init commit

.env

@@ -0,0 +1,3 @@
+HOST=localhost
+PORT=5000
+DEBUG=true

Dockerfile

@@ -0,0 +1,21 @@
+FROM python:3.9-slim
+
+USER root
+
+WORKDIR /app
+
+COPY requirements.txt /app/
+RUN pip install -r requirements.txt
+
+COPY app.py /app/
+COPY assets /app/assets
+COPY instance /app/instance
+
+RUN chmod -R 777 /app/instance
+
+
+RUN pip install Flask
+
+EXPOSE 5000
+
+CMD ["python", "app.py"]

README.md

@@ -1,11 +1,9 @@
 ---
 title: AuthSystem
-emoji: 📚
-colorFrom: indigo
-colorTo: gray
+emoji: 🔐
+colorFrom: red
+colorTo: yellow
 sdk: docker
+app_port: 5000
 pinned: false
-license: apache-2.0
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+---

app.py

@@ -0,0 +1,334 @@
+import logging
+import os
+import re
+from datetime import datetime, timedelta
+
+from argon2 import PasswordHasher
+from dotenv import load_dotenv
+from flask import Flask, request, jsonify, render_template
+from flask_sqlalchemy import SQLAlchemy
+from sqlalchemy.exc import IntegrityError
+
+# load environment vars from .env
+load_dotenv(".env")
+
+logger = logging.getLogger(__name__)
+
+app = Flask(__name__, template_folder="assets", static_folder="assets")
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///users.db"
+db = SQLAlchemy(app)
+hasher = PasswordHasher()
+
+HOST = os.environ.get("HOST", "0.0.0.0")
+PORT = int(os.environ.get("PORT", 5000))
+DEBUG = True if str(os.environ.get("DEBUG", "true")).lower() == "true" else False
+MAX_LOGIN_ATTEMPTS = 10
+LOCKOUT_DURATION = timedelta(seconds=60)
+
+COMMON_SWEAR_WORDS = [
+    "fuck", "shit", "bitch", "asshole", "bastard", "cunt", "dick", "cock", "pussy",
+    "motherfucker", "wanker", "twat", "bollocks", "arsehole", "crap", "damn", "bugger",
+    "bloody", "sod", "git", "idiot", "moron", "prick", "slut", "whore", "nigger", "retard"
+]
+CHARACTER_SUBSTITUTIONS = {
+    "0": "o",
+    "1": "i",
+    "3": "e",
+    "4": "a",
+    "5": "s",
+    "6": "g",
+    "7": "t",
+    "8": "b",
+    "9": "g",
+    "@": "a",
+    "$": "s",
+    "!": "i"
+}
+
+
+def load_passwords_from_file(file_path: str) -> set:
+    """Loads passwords from a file specified"""
+    try:
+        with open(file_path, 'r') as file:
+            passwords = set(file.read().splitlines())
+        return passwords
+
+    except Exception as e:
+        logger.exception(f"Error occurred while retrieving passwords. {str(e)}")
+        return set()
+
+
+WEAK_PASSWORDS = load_passwords_from_file('assets/weakpasswords.txt')
+BREACHED_PASSWORDS = load_passwords_from_file('assets/breachedpasswords.txt')
+BREACHED_PASSWORDS_LOWER = [p.lower() for p in BREACHED_PASSWORDS]
+
+
+# create a sqlite model for
+# storing user data
+class User(db.Model):
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(80), unique=True, nullable=False)
+    hashed_password = db.Column(db.String(256), nullable=False)
+    salt = db.Column(db.String(16), nullable=False)
+    login_attempts = db.Column(db.Integer, default=0)
+    last_login_time = db.Column(db.DateTime, default=datetime.utcnow)
+
+
+# create database tables
+with app.app_context():
+    db.create_all()
+
+
+# custom exception definitions
+class CredentialValidationError(Exception):
+    def __init__(self, message):
+        self.message = message
+        super().__init__(message)
+
+
+def apply_character_substitutions(word):
+    """Converts a char or number substituted
+    word into its original representation"""
+    for original, replacement in CHARACTER_SUBSTITUTIONS.items():
+        word = word.replace(original, replacement)
+    return word
+
+
+def validate_username(username: str) -> None:
+    """Validates the username by checking
+    it against a pre-defined ruleset"""
+
+    # 1. raise a validation exception if username
+    # contains non-alphanumeric chars other than
+    # the underscore
+    if not re.match(r'^[a-zA-Z0-9_]+$', username):
+        raise CredentialValidationError("Invalid username")
+
+    # 2. raise a validation exception when the
+    # username contains a commonly used swear word
+    if any(word in username.lower() for word in COMMON_SWEAR_WORDS):
+        raise CredentialValidationError("Username cannot contain swear words")
+
+    # 3. raises when users attempt to bypass the
+    # above rule using symbol and number substitutions
+    if any(word in apply_character_substitutions(username.lower()) for word in COMMON_SWEAR_WORDS):
+        raise CredentialValidationError(
+            "Username contains a symbol or number substituted swear word"
+        )
+
+
+def validate_password(username: str, password: str) -> None:
+    """Validates a user password according
+    to the NISP password guidelines"""
+
+    # 1. Length: At least 8 characters
+    if len(password) < 8:
+        raise CredentialValidationError(
+            "The password must be at least 8 characters long"
+        )
+
+    # 2. Complexity: Overly complex rules
+    # will not be enforced
+
+    # 3. Composition: Disallowing consequent
+    # characters if consequent char count > 3
+    if bool(re.search(r'(.)\1\1+', password)):
+        raise CredentialValidationError(
+            "The password cannot contain 3 or more "
+            "consequent repeated characters"
+        )
+
+    # 4. Expiration: Password expiration is
+    # not checked since it's not recommended
+    # to frequently expire passwords
+
+    # 5. Similarity to username: If exactly or
+    # partially similar to the username, an
+    # exception will be raised
+    if username.lower() in password.lower():
+        raise CredentialValidationError(
+            "The password cannot be similar to the username"
+        )
+    if apply_character_substitutions(username.lower()) == apply_character_substitutions(password.lower()):
+        raise CredentialValidationError(
+            "The password cannot be similar to the username, "
+            "even with character and number substitutions"
+        )
+
+    # 6. Data Breaches and Weak Passwords: any weak
+    # password or breached passwords are disallowed
+    if password in WEAK_PASSWORDS:
+        raise CredentialValidationError(
+            "Password is too weak. Please try again with a strong password"
+        )
+    if password in BREACHED_PASSWORDS:
+        raise CredentialValidationError(
+            "Found the password in an already breached password dictionary, "
+            "thus not secure. Please try again with a strong password"
+        )
+    if password.lower() in BREACHED_PASSWORDS_LOWER:
+        raise CredentialValidationError(
+            "Password is very similar to a password in an already breached "
+            "password dictionary. Please try again with a strong password"
+        )
+
+
+def hash_password(password) -> tuple[str, ...]:
+    try:
+        salt = os.urandom(16)
+        hashed_password = hasher.hash(password + salt.hex())
+        return hashed_password, salt.hex()
+
+    except Exception as e:
+        logger.exception("Couldn't hash the password")
+        raise e
+
+
+def verify_password(hashed_password, password, salt) -> bool:
+    try:
+        hasher.verify(hashed_password, password + salt)
+        return True
+
+    except Exception as e:
+        logger.exception(f"Couldn't verify the password. {str(e)}")
+        return False
+
+
+@app.route("/")
+def homepage():
+    return render_template("index.html")
+
+
+@app.route("/enroll")
+def enroll_page():
+    return render_template("enroll.html")
+
+
+@app.route("/api/enroll", methods=["POST"])
+def enroll():
+    """Enrolling new users"""
+    try:
+        data = request.get_json()
+        username = data.get("username")
+        password = data.get("password")
+
+        validate_username(username=username)
+        validate_password(username=username, password=password)
+
+        # securely hashing the password
+        # and storing it in the sqlite db
+        hashed_password, salt = hash_password(password)
+        user = User(username=username.lower(), hashed_password=hashed_password, salt=salt)
+        db.session.add(user)
+        db.session.commit()
+
+        return jsonify({"message": "User enrolled successfully"}), 200
+
+    except CredentialValidationError as e:
+        logger.exception(str(e))
+        return jsonify({"error": str(e)}), 400
+    except IntegrityError as e:
+        logger.exception(str(e))
+        return jsonify({"error": "Username is already taken"}), 409
+    except Exception as e:
+        logger.exception(str(e))
+        return jsonify({"error": "Internal Server Error", "details": str(e)}), 500
+
+
+@app.route("/api/authenticate", methods=["POST"])
+def authenticate():
+    """Authenticates a user based
+    on user credentials"""
+    try:
+        data = request.get_json()
+        username = data.get("username")
+        password = data.get("password")
+
+        # 2FA/MFA: NIST entertains 2FA or MFA, but here it
+        # is not imposed due to its implementation complexity
+
+        user = User.query.filter_by(username=username.lower()).first()
+
+        if user is None:
+            return jsonify({"error": "User not found"}), 404
+
+        # Retry attempts: Users are given 10 consequent
+        # login attempts until they're locked out
+        if user.login_attempts >= MAX_LOGIN_ATTEMPTS:
+            lockout_time = user.last_login_time + LOCKOUT_DURATION
+            remaining_duration = lockout_time - datetime.utcnow()
+            if remaining_duration.total_seconds() > 0:
+                remaining_seconds = int(remaining_duration.total_seconds())
+                minutes, seconds = divmod(remaining_seconds, 60)
+                if minutes > 0:
+                    remaining_time_str = f"{minutes} minute(s) and {seconds} second(s)"
+                else:
+                    remaining_time_str = f"{seconds} second(s)"
+                return jsonify(
+                    {
+                        "error": f"Account locked out. Try again in {remaining_time_str}"
+                    }
+                ), 401
+            else:
+                user.login_attempts = 0
+                user.last_login_time = datetime.utcnow()
+                db.session.commit()
+
+        # Verify the password
+        if not verify_password(user.hashed_password, password, user.salt):
+            user.login_attempts += 1
+            user.last_login_time = datetime.utcnow()
+            db.session.commit()
+            if user.login_attempts >= MAX_LOGIN_ATTEMPTS:
+                remaining_time = int(LOCKOUT_DURATION.total_seconds())
+                minutes, seconds = divmod(remaining_time, 60)
+                if minutes > 0:
+                    remaining_time_str = f"{minutes} minute(s) and {seconds} second(s)"
+                else:
+                    remaining_time_str = f"{seconds} second(s)"
+                return jsonify({"error": f"Account locked out. Try again in {remaining_time_str}"}), 401
+
+            return jsonify({"error": "Invalid password"}), 401
+
+        # Reset if a valid login attempt
+        user.login_attempts = 0
+        user.last_login_time = datetime.utcnow()
+        db.session.commit()
+        return jsonify({"message": f"Authentication successful. Welcome @{username.lower()}!"}), 200
+
+    except Exception as e:
+        logger.exception(str(e))
+        return jsonify({"error": "Internal Server Error", "details": str(e)}), 500
+
+
+@app.route("/api/users", methods=["GET"])
+def get_users():
+    """Retrieves the list of all users"""
+    try:
+        users = User.query.all()
+        user_list = [{"id": user.id, "username": user.username} for user in users]
+        return jsonify(user_list), 200
+
+    except Exception as e:
+        logger.exception(str(e))
+        return jsonify({"error": "Internal Server Error", "details": str(e)}), 500
+
+
+@app.route("/api/users/<string:username>", methods=["DELETE"])
+def delete_user(username):
+    """Deletes a user by username"""
+    try:
+        user = User.query.filter_by(username=username.lower()).first()
+        if user is None:
+            return jsonify({"error": "User not found"}), 404
+        db.session.delete(user)
+        db.session.commit()
+        return jsonify({"message": "User deleted successfully"}), 200
+
+    except Exception as e:
+        logger.exception(str(e))
+        return jsonify({"error": "Internal Server Error", "details": str(e)}), 500
+
+
+if __name__ == "__main__":
+    app.run(host=HOST, port=PORT, debug=DEBUG)

app.spec

@@ -0,0 +1,38 @@
+# -*- mode: python ; coding: utf-8 -*-
+
+
+a = Analysis(
+    ['app.py'],
+    pathex=[],
+    binaries=[],
+    datas=[('assets', 'assets')],
+    hiddenimports=[],
+    hookspath=[],
+    hooksconfig={},
+    runtime_hooks=[],
+    excludes=[],
+    noarchive=False,
+)
+pyz = PYZ(a.pure)
+
+exe = EXE(
+    pyz,
+    a.scripts,
+    a.binaries,
+    a.datas,
+    [],
+    name='app',
+    debug=False,
+    bootloader_ignore_signals=False,
+    strip=False,
+    upx=True,
+    upx_exclude=[],
+    runtime_tmpdir=None,
+    console=True,
+    disable_windowed_traceback=False,
+    argv_emulation=False,
+    target_arch=None,
+    codesign_identity=None,
+    entitlements_file=None,
+    icon=['assets\\app.ico'],
+)

assets/breachedpasswords.txt

@@ -0,0 +1,594 @@
+password1
+abc123
+monkey1
+iloveyou1
+myspace1
+fuckyou1
+number1
+football1
+nicole1
+123456
+iloveyou2
+123abc
+princess1
+bubbles1
+blink182
+babygirl1
+123456a
+qwerty1
+jordan1
+iloveyou
+password.
+passw0rd
+panda1
+nirvana1
+matthew1
+marie1
+loveme1
+joshua1
+iloveyou3
+hollister1
+hello1
+green1
+fuckoff
+fluffy1
+elizabeth1
+chocolate!
+a123456789
+RAYRAY1
+OMG1195
+DIPSET1
+@aol.com
+462518n
+36mafia
+2hot4u
+2bowweezy
+1sister
+1q2w3e
+1lover
+1bitch
+12345
+1234
+123123
+100689b
+zxr400
+zxcvbnm,./
+@sshole
+@ss%7777
+????(L)
+9hoktes
+9duchess9
+973bori
+957wanta42
+9507sc
+9170xxxx
+8lackdevil
+7714forlif
+7581
+6fingers
+6ELTTEN
+69love
+67mustang
+5pokemon
+5779266adam
+56fres
+4apples
+495n4285
+4271981cs
+4235
+420hi420
+4201531NY
+4191669baby
+41185rk
+3littlebirds
+3591ford
+3440dd
+339273E
+312269
+3063373k
+3000gtvr4
+2sexy4u
+2htsobs
+2hearts
+2friends
+2cute4u
+265611a
+2525sam
+23jordan23
+21SIMONE
+1truelove
+1tigger
+1skate
+1sexybeast
+1rasputin
+1qa2ws
+1q2w3e4r
+1playboy
+1o1892C
+1mexico
+1luisa
+1loveyou
+1loveu2
+1loveu
+1loveoonagh
+1lovehim
+1lokas
+1kitty
+1ilove
+1hottie
+1helpme
+1hannah
+1guitar
+1g2i3z4z5m6o
+1fuckyou
+1friends
+1cutie
+1ciara
+1chrisbrown
+1chocolate
+1chicken
+1MAMASITA
+1967nala
+188824r
+1716buni
+16188s
+13lindsay
+1345432n
+124life
+124578b
+123zac
+123giveittome
+1234ash
+12345t
+12345q
+12345j
+123456s
+123456p
+123456m
+123456l
+123456k
+1234567a
+123456789a
+1234567890
+123456789
+111111
+1024cd
+0boysdontcry
+0LASHAWN
+050589s
+0324869
+032453kp
+*will*
+*DIXON*
+****kz
+#1moomoo
+~~lily~~
+~raymond
+~monkey
+~molta69~
+~iRENE
+~coco~
+~chanel~
+~SP00KY~
+~Irene~
+~*~love~*~
+~*~THATFINEST~*~
+wrongpassword
+wrists9
+wrinkle2
+wrinkle1
+wrigj04
+wrftball07
+wrfafa
+wrether123
+wrestling2
+wrestling09
+wrestling0
+wrestling!
+wrestlers160
+wrestler77
+wrestler10
+wrestler06-m.s.
+wren1960
+wrekone1
+wreckless15
+wow5544
+wow1983
+wow123
+wotsits1
+worthlesspieceofshit
+unluckyhackinglucktime
+unix73xe
+universal1
+unity41
+united21
+united2
+united13
+united101
+united06
+united05
+t.o.81
+t.j.12
+t.i.02
+t.carter
+t-rod179
+t-mac1
+t-king
+t7777777
+t
+szitting2007
+sziszy3
+szarhazi
+sz1969
+systems1
+system3
+sysex02
+syracuse3
+synt45
+syn6661
+syida_am
+syeda202
+sydney90
+sydney77
+sydney555
+sydney504
+sydney2
+sydney1
+sydney09
+sydenham1
+sycocity22
+sycobitch1
+sycamore!
+sybgm10
+syan100
+sxifrank1
+sxcgal6
+sxcdana1
+sxcbeast!
+sxc268
+swxy69
+swords5
+swordfish9
+swordfish16
+swordfish1
+sword99
+swmoke6
+switch5
+swiper123
+swingtree0
+swingset8
+swinger5352
+swimming7
+swimming1@
+swimmer91
+swimmer06
+swimmer*69
+swimfast04
+swim20
+swim131415
+swim11
+swiger77
+swez46
+swetbaby1
+swep3rs
+swell1
+sweetz
+sweety7
+sweety13
+sweety1
+sweety*
+sweetx3
+sweettie4
+sweettart1
+sweets3
+sweets123
+sweets1
+sweetpie1
+sweetpea.
+sweetp25
+sweetness3
+sweetness2
+sweetness13
+sweetness1
+sweeties!
+sweetie66
+sweetie101
+sweetie00
+sweetie.ee
+sweetgirl1
+sweetgirl
+sweetest1
+sweeter
+sweetdeal2
+sweetbaby1
+sweetass
+sweet_love
+sweet9
+sweet89
+sweet79
+sweet77
+sweet75
+sweet67
+sweet6
+sweet5
+sweet4209
+stoptryingtohackpeople
+stopspamming
+stopitnow15
+stopit14
+stophackingfag
+stophack23
+stop70
+stop12
+stopmadness
+stopyoufaggot.
+stoopid1
+stooch1a
+stonesour!
+stoners3
+stonerage!
+stoner420
+stoner1
+stonecold11
+stone34
+stokecity
+stoke
+stoddart12
+stock1
+stobe3
+stmatt32
+stlcards1
+stj1mmy
+stixx08
+stitches2
+stitches12
+stissing
+stinois1
+stinky91
+stinky57
+stinks.
+stinkhole1
+stinker3
+stinker1
+stinker.
+stingray5
+stingray
+sting92
+sting46
+stillman61
+stiller22
+stiggy!
+stiffler2
+stickzach9
+sticky05
+stickney1
+stick666
+stick21
+stick1
+stfumang.
+stfum3hoe
+stfubetch1
+stfu123
+stfu11
+stfugetlife.
+stfstf1
+stews2
+stewie13
+stewart73
+stewart7
+stewart6
+stewart20
+stevo91
+stevo.
+stevielee313
+steviej!
+stevie136
+stevie12
+steveo33
+steveo1
+stevenson1
+stevensd92
+stevenjo3l
+steven21
+steven20
+steven2
+steven.
+steven!
+steven
+stevemw77
+steve71985
+steve666
+steve420
+steve0
+steve
+steuby
+stetson10
+sterling13
+sterling01
+sterilox02
+stereo1
+stepup76
+stepup333
+stepup323
+stepup1
+stepsno1fan
+steppy5
+stephon03
+stepho89
+stephl2
+stephie7
+stephie1750
+stephh222
+stephen5584
+stephen3
+stephen12
+stephcore18
+stephanie6
+stephanie23enm56
+stephanie13
+stephanie123
+stephan
+stephal1
+steph3788
+steph182
+steph11
+steph007
+stepanie6
+stensrud.
+stellbell
+stellar1
+stella1
+steffon95
+steffie_14
+steffie_114
+stefani9
+stefani19
+stef90
+stef710
+steeny1
+steen4
+steelpen1
+steelhair23
+steelers86
+steelers36
+steelers2
+steelers15
+steelers12
+steelers#7
+steeler86
+steeler1
+stealmypassword
+stealingpasswords?
+2savage1
+2s2b4g
+2roijaui
+2rhodecollege
+2r391l1424
+2puppydog
+2potheads
+2pints!
+2pimpdacad
+2piggies
+2phoenix
+2pac69
+2pac1992
+2orions
+2orange
+2oragnes
+2ootall10
+2nikkbre
+2myspace
+2momanddad
+27272a
+2722barth
+270383
+26janelle
+2697gz
+2692519aa
+2663tay
+2663cu
+265115inc
+2639ab
+263806kt
+263732p
+261981t
+261707m
+261186
+261153mmm
+260britt
+26081985s
+260390a
+25ringgold
+25jan93
+25angels
+25acuras
+25acura
+259925sk
+259925
+25896l
+2586794k
+257397892
+257095j
+25678er51
+255611683k
+2554Zachary
+25425632
+253skittz1
+2527852l
+2512avon
+2508shortie
+250506jack
+250187o
+250120sg
+24yelhsa37
+2205Jb!
+220547s
+2200PALORA
+21tiki
+.ireland.
+.farewell
+.famil
+.daygar1
+.commar113
+.com4u
+.com
+.colchones
+.boutiquedemerde
+.bekki4chr
+.babydoll.
+.05tml
+...mmm
+...84621ap
+...
+.,m.,m
+-sugarsweee
+-slayerr
+-sailorsaturn-
+-rich-
+-rhcp-
+-pickle07
+-pickle06
+-l-e-z-1
+-flexa-
+-fergie-
+-darkside
+-csa-sniper-
+-*
+,,chrisd
++zebrahead
++slaughter
+
+!yamaha
+!tigger
+!tiger
+!tazz!
+!taytay!
+!stupid
+!stewart
+!spain!
+!shootpower!
+!pmoney
+!parksbisawesome
+!myk!!
+!mthr3w.0u=
+!missmyboo
+!meandhim
+!magnum
+!luvzuz
+!loverockandroll
+!lovehp
+!kendra!
+!jason
+!gravier!
+!fuckyou!
+!fuckoff
+!elpoo
+!dieman!
+!daintofpunk!
+!chimpboi!
+!callie
+!brianna!
+!1001dk
+!!!sara
+!!!gerard!!!
+rincess4life

assets/enroll.html

@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Enroll</title>
+    <link rel="icon" type="image/x-icon" href="{{ url_for('static', filename='app.ico') }}">
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">
+</head>
+<body>
+    <div class="container">
+        <h1>Enroll</h1>
+        <form id="signup-form">
+            <div class="input-field">
+                <input type="text" id="username" name="username" required>
+                <label for="username">Username</label>
+            </div>
+            <div class="input-field">
+                <input type="password" id="password" name="password" required>
+                <label for="password">Password</label>
+                <i class="material-icons toggle-password" onclick="togglePasswordVisibility()">visibility_off</i>
+            </div>
+            <button class="btn waves-effect waves-light green darken-1" type="submit" name="action">Enroll
+                <i class="material-icons right">send</i>
+            </button>
+        </form>
+        <p>Already have an account? <a href="/">Authenticate</a></p>
+    </div>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js"></script>
+    <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
+    <script>
+        function togglePasswordVisibility() {
+            var passwordInput = document.getElementById("password");
+            var toggleIcon = document.querySelector(".toggle-password");
+
+            if (passwordInput.type === "password") {
+                passwordInput.type = "text";
+                toggleIcon.textContent = "visibility";
+            } else {
+                passwordInput.type = "password";
+                toggleIcon.textContent = "visibility_off";
+            }
+        }
+
+        $(document).ready(function(){
+            $('#signup-form').submit(function(e){
+                e.preventDefault();
+                $.ajax({
+                    url: '/api/enroll',
+                    method: 'POST',
+                    contentType: 'application/json',
+                    data: JSON.stringify({
+                        username: $('#username').val(),
+                        password: $('#password').val()
+                    }),
+                    success: function(response){
+                        M.toast({html: response.message});
+                    },
+                    error: function(xhr, status, error){
+                        M.toast({html: xhr.responseJSON.error});
+                    }
+                });
+            });
+        });
+    </script>
+</body>
+</html>

assets/index.html

@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Authenticate</title>
+    <link rel="icon" type="image/x-icon" href="{{ url_for('static', filename='app.ico') }}">
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">
+</head>
+<body>
+    <div class="container">
+        <h1>Authenticate</h1>
+        <form id="auth-form">
+            <div class="input-field">
+                <input type="text" id="username" name="username" required>
+                <label for="username">Username</label>
+            </div>
+            <div class="input-field">
+                <input type="password" id="password" name="password" required>
+                <label for="password">Password</label>
+                <i class="material-icons toggle-password" onclick="togglePasswordVisibility()">visibility_off</i>
+            </div>
+            <button class="btn waves-effect waves-light green darken-1" type="submit" name="action">Authenticate
+                <i class="material-icons right">send</i>
+            </button>
+        </form>
+        <p>Don't have an account? <a href="/enroll">Enroll</a></p>
+    </div>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js"></script>
+    <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
+    <script>
+        function togglePasswordVisibility() {
+            var passwordInput = document.getElementById("password");
+            var toggleIcon = document.querySelector(".toggle-password");
+
+            if (passwordInput.type === "password") {
+                passwordInput.type = "text";
+                toggleIcon.textContent = "visibility";
+            } else {
+                passwordInput.type = "password";
+                toggleIcon.textContent = "visibility_off";
+            }
+        }
+
+        $(document).ready(function(){
+            $('#auth-form').submit(function(e){
+                e.preventDefault();
+                $.ajax({
+                    url: '/api/authenticate',
+                    method: 'POST',
+                    contentType: 'application/json',
+                    data: JSON.stringify({
+                        username: $('#username').val(),
+                        password: $('#password').val()
+                    }),
+                    success: function(response){
+                        M.toast({html: response.message});
+                    },
+                    error: function(xhr, status, error){
+                        M.toast({html: xhr.responseJSON.error});
+                    }
+                });
+            });
+        });
+    </script>
+</body>
+</html>

assets/weakpasswords.txt

@@ -0,0 +1,512 @@
+123456
+12345
+123456789
+password
+iloveyou
+princess
+1234567
+12345678
+abc123
+nicole
+daniel
+babygirl
+monkey
+lovely
+jessica
+654321
+michael
+ashley
+qwerty
+111111
+iloveu
+000000
+michelle
+tigger
+sunshine
+chocolate
+password1
+soccer
+anthony
+friends
+butterfly
+purple
+angel
+jordan
+liverpool
+justin
+loveme
+fuckyou
+123123
+football
+secret
+andrea
+carlos
+jennifer
+joshua
+bubbles
+1234567890
+superman
+hannah
+amanda
+loveyou
+pretty
+basketball
+andrew
+angels
+tweety
+flower
+playboy
+hello
+elizabeth
+hottie
+tinkerbell
+charlie
+samantha
+barbie
+chelsea
+lovers
+teamo
+jasmine
+brandon
+666666
+shadow
+melissa
+eminem
+matthew
+robert
+danielle
+forever
+family
+jonathan
+987654321
+computer
+whatever
+dragon
+vanessa
+cookie
+naruto
+summer
+sweety
+spongebob
+joseph
+junior
+softball
+taylor
+yellow
+daniela
+lauren
+mickey
+princesa
+alexandra
+alexis
+jesus
+estrella
+miguel
+william
+thomas
+beautiful
+mylove
+angela
+poohbear
+patrick
+iloveme
+sakura
+adrian
+alexander
+destiny
+christian
+121212
+sayang
+america
+dancer
+monica
+richard
+112233
+princess1
+555555
+diamond
+carolina
+steven
+rangers
+louise
+orange
+789456
+999999
+shorty
+11111
+nathan
+snoopy
+gabriel
+hunter
+cherry
+killer
+sandra
+alejandro
+buster
+george
+brittany
+alejandra
+patricia
+rachel
+tequiero
+7777777
+cheese
+159753
+arsenal
+dolphin
+antonio
+heather
+david
+ginger
+stephanie
+peanut
+blink182
+sweetie
+222222
+beauty
+987654
+victoria
+honey
+00000
+fernando
+pokemon
+maggie
+corazon
+chicken
+pepper
+cristina
+rainbow
+kisses
+manuel
+myspace
+rebelde
+angel1
+ricardo
+babygurl
+heaven
+55555
+baseball
+martin
+greenday
+november
+alyssa
+madison
+mother
+123321
+123abc
+mahalkita
+batman
+september
+december
+morgan
+mariposa
+maria
+gabriela
+iloveyou2
+bailey
+jeremy
+pamela
+kimberly
+gemini
+shannon
+pictures
+asshole
+sophie
+jessie
+hellokitty
+claudia
+babygirl1
+angelica
+austin
+mahalko
+victor
+horses
+tiffany
+mariana
+eduardo
+andres
+courtney
+booboo
+kissme
+harley
+ronaldo
+iloveyou1
+precious
+october
+inuyasha
+peaches
+veronica
+chris
+888888
+adriana
+cutie
+james
+banana
+prince
+friend
+jesus1
+crystal
+celtic
+zxcvbnm
+edward
+oliver
+diana
+samsung
+freedom
+angelo
+kenneth
+master
+scooby
+carmen
+456789
+sebastian
+rebecca
+jackie
+spiderman
+christopher
+karina
+johnny
+hotmail
+0123456789
+school
+barcelona
+august
+orlando
+samuel
+cameron
+slipknot
+cutiepie
+monkey1
+50cent
+bonita
+kevin
+bitch
+maganda
+babyboy
+casper
+brenda
+adidas
+kitten
+karen
+mustang
+isabel
+natalie
+cuteako
+javier
+789456123
+123654
+sarah
+bowwow
+portugal
+laura
+777777
+marvin
+denise
+tigers
+volleyball
+jasper
+rockstar
+january
+fuckoff
+alicia
+nicholas
+flowers
+cristian
+tintin
+bianca
+chrisbrown
+chester
+101010
+smokey
+silver
+internet
+sweet
+strawberry
+garfield
+dennis
+panget
+francis
+cassie
+benfica
+love123
+696969
+asdfgh
+lollipop
+olivia
+cancer
+camila
+qwertyuiop
+superstar
+harrypotter
+ihateyou
+charles
+monique
+midnight
+vincent
+christine
+apples
+scorpio
+jordan23
+lorena
+andreea
+mercedes
+katherine
+charmed
+abigail
+rafael
+icecream
+mexico
+brianna
+nirvana
+aaliyah
+pookie
+johncena
+lovelove
+fucker
+abcdef
+benjamin
+131313
+gangsta
+brooke
+333333
+hiphop
+aaaaaa
+mybaby
+sergio
+welcome
+metallica
+julian
+travis
+myspace1
+babyblue
+sabrina
+michael1
+jeffrey
+stephen
+love
+dakota
+catherine
+badboy
+fernanda
+westlife
+blondie
+sasuke
+smiley
+jackson
+simple
+melanie
+steaua
+dolphins
+roberto
+fluffy
+teresa
+piglet
+ronald
+slideshow
+asdfghjkl
+minnie
+newyork
+jason
+raymond
+santiago
+jayson
+88888888
+5201314
+jerome
+gandako
+muffin
+gatita
+babyko
+246810
+sweetheart
+chivas
+ladybug
+kitty
+popcorn
+alberto
+valeria
+cookies
+leslie
+jenny
+nicole1
+12345678910
+leonardo
+jayjay
+liliana
+dexter
+sexygirl
+232323
+amores
+rockon
+christ
+babydoll
+anthony1
+marcus
+bitch1
+fatima
+miamor
+lover
+chris1
+single
+eeyore
+lalala
+252525
+scooter
+natasha
+skittles
+brooklyn
+colombia
+159357
+teddybear
+winnie
+happy
+manutd
+123456a
+britney
+katrina
+christina
+pasaway
+cocacola
+mahal
+grace
+linda
+albert
+tatiana
+london
+cantik
+0123456
+lakers
+marie
+teiubesc
+147258369
+charlotte
+natalia
+francisco
+amorcito
+smile
+paola
+angelito
+manchester
+hahaha
+elephant
+mommy1
+shelby
+147258
+kelsey
+genesis
+amigos
+snickers
+xavier
+turtle
+marlon
+linkinpark
+claire
+stupid
+147852
+marina
+garcia
+fuckyou1
+diego
+brandy
+letmein
+hockey

requirements.txt

@@ -0,0 +1,5 @@
+flask==3.0.2
+Flask-SQLAlchemy==3.1.1
+sqlalchemy==2.0.29
+argon2-cffi==23.1.0
+python-dotenv==1.0.1