Use hmac.compare_digest() to compare mru_token
This commit is contained in:
parent
481a333dc0
commit
49c333221a
@ -65,7 +65,7 @@ class TOTPStrategy():
|
|||||||
raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
|
raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
|
||||||
|
|
||||||
# TODO: Should a token replay be handled as its own error?
|
# TODO: Should a token replay be handled as its own error?
|
||||||
if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
|
if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
|
||||||
raise BadTokenError("Two factor code incorrect")
|
raise BadTokenError("Two factor code incorrect")
|
||||||
|
|
||||||
self.store_successful_login(token_header, env)
|
self.store_successful_login(token_header, env)
|
||||||
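Review bot: The new `hmac.compare_digest(token_header, mfa_state['mru_token'])` on the changed line can raise `TypeError` where the old `==` returned False: `compare_digest` requires both arguments to be the same type and, for `str`, both must be ASCII-only, so a client-supplied `x-auth-token` containing a non-ASCII character (or an `mru_token` that is `None` before any successful login, if the state is initialised that way — not visible in this hunk) turns into an unhandled exception instead of `BadTokenError`. Normalising both sides to bytes first keeps the constant-time comparison and the clean failure path: `mru_token = mfa_state.get('mru_token') or ''` followed by `if hmac.compare_digest(token_header.encode('utf-8'), mru_token.encode('utf-8')) or validate(mfa_state['secret'], token_header) != True:`. The `import hmac` the new line depends on is not shown in this hunk; presumably it is added elsewhere in the file. The enclosing method of `TOTPStrategy` begins before and ends after the hunk.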
|