Use hmac.compare_digest() to compare mru_token

This commit is contained in:
Felix Spöttel 2020-09-06 12:54:45 +02:00
parent 481a333dc0
commit 49c333221a

View file

@ -65,7 +65,7 @@ class TOTPStrategy():
raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
# TODO: Should a token replay be handled as its own error?
if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
raise BadTokenError("Two factor code incorrect")
self.store_successful_login(token_header, env)