Authenticating and authorizing users securely in a Python PyQt desktop application

The application I develop dictates that the software should prevent unauthorized access. In order to implement this, I've used user and password based authentication with two roles available - standard user and administrator.

This was implemented completely in Python by using SQLAlchemy for interacting with the database, PyQt for user interface.

The entered password is hashed using bcrypt and then compared with the hash present in the database for the respective username (the standard authentication technique used in web services).

After successful authentication, a variable called self.authenticatedUser holds an SQLAlchemy instance of class User.

The consequence of this implementation is that anyone can edit the login method to simply query the database directly for an object of type User with username admin, assign the returned SQLAlchemy instance of User to self.authenticatedUser and, bingo, the hacker has access to the system.

Since I am distributing this software written in Python, it is a matter of minutes for a hacker (or any sort of programmer) to disable the authentication mechanism. Also, I cannot use a web service here to authenticate or authorize by getting a login token, because the software would be used in an environment with an air gap.

Are there any concrete ways to implement this in a much more secure way?

  1. Using a local MySQL database
  2. Using a secure (relatively hard to reverse engineer would probably be appropriate) mechanism.
Stupe answered 13/10, 2017 at 9:20 Comment(1)
You could think about distributing it with PyInstaller as an OS binary. SQLAlchemy and PyQt are on the list of supported packages. PyInstaller even supports PyCrypto. - Jitters

Everything is just a matter of how hard it is to reverse engineer the code, so here are some techniques to "protect" it.

  • precompile your application to byte code (but there are tools to decompile it back like uncompyle6)
  • use some obfuscator on your code, so it is hardly readable (like pyminifier)
  • encrypt your application (e.g. pyconcrete)
  • use the user's password to encrypt an important part of the application itself on the fly. With the password, a hacker can recreate the unencrypted application, but without it, it is impossible.
Perspicuous answered 21/10, 2017 at 14:16 Comment(1)
pyminifier won't work on PyQt code. It converts all class variables into globals. - Doom
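The last bullet of the answer above (keying part of the application to the user's password), as an added example that is not code from this thread: PBKDF2 stretches the password into encryption and MAC keys, and a client patched to skip the login check still cannot recover the sealed data because there is no boolean to bypass. The HMAC-based keystream is a stand-in for a real AEAD such as AES-GCM, and the iteration count, blob layout and sample data are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameter (not from the thread): PBKDF2-HMAC-SHA256 with 200k iterations.
ITERATIONS = 200_000


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under password-derived keys. Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def unseal(password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None on a wrong password or a tampered blob.
    Nothing here can be patched out: without the right key the data stays opaque."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample: an admin-only configuration fragment sealed under the admin password.
    blob = seal("correct horse battery staple", b"admin-only settings")
    print(unseal("correct horse battery staple", blob))  # b'admin-only settings'
    print(unseal("guess", blob))                         # None
```

The same idea applies to the role check: an administrator-only feature should need a key only the administrator can derive, not a flag set after a query that any edited client can skip.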

Even with an air gap a service is possible. However, if you do not want to do this, you should protect your data as if you gave every user a proper SQL client (like pgAdmin or SQL Server Management Studio). I suggest you start configuring your roles / users on the database level.

Glia answered 24/10, 2017 at 7:43 Comment(0)

Since bcrypt is no longer adopted, you can easily use SHA2x. I think you need to consider using SHA2x for security reasons. Secondly, you can either use JWT, since it works 100% with Python. Also have a deep look at two-factor authentication, which would be another plus to your security check.

Homework answered 24/10, 2017 at 8:55 Comment(0)
