
The server part of a portable, secure, zero-knowledge password manager.


Benjamin-Paul/password-manager-server


Presentation

This repository contains the code for a simple password manager server written in Python.

The server, at its core, is a Flask API, implemented in the app package.

Through API endpoints implemented as Flask routes in the routes module of the app package, it allows for user registration (/register), user login (/login), encrypted password storage (/add), vaulted password retrieval (/get), vaulted password modification (/change) and vaulted password deletion (/delete).

It is designed to work off the shelf with a PostgreSQL database. Since it uses SQLAlchemy, however, only a few changes to the database subpackage should suffice to make it work with other types of databases.

The PostgreSQL database must be created independently. Once a database exists, its connection details must be entered in the database.ini file. You can then run the config.py script to automatically create the required tables in your database. The link between the server and the database is then handled through Flask-SQLAlchemy models defined in the models module of the app package.

The server implements JWT for user authentication. Sessions are maintained for one hour after the token has been issued. See the auth subpackage for details. Tokens are signed and verified with a secret key stored in the project's .env file.

Getting started

Install the project's requirements:

pip install -r requirements.txt

Enter your PostgreSQL database details in the database.ini file. This file should look like this:

[postgresql]
database = postgres
user = johndoe
host = mysuperdatabase.com
password = correct_horse_battery_staple
port = 5432

Run the config.py script to create the tables in the database:

python3 config.py

Rename the .env.example file to .env and add a long, random JWT signing key to it. For optimal security, make sure you create a cryptographically strong key, for example with the built-in Python secrets module. The file should look like this (obviously don't use this key):

JWT_KEY="0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a"

Execute run.py to launch the server:

python3 run.py

About security

This server is designed to be as secure as possible: as such, it never stores users' master passwords in any form. Instead, it uses a zero-knowledge proof algorithm to authenticate clients. The passwords are then stored as encrypted strings that can only be decrypted on the client itself, since the server doesn't know anything about master passwords.

For more, check the corresponding client implementation.
