Add better authentication

Closes #5

client/js/main.js

@@ -62,6 +62,9 @@ function setup() {
 		errorbox.style.display = 'block'
 		canvas.style.display = 'none'
 	}
+	ws.onopen = function(e) {
+		ws.send('pass ' + localStorage.getItem('password'))
+	}
 	setInterval(function(){ws.send('ack')}, 3000)
 }
 
@@ -79,7 +82,7 @@ function release(e) {
 	y = e.layerY
 	w = displayWidth
 	length = is_short?false:true
-	ws.send('touch ' + localStorage.getItem('password') + ' ' + x + ' ' + y + ' ' + w + ' ' + length)
+	ws.send('touch ' + x + ' ' + y + ' ' + w + ' ' + length)
 	clearTimeout(click_timeout)
 	is_short = true
 }

server/wss.py

@@ -74,6 +74,33 @@ class Client:
 
 class HCRAServer(tornado.websocket.WebSocketHandler):
     def open(self):
+        self.has_auth = False
+
+    def on_close(self):
+        global client
+        if client is self.client:
+            self.client.good = None
+            client = None
+        self.is_open = False
+
+    def on_message(self, message):
+        action = message.split(' ', 1)[0]
+        if not self.has_auth:
+            print(message)
+            print(action)
+            print(action != 'pass')
+            if action != 'pass':
+                self.write_message('err%*mustauth%Authentication required')
+                self.close()
+                return
+
+            try:
+                ph.verify(config_data['password_argon2'], message.split(' ', 1)[1])
+            except argon2.exceptions.VerifyMismatchError:
+                self.write_message(f'err%*badpass%Incorrect password')
+                self.close()
+                return
+
             try:
                 self.client = Client(self)
             except DisconnectError as e:
@@ -93,26 +120,15 @@ class HCRAServer(tornado.websocket.WebSocketHandler):
             self.is_open = True
             self.client.ack()
 
-    def on_close(self):
-        global client
-        if client is self.client:
-            self.client.good = None
-            client = None
-        self.is_open = False
-
-    def on_message(self, message):
-        action = message.split(' ', 1)[0]
+            self.has_auth = True
+        else:
             if action == 'ack':
                 self.client.good = True
             else:
-            _, password, x, y, w, is_long = message.split(' ')
-            try:
-                ph.verify(config_data['password_argon2'], password)
+                print(message)
+                _, x, y, w, is_long = message.split(' ')
                 x, y, w, is_long = int(x), int(y), int(w), is_long == 'true'
                 imgproc.touch(x, y, w, is_long)
-            except argon2.exceptions.VerifyMismatchError:
-                self.client.send(f'err%*badpass%Incorrect password', 'BADPASS')
-                self.close()
 
     def check_origin(self, origin):
         return True