improve web app authentication handling

libmproxy/app.py

@@ -12,12 +12,11 @@ from werkzeug.http import parse_range_header
 
 mapp = flask.Flask(__name__)
 mapp.debug = True
-mapp.secret_key = os.urandom(16).encode("hex")
-
+mapp.secret_key = os.urandom(32)
 
 def auth_token():
-    if not mapp.config.get("auth_token", False):
-        mapp.config["auth_token"] = os.urandom(16).encode("hex")
+    if mapp.config["auth_token"] is None:
+        mapp.config["auth_token"] = os.urandom(32).encode("hex")
         print "Auth token:", mapp.config["auth_token"]
     return mapp.config["auth_token"]
 xsrf_token = os.urandom(16).encode("hex")
@@ -39,8 +38,8 @@ def auth():
                     return
     else:
         token = request.args.get("auth", False)
-        if auth_token() == "NO_AUTH":
-            token = "NO_AUTH"
+        if not auth_token():
+            return
         if token:
             if hashlib.sha1(auth_token()).hexdigest() == hashlib.sha1(token).hexdigest():
                 session['auth'] = True

libmproxy/cmdline.py

@@ -225,10 +225,12 @@ def add_common_arguments(parser):
         action="store_true", dest="app_readonly",
         help="Don't allow web clients to modify files on disk (e.g. report scripts)"
     )
+    # None: Generate random auth token. False: Disable Auth. str: Use as auth.
     parser.add_argument(
         "--app-auth",
-        action="store", dest="app_auth", default="NO_AUTH",
-        help="Authentication string for the API."
+        action="store", dest="app_auth", default=None,
+        type=(lambda x: False if str(x).lower() == "no_auth" else x),
+        help='Authentication string for the API. Use "NO_AUTH" to disable authentication.'
     )
 
 

mitmproxy-gui

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 import sys, argparse, signal, webbrowser
-from libmproxy import proxy, dump
+from libmproxy import proxy, dump, app
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(usage = "%(prog)s [options] [filter]")
@@ -17,8 +17,8 @@ if __name__ == '__main__':
     # - Replace default port
     # - force external app
     url = "http://%s:%d/app" % (options.app_domain, 80)
-    if options.app_auth != "NO_AUTH":
-        url += "?auth=%s" % options.app_auth
+    if options.app_auth is not False:
+        url += "?auth=%s" % app.auth_token()
     webbrowser.open(url)
 
     def cleankill(*args, **kwargs):

test/tservers.py

@@ -31,7 +31,7 @@ class TestMaster(flow.FlowMaster):
         flow.FlowMaster.__init__(self, s, state)
         self.testq = testq
         self.clear_log()
-        self.start_app(APP_DOMAIN, APP_IP, "NO_AUTH", False)
+        self.start_app(APP_DOMAIN, APP_IP, False, False)
 
     def handle_request(self, m):
         flow.FlowMaster.handle_request(self, m)