From cea2189774837c165aef871de930f6a5d0f4febd Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 14 May 2014 09:05:00 +0200
Subject: [PATCH] Store join password hashed Do not trade security and privacy
for convenience
---
lib/Vroom/I18N/en.pm | 1 -
lib/Vroom/I18N/fr.pm | 1 -
public/vroom.pl | 9 ++++-----
templates/default/invite.email_html.ep | 5 -----
templates/default/invite.email_text.ep | 4 ----
5 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/lib/Vroom/I18N/en.pm b/lib/Vroom/I18N/en.pm
index 27e2aca..9922449 100644
--- a/lib/Vroom/I18N/en.pm
+++ b/lib/Vroom/I18N/en.pm
@@ -18,7 +18,6 @@ our %Lexicon = (
"A_WEBCAM" => "A webcam",
"A_MIC" => "A microphone",
"WHEN_YOU_ARE_READY" => "When you are ready, go to this address to join the conference",
- "YOU_WILL_NEED_THIS_PASSWORD" => "The following password is needed to join the room",
"HAVE_A_NICE_MEETING" => "Have a nice meeting :-)",
"EMAIL_SIGN" => "VROOM! And video conferencing becomes free, simple and safe",
"FEEDBACK" => "Feedback",
diff --git a/lib/Vroom/I18N/fr.pm b/lib/Vroom/I18N/fr.pm
index 9c6a09f..7db9918 100644
--- a/lib/Vroom/I18N/fr.pm
+++ b/lib/Vroom/I18N/fr.pm
@@ -20,7 +20,6 @@ our %Lexicon = (
"A_WEBCAM" => "Une webcam",
"A_MIC" => "Un micro",
"WHEN_YOU_ARE_READY" => "Quand vous êtes prêt, rendez-vous sur cette adresse pour joindre la conférence",
- "YOU_WILL_NEED_THIS_PASSWORD" => "Le mot de passe suivant est nécessaire pour rejoindre le salon",
"HAVE_A_NICE_MEETING" => "Bonne réunion :-)",
"EMAIL_SIGN" => "VROOM! Et la visio conférence devient libre, simple et sûr",
"FEEDBACK" => "Retour d'expérience",
diff --git a/public/vroom.pl b/public/vroom.pl
index e69c3d5..7501f0e 100755
--- a/public/vroom.pl
+++ b/public/vroom.pl
@@ -244,6 +244,7 @@ helper set_join_pass => sub {
my ($room,$pass) = @_;
return undef unless ( %{ $self->get_room($room) });
my $sth = eval { $self->db->prepare("UPDATE rooms SET join_password=? where name=?;") } || return undef;
+ $pass = ($pass) ? Crypt::SaltedHash->new(algorithm => 'SHA-256')->add($pass)->generate : undef;
$sth->execute($pass,$room) || return undef;
if ($pass){
$self->app->log->debug($self->session('name') . " has set a password on room $room");
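Review bot: The hashing expression added on the `$pass = ($pass) ? Crypt::SaltedHash->new(...)->add($pass)->generate : undef;` line is repeated verbatim in the set_owner_pass hunk below; a single private helper such as `sub _hash_pass { my ($plain) = @_; return Crypt::SaltedHash->new(algorithm => 'SHA-256')->add($plain)->generate; }` would keep the algorithm choice in one place for both helpers. Reassigning `$pass` to the digest also means the following `if ($pass)` now tests the hash rather than the input; it is non-empty exactly when the input was truthy, so the logging branch is unchanged, but a comment such as `# $pass now holds the salted digest (or undef when clearing)` would make that intent explicit. Crypt::SaltedHash presumably produces a single-round salted SHA-256 digest rather than an iterated KDF, so short user-chosen join passwords remain cheap to guess offline if the table leaks; worth recording as a known limitation. The set_join_pass helper begins before this hunk (its `$self` is presumably unpacked above the visible lines).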
@@ -261,9 +262,8 @@ helper set_owner_pass => sub {
return undef unless ( %{ $self->get_room($room) });
if ($pass){
my $sth = eval { $self->db->prepare("UPDATE rooms SET owner_password=?,persistent='1' where name=?;") } || return undef;
- my $csh = Crypt::SaltedHash->new(algorithm => 'SHA-256');
- $csh->add($pass);
- $sth->execute($csh->generate,$room) || return undef;
+ my $pass = Crypt::SaltedHash->new(algorithm => 'SHA-256')->add($pass)->generate;
+ $sth->execute($pass,$room) || return undef;
$self->app->log->debug($self->session('name') . " has set an owner password on room $room, which is now persistent");
}
else{
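Review bot: The new `my $pass = Crypt::SaltedHash->new(...)->add($pass)->generate;` declares a second lexical `$pass` that shadows the helper's parameter inside the `if ($pass)` block; it works only because the new lexical is not visible until the end of its own statement, so the right-hand side still reads the outer value. That is easy to misread and to break on a later edit, so a distinct name is safer: `my $hashed = Crypt::SaltedHash->new(algorithm => 'SHA-256')->add($pass)->generate;` followed by `$sth->execute($hashed,$room) || return undef;`. The set_owner_pass helper begins before this hunk and its else branch continues past it.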
@@ -380,7 +380,7 @@ post '/password/(:room)' => sub {
$self->session($room => {role => 'owner'});
$self->redirect_to($self->url_for('/') . $room);
}
- elsif ($pass eq $data->{join_password}){
+ elsif ($data->{join_password} && Crypt::SaltedHash->validate($data->{join_password}, $pass)){
$self->session($room => {role => 'participant'});
$self->redirect_to($self->url_for('/') . $room);
}
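Review bot: Rooms whose join_password was stored in clear before this change will no longer match on the new `elsif` line, because `Crypt::SaltedHash->validate` presumably expects a digest in its own prefixed format and returns false for a plain string; such rooms silently reject every participant instead of failing visibly. Either a migration that rehashes or clears existing join_password rows, or a note in the commit that existing join passwords must be reset, should accompany this change. The route handler starts before this hunk, so where `$pass` and `$data` are read from the request is not visible here.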
@@ -479,7 +479,6 @@ post '/action' => sub {
data => [
template => 'invite',
room => $room,
- joinPassword => $data->{join_password}
],
) ||
return $self->render(
diff --git a/templates/default/invite.email_html.ep b/templates/default/invite.email_html.ep
index f08087e..f140d8f 100644
--- a/templates/default/invite.email_html.ep
+++ b/templates/default/invite.email_html.ep
@@ -26,11 +26,6 @@
-<% if ($joinPassword && $joinPassword ne ''){ %>
-
- <%=l 'YOU_WILL_NEED_THIS_PASSWORD' %>: <%= $joinPassword %>
-
-<% } %>
<%=l 'HAVE_A_NICE_MEETING' %>
diff --git a/templates/default/invite.email_text.ep b/templates/default/invite.email_text.ep
index b513ec4..23f10a5 100644
--- a/templates/default/invite.email_text.ep
+++ b/templates/default/invite.email_text.ep
@@ -12,10 +12,6 @@
<%= $url . $room %>
-<% if ($joinPassword && $joinPassword ne ''){ %>
-<%=l 'YOU_WILL_NEED_THIS_PASSWORD' %>: <%== $joinPassword %>
-<% } %>
-
<%=l 'HAVE_A_NICE_MEETING' %>
--
<%=l 'EMAIL_SIGN' %>