cleaned imports and fixed datetime and passlib use

master
Alexander Graf 3 years ago
parent 6dc1a19390
commit fbd945390d

@ -1,7 +1,6 @@
""" Mailu config storage model
"""
import re
import os
import smtplib
import json
@ -17,7 +16,6 @@ import passlib.hash
import passlib.registry
import time
import os
import glob
import hmac
import smtplib
import idna
@ -533,7 +531,7 @@ class User(Base, Email):
if cache_result and current_salt:
cache_salt, cache_hash = cache_result
if cache_salt == current_salt:
return hash.pbkdf2_sha256.verify(password, cache_hash)
return passlib.hash.pbkdf2_sha256.verify(password, cache_hash)
else:
# the cache is local per gunicorn; the password has changed
# so the local cache can be invalidated
@ -560,7 +558,7 @@ we have little control over GC and string interning anyways.
An attacker that can dump the process' memory is likely to find credentials
in clear-text regardless of the presence of the cache.
"""
self._credential_cache[self.get_id()] = (self.password.split('$')[3], hash.pbkdf2_sha256.using(rounds=1).hash(password))
self._credential_cache[self.get_id()] = (self.password.split('$')[3], passlib.hash.pbkdf2_sha256.using(rounds=1).hash(password))
return result
def set_password(self, password, raw=False):
@ -604,7 +602,7 @@ in clear-text regardless of the presence of the cache.
@classmethod
def get_temp_token(cls, email):
user = cls.query.get(email)
return hmac.new(app.temp_token_key, bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
return hmac.new(app.temp_token_key, bytearray("{}|{}".format(time.strftime('%Y%m%d'), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
def verify_temp_token(self, token):
return hmac.compare_digest(self.get_temp_token(self.email), token)
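Review bot: The replacement line in get_temp_token calls `time.strftime('%Y%m%d')` without a time tuple, which formats the process's local time, whereas the line it replaces used `datetime.utcnow()`. The day stamp fed into the HMAC now depends on each process's TZ setting, so if the issuing and verifying processes differ in timezone, a valid token can be rejected for part of each day; `time.strftime('%Y%m%d', time.gmtime())` keeps the UTC behaviour. Separately, verify_temp_token passes the result of get_temp_token straight to `hmac.compare_digest`, and that result is None for a missing or disabled user, which raises TypeError rather than returning False. Binding it first, `expected = self.get_temp_token(self.email)`, then `return expected is not None and hmac.compare_digest(expected, token)`, makes the check fail closed. The User class continues outside the visible hunks, so callers may already guard against this.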
