Add owner-scan login gate with secure signature matching#1
Conversation
|
@copilot resolve the merge conflicts in this pull request |
|
@copilot resolve the merge conflicts in this pull request |
Review Summary by QodoAdd owner-scan login gate with secure signature matching
WalkthroughsDescription• Introduces owner-scan authentication tool for device login verification • Implements secure signature matching with SHA-256 hashing and constant-time comparison • Adds CLI commands for enrollment and login verification with JSON database persistence • Includes comprehensive test coverage for matching, mismatching, and unknown account scenarios Diagramflowchart LR
A["Scan Data Input"] --> B["Normalize & Hash"]
B --> C["SHA-256 Signature"]
C --> D{Enroll or Login?}
D -->|Enroll| E["Store in Database"]
D -->|Login| F["Compare with Stored"]
F --> G{Constant-Time Match?}
G -->|Yes| H["Access Granted"]
G -->|No| I["Access Denied"]
File Changes1. owner_scan_auth.py
|
Code Review by Qodo
1. Empty scan crashes login
|
Resolved. I merged |
There are no remaining merge conflicts on this PR branch. The conflict resolution was already pushed in commit |
There was a problem hiding this comment.
Pull request overview
Adds a small Python-based “owner scan” enrollment + verification gate intended to deny logins when a presented scan doesn’t match the enrolled owner signature, with a JSON-backed store and basic unit tests.
Changes:
- Introduces
owner_scan_auth.pyCLI and helper functions for enrollment and login verification using normalized, hashed scan signatures. - Adds
unittestcoverage for match/mismatch/unknown-account cases. - Updates
README.mdwith quick-start CLI examples.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
owner_scan_auth.py |
Implements scan normalization, signature hashing, JSON-backed storage, and CLI commands for enroll/login verification. |
tests/test_owner_scan_auth.py |
Adds automated tests for allow/deny behavior based on scan match and account presence. |
README.md |
Documents the new CLI usage for enrollment and login verification. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| attempted_signature = create_scan_signature(attempted_scan_data) | ||
| return hmac.compare_digest(expected_signature, attempted_signature) |
| with db_path.open("r", encoding="utf-8") as file: | ||
| data = json.load(file) |
| with db_path.open("w", encoding="utf-8") as file: | ||
| json.dump(database, file, indent=2) |
| def create_scan_signature(scan_data: str) -> str: | ||
| normalized = _normalize_scan(scan_data) | ||
| if not normalized: | ||
| raise ValueError("Scan data cannot be empty") | ||
| return hashlib.sha256(normalized.encode("utf-8")).hexdigest() |
| def main() -> int: | ||
| parser = _build_parser() | ||
| args = parser.parse_args() | ||
|
|
||
| if args.command == "enroll": | ||
| enroll_owner_scan(args.account_id, args.scan_data, args.database) | ||
| print(f"Owner scan enrolled for account '{args.account_id}'.") | ||
| return 0 | ||
|
|
||
| if verify_owner_scan(args.account_id, args.scan_data, args.database): | ||
| print("Access granted.") | ||
| return 0 | ||
|
|
||
| print("Access denied: account owner scan mismatch.") | ||
| return 1 |
This change introduces a minimal login-side ownership check: each account stores a trusted scan signature, and login is denied when the captured scan does not match the enrolled owner profile. The goal is to add a discreet identity-verification layer before granting access.
Owner scan enrollment + verification CLI
owner_scan_auth.pywith two commands:enroll <account_id> <scan_data>: stores the account’s trusted scan signature.login <account_id> <scan_data>: compares login scan to enrolled signature and returns deny on mismatch.--databasepath configurable).Security-focused matching behavior
hmac.compare_digest) for verification.Focused automated coverage
tests/test_owner_scan_auth.pycovering:Documentation
README.mdwith quick-start commands for enrollment and login verification.Original prompt