derive the SSO keys from a KDF

2025-11-29 22:37:58 +02:00 · 2021-02-07 17:58:19 +01:00
parent 99c7420f92
commit ef637f51b7
2 changed files with 5 additions and 2 deletions
--- a/core/admin/mailu/init.py
+++ b/core/admin/mailu/init.py
@@ -3,6 +3,7 @@ import flask_bootstrap

 from mailu import utils, debug, models, manage, configuration

+import hmac

 def create_app_from_config(config):
    """ Create a new application based on the given configuration
@@ -24,6 +25,8 @@ def create_app_from_config(config):
    utils.proxy.init_app(app)
    utils.migrate.init_app(app, models.db)

+    app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
+
    # Initialize debugging tools
    if app.config.get("DEBUG"):
        debug.toolbar.init_app(app)
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -429,10 +429,10 @@ class User(Base, Email):
    @classmethod
    def get_temp_token(cls, email):
        user = cls.query.get(email)
-        return hmac.new(bytearray(app.secret_key,'utf-8'), bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None
+        return hmac.new(app.temp_token_key, bytearray("{}|{}".format(datetime.utcnow().strftime("%Y%m%d"), email), 'utf-8'), 'sha256').hexdigest() if (user and user.enabled) else None

    def verify_temp_token(self, token):
-        return hmac.compare_digest(b''.fromhex(self.get_temp_token(self.email)), b''.fromhex(token))
+        return hmac.compare_digest(self.get_temp_token(self.email), token)