Changeset - 11ab74b7701b
[Not reviewed]
default
Mads Kiilerich (mads) - 6 years ago 2020-08-18 22:36:45
mads@kiilerich.com
Grafted from: 72727aefb249
pytest: use hmac.new instead of hmac.HMAC

According to documentation, hmac.new is the way to create a HMAC object ... and
the first argument is mandatory and we don't want to name it.

This has no functional change but will address a pytype warning:

File "kallithea/model/user.py", line 304, in get_reset_password_token: Invalid keyword arguments (digestmod, key, msg) to function HMAC.__init__ [wrong-keyword-args]
1 file changed with 2 insertions and 2 deletions:
0 comments (0 inline, 0 general)
kallithea/model/user.py
 
@@ -292,26 +292,26 @@ class UserModel(object):
 

	
 
        * session ID (the anti-CSRF token), requiring an attacker to have
 
          access to the browser session in which the token was created
 
        * numeric user ID, limiting the token to a specific user (yet allowing
 
          users to be renamed)
 
        * user email address
 
        * time of token issue (a Unix timestamp, to enable token expiration)
 

	
 
        The key and message values are separated by NUL characters, which are
 
        guaranteed not to occur in any of the values.
 
        """
 
        app_secret = config.get('app_instance_uuid')
 
        return hmac.HMAC(
 
            key='\0'.join([app_secret, user.password]).encode('utf-8'),
 
        return hmac.new(
 
            '\0'.join([app_secret, user.password]).encode('utf-8'),
 
            msg='\0'.join([session_id, str(user.user_id), user.email, str(timestamp)]).encode('utf-8'),
 
            digestmod=hashlib.sha1,
 
        ).hexdigest()
 

	
 
    def send_reset_password_email(self, data):
 
        """
 
        Sends email with a password reset token and link to the password
 
        reset confirmation page with all information (including the token)
 
        pre-filled. Also returns URL of that page, only without the token,
 
        allowing users to copy-paste or manually enter the token from the
 
        email.
 
        """
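Review bot: the key is now an unlabelled first positional argument in the hmac.new( call, while msg= and digestmod= stay as keywords, so a reader can no longer tell at a glance which joined string is the key; a trailing "# key" comment on the '\0'.join([app_secret, user.password]) line would keep that clear. Separately, the docstring in this hunk says NUL characters are guaranteed not to occur in any of the values, but nothing in the visible lines checks that for session_id or user.email. Since the NUL separator is what keeps the joined fields unambiguous, a check here or a pointer to where that guarantee is enforced would be worth a follow-up.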