Merge pull request #86 from Half-Shot/patch-1

User types should be part of the hmac
Tulir Asokan 2020-03-04 15:34:32 +02:00 committed by GitHub
commit 4aada15bbe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -33,7 +33,7 @@ def registration_secrets() -> Dict[str, Dict[str, str]]:
return get_config()["registration_secrets"] return get_config()["registration_secrets"]
def generate_mac(secret: str, nonce: str, user: str, password: str, admin: bool = False): def generate_mac(secret: str, nonce: str, user: str, password: str, admin: bool = False, user_type: str = None):
mac = hmac.new(key=secret.encode("utf-8"), digestmod=hashlib.sha1) mac = hmac.new(key=secret.encode("utf-8"), digestmod=hashlib.sha1)
mac.update(nonce.encode("utf-8")) mac.update(nonce.encode("utf-8"))
mac.update(b"\x00") mac.update(b"\x00")
@ -42,6 +42,9 @@ def generate_mac(secret: str, nonce: str, user: str, password: str, admin: bool
mac.update(password.encode("utf-8")) mac.update(password.encode("utf-8"))
mac.update(b"\x00") mac.update(b"\x00")
mac.update(b"admin" if admin else b"notadmin") mac.update(b"admin" if admin else b"notadmin")
if user_type is not None:
mac.update(b"\x00")
mac.update(user_type.encode("utf8"))
return mac.hexdigest() return mac.hexdigest()
@ -75,7 +78,7 @@ async def read_client_auth_request(request: web.Request) -> Tuple[Optional[AuthR
except KeyError: except KeyError:
return None, resp.invalid_server return None, resp.invalid_server
api = HTTPAPI(base_url, "", loop=get_loop()) api = HTTPAPI(base_url, "", loop=get_loop())
user_type = body.get("user_type", None) user_type = body.get("user_type", "bot")
return AuthRequestInfo(api, secret, username, password, user_type), None return AuthRequestInfo(api, secret, username, password, user_type), None
@ -87,7 +90,7 @@ async def register(request: web.Request) -> web.Response:
api, secret, username, password, user_type = info api, secret, username, password, user_type = info
res = await api.request(Method.GET, Path.admin.register) res = await api.request(Method.GET, Path.admin.register)
nonce = res["nonce"] nonce = res["nonce"]
mac = generate_mac(secret, nonce, username, password) mac = generate_mac(secret, nonce, username, password, user_type)
try: try:
return web.json_response(await api.request(Method.POST, Path.admin.register, content={ return web.json_response(await api.request(Method.POST, Path.admin.register, content={
"nonce": nonce, "nonce": nonce,
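Review bot: In `register`, the new call `generate_mac(secret, nonce, username, password, user_type)` passes `user_type` positionally, so it binds to the fifth parameter `admin` and not to the new `user_type` parameter. Because `read_client_auth_request` now defaults `user_type` to `"bot"`, the value is a truthy string: the MAC is computed over `admin` and the user type is never appended, which is the opposite of what the commit intends and will presumably not match the MAC the server derives from the request fields. Pass it by keyword, `mac = generate_mac(secret, nonce, username, password, user_type=user_type)`, and consider making `admin` and `user_type` keyword-only in the signature so a positional mix-up fails loudly. The annotation `user_type: str = None` should also read `Optional[str]`. The body of `register` continues outside the hunk, so the fields actually sent in the POST content could not be checked here.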