptedBytes)
+        digest = hashlib.sha256(plain_text).digest()[:4]
+
+        encrypted_bytes = aes.encrypt(digest + plain_text)
+
+        return base64.b64encode(encrypted_bytes)
 
     def get_aes(key):
         return AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=5))
 
-    for note in encrypted_notes:
-        decrypted_title = decrypt(note['note_title'])
-        decrypted_text = decrypt(note['note_text'])
+    encrypted_data_key = src.sql.getOption('encrypted_data_key')
 
-        re_encrypted_title = encrypt(decrypted_title)
-        re_encrypted_text = encrypt(decrypted_text)
+    decrypted_data_key = decrypt(encrypted_data_key)
 
-        src.sql.execute("update notes set note_title = ?, note_text = ? where note_id = ?",
-                        [re_encrypted_title, re_encrypted_text, note['note_id']])
+    new_encrypted_data_key = encrypt(decrypted_data_key)
+
+    src.sql.setOption('encrypted_data_key', new_encrypted_data_key)
 
     src.sql.setOption('password_verification_hash', new_password_verification_key)
+
     src.sql.commit()
 
     return {
-        'success': True
+        'success': True,
+        'new_encrypted_data_key': new_encrypted_data_key
     }
\ No newline at end of file
diff --git a/src/password_api.py b/src/password_api.py
index 25500287f..143c59534 100644
--- a/src/password_api.py
+++ b/src/password_api.py
@@ -7,21 +7,6 @@ import change_password
 
 password_api = Blueprint('password_api', __name__)
 
-@password_api.route('/password/verify', methods = ['POST'])
-@login_required
-def verifyPassword():
-    req = request.get_json(force=True)
-
-    hashedPassword = sql.getOption('password_verification_hash')
-    hashedPasswordBytes = binascii.unhexlify(hashedPassword)
-    hashedPasswordSha = hashlib.sha256(hashedPasswordBytes).hexdigest()
-
-    isValid = req['password'] == hashedPasswordSha
-
-    return jsonify({
-        'valid': isValid
-    })
-
 @password_api.route('/password/change', methods = ['POST'])
 @login_required
 def changePassword():
diff --git a/static/js/encryption.js b/static/js/encryption.js
index 4c7ed3935..9ec31d30c 100644
--- a/static/js/encryption.js
+++ b/static/js/encryption.js
@@ -1,7 +1,7 @@
 let globalEncryptionCallback = null;
 
 function handleEncryption(requireEncryption, modal, callback) {
-    if (requireEncryption && globalEncryptionKey === null) {
+    if (requireEncryption && globalDataKey === null) {
         globalEncryptionCallback = callback;
 
         if (!modal) {
@@ -24,10 +24,10 @@ function handleEncryption(requireEncryption, modal, callback) {
     }
 }
 
-let globalEncryptionKey = null;
+let globalDataKey = null;
 let globalLastEncryptionOperationDate = null;
 
-function deriveEncryptionKey(password) {
+function getDataKey(password) {
     return computeScrypt(password, globalEncryptionSalt, (key, resolve, reject) => {
         const dataKeyAes = getDataKeyAes(key);
 
@@ -37,7 +37,7 @@ function deriveEncryptionKey(password) {
             reject("Wrong password.");
         }
 
-        return decryptedDataKey;
+        resolve(decryptedDataKey);
     });
 }
 
@@ -76,11 +76,13 @@ $("#encryptionPasswordForm").submit(function() {
     const password = $("#encryptionPassword").val();
     $("#encryptionPassword").val("");
 
-    deriveEncryptionKey(password).then(key => {
+    getDataKey(password).then(key => {
         $("#noteDetailWrapper").show();
         $("#encryptionPasswordDialog").dialog("close");
 
-        globalEncryptionKey = key;
+        globalDataKey = key;
+
+        console.log("got the key", key);
 
         for (const noteId of globalAllNoteIds) {
             const note = getNodeByKey(noteId);
@@ -104,7 +106,7 @@ $("#encryptionPasswordForm").submit(function() {
 });
 
 function resetEncryptionSession() {
-    globalEncryptionKey = null;
+    globalDataKey = null;
 
     if (globalCurrentNote.detail.encryption > 0) {
         loadNote(globalCurrentNote.detail.note_id);
@@ -126,13 +128,13 @@ setInterval(function() {
 }, 5000);
 
 function isEncryptionAvailable() {
-    return globalEncryptionKey !== null;
+    return globalDataKey !== null;
 }
 
 function getDataAes() {
     globalLastEncryptionOperationDate = new Date();
 
-    return new aesjs.ModeOfOperation.ctr(globalEncryptionKey, new aesjs.Counter(5));
+    return new aesjs.ModeOfOperation.ctr(globalDataKey, new aesjs.Counter(5));
 }
 
 function getDataKeyAes(key) {
diff --git a/static/js/settings.js b/static/js/settings.js
index ed3712277..79f6500e2 100644
--- a/static/js/settings.js
+++ b/static/js/settings.js
@@ -43,7 +43,11 @@ $("#changePasswordForm").submit(() => {
                 // encryption password changed so current encryption session is invalid and needs to be cleared
                 resetEncryptionSession();
 
+                globalEncryptedDataKey = result.new_encrypted_data_key;
+
                 alert("Password has been changed.");
+
+                $("#settingsDialog").dialog('close');
             }
             else {
                 alert(result.message);