Several fixes (#2291)

* Fix login timings and use secure secret for password recovery * Run HIBP for all premium users not just paid
2025-09-06 22:54:42 +08:00 · 2024-10-30 10:58:00 +01:00 · 2024-10-30 10:58:00 +01:00 · 2dc96a1d1e
commit 2dc96a1d1e
parent 8457a46cb3
4 changed files with 15 additions and 3 deletions
--- a/app/auth/views/login.py
+++ b/app/auth/views/login.py
@ -10,6 +10,7 @@ from app.events.auth_event import LoginEvent
 from app.extensions import limiter
 from app.log import LOG
 from app.models import User
+from app.pw_models import PasswordOracle
 from app.utils import sanitize_email, sanitize_next_url, canonicalize_email


@ -43,6 +44,13 @@ def login():
        user = User.get_by(email=email) or User.get_by(email=canonical_email)

        if not user or not user.check_password(form.password.data):
+            if not user:
+                # Do the hash to avoid timing attacks nevertheless
+                dummy_pw = PasswordOracle()
+                dummy_pw.password = (
+                    "$2b$12$ZWqpL73h4rGNfLkJohAFAu0isqSw/bX9p/tzpbWRz/To5FAftaW8u"
+                )
+                dummy_pw.check_password(form.password.data)
            # Trigger rate limiter
            g.deduct_limit = True
            form.password.data = None
--- a/app/dashboard/views/account_setting.py
+++ b/app/dashboard/views/account_setting.py
@ -1,3 +1,5 @@
+import secrets
+
 import arrow
 from flask import (
    render_template,
@ -163,7 +165,7 @@ def send_reset_password_email(user):
    """
    # the activation code is valid for 1h
    reset_password_code = ResetPasswordCode.create(
-        user_id=user.id, code=random_string(60)
+        user_id=user.id, code=secrets.token_urlsafe(32)
    )
    Session.commit()

--- a/cron.py
+++ b/cron.py
@ -971,7 +971,7 @@ def delete_expired_tokens():
    LOG.d("Delete api to cookie tokens older than %s, nb row %s", max_time, nb_row)


-async def _hibp_check(api_key, queue):
+async def _hibp_check(api_key: str, queue: asyncio.Queue):
    """
    Uses a single API key to check the queue as fast as possible.

@ -990,7 +990,7 @@ async def _hibp_check(api_key, queue):
        if not alias:
            continue
        user = alias.user
-        if user.disabled or not user.is_paid():
+        if user.disabled or not user.is_premium():
            # Mark it as hibp done to skip it as if it had been checked
            alias.hibp_last_check = arrow.utcnow()
            Session.commit()
--- a/templates/admin/email_search.html
+++ b/templates/admin/email_search.html
@ -11,6 +11,7 @@
            <th scope="col">Verified</th>
            <th scope="col">Status</th>
            <th scope="col">Paid</th>
+            <th scope="col">Premium</th>
            <th>Subscription</th>
            <th>Created At</th>
            <th>Updated At</th>
@ -32,6 +33,7 @@
                <td class="text-success">Enabled</td>
            {% endif %}
            <td>{{ "yes" if user.is_paid() else "No" }}</td>
+            <td>{{ "yes" if user.is_premium() else "No" }}</td>
            <td>{{ user.get_active_subscription() }}</td>
            <td>{{ user.created_at }}</td>
            <td>{{ user.updated_at }}</td>