Safer password/token generation for the DJ.
parent
11d6b102af
commit
098c772da9
2 changed files with 9 additions and 20 deletions
|
@ -2,20 +2,22 @@
|
|||
|
||||
import binascii
|
||||
import os
|
||||
import secrets
|
||||
import string
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib.auth.hashers import make_password
|
||||
from django.utils.crypto import get_random_string
|
||||
from django.db import migrations, models
|
||||
|
||||
from core.utils import generate_password
|
||||
|
||||
|
||||
def create_dj_user(apps, schema_editor):
|
||||
User = apps.get_model('core', 'RadioUser')
|
||||
Token = apps.get_model('authtoken', 'Token')
|
||||
db_alias = schema_editor.connection.alias
|
||||
|
||||
new_password = generate_password()
|
||||
chars = string.ascii_letters + string.digits + string.punctuation
|
||||
new_password = get_random_string(length=32, allowed_chars=chars)
|
||||
dj = User(email=settings.RADIO_DJ_EMAIL,
|
||||
name=settings.RADIO_DJ_NAME,
|
||||
password=make_password(new_password),
|
||||
|
@ -24,10 +26,10 @@ def create_dj_user(apps, schema_editor):
|
|||
is_dj=True)
|
||||
dj.save(using=db_alias)
|
||||
|
||||
# Since 'post_save' is impervious to migration scripts, this is pulled
|
||||
# directly from the authtoken code for key generation. Otherwise, key will
|
||||
# be blank.
|
||||
token = Token(key=binascii.hexlify(os.urandom(20)).decode(), user=dj)
|
||||
# Since 'post_save' is impervious to migration scripts, this will be
|
||||
# created here instead. Otherwise, key will be blank and we don't want
|
||||
# that for the DJ account.
|
||||
token = Token(key=secrets.token_hex(20), user=dj)
|
||||
token.save(using=db_alias)
|
||||
|
||||
with open(os.path.join(settings.PROJECT_DIR, '.djinfo'), 'w') as f:
|
||||
|
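Review bot: The `open(os.path.join(settings.PROJECT_DIR, '.djinfo'), 'w')` line that closes the second hunk creates the file with whatever mode the process umask allows. The `with` body is outside the hunk, but if it writes `new_password` or the token key, as it appears to, the stronger generation above still ends in a plaintext credential file that other local users may be able to read. Creating the file owner-only would close that gap: `fd = os.open(os.path.join(settings.PROJECT_DIR, '.djinfo'), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. The mode argument only applies when the file is created, so a pre-existing `.djinfo` would also need an `os.chmod`. The file should also be kept out of version control and out of any directory the web server serves.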
|
|
@ -36,19 +36,6 @@ FILE_IRI_PATTERN = (
|
|||
)
|
||||
|
||||
|
||||
def generate_password(length=32):
|
||||
'''
|
||||
Quick and dirty random password generator.
|
||||
|
||||
***WARNING*** - Although this is likely "good enough" to create a secure
|
||||
password, there are no validations (suitible entropy, dictionary words,
|
||||
etc.) and should not be completely trusted. YOU HAVE BEEN WARNED.
|
||||
'''
|
||||
chars = string.ascii_letters + string.digits + string.punctuation
|
||||
rng = random.SystemRandom()
|
||||
return ''.join([rng.choice(chars) for i in range(length)])
|
||||
|
||||
|
||||
def get_len(rawqueryset):
|
||||
'''
|
||||
Adds/Overrides a dynamic implementation of the length protocol to the
|
||||
|
|