use more secure token_urlsafe
parent
7823df8f0c
commit
ed322add97
|
@ -1890,7 +1890,7 @@ def delete_media_post(v):
|
||||||
@admin_level_required(PERMS['USER_RESET_PASSWORD'])
|
@admin_level_required(PERMS['USER_RESET_PASSWORD'])
|
||||||
def admin_reset_password(user_id, v):
|
def admin_reset_password(user_id, v):
|
||||||
user = get_account(user_id)
|
user = get_account(user_id)
|
||||||
new_password = secrets.token_hex(31)
|
new_password = secrets.token_urlsafe(57)
|
||||||
user.passhash = hash_password(new_password)
|
user.passhash = hash_password(new_password)
|
||||||
g.db.add(user)
|
g.db.add(user)
|
||||||
|
|
||||||
|
|
|
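Review bot: `new_password = secrets.token_urlsafe(57)` on the new side yields a 76-character password, up from the 62 characters `token_hex(31)` produced; if `hash_password` is bcrypt-backed (I cannot see it from here), input beyond 72 bytes is silently ignored, so the scheme should be confirmed before settling on a length past that limit, or the call shortened to `new_password = secrets.token_urlsafe(48)` for a 64-character value. The randomness is more than sufficient either way — 57 bytes is 456 bits — so this is about a misleading password length rather than a weakness. A short comment would also save the next reader the arithmetic: `# 57 random bytes (456 bits) -> 76-char URL-safe temporary password`. admin_reset_password continues outside the hunk.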
@ -172,7 +172,7 @@ def sign_up_get(v:Optional[User]):
|
||||||
return render_template("login/sign_up_failed_ref.html"), 403
|
return render_template("login/sign_up_failed_ref.html"), 403
|
||||||
|
|
||||||
now = int(time.time())
|
now = int(time.time())
|
||||||
token = secrets.token_hex(16)
|
token = secrets.token_urlsafe(32)
|
||||||
session["signup_token"] = token
|
session["signup_token"] = token
|
||||||
|
|
||||||
formkey_hashstr = str(now) + token + g.agent
|
formkey_hashstr = str(now) + token + g.agent
|
||||||
|
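Review bot: The new `token = secrets.token_urlsafe(32)` line gives no hint of why 32 bytes was chosen or that the token is both stored under `session["signup_token"]` and folded into `formkey_hashstr` two lines below; a comment such as `# 32 random bytes (256 bits) -> 43-char URL-safe token; kept in the session and mixed into the formkey HMAC` would make that contract explicit. The identical line in the sign_up_post hunk deserves the same comment. The switch from a hex to a URL-safe alphabet looks harmless for `str(now) + token + g.agent`, since that string appears to be fed to `hmac.new` rather than parsed, but that is inferred from the sign_up_post context lines. sign_up_get starts and ends outside the hunk.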
@ -234,7 +234,7 @@ def sign_up_post(v:Optional[User]):
|
||||||
ref_user = None
|
ref_user = None
|
||||||
|
|
||||||
now = int(time.time())
|
now = int(time.time())
|
||||||
token = secrets.token_hex(16)
|
token = secrets.token_urlsafe(32)
|
||||||
session["signup_token"] = token
|
session["signup_token"] = token
|
||||||
formkey_hashstr = str(now) + token + g.agent
|
formkey_hashstr = str(now) + token + g.agent
|
||||||
formkey = hmac.new(key=bytes(SECRET_KEY, "utf-16"),
|
formkey = hmac.new(key=bytes(SECRET_KEY, "utf-16"),
|
||||||
|
|
|
@ -39,7 +39,7 @@ def calc_users():
|
||||||
|
|
||||||
if not session.get("session_id"):
|
if not session.get("session_id"):
|
||||||
session.permanent = True
|
session.permanent = True
|
||||||
session["session_id"] = secrets.token_hex(49)
|
session["session_id"] = secrets.token_urlsafe(98)
|
||||||
|
|
||||||
if v:
|
if v:
|
||||||
if session["session_id"] in loggedout: del loggedout[session["session_id"]]
|
if session["session_id"] in loggedout: del loggedout[session["session_id"]]
|
||||||
|
|
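Review bot: `secrets.token_urlsafe(98)` takes a byte count, not an output length: 98 bytes encodes to a 131-character session_id, whereas `token_hex(49)` gave 98 characters, so the id grows by a third and carries 784 bits of randomness where 32 bytes (256 bits, 43 characters) is already far beyond brute-force reach; if this is the Flask cookie session, that growth lands in every request's cookie. I would use `session["session_id"] = secrets.token_urlsafe(32)  # 32 random bytes -> 43-char URL-safe session id`, or `token_urlsafe(73)` if a ~98-character id is wanted for compatibility with whatever reads it. Existing sessions keep their hex ids, since the guard only fills an empty session_id, so the `loggedout` lookup below keeps working for both formats. calc_users starts and ends outside the hunk.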