From 1f0e493b8c2d9f69ad57b5d56fee4e631d0f6008 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?= <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 30 Sep 2020 12:34:26 +0200
Subject: [PATCH] Exclude mru_token in user key hash

---
 management/auth.py | 4 ++--
 management/mfa.py | 14 ++++++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/management/auth.py b/management/auth.py
index d55e069..fd143c7 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -4,7 +4,7 @@ from flask import make_response
 
 import utils
 from mailconfig import get_mail_password, get_mail_user_privileges
-from mfa import get_mfa_state, validate_auth_mfa
+from mfa import get_hash_mfa_state, validate_auth_mfa
 
 DEFAULT_KEY_PATH = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -147,7 +147,7 @@ class KeyAuthService:
 
 # Add to the message the current MFA state, which is a list of MFA information.
 # Turn it into a string stably.
- msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8")
+ msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")
 
 # Make the HMAC.
 hash_key = self.key.encode('ascii')
diff --git a/management/mfa.py b/management/mfa.py
index 541fbc2..6af2288 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -22,11 +22,17 @@ def get_mfa_state(email, env):
 ]
 
def get_public_mfa_state(email, env):
- c = open_database(env)
- c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+ mfa_state = get_mfa_state(email, env)
 return [
- { "id": r[0], "type": r[1], "label": r[2] }
- for r in c.fetchall()
+ { "id": s["id"], "type": s["type"], "label": s["label"] }
+ for s in mfa_state
+ ]
+
+def get_hash_mfa_state(email, env):
+ mfa_state = get_mfa_state(email, env)
+ return [
+ { "id": s["id"], "type": s["type"], "secret": s["secret"] }
+ for s in mfa_state
 ]
 
def enable_mfa(email, type, secret, token, label, env):
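Review bot: The two comment lines above the changed `msg +=` line in management/auth.py still describe the hashed input as "the current MFA state", but the new call folds in only id, type and secret and deliberately leaves out mru_token, so the comment now understates what the key depends on. I would replace them with `# Add the MFA fields whose change should invalidate the key (id, type, secret).` and `# mru_token is deliberately excluded so that its updates do not rotate the key; sort_keys gives a stable dict encoding.`. Note also that `sort_keys=True` stabilizes only the dict keys, not the order of the list returned by get_hash_mfa_state; if the SELECT inside get_mfa_state (outside this diff) has no ORDER BY, a different row order would change the HMAC and reject otherwise-valid keys, which `sorted(get_hash_mfa_state(email, env), key=lambda s: s["id"])` would rule out. The enclosing method starts and ends outside this hunk.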
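Review bot: get_hash_mfa_state in management/mfa.py returns the raw MFA `secret` for every entry but carries no docstring, and it sits directly beside get_public_mfa_state, whose output is shaped for client responses, so a later caller could easily treat the two as interchangeable. I would add `"""Return the MFA fields that feed the user-key HMAC: id, type and secret. mru_token is excluded (per this commit) so its updates do not rotate the key; the result contains raw secrets and must never be returned to a client."""`. Whether mru_token changes on every token use is inferred from the commit title, not visible here, so confirm that wording. The hunk's first `]` closes get_mfa_state, whose body begins outside the hunk, and get_public_mfa_state now reads secret and mru_token from the database only to drop them, which is fine but worth a one-line comment if intentional.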