Web interface and UTF-8 support #2

Closed
wants to merge 50 commits into from

Conversation

lichinka

Hi! I've added a local web interface using CherryPy and reimplemented the pwdhash algorithm to support UTF-8 master passwords exactly as the JavaScript implementation does.

@abbot
Owner

abbot commented Feb 20, 2015

While I admire the effort, I can't merge this.
First, making a web app was never the goal of this project; it was designed to be just a password hashing library.

Second, the whole unicode compatibility thing could be done much more simply, without rewriting crypto code. Something like this would be enough, if you really need it (haven't tested it thoroughly, but pretty sure it would do the trick):

def mangle(s): return "".join(chr(ord(x) & 0xff) for x in s)

def generate(password, uri):
    """
    generate the pwdhash password for master password and uri or
    domain name.
    """
    realm = extract_domain(uri)
    if password.startswith(_password_prefix):
        password = password[len(_password_prefix):]

    password_hash = b64_hmac_md5(mangle(password), realm)
    size = len(password) + len(_password_prefix)
    nonalphanumeric = len(re.findall(r'\W', password)) != 0

    return apply_constraints(password_hash, size, nonalphanumeric)

(as this is not a diff, for clarity: 1 line added, 1 line changed).

I'm not closing this request only to keep a reminder for myself to add this compatibility code later.

@lichinka
Author

Thanks for taking the time to look at the pull request.
It is good to know that the codes have different goals. I will detach the fork then.
Thanks again and be well.

PS: tried your snippet but could not get UTF-8 compatibility after a quick test ... I will take a closer look later though ...

@abbot
Owner

abbot commented Feb 23, 2015

I did some quick testing using a browser. As usual, you need to be careful with string vs. unicode, or it will break.

As a reference point:

Hash generated by https://www.pwdhash.com/ for domain http://www.example.com/ and password "проверка": 0MeobH5tn/

Now, you can call the modified code with either a unicode string (and get the correct result), or a utf-8 encoded non-unicode string (and for obvious reasons get the wrong result):

In [1]: import pwdhash

In [2]: pwdhash.generate(u"проверка", "http://www.example.com/")
Out[2]: '0MeobH5tn/'

In [3]: pwdhash.generate(u"проверка".encode("utf-8"), "http://www.example.com/") 
Out[3]: 'Jhd9+uPrIn3IfGt6TB'

In [4]: pwdhash.generate("проверка", "http://www.example.com/")
Out[4]: 'Jhd9+uPrIn3IfGt6TB'
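The difference between the unicode and byte-string calls above comes down to which bytes key the HMAC. The following is an added Python 3 example, not code from the pull request or from either participant; it assumes `b64_hmac_md5` is HMAC-MD5 keyed by the password with unpadded base64 output, uses `example.com` as a constructed realm, and omits `apply_constraints`, so its hashes are not the final pwdhash strings shown above. `to_text`, `raw_hash` and `compare` are hypothetical helper names.

```python
import base64
import hashlib
import hmac


def mangle(text):
    """Python 3 form of the snippet's mangle(): keep the low byte of each character."""
    return bytes(ord(ch) & 0xFF for ch in text)


def to_text(password, encoding="utf-8"):
    """Decode byte strings (e.g. terminal input) to text before they are mangled."""
    if isinstance(password, bytes):
        return password.decode(encoding)
    return password


def raw_hash(key, realm):
    """Assumed shape of b64_hmac_md5: HMAC-MD5 keyed by the password, unpadded base64."""
    digest = hmac.new(key, realm.encode("ascii"), hashlib.md5).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def compare(password_text, realm, encoding="utf-8"):
    """Hash one master password via the text path, the raw byte path and the decoded path."""
    encoded = password_text.encode(encoding)  # byte string as read from a UTF-8 terminal
    text_key = mangle(password_text)          # one byte per character
    return {
        "text_key": text_key,
        "byte_key": encoded,                  # mangling bytes leaves them unchanged
        "text_hash": raw_hash(text_key, realm),
        "bytes_hash": raw_hash(encoded, realm),
        "decoded_hash": raw_hash(mangle(to_text(encoded, encoding)), realm),
    }


if __name__ == "__main__":
    # Constructed sample input: the password from the thread, a constructed realm.
    for name, value in compare("проверка", "example.com").items():
        print(name, value)
```

The text path keys the HMAC with 8 bytes, the byte-string path with the 16 UTF-8 bytes, so the two hashes differ without any error being raised; decoding the input first restores agreement with the text path.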

@lichinka
Author

I see now ... this is the line that encodes using bytes:

password = getpass.getpass("Password for %s: " % domain)

Indeed, I am getting your exact same output both when testing in the interpreter and when launching the program.

Once you close the pull request, I will detach the fork and use pwdhash as a dependency in my code.
Thanks again.

@abbot
Owner

abbot commented Feb 24, 2015

I created #3 to not forget to fix this, but don't have time to do that just now.

@abbot abbot closed this Feb 24, 2015