Token mechanism fixes:

* Save token secret to config * OpenVPN profile fixes for Ubuntu 16.04 * Raise correct exceptions for invalid tokens * Display token expiration time in local time
2026-01-12 17:06:59 +00:00 · 2017-04-22 14:10:54 +03:00
parent 7651c220c8
commit 029ee357fb
6 changed files with 39 additions and 23 deletions
--- a/certidude/api/token.py
+++ b/certidude/api/token.py
@@ -1,4 +1,5 @@
 import click
+import falcon
 import logging
 import hashlib
 import random
@@ -12,12 +13,6 @@ from certidude.auth import login_required, authorize_admin

 logger = logging.getLogger(__name__)

-chars = string.ascii_letters + string.digits + '!@#$%^&*()'
-SECRET = ''.join(random.choice(chars) for i in range(32))
-
-click.echo("Token secret: %s" % SECRET)
-
-
 KEYWORDS = (
    (u"Android", u"android"),
    (u"iPhone", u"iphone"),
@@ -36,16 +31,17 @@ class TokenResource(object):
        username = req.get_param("u", required=True)
        user = User.objects.get(username)
        csum = hashlib.sha256()
-        csum.update(SECRET)
+        csum.update(config.TOKEN_SECRET)
        csum.update(username)
        csum.update(str(timestamp))

        if csum.hexdigest() != req.get_param("c", required=True):
-            raise # TODO
+            raise falcon.HTTPUnauthorized("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
        if now < timestamp:
-            raise # Token not valid yet
+            raise falcon.HTTPUnauthorized("Forbidden", "Token not valid yet, are you sure server clock is correct?")
        if now > timestamp + config.TOKEN_LIFETIME:
-            raise # token expired
+            raise falcon.HTTPUnauthorized("Forbidden", "Token expired")
+
        # At this point consider token to be legitimate

        common_name = username
@@ -83,12 +79,17 @@ class TokenResource(object):
        user = User.objects.get(username)
        timestamp = int(time())
        csum = hashlib.sha256()
-        csum.update(SECRET)
+        csum.update(config.TOKEN_SECRET)
        csum.update(username)
        csum.update(str(timestamp))
        args = "u=%s&t=%d&c=%s" % (username, timestamp, csum.hexdigest())
-        token_created = datetime.utcfromtimestamp(timestamp)
-        token_expires = datetime.utcfromtimestamp(timestamp + config.TOKEN_LIFETIME)
+
+        # Token lifetime in local time, to select timezone: dpkg-reconfigure tzdata
+        token_created = datetime.fromtimestamp(timestamp)
+        token_expires = datetime.fromtimestamp(timestamp + config.TOKEN_LIFETIME)
+        with open("/etc/timezone") as fh:
+            token_timezone = fh.read().strip()
+
        context = globals()
        context.update(locals())
        mailer.send("token.md", to=user, **context)