Updated Chatroom
LoneAce

Hello there!

Just a brief intro: this is an updated version of my previous Python Chatroom post.

Link is here: https://repl.it/talk/share/Python-Public-Chatroom/21474

For public viewers please use the route "public".

Updates:
~> Public chatroom that is more secure (Can't pretend to be a mod)
~> Private chatroom (Only for close friends for now)
~> /read to read messages without having to press enter (But if you want to send a new message, restart the program)
~> /quit to quit and change routes (As in for those allowed into the private chats)
~> /kick to kick everyone from a certain chatroom (For mods only)
~> Client and server separated, and server is a private repl so that it's very secure

A journey of a thousand lines begins with a single line

Comments
Foster_Bryant

Can you please tell me how you are storing it and how the database works? Thanks

LoneAce

@Foster_Bryant Ok so I am storing the messages using the json_store_client module and using its class to save and retrieve it. The key however, is hidden in the server and can be only retrieved if you have the route. The server returns the key using a simple Flask function.

[deleted]

This isn't much of an amazing change from V1 of your chatroom. A bunch of unnecessary bcrypt hashes, the "private rooms" functionality isn't too amazing, and I can't look at the server code to see any exploits / bad code.

LoneAce

@sanjaykdragon Really sorry, I forgot to delete those; it was to keep my classmates from using it early. As for the bad code, I still used the previous chatroom and not yours to avoid plagiarism.

[deleted]

What is the route?

jtapostle

I hate to say it, but all you need is a bcrypt utility and you can get into lone's account.
I suggest using salts in your encryption, to slow down intrusions.

LoneAce

@GabeEE Can you elaborate using python? I'm not really experienced in it

jtapostle

@LoneAce
Just encrypt a hash that's already encrypted.
Sounds complex, but it's really not.

[deleted]

@GabeEE You are completely incorrect. Do you even know what hashing is? Try accessing his account, let me know how it goes.

jtapostle

@sanjaykdragon
Easy, just replace his hash with your own bcrypt hash, and use that instead of his password when you login.

[deleted]

@GabeEE That's not "cracking" the program. And he should be doing server-side authentication for security anyway.

LoneAce

@sanjaykdragon So pardon the intrusion, am I doing it right or wrong? Or would you like me to do the authentication for a mod account in the server? Please elaborate

[deleted]

@LoneAce If you have control of the server side, you should authenticate users on the server side too. Check my chatroom example on my profile (has client and server, with authenticated users).

superwhiskers

@GabeEE You don't even need to have the password, or crack it, or anything. All you need to do is remove the code that checks the password/removes [MOD] and you're good. The "server" itself only returns a jsonstore secret anyway, so all you need to do is take that and you can edit anything you want, even wipe the chat.

superwhiskers

@superwhiskers here. https://chatroom-database.loneace.repl.co/public is the URL to the secret of the public chatroom.

To remedy this, I'd suggest having the server itself proxy messages to a store and require authentication on the server side for moderation actions.
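The design suggested in this comment and in the earlier "authenticate users on the serverside" one, as an added illustration that is not the thread's or LoneAce's code: the server alone holds the store and the mod credential hashes, the client only ever gets a session token, and the [MOD] tag and the /kick action are decided on the server. The password hashing here is PBKDF2 from the standard library (standing in for bcrypt), the in-memory dict stands in for jsonstore, and "kick" is modelled as clearing a room; all three are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: stand-in for bcrypt's work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, server side only."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ChatServer:
    """Everything privileged lives here; a forked client cannot change any of it."""

    def __init__(self, mod_credentials: Dict[str, Tuple[bytes, bytes]]):
        self._mods = mod_credentials                      # name -> (salt, hash)
        self._messages: Dict[str, List[str]] = {"public": []}  # stands in for jsonstore
        self._sessions: Dict[str, str] = {}               # token -> mod username

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password server side and hand back an opaque session token."""
        cred = self._mods.get(username)
        if cred is None:
            return None
        salt, expected = cred
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, expected):   # constant-time compare
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def post(self, room: str, sender: str, text: str, token: Optional[str] = None) -> str:
        """The [MOD] tag is attached only when the token maps to a logged-in mod."""
        mod = self._sessions.get(token) if token else None
        line = f"[MOD] {mod}: {text}" if mod else f"{sender}: {text}"
        self._messages.setdefault(room, []).append(line)
        return line

    def read(self, room: str) -> List[str]:
        return list(self._messages.get(room, []))

    def kick(self, room: str, token: str) -> bool:
        """Moderation action (modelled as clearing the room); refused without a mod session."""
        if token not in self._sessions:
            return False
        self._messages[room] = []
        return True
```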

LoneAce

@superwhiskers I am trying that out. Is there any way I can authenticate through IP addresses though?

LoneAce

@sanjaykdragon Thanks for helping me all this while mate. Do you have an insta account so that I can contact you more easily?

[deleted]

@LoneAce I don't give my instagram out to internet ppl.
Also, you can authenticate by IP address by saving an array of "good" IP addresses and comparing the user who connects against the array; if they are in there, accept their moderation command.

superwhiskers

@LoneAce

  1. Authentication via IP addresses is insecure, as IP addresses can change and don't represent single people.
  2. You can't anyway, as your repl is behind a reverse proxy, and the IP returned from the IP layer would be that of the proxy (but it may be accessible through a header).

LoneAce

@sanjaykdragon Ok then thanks.

LoneAce

@superwhiskers Oh ya... then could you tell me how to do server-side authentication when others can just fork the repl and remove it?

superwhiskers

@LoneAce You should really just open source the server. I highly doubt that there's anything that would be an issue exposing to the public, assuming you secured the appropriate data.

LoneAce

@superwhiskers I don't know whether this works in Python, but if another person runs the code, won't they be able to see the data in the log? Anyway, I am also using the server for other projects, so I made it private for the meantime.

superwhiskers

@LoneAce Assuming you don't log it, no. But I could try and bruteforce the endpoints anyway. Point is, there was zero security in the architecture to begin with; open sourcing it would only save me the time.

LoneAce

@superwhiskers Hm, true. It would take days, but I know it will work.