From 54268ac0273486e53829d812c6d30dccaac2e214 Mon Sep 17 00:00:00 2001
From: Tom Hacohen
Date: Wed, 17 Jun 2020 14:08:08 +0300
Subject: [PATCH] Login: add an action indicator to know the user signed a login request.

---
 django_etebase/serializers.py | 1 +
 django_etebase/views.py | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/django_etebase/serializers.py b/django_etebase/serializers.py
index c940d6e..576431d 100644
--- a/django_etebase/serializers.py
+++ b/django_etebase/serializers.py
@@ -416,6 +416,7 @@ class AuthenticationLoginSerializer(serializers.Serializer):
 class AuthenticationLoginInnerSerializer(AuthenticationLoginChallengeSerializer):
     challenge = BinaryBase64Field()
     host = serializers.CharField()
+    action = serializers.CharField()
 
     def create(self, validated_data):
         raise NotImplementedError()
diff --git a/django_etebase/views.py b/django_etebase/views.py
index 59fcaa2..2b0ec58 100644
--- a/django_etebase/views.py
+++ b/django_etebase/views.py
@@ -607,6 +607,7 @@ class AuthenticationViewSet(viewsets.ViewSet):
         user = self.get_login_user(username)
         host = serializer.validated_data['host']
         challenge = serializer.validated_data['challenge']
+        action = serializer.validated_data['action']
 
         salt = bytes(user.userinfo.salt)
         enc_key = self.get_encryption_key(salt)
@@ -614,7 +615,10 @@ class AuthenticationViewSet(viewsets.ViewSet):
         challenge_data = json.loads(box.decrypt(challenge).decode())
         now = int(datetime.now().timestamp())
 
-        if now - challenge_data['timestamp'] > app_settings.CHALLENGE_VALID_SECONDS:
+        if action != "login":
+            content = {'code': 'wrong_action', 'detail': 'Expected "login" but got something else'}
+            return Response(content, status=status.HTTP_400_BAD_REQUEST)
+        elif now - challenge_data['timestamp'] > app_settings.CHALLENGE_VALID_SECONDS:
             content = {'code': 'challenge_expired', 'detail': 'Login challange has expired'}
             return Response(content, status=status.HTTP_400_BAD_REQUEST)
         elif challenge_data['userId'] != user.id:
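Review bot: The new `action = serializers.CharField()` field in AuthenticationLoginInnerSerializer says nothing about which values are acceptable, and the serializer itself accepts any non-blank string; the only enforcement is the `!= "login"` comparison in the view. If the set of actions is meant to be closed, `action = serializers.ChoiceField(choices=["login"])` would reject unknown values at validation time, though that changes the error shape from the view's `wrong_action` response. If the view-level check is the intended design, a comment such as `# Purpose of the signed request; the view checks it matches the endpoint (e.g. "login").` would tell the next reader why this stays a plain CharField — presumably this inner serializer covers the signed payload, given its name and the commit subject.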
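Review bot: The `"login"` literal on the new `if action != "login":` line in views.py is the only place the expected action is named, and any other endpoint that later verifies a signed request with a different action will repeat the same pattern with its own string; a module-level constant (e.g. `LOGIN_ACTION = "login"`) referenced from the check keeps the wire value in one place. The check also deserves a why-comment, since its security value is not visible from the line itself: `# action is part of the signed challenge payload, so a request signed for another purpose cannot be replayed as a login.` — that wording assumes `serializer` here is the inner serializer over the signed data, as the commit subject suggests; if `action` were read from an unsigned outer field the comparison would offer no protection, so worth confirming. The enclosing view method starts and ends outside the hunk.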