Home Explore Help
Sign In
221V
/
Misago
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 055992eed5
Branches Tags
Misago
/
misago
/
users
/
tokens.py

tokens.py 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. import base64
    2. 

  2. from hashlib import sha256
    3. 

  3. from time import time
    4. 

  4. 

  5. from django.conf import settings
    6. 

  6. from django.utils import six
    7. 

  7. from django.utils.encoding import force_bytes
    8. 

  8. 

  9. 

  10. """
    11. 

  11. Token creation
    12. 

  12. 

  13. Token is base encoded string containing three values:
    14. 

  14. 

  15. - days since unix epoch (so we can validate token expiration)
    16. 

  16. - hash unique for current state of user model
    17. 

  17. - token checksum for discovering manipulations
    18. 

  18. """
    19. 

  19. 

  20. 

  21. def make(user, token_type):
    22. 

  22.     user_hash = _make_hash(user, token_type)
    23. 

  23.     creation_day = _days_since_epoch()
    24. 

  24. 

  25.     obfuscated = base64.b64encode(force_bytes('%s%s' % (user_hash, creation_day))).decode()
    26. 

  26.     obfuscated = obfuscated.rstrip('=')
    27. 

  27.     checksum = _make_checksum(obfuscated)
    28. 

  28. 

  29.     return '%s%s' % (checksum, obfuscated)
    30. 

  30. 

  31. 

  32. def is_valid(user, token_type, token):
    33. 

  33.     checksum = token[:8]
    34. 

  34.     obfuscated = token[8:]
    35. 

  35. 

  36.     if checksum != _make_checksum(obfuscated):
    37. 

  37.         return False
    38. 

  38. 

  39.     unobfuscated = base64.b64decode(obfuscated + '=' * (-len(obfuscated) % 4)).decode()
    40. 

  40.     user_hash = unobfuscated[:8]
    41. 

  41. 

  42.     if user_hash != _make_hash(user, token_type):
    43. 

  43.         return False
    44. 

  44. 

  45.     creation_day = int(unobfuscated[8:])
    46. 

  46.     return creation_day + 5 >= _days_since_epoch()
    47. 

  47. 

  48. 

  49. def _make_hash(user, token_type):
    50. 

  50.     seeds = (
    51. 

  51.         user.pk, user.email, user.password, user.last_login.replace(microsecond=0, tzinfo=None),
    52. 

  52.         token_type, settings.SECRET_KEY,
    53. 

  53.     )
    54. 

  54. 

  55.     return sha256(force_bytes('+'.join([six.text_type(s) for s in seeds]))).hexdigest()[:8]
    56. 

  56. 

  57. 

  58. def _days_since_epoch():
    59. 

  59.     return int(time() / (25 * 3600))
    60. 

  60. 

  61. 

  62. def _make_checksum(obfuscated):
    63. 

  63.     return sha256(force_bytes('%s:%s' % (settings.SECRET_KEY, obfuscated))).hexdigest()[:8]
    64. 

  64. 

  65. 

  66. """
    67. 

  67. Convenience functions for activation token
    68. 

  68. """
    69. 

  69. ACTIVATION_TOKEN = 'activation'
    70. 

  70. 

  71. 

  72. def make_activation_token(user):
    73. 

  73.     return make(user, ACTIVATION_TOKEN)
    74. 

  74. 

  75. 

  76. def is_activation_token_valid(user, token):
    77. 

  77.     return is_valid(user, ACTIVATION_TOKEN, token)
    78. 

  78. 

  79. 

  80. """
    81. 

  81. Convenience functions for password change token
    82. 

  82. """
    83. 

  83. PASSWORD_CHANGE_TOKEN = 'change_password'
    84. 

  84. 

  85. 

  86. def make_password_change_token(user):
    87. 

  87.     return make(user, PASSWORD_CHANGE_TOKEN)
    88. 

  88. 

  89. 

  90. def is_password_change_token_valid(user, token):
    91. 

  91.     return is_valid(user, PASSWORD_CHANGE_TOKEN, token)
    92.