Avoid leaking user existence info
This commit is contained in:
parent
6b66ec16d5
commit
886a5621f0
@ -1,3 +1,4 @@
|
||||
import random
|
||||
import typing as t
|
||||
from typing_extensions import Literal
|
||||
from datetime import datetime
|
||||
@ -122,16 +123,36 @@ def get_login_user(request: Request, challenge: LoginChallengeIn) -> UserType:
|
||||
raise AuthenticationFailed(code="user_not_init", detail="User not properly init")
|
||||
return user
|
||||
except User.DoesNotExist:
|
||||
raise AuthenticationFailed(code="user_not_found", detail="User not found")
|
||||
return fake_user(username)
|
||||
|
||||
|
||||
def get_encryption_key(salt: bytes):
|
||||
FAKE_USER_COUNT = 1000
|
||||
|
||||
|
||||
def fake_user(username: str) -> UserType:
|
||||
username_bytes = bytes(username, encoding="utf-8")
|
||||
login_pubkey = get_encryption_key(b"", b"loginPubkey", username_bytes)[:32]
|
||||
salt = get_encryption_key(b"", b"salt", username_bytes)[:16]
|
||||
|
||||
user = User()
|
||||
user.username = username
|
||||
user.id = random.Random(settings.SECRET_KEY + username).randint(0, FAKE_USER_COUNT)
|
||||
|
||||
userinfo = UserInfo()
|
||||
userinfo.loginPubkey = login_pubkey
|
||||
userinfo.salt = salt
|
||||
|
||||
user.userinfo = userinfo
|
||||
return user
|
||||
|
||||
|
||||
def get_encryption_key(salt: bytes, person=b"etebase-auth", data: bytes = b""):
|
||||
key = nacl.hash.blake2b(settings.SECRET_KEY.encode(), encoder=nacl.encoding.RawEncoder)
|
||||
return nacl.hash.blake2b(
|
||||
b"",
|
||||
data=data,
|
||||
key=key,
|
||||
salt=salt[: nacl.hash.BLAKE2B_SALTBYTES],
|
||||
person=b"etebase-auth",
|
||||
person=person,
|
||||
encoder=nacl.encoding.RawEncoder,
|
||||
)
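Review bot: The `user_not_init` branch at the top of this hunk, `raise AuthenticationFailed(code="user_not_init", detail="User not properly init")`, still tells a caller that the username exists, so the new `fake_user` path only hides names that were never registered; if that is deliberate it deserves a comment, otherwise `return fake_user(username)` there as well would close the remaining distinguisher. The real path (database lookup, then raise or return) and the fake path (four BLAKE2b calls) will also differ in response time, which may leave a measurable side channel even though the error code is now identical — worth a `# NOTE:` even if not addressed here. `fake_user` has no docstring; I would add one stating that its output is deterministic per username and `SECRET_KEY` so repeated probes of the same name see the same `loginPubkey` and `salt`, and explaining why `user.id` is assigned on an unsaved instance (presumably so `userinfo` can be attached; confirm). `get_login_user` begins before this hunk.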
|
||||
|
||||
|