Salt the ip address before hashing

2019-04-25 21:55:30 +03:00 · 2019-04-25 21:55:30 +03:00 · d299feb420
commit d299feb420
parent 3b3ae8a82c
2 changed files with 6 additions and 5 deletions
--- a/hc/accounts/tests/test_login.py
+++ b/hc/accounts/tests/test_login.py
@ -50,8 +50,8 @@ class LoginTestCase(BaseTestCase):

    @override_settings(SECRET_KEY="test-secret")
    def test_it_rate_limits_ips(self):
-        # 4b84.... is sha1("127.0.0.1test-secret")
-        obj = TokenBucket(value="ip-4b84b15bff6ee5796152495a230e45e3d7e947d9")
+        # 60be.... is sha1("127.0.0.1test-secret")
+        obj = TokenBucket(value="ip-60be45f44bd9ab3805871fb1137594e708c993ff")
        obj.tokens = 0
        obj.save()

--- a/hc/api/models.py
+++ b/hc/api/models.py
@ -629,8 +629,8 @@ class TokenBucket(models.Model):
        mailbox = mailbox.split("+")[0]
        email = mailbox + "@" + domain

-        b = (email + settings.SECRET_KEY).encode()
-        value = "em-%s" % hashlib.sha1(b).hexdigest()
+        salted_encoded = (email + settings.SECRET_KEY).encode()
+        value = "em-%s" % hashlib.sha1(salted_encoded).hexdigest()

        # 20 emails per 3600 seconds (1 hour):
        return TokenBucket.authorize(value, 20, 3600)
@ -640,7 +640,8 @@ class TokenBucket(models.Model):
        headers = request.META
        ip = headers.get("HTTP_X_FORWARDED_FOR", headers["REMOTE_ADDR"])
        ip = ip.split(",")[0]
-        value = "ip-%s" % hashlib.sha1(ip.encode()).hexdigest()
+        salted_encoded = (ip + settings.SECRET_KEY).encode()
+        value = "ip-%s" % hashlib.sha1(salted_encoded).hexdigest()

        # 20 login attempts from a single IP per 3600 seconds (1 hour):
        return TokenBucket.authorize(value, 20, 3600)