[One Time Passwords and improved login/add/edit/pdf buttons
jupdike@gmail.com**20080122012355
] {
hunk ./Template.hs 19
+import OTP
hunk ./Template.hs 38
---elm "a" ["id"-->name, "href"-->target] [elm "img" ["src"-->"images/search-blank.gif", "alt"-->name] []]
+--elm "a" ["id"-->name, "href"-->target] [elm "img" ["src"-->"/images/search-blank.gif", "alt"-->name] []]
hunk ./Template.hs 46
--- "type"-->"image", "src"-->"images/search-blank.gif", "maxlength"-->"256"]
+-- "type"-->"image", "src"-->"/images/search-blank.gif", "maxlength"-->"256"]
hunk ./Template.hs 66
-makeFlipper name target = elm "a" ["id"-->name, "href"-->target] [elm "img" ["src"-->"images/blank.gif", "alt"-->name] []]
+--makeFlipper name target = elm "a" ["id"-->name, "href"-->target] [elm "img" ["src"-->"/images/blank.gif", "alt"-->name] []]
+--makeFlipper name target = elm "a" ["href"-->target] [txt name]
+makeFlipper name target = elm "a" ["href"-->target] [imgSrcAlt ("/images/"++name++".png") name]
hunk ./Template.hs 70
-loginBtn p = makeFlipper "login" ("index.cgi?action=login&page=" ++ p)
-logoutBtn p = makeFlipper "logout" ("index.cgi?action=logout&page=" ++ p)
-newBtn p = makeFlipper "add" ("index.cgi?action=add&page=" ++ p)
-pdfBtn p = makeFlipper "pdf" ("index.cgi?action=viewpdf&page=" ++ p)
-editBtn p = makeFlipper "edit" ("index.cgi?action=edit&page=" ++ p)
+loginBtn p = makeFlipper "login" ("/index.cgi?action=login&page=" ++ p)
+logoutBtn p = makeFlipper "logout2" ("/index.cgi?action=logout&page=" ++ p)
+newBtn p = makeFlipper "add2" ("/index.cgi?action=add&page=" ++ p)
+pdfBtn p = makeFlipper "pdf" ("/index.cgi?action=viewpdf&page=" ++ p)
+editBtn p = makeFlipper "edit2" ("/index.cgi?action=edit&page=" ++ p)
hunk ./Template.hs 80
+banner = imgSrcAlt "http://www.updike.org/images/updike8org.png" "UPDIKE.ORG"
+
hunk ./Template.hs 83
- [elm "p" ["class"-->"goright"] (intersperse spacePad buttons)]
- where buttons = if loggedin then loggedinBtns p else loggedoutBtns p
+ [elm "p" ["class"-->"goright"] (intersperse spacePad2 buttons)]
+-- where lbuttons = [lbut "pdf", lbut "login", banner]
+ where buttons = (if loggedin then loggedinBtns p else loggedoutBtns p) ++ [banner]
hunk ./Template.hs 89
-fig8 = elm "a" ["href"-->"index.cgi?Fig8"] [imgSrcAlt "images/fig8-small.png" "Hypnotic Figure Eight Klein Bottle Emblem"]
+fig8 = elm "a" ["href"-->"index.cgi?Fig8"] [imgSrcAlt "/images/fig8-small.png" "Hypnotic Figure Eight Klein Bottle Emblem"]
hunk ./Template.hs 92
+spacePad2 = txt "    "
hunk ./Template.hs 96
- -- imgSrcAlt "images/banner.png" "home of Jared Updike on the web
+ -- imgSrcAlt "/images/banner.png" "home of Jared Updike on the web
hunk ./Template.hs 115
-loginform pageName =
+loginform pageName otp =
hunk ./Template.hs 120
- [ [] ,[xsubmit ] ]] ]) -- ++ xhiddens)
+ [ [] ,[xsubmit ] ]] , xhidden])
hunk ./Template.hs 124
- --xhiddens = [hiddeninput "action" "validate",
- -- hiddeninput "page" pageName]
+ xhidden = hiddeninput "otp" otp
hunk ./Template.hs 173
- where validateIconXHTML = imgSrcAlt "images/w3c-valid-xhtml.gif" "Valid XHTML 1.0 Transitional!"
- validateIconCSS = imgSrcAlt "images/w3c-valid-css.gif" "Valid CSS!"
+ where validateIconXHTML = imgSrcAlt "/images/w3c-valid-xhtml.gif" "Valid XHTML 1.0 Transitional!"
+ validateIconCSS = imgSrcAlt "/images/w3c-valid-css.gif" "Valid CSS!"
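Review bot: `loginform pageName otp` gains a second argument and a new hidden field `xhidden = hiddeninput "otp" otp`, but nothing says what `otp` is or who consumes it; a header such as `-- | Login form. @otp@ is the nonce minted for this render; it is echoed back in the hidden "otp" field and the client mixes it into its md5 response.` would make the contract visible. Whether `hiddeninput` attribute-escapes its value is not visible here; if `otpNew` can produce anything beyond alphanumerics, the nonce should be escaped before it lands in the attribute. `loginform`'s body extends beyond the hunk.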
hunk ./Template.hs 248
-getXmlEnv pageName root newPage = do
+getNewOTP :: Bool -> IO String
+getNewOTP needed = do
+ if not needed then return ""
+ else do
+ pw <- otpNew
+ return pw
+
+getXmlEnv pageName root newPage isLogin = do
hunk ./Template.hs 271
+ otp <- getNewOTP isLogin
hunk ./Template.hs 273
- ,("loginform", loginform pageName)
+ ,("loginform", loginform pageName otp)
hunk ./Template.hs 338
- xtagsinput = "input" `with` ["size"-->"65", "name"-->"tagsbox", "type"-->"text",
+ xtagsinput = "input" `with` ["size"-->"65", "id"-->"tagsbox", "name"-->"tagsbox", "type"-->"text",
hunk ./Template.hs 406
+ let isLogin = filename `endsWith` "login.txt"
hunk ./Template.hs 428
- xmlEnv <- getXmlEnv pageName root newPage
+ xmlEnv <- getXmlEnv pageName root newPage isLogin
hunk ./Template.hs 434
- let message = if messagestr /= "" then [ppClass "message" [aa ("index.cgi?"++pageName) "X", txt " ", txt messagestr]] else []
+ let message = if messagestr /= "" then [ppClass "message" [aa ("/articles/"++pageName) "X", txt " ", txt messagestr]] else []
hunk ./blah.hs 1
-{-
-import Time
-
-noTimeDiff = TimeDiff { tdYear = 0, tdMonth = 0, tdDay = 0, tdHour = 0, tdMin = 0, tdSec = 0, tdPicosec = 0 }
-
-dif = noTimeDiff { tdHour = -8 }
-
-adder ct = addToClockTime dif ct
--}
-
-{-
-type Str = String -> String
-
-string s = s ""
-str s = (s++)
-cat a b = a . b
--}
-
-mytemplate = "hello there\n@buttons\nsomething else\n@content\ntest2"
-test = templateReplace mytemplate [ ("@buttons", "but")
- , ("@content", "contentment")
- ]
-
---templateReplace templ [] = templ
---templateReplace templ ((a,b):rest) = templateReplace (replace a b templ) rest
-
-templateReplace templ pairs = unlines . map doReplace . lines $ templ
- where
- doReplace x@('@':rest) = elookup x pairs
- doReplace x = x
- elookup a kv = case lookup a kv of
- Nothing -> ""
- Just b -> b
rmfile ./blah.hs
hunk ./index.hs 16
+import OTP (otpCheck)
hunk ./index.hs 78
+ -- use one time password to prevent replay attacks
+ let otp = dlookup "" "otp" env
+ otpValid <- otpCheck otp
hunk ./index.hs 82
- let valid = password == realPasswd
+ -- note: we expect the client (JavaScript) to scramble the password exactly like this
+ let scrambled = md5 (realPasswd ++ otp)
+ let valid = otpValid && password == scrambled
}
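Review bot: `getNewOTP` wraps `otpNew` as `pw <- otpNew` followed by `return pw`, which is just `otpNew`; the whole definition reduces to `getNewOTP needed = if needed then otpNew else return ""`, which also avoids the `if`/`else` at equal indentation inside `do` that older GHCs reject without DoAndIfThenElse. A Haddock line would help: `-- | Mint a fresh login nonce when the login page is being rendered; any other page gets "" and no nonce is minted.` Because `isLogin` is set from `filename \`endsWith\` "login.txt"` (hunk at Template.hs 406), every render of that page appears to call `otpNew`; whether `otpNew` expires or bounds the nonces it records is not visible in this patch and is worth confirming, since each unauthenticated GET otherwise adds one.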
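Review bot: The replay protection at `let valid = otpValid && password == scrambled` holds only if `otpCheck` marks `otp` as used on its first check, successful or not; nothing in this hunk invalidates the nonce, so a captured `(otp, scrambled)` pair is replayable unless the OTP module does so — worth confirming and recording next to the call, e.g. `-- otpCheck must consume the nonce; a captured otp/scrambled pair is otherwise replayable`. The `""` default from `dlookup "" "otp" env` means a request without an `otp` field reaches `otpCheck ""`; rejecting it up front, `otpValid <- if null otp then return False else otpCheck otp`, keeps that case out of the nonce check entirely. Computing `md5 (realPasswd ++ otp)` on the server requires `realPasswd` in the clear, so wherever it is read from is password-equivalent and needs the same protection the old plaintext comparison already implied. The enclosing handler starts and ends outside the hunk.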