Acquire.Client._credentials module

class Credentials(username=None, short_uid=None, device_uid=None, password=None, otpcode=None)[source]

Bases: object

This class holds user credentials that are sent to the service to authenticate users

assert_matching_username(username)[source]

Assert that the passed username matches that stored in these credentials

Parameters:username (str) – Username to compare
Returns:None
device_uid()[source]

Return the decoded device UID

Returns:UID for device
Return type:str
static encode_device_uid(encoded_password, device_uid)[source]

Simple function that takes an existing encoded password, and then additionally encodes this using the device_uid

Parameters:
  • encoded_password (str) – Encoded password
  • device_uid (str) – UID for device
Returns:

Password encoded with device UID

Return type:

str

static encode_password(password, identity_uid, device_uid=None)[source]

Simple function that creates an MD5 hash of the password, salted using the passed identity_uid and (optionally) the device_uid

Parameters:
  • password (str) – Password to hash
  • identity_uid (str) – UID to use as salt
  • device_uid (str, default=None) – Device UID to use as additional salt
Returns:

Hashed and salted password

Return type:

str

static from_data(data, username, short_uid, random_sleep=150)[source]

Unpackage the passed data that has been deserialised from json and return the credentials. You need to pass in the username and short_uid that you expect to see. The random_sleep adds a random sleep to disrupt timing attacks

Parameters:
  • data (str) – Data to create credentials from
  • username (str) – Username for credentials
  • short_uid (str) – Short UID to use
  • random_sleep (int, default=150) – Integer used to generate a random sleep time
Returns:

Credentials object created from data

Return type:

Credentials

is_null()[source]

Return whether or not these credentials are null

Returns:True if null, else False
Return type:bool
otpcode()[source]

Return the decoded one time password code (otpcode)

Returns:OTP code for session
Return type:str
static package(identity_uid, short_uid, username, password, otpcode, device_uid=None)[source]

Package up the passed credentials so that they can be sent to a server for verification. We employ the following steps to make it harder for someone to steal the user’s password:

  1. An MD5 of the password (“password”) is generated, salted with the UID of the identity service (“identity_uid”), and, optionally, the UID of this device (“device_uid”)
  2. A symmetric key is generated from the combined MD5s of the user’s login name (username) and the short UID of this login session (short_uid). This is used to encrypt the MD5-hashed password and the one-time password code (“otpcode”). The username and session UID are not sent to the server, so an attacker must know what these are to extract this information.
  3. Also remember that all communication with a service is encrypted using the service’s public key, and transmission of data should also be over HTTPS.
Parameters:
  • identity_uid (str) – UID of the identity service
  • short_uid (str) – UID of the login session
  • username (str) – Username for this session
  • password (str) – Password for user
  • otpcode (str) – OTP code for session
  • device_uid (str) – UID for device
Returns:

JSON serialisable string

Return type:

str

password()[source]

Return the decoded password

Returns:Decoded password
Return type:str
short_uid()[source]

Return the decoded session short UID

Returns:Short UID of session
Return type:str
to_data(identity_uid)[source]

Package these credentials into a secure package that can be encoded to json and sent to the service. Note that you must supply the UID of the identity service that you will send this package to…

Parameters:identity_uid (str) – UID of identity service
Returns:String containing credential data
Return type:str
static unpackage(data, username, short_uid, random_sleep=150)[source]

Unpackage the credentials data packaged using “package” above, assuming that this data was packaged for the user login name “username” and for the session with short UID “short_uid”.

This will return a dictionary containing:

  • username: Login name of the user
  • short_uid: Short UID of the login session
  • device_uid: UID of the login device (this will be random if it was not set by the user)
  • password: The MD5 of the password, salted using the UID of the identity service, and optionally the device_uid
  • otpcode: The one-time-password code for this login

To make timing-based attacks harder, you can set ‘random_sleep’ to add an additional random sleep of up to ‘random_sleep’ milliseconds onto the end of the unpackage function

Parameters:
  • data (str) – String of data containing credentials
  • username (str) – Username for session
  • short_uid (str) – UID for session
  • random_sleep (int, default=150) – Integer used to generate a random sleep to prevent timing attacks
Returns:

Dictionary containing credentials

Return type:

dict
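
The packaging steps under “package” and the dictionary returned by “unpackage”, as an added sketch that is not Acquire's own code. It shows that the package carries neither username nor short_uid, so unpackaging with the wrong pair is rejected. Assumptions: the salt concatenation order, the JSON layout, and the stand-in cipher (an HMAC-SHA256 keystream plus HMAC tag, so the block needs only the standard library); unlike the documented function, it returns device_uid as None rather than a random value when none was set.

```python
import base64, hashlib, hmac, json, os

def _md5(*parts):
    # Assumption: salt and value are concatenated as UTF-8 text before hashing.
    return hashlib.md5("".join(parts).encode("utf-8")).hexdigest()

def encode_password(password, identity_uid, device_uid=None):
    # Step 1: MD5 of the password salted with identity_uid, then (optionally) device_uid.
    encoded = _md5(identity_uid, password)
    return _md5(device_uid, encoded) if device_uid else encoded

def _keys(username, short_uid):
    # Step 2: combined MD5s of username and short_uid give 32 bytes of key material,
    # split here into separate encryption and MAC subkeys.
    master = bytes.fromhex(_md5(username) + _md5(short_uid))
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Stand-in cipher (stdlib only): HMAC-SHA256 in counter mode, XORed with the data.
    stream = b""
    for i in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def package(identity_uid, short_uid, username, password, otpcode, device_uid=None):
    enc_key, mac_key = _keys(username, short_uid)
    # username and short_uid are deliberately NOT placed in the package.
    plain = json.dumps({"password": encode_password(password, identity_uid, device_uid),
                        "otpcode": otpcode, "device_uid": device_uid}).encode("utf-8")
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, plain)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")

def unpackage(data, username, short_uid):
    raw = base64.b64decode(data)
    body, tag = raw[:-32], raw[-32:]
    enc_key, mac_key = _keys(username, short_uid)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise PermissionError("package was not made for this username/short_uid")
    creds = json.loads(_xor_stream(enc_key, body[:16], body[16:]))
    creds.update(username=username, short_uid=short_uid)
    return creds
```
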

username()[source]

Return the decoded username

Returns:Username held for these credentials
Return type:str