Exclude mru_token in user key hash

This commit is contained in:
Felix Spöttel 2020-09-30 12:34:26 +02:00
parent ada2167d08
commit 1f0e493b8c
2 changed files with 12 additions and 6 deletions

View File

@ -4,7 +4,7 @@ from flask import make_response
import utils import utils
from mailconfig import get_mail_password, get_mail_user_privileges from mailconfig import get_mail_password, get_mail_user_privileges
from mfa import get_mfa_state, validate_auth_mfa from mfa import get_hash_mfa_state, validate_auth_mfa
DEFAULT_KEY_PATH = '/var/lib/mailinabox/api.key' DEFAULT_KEY_PATH = '/var/lib/mailinabox/api.key'
DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server' DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@ -147,7 +147,7 @@ class KeyAuthService:
# Add to the message the current MFA state, which is a list of MFA information. # Add to the message the current MFA state, which is a list of MFA information.
# Turn it into a string stably. # Turn it into a string stably.
msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8") msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")
# Make the HMAC. # Make the HMAC.
hash_key = self.key.encode('ascii') hash_key = self.key.encode('ascii')

View File

@ -22,11 +22,17 @@ def get_mfa_state(email, env):
] ]
def get_public_mfa_state(email, env): def get_public_mfa_state(email, env):
c = open_database(env) mfa_state = get_mfa_state(email, env)
c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
return [ return [
{ "id": r[0], "type": r[1], "label": r[2] } { "id": s["id"], "type": s["type"], "label": s["label"] }
for r in c.fetchall() for s in mfa_state
]
def get_hash_mfa_state(email, env):
mfa_state = get_mfa_state(email, env)
return [
{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
for s in mfa_state
] ]
def enable_mfa(email, type, secret, token, label, env): def enable_mfa(email, type, secret, token, label, env):