Improve password checks

code4romania · Aug 9, 2024 · b34341b · b34341b
1 parent 9ea48a9
commit b34341b
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/backend/users/models.py b/backend/users/models.py
@@ -105,9 +105,10 @@ def refresh_token(self, commit=True):
         return self.validation_token
 
     def verify_token(self, token):
-        if not self.validation_token or not token:
+        validation_token: uuid.UUID = self.validation_token
+        if not validation_token or not token:
             return False
-        if self.validation_token == token:
+        if hmac.compare_digest(validation_token.hex, token.hex):
             return True
         return False
 
@@ -117,7 +118,8 @@ def clear_token(self, commit=True):
         if commit:
             self.save()
 
-    def old_hash_password(self, password, method, salt=None, pepper=None):
+    @staticmethod
+    def old_hash_password(password, method, salt=None, pepper=None):
         """
         Implement the old password hashing algorithm from webapp2
         """
@@ -149,9 +151,9 @@ def check_old_password(self, password: str = ""):
             return False
 
         pepper = settings.OLD_SESSION_KEY
-        hashval, method, salt = self.old_password.split("$", 2)
+        hash_val, method, salt = self.old_password.split("$", 2)
 
-        return self.old_hash_password(password, method, salt, pepper) == hashval
+        return hmac.compare_digest(self.old_hash_password(password, method, salt, pepper), hash_val)
 
     @staticmethod
     def create_admin_login_url(next_url=""):