Safer password/token generation for the DJ.

This commit is contained in:
Josh W 2020-02-15 18:01:13 -05:00
parent 11d6b102af
commit 098c772da9
2 changed files with 9 additions and 20 deletions


@ -2,20 +2,22 @@
import binascii import binascii
import os import os
import secrets
import string
from django.conf import settings from django.conf import settings
from django.contrib.auth.hashers import make_password from django.contrib.auth.hashers import make_password
from django.utils.crypto import get_random_string
from django.db import migrations, models from django.db import migrations, models
from core.utils import generate_password
def create_dj_user(apps, schema_editor): def create_dj_user(apps, schema_editor):
User = apps.get_model('core', 'RadioUser') User = apps.get_model('core', 'RadioUser')
Token = apps.get_model('authtoken', 'Token') Token = apps.get_model('authtoken', 'Token')
db_alias = schema_editor.connection.alias db_alias = schema_editor.connection.alias
new_password = generate_password() chars = string.ascii_letters + string.digits + string.punctuation
new_password = get_random_string(length=32, allowed_chars=chars)
dj = User(email=settings.RADIO_DJ_EMAIL, dj = User(email=settings.RADIO_DJ_EMAIL,
name=settings.RADIO_DJ_NAME, name=settings.RADIO_DJ_NAME,
password=make_password(new_password), password=make_password(new_password),
@ -24,10 +26,10 @@ def create_dj_user(apps, schema_editor):
is_dj=True) is_dj=True)
dj.save(using=db_alias) dj.save(using=db_alias)
# Since 'post_save' is impervious to migration scripts, this is pulled # Since 'post_save' is impervious to migration scripts, this will be
# directly from the authtoken code for key generation. Otherwise, key will # created here instead. Otherwise, key will be blank and we don't want
# be blank. # that for the DJ account.
token = Token(key=binascii.hexlify(os.urandom(20)).decode(), user=dj) token = Token(key=secrets.token_hex(20), user=dj)
token.save(using=db_alias) token.save(using=db_alias)
with open(os.path.join(settings.PROJECT_DIR, '.djinfo'), 'w') as f: with open(os.path.join(settings.PROJECT_DIR, '.djinfo'), 'w') as f:
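Review bot: The plaintext DJ password produced on the new `new_password = get_random_string(...)` line still ends up in the `.djinfo` file opened on the last line of this hunk with the process's default umask, so the credential is typically readable by every local account; since the commit's purpose is safer credential generation, the file should be created with owner-only mode, e.g. `fd = os.open(os.path.join(settings.PROJECT_DIR, '.djinfo'), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. The body of that `with` block, and the rest of create_dj_user, continue outside the hunk. Separately, in the first hunk `import binascii` appears to be left unused once the token key moves to `secrets.token_hex(20)`; if nothing else in the migration uses it, drop the import.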


@ -36,19 +36,6 @@ FILE_IRI_PATTERN = (
) )
def generate_password(length=32):
'''
Quick and dirty random password generator.
***WARNING*** - Although this is likely "good enough" to create a secure
password, there are no validations (suitible entropy, dictionary words,
etc.) and should not be completely trusted. YOU HAVE BEEN WARNED.
'''
chars = string.ascii_letters + string.digits + string.punctuation
rng = random.SystemRandom()
return ''.join([rng.choice(chars) for i in range(length)])
def get_len(rawqueryset): def get_len(rawqueryset):
''' '''
Adds/Overrides a dynamic implementation of the length protocol to the Adds/Overrides a dynamic implementation of the length protocol to the