Merge branch 'master' into DO-NOT-MERGE-horrible-webapp

2018-07-13 22:10:11 +02:00 · 2018-07-13 22:10:11 +02:00 · fab4303d5b
commit fab4303d5b
parent 9b67d1d1ff b12535bc93
1 changed files with 7 additions and 4 deletions
--- a/matemat/db/facade.py
+++ b/matemat/db/facade.py
@ -2,6 +2,7 @@
 from typing import List, Optional, Any, Type

 import crypt
+from hmac import compare_digest

 from matemat.primitives import User, Product
 from matemat.exceptions import AuthenticationError, DatabaseConsistencyError
@ -158,9 +159,11 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist')
            user_id, username, email, pwhash, tkhash, admin, member, balance = row
-            if password is not None and crypt.crypt(password, pwhash) != pwhash:
+            if password is not None and not compare_digest(crypt.crypt(password, pwhash), pwhash):
                raise AuthenticationError('Password mismatch')
-            elif touchkey is not None and tkhash is not None and crypt.crypt(touchkey, tkhash) != tkhash:
+            elif touchkey is not None \
+                    and tkhash is not None \
+                    and not compare_digest(crypt.crypt(touchkey, tkhash), tkhash):
                raise AuthenticationError('Touchkey mismatch')
            elif touchkey is not None and tkhash is None:
                raise AuthenticationError('Touchkey not set')
@ -185,7 +188,7 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist in database.')
            # Verify the old password, if it should be verified.
-            if verify_password and crypt.crypt(oldpass, row[0]) != row[0]:
+            if verify_password and not compare_digest(crypt.crypt(oldpass, row[0]), row[0]):
                raise AuthenticationError('Old password does not match.')
            # Hash the new password and write it to the database.
            pwhash: str = crypt.crypt(newpass, crypt.mksalt(_CRYPT_METHOD))
@ -215,7 +218,7 @@ class MatematDatabase(object):
            if row is None:
                raise AuthenticationError('User does not exist in database.')
            # Verify the password, if it should be verified.
-            if verify_password and crypt.crypt(password, row[0]) != row[0]:
+            if verify_password and not compare_digest(crypt.crypt(password, row[0]), row[0]):
                raise AuthenticationError('Password does not match.')
            # Hash the new touchkey and write it to the database.
            tkhash: str = crypt.crypt(touchkey, crypt.mksalt(_CRYPT_METHOD)) if touchkey is not None else None