Make auth codes depend on fr secret by default

okfde · Apr 19, 2021 · 21e2ba1 · 21e2ba1
1 parent 8e17468
commit 21e2ba1
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/froide/foirequest/auth.py b/froide/foirequest/auth.py
@@ -139,22 +139,45 @@ def can_read_foirequest_anonymous(foirequest, request):
     return False
 
 
-def get_foirequest_auth_code(foirequest):
-    return salted_hmac("FoiRequestPublicBodyAuth",
+def _get_foirequest_auth_code(foirequest):
+    return [
+        salted_hmac("FoiRequestPublicBodyAuth",
+            '%s#%s' % (foirequest.id, foirequest.get_secret())).hexdigest(),
+        salted_hmac("FoiRequestPublicBodyAuth",
             '%s#%s' % (foirequest.id, foirequest.secret_address)).hexdigest()
+    ]
 
 
-def get_foirequest_upload_code(foirequest):
-    return salted_hmac("FoiRequestPublicBodyUpload",
+def _get_foirequest_upload_code(foirequest):
+    secret = foirequest.get_secret()
+    return [
+        salted_hmac("FoiRequestPublicBodyUpload",
+            '%s#%s' % (foirequest.id, secret)).hexdigest(),
+        salted_hmac("FoiRequestPublicBodyUpload",
             '%s#%s' % (foirequest.id, foirequest.secret_address)).hexdigest()
+    ]
+
+
+def get_foirequest_upload_code(foirequest):
+    return _get_foirequest_upload_code(foirequest)[0]
+
+
+def get_foirequest_auth_code(foirequest):
+    return _get_foirequest_auth_code(foirequest)[0]
 
 
 def check_foirequest_auth_code(foirequest, code):
-    return constant_time_compare(code, get_foirequest_auth_code(foirequest))
+    for gen_code in _get_foirequest_auth_code(foirequest):
+        if constant_time_compare(code, gen_code):
+            return True
+    return False
 
 
 def check_foirequest_upload_code(foirequest, code):
-    return constant_time_compare(code, get_foirequest_upload_code(foirequest))
+    for gen_code in _get_foirequest_upload_code(foirequest):
+        if constant_time_compare(code, gen_code):
+            return True
+    return False
 
 
 def is_attachment_public(foirequest, attachment):

diff --git a/froide/foirequest/models/request.py b/froide/foirequest/models/request.py
@@ -10,6 +10,7 @@
 from django.contrib.sites.models import Site
 from django.contrib.sites.managers import CurrentSiteManager
 from django.urls import reverse
+from django.utils.crypto import get_random_string
 
 import django.dispatch
 from django.utils import timezone
@@ -483,6 +484,12 @@ def get_absolute_domain_url(self):
     def get_absolute_domain_short_url(self):
         return get_absolute_domain_short_url(self.id)
 
+    def get_secret(self):
+        if not self.secret:
+            self.secret = get_random_string(25)
+            self.save()
+        return self.secret
+
     def get_auth_link(self):
         from ..auth import get_foirequest_auth_code