Python django.utils.crypto.salted_hmac() Examples

The following are 30 code examples of django.utils.crypto.salted_hmac(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module django.utils.crypto , or try the search function .
Example #1
Source File: tokens.py    From GTDWeb with GNU General Public License v2.0 6 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short
        key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"

        # Ensure results are consistent across DB backends
        login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)

        value = (six.text_type(user.pk) + user.password +
                six.text_type(login_timestamp) + six.text_type(timestamp))
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash) 
Example #2
Source File: tokens.py    From Hands-On-Application-Development-with-PyCharm with MIT License 6 votes vote down vote up
def _make_hash_value(self, user, timestamp):
        """
        Hash the user's primary key and some user state that's sure to change
        after a password reset to produce a token that invalidated when it's
        used:
        1. The password field will change upon a password reset (even if the
           same password is chosen, due to password salting).
        2. The last_login field will usually be updated very shortly after
           a password reset.
        Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually
        invalidates the token.

        Running this data through salted_hmac() prevents password cracking
        attempts using the reset token, provided the secret isn't compromised.
        """
        # Truncate microseconds so that tokens are consistent even if the
        # database doesn't support microseconds.
        login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)
        return str(user.pk) + user.password + str(login_timestamp) + str(timestamp) 
Example #3
Source File: models.py    From happinesspackets with Apache License 2.0 6 votes vote down vote up
def send_to_recipient(self, use_https, domain):
        stripped_email = strip_email(self.recipient_email)
        if BlacklistedEmail.objects.filter(stripped_email=stripped_email).count():
            return

        blacklist_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.recipient_email).hexdigest()
        blacklist_url = reverse('messaging:blacklist_email', kwargs={'email': self.recipient_email, 'digest': blacklist_digest})
        self.recipient_email_token = readable_random_token(alphanumeric=True)
        self.status = Message.STATUS.sent
        context = {
            'message': self,
            'protocol': 'https' if use_https else 'http',
            'domain': domain,
            'recipient': self.recipient_email,
            'blacklist_url': blacklist_url,
        }
        subject = render_to_string('messaging/recipient_subject.txt', context)
        subject = ' '.join(subject.splitlines())
        body_txt = render_to_string('messaging/recipient_mail.txt', context)
        body_html = render_to_string('messaging/recipient_mail.html', context)
        send_html_mail(subject, body_txt, body_html, self.recipient_email)
        self.save() 
Example #4
Source File: models.py    From happinesspackets with Apache License 2.0 6 votes vote down vote up
def send_sender_confirmation(self, use_https, domain):
        stripped_email = strip_email(self.sender_email)
        if BlacklistedEmail.objects.filter(stripped_email=stripped_email).count():
            return

        blacklist_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.sender_email).hexdigest()
        blacklist_url = reverse('messaging:blacklist_email', kwargs={'email': self.sender_email, 'digest': blacklist_digest})
        self.sender_email_token = readable_random_token(alphanumeric=True)
        context = {
            'message': self,
            'protocol': 'https' if use_https else 'http',
            'domain': domain,
            'recipient': self.sender_email,
            'blacklist_url': blacklist_url,
        }
        subject = render_to_string('messaging/sender_confirmation_subject.txt', context)
        subject = ' '.join(subject.splitlines())
        body_txt = render_to_string('messaging/sender_confirmation_mail.txt', context)
        body_html = render_to_string('messaging/sender_confirmation_mail.html', context)
        send_html_mail(subject, body_txt, body_html, self.sender_email)
        self.save() 
Example #5
Source File: tokens.py    From fomalhaut-panel with MIT License 6 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short
        key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"

        # Ensure results are consistent across DB backends
        if user.date_updated:
            login_timestamp = user.date_updated.replace(microsecond=0, tzinfo=None)
        elif user.last_login:
            login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None)
        else:
            login_timestamp = user.date_joined.replace(microsecond=0, tzinfo=None)

        value = (six.text_type(user.pk) + user.password +
                 six.text_type(login_timestamp) + six.text_type(timestamp))
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash) 
Example #6
Source File: tokens.py    From openhgsenti with Apache License 2.0 6 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short

        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
        ).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash) 
Example #7
Source File: tokens.py    From bioforum with MIT License 6 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short

        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
        ).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash) 
Example #8
Source File: tokens.py    From python2017 with MIT License 6 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short

        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
        ).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash) 
Example #9
Source File: cookie.py    From python2017 with MIT License 5 votes vote down vote up
def _hash(self, value):
        """
        Creates an HMAC/SHA1 hash based on the value and the project setting's
        SECRET_KEY, modified to make it unique for the present purpose.
        """
        key_salt = 'django.contrib.messages'
        return salted_hmac(key_salt, value).hexdigest() 
Example #10
Source File: base_user.py    From python2017 with MIT License 5 votes vote down vote up
def get_session_auth_hash(self):
        """
        Return an HMAC of the password field.
        """
        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
        return salted_hmac(key_salt, self.password).hexdigest() 
Example #11
Source File: base_user.py    From openhgsenti with Apache License 2.0 5 votes vote down vote up
def get_session_auth_hash(self):
        """
        Return an HMAC of the password field.
        """
        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
        return salted_hmac(key_salt, self.password).hexdigest() 
Example #12
Source File: cookie.py    From openhgsenti with Apache License 2.0 5 votes vote down vote up
def _hash(self, value):
        """
        Creates an HMAC/SHA1 hash based on the value and the project setting's
        SECRET_KEY, modified to make it unique for the present purpose.
        """
        key_salt = 'django.contrib.messages'
        return salted_hmac(key_salt, value).hexdigest() 
Example #13
Source File: base.py    From wechat-python-sdk with BSD 2-Clause "Simplified" License 5 votes vote down vote up
def _hash(self, value):
        return salted_hmac('wechat_sdk.context.framework.django', value).hexdigest() 
Example #14
Source File: crypto.py    From polyaxon with Apache License 2.0 5 votes vote down vote up
def get_hmac(key_salt, value):
    return salted_hmac(key_salt, value).hexdigest() 
Example #15
Source File: cookie.py    From GTDWeb with GNU General Public License v2.0 5 votes vote down vote up
def _hash(self, value):
        """
        Creates an HMAC/SHA1 hash based on the value and the project setting's
        SECRET_KEY, modified to make it unique for the present purpose.
        """
        key_salt = 'django.contrib.messages'
        return salted_hmac(key_salt, value).hexdigest() 
Example #16
Source File: signing.py    From luscan-devel with GNU General Public License v2.0 5 votes vote down vote up
def base64_hmac(salt, value, key):
    return b64_encode(salted_hmac(salt, value, key).digest()) 
Example #17
Source File: hash.py    From eoj3 with MIT License 5 votes vote down vote up
def _make_hash(self, user, timestamp, content_type_id, object_id):
    content = "%s-%s-%s" % (int_to_base36(timestamp), int_to_base36(content_type_id), int_to_base36(object_id))

    Hash = salted_hmac(
      settings.SECRET_KEY[::2],
      content + six.text_type(user.pk) + user.password
    ).hexdigest()[::2]

    return "%s-%s" % (content, Hash) 
Example #18
Source File: tokens.py    From Hands-On-Application-Development-with-PyCharm with MIT License 5 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)
        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
        ).hexdigest()[::2]  # Limit to 20 characters to shorten the URL.
        return "%s-%s" % (ts_b36, hash) 
Example #19
Source File: base_user.py    From Hands-On-Application-Development-with-PyCharm with MIT License 5 votes vote down vote up
def get_session_auth_hash(self):
        """
        Return an HMAC of the password field.
        """
        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
        return salted_hmac(key_salt, self.password).hexdigest() 
Example #20
Source File: cookie.py    From Hands-On-Application-Development-with-PyCharm with MIT License 5 votes vote down vote up
def _hash(self, value):
        """
        Create an HMAC/SHA1 hash based on the value and the project setting's
        SECRET_KEY, modified to make it unique for the present purpose.
        """
        key_salt = 'django.contrib.messages'
        return salted_hmac(key_salt, value).hexdigest() 
Example #21
Source File: test_views.py    From happinesspackets with Apache License 2.0 5 votes vote down vote up
def setUp(self):
        self.message = MessageModelFactory()
        self.correct_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.message.recipient_email).hexdigest()
        self.url_kwargs = {'email': self.message.recipient_email, 'digest': self.correct_digest}
        self.url = reverse(self.url_name, kwargs=self.url_kwargs) 
Example #22
Source File: views.py    From happinesspackets with Apache License 2.0 5 votes vote down vote up
def get_email(self):
        expected_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.kwargs['email'])
        if not constant_time_compare(expected_digest.hexdigest(), self.kwargs['digest']):
            raise Http404
        return self.kwargs['email'] 
Example #23
Source File: tokens.py    From mangaki with GNU Affero General Public License v3.0 5 votes vote down vote up
def compute_token(salt, username):
    return salted_hmac(salt, username).hexdigest() 
Example #24
Source File: video_calls.py    From zulip with Apache License 2.0 5 votes vote down vote up
def get_zoom_sid(request: HttpRequest) -> str:
    # This is used to prevent CSRF attacks on the Zoom OAuth
    # authentication flow.  We want this value to be unpredictable and
    # tied to the session, but we don’t want to expose the main CSRF
    # token directly to the Zoom server.

    csrf.get_token(request)
    # Use 'mark_sanitized' to cause Pysa to ignore the flow of user controlled
    # data out of this function. 'request.META' is indeed user controlled, but
    # post-HMAC ouptut is no longer meaningfully controllable.
    return mark_sanitized(
        ""
        if getattr(request, "_dont_enforce_csrf_checks", False)
        else salted_hmac("Zulip Zoom sid", request.META["CSRF_COOKIE"]).hexdigest()
    ) 
Example #25
Source File: utils.py    From django-users2 with BSD 3-Clause "New" or "Revised" License 5 votes vote down vote up
def _make_token_with_timestamp(self, user, timestamp):

        ts_b36 = int_to_base36(timestamp)
        key_salt = 'users.utils.EmailActivationTokenGenerator'
        login_timestamp = '' if user.last_login is None else \
            user.last_login.replace(microsecond=0, tzinfo=None)
        value = (six.text_type(user.pk) + six.text_type(user.email) +
                 six.text_type(login_timestamp) + six.text_type(timestamp))
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return '%s-%s' % (ts_b36, hash) 
Example #26
Source File: base_user.py    From bioforum with MIT License 5 votes vote down vote up
def get_session_auth_hash(self):
        """
        Return an HMAC of the password field.
        """
        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
        return salted_hmac(key_salt, self.password).hexdigest() 
Example #27
Source File: cookie.py    From bioforum with MIT License 5 votes vote down vote up
def _hash(self, value):
        """
        Create an HMAC/SHA1 hash based on the value and the project setting's
        SECRET_KEY, modified to make it unique for the present purpose.
        """
        key_salt = 'django.contrib.messages'
        return salted_hmac(key_salt, value).hexdigest() 
Example #28
Source File: base.py    From django-sitemessage with BSD 3-Clause "New" or "Revised" License 5 votes vote down vote up
def get_dispatch_hash(cls, dispatch_id: int, message_id: int) -> str:
        """Returns a hash string for validation purposes.

        :param dispatch_id:
        :param message_id:

        """
        return salted_hmac('%s' % dispatch_id, '%s|%s' % (message_id, dispatch_id)).hexdigest() 
Example #29
Source File: signing.py    From GTDWeb with GNU General Public License v2.0 5 votes vote down vote up
def base64_hmac(salt, value, key):
    return b64_encode(salted_hmac(salt, value, key).digest()) 
Example #30
Source File: models.py    From GTDWeb with GNU General Public License v2.0 5 votes vote down vote up
def get_session_auth_hash(self):
        """
        Returns an HMAC of the password field.
        """
        key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"
        return salted_hmac(key_salt, self.password).hexdigest()


# A few helper functions for common logic between User and AnonymousUser.