use generated salts instead of fixed ones

setup.py

@@ -28,16 +28,16 @@ password1 = getpass.getpass()
 password2 = getpass.getpass(prompt='Repeat the same password: ')
 
 if password1 == password2:
-    hash = src.my_scrypt.getVerificationHash(password1)
-
-    src.sql.setOption('username', username)
-    src.sql.setOption('password', binascii.hexlify(hash))
-
     # urandom is secure enough, see https://docs.python.org/2/library/os.html
     src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(24)))
     src.sql.setOption('verification_salt', base64.b64encode(os.urandom(24)))
     src.sql.setOption('encryption_salt', base64.b64encode(os.urandom(24)))
 
+    hash = src.my_scrypt.getVerificationHash(password1)
+
+    src.sql.setOption('username', username)
+    src.sql.setOption('password', binascii.hexlify(hash))
+
     src.sql.commit()
 
     print('Application has been set up. You can now login.')

src/my_scrypt.py

@@ -1,12 +1,15 @@
 import scrypt  # pip install scrypt
+import sql
 
 def getVerificationHash(password):
-    salt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6"
+    # getOption returns unicode bytes which scrypt doesn't like
+    salt = sql.getOption('verification_salt').encode('ascii', 'ignore')
 
     return getScryptHash(password, salt)
 
 def getEncryptionHash(password):
-    salt = "2503bfc386bc028772f803887eaaf4d4a5c1019036873e4ba5de79a4efb7e8d8"
+    # getOption returns unicode bytes which scrypt doesn't like
+    salt = sql.getOption('encryption_salt').encode('ascii', 'ignore')
 
     return getScryptHash(password, salt)
 

src/tree_api.py

@@ -1,7 +1,7 @@
 from flask import Blueprint, jsonify
 from flask_login import login_required
 
-from sql import getResults, getSingleResult
+from sql import getResults, getSingleResult, getOption
 
 tree_api = Blueprint('tree_api', __name__)
 
@@ -40,5 +40,7 @@ def getTree():
     retObject = {}
     retObject['notes'] = rootNotes
     retObject['start_note_id'] = getSingleResult('select * from options where opt_name = "start_node"')['opt_value'];
+    retObject['verification_salt'] = getOption('verification_salt')
+    retObject['encryption_salt'] = getOption('encryption_salt')
 
     return jsonify(retObject)

static/js/encryption.js

@@ -31,10 +31,7 @@ let globalEncryptionKey = null;
 let globalLastEncryptionOperationDate = null;
 
 function deriveEncryptionKey(password) {
-    // why this is done is explained here: https://github.com/ricmoo/scrypt-js - "Encoding notes"
-    const verificationSalt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6";
-
-    const verificationPromise = computeScrypt(password, verificationSalt, (key, resolve, reject) => {
+    const verificationPromise = computeScrypt(password, globalVerificationSalt, (key, resolve, reject) => {
         $.ajax({
             url: baseUrl + 'password/verify',
             type: 'POST',
@@ -55,9 +52,7 @@ function deriveEncryptionKey(password) {
         });
     });
 
-    const encryptionKeySalt = "2503bfc386bc028772f803887eaaf4d4a5c1019036873e4ba5de79a4efb7e8d8";
-
-    const encryptionKeyPromise = computeScrypt(password, encryptionKeySalt, (key, resolve, reject) => resolve(key));
+    const encryptionKeyPromise = computeScrypt(password, globalEncryptionSalt, (key, resolve, reject) => resolve(key));
 
     return Promise.all([ verificationPromise, encryptionKeyPromise ]).then(results => results[1]);
 }

static/js/tree.js

@@ -83,10 +83,15 @@ function setExpandedToServer(note_id, is_expanded) {
     });
 }
 
+let globalVerificationSalt;
+let globalEncryptionSalt;
+
 $(function(){
     $.get(baseUrl + 'tree').then(resp => {
         const notes = resp.notes;
         let startNoteId = resp.start_note_id;
+        globalVerificationSalt = resp.verification_salt;
+        globalEncryptionSalt = resp.encryption_salt;
 
         if (document.location.hash) {
             startNoteId = document.location.hash.substr(1); // strip initial #