mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-22 07:17:05 +00:00
Use hmac.compare_digest() to compare mru_token
This commit is contained in:
parent
481a333dc0
commit
49c333221a
@ -65,7 +65,7 @@ class TOTPStrategy():
|
||||
raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
|
||||
|
||||
# TODO: Should a token replay be handled as its own error?
|
||||
if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
|
||||
if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
|
||||
raise BadTokenError("Two factor code incorrect")
|
||||
|
||||
self.store_successful_login(token_header, env)
|
||||
|
Loading…
Reference in New Issue
Block a user