Python django.utils.crypto.salted_hmac() Examples
The following are 30
code examples of django.utils.crypto.salted_hmac().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
django.utils.crypto
, or try the search function
.
Example #1
Source File: tokens.py From GTDWeb with GNU General Public License v2.0 | 6 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) # By hashing on the internal state of the user and using state # that is sure to change (the password salt will change as soon as # the password is set, at least for current Django auth, and # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator" # Ensure results are consistent across DB backends login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None) value = (six.text_type(user.pk) + user.password + six.text_type(login_timestamp) + six.text_type(timestamp)) hash = salted_hmac(key_salt, value).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
Example #2
Source File: tokens.py From Hands-On-Application-Development-with-PyCharm with MIT License | 6 votes |
def _make_hash_value(self, user, timestamp): """ Hash the user's primary key and some user state that's sure to change after a password reset to produce a token that invalidated when it's used: 1. The password field will change upon a password reset (even if the same password is chosen, due to password salting). 2. The last_login field will usually be updated very shortly after a password reset. Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually invalidates the token. Running this data through salted_hmac() prevents password cracking attempts using the reset token, provided the secret isn't compromised. """ # Truncate microseconds so that tokens are consistent even if the # database doesn't support microseconds. login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None) return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)
Example #3
Source File: models.py From happinesspackets with Apache License 2.0 | 6 votes |
def send_to_recipient(self, use_https, domain): stripped_email = strip_email(self.recipient_email) if BlacklistedEmail.objects.filter(stripped_email=stripped_email).count(): return blacklist_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.recipient_email).hexdigest() blacklist_url = reverse('messaging:blacklist_email', kwargs={'email': self.recipient_email, 'digest': blacklist_digest}) self.recipient_email_token = readable_random_token(alphanumeric=True) self.status = Message.STATUS.sent context = { 'message': self, 'protocol': 'https' if use_https else 'http', 'domain': domain, 'recipient': self.recipient_email, 'blacklist_url': blacklist_url, } subject = render_to_string('messaging/recipient_subject.txt', context) subject = ' '.join(subject.splitlines()) body_txt = render_to_string('messaging/recipient_mail.txt', context) body_html = render_to_string('messaging/recipient_mail.html', context) send_html_mail(subject, body_txt, body_html, self.recipient_email) self.save()
Example #4
Source File: models.py From happinesspackets with Apache License 2.0 | 6 votes |
def send_sender_confirmation(self, use_https, domain): stripped_email = strip_email(self.sender_email) if BlacklistedEmail.objects.filter(stripped_email=stripped_email).count(): return blacklist_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.sender_email).hexdigest() blacklist_url = reverse('messaging:blacklist_email', kwargs={'email': self.sender_email, 'digest': blacklist_digest}) self.sender_email_token = readable_random_token(alphanumeric=True) context = { 'message': self, 'protocol': 'https' if use_https else 'http', 'domain': domain, 'recipient': self.sender_email, 'blacklist_url': blacklist_url, } subject = render_to_string('messaging/sender_confirmation_subject.txt', context) subject = ' '.join(subject.splitlines()) body_txt = render_to_string('messaging/sender_confirmation_mail.txt', context) body_html = render_to_string('messaging/sender_confirmation_mail.html', context) send_html_mail(subject, body_txt, body_html, self.sender_email) self.save()
Example #5
Source File: tokens.py From fomalhaut-panel with MIT License | 6 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) # By hashing on the internal state of the user and using state # that is sure to change (the password salt will change as soon as # the password is set, at least for current Django auth, and # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator" # Ensure results are consistent across DB backends if user.date_updated: login_timestamp = user.date_updated.replace(microsecond=0, tzinfo=None) elif user.last_login: login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None) else: login_timestamp = user.date_joined.replace(microsecond=0, tzinfo=None) value = (six.text_type(user.pk) + user.password + six.text_type(login_timestamp) + six.text_type(timestamp)) hash = salted_hmac(key_salt, value).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
Example #6
Source File: tokens.py From openhgsenti with Apache License 2.0 | 6 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) # By hashing on the internal state of the user and using state # that is sure to change (the password salt will change as soon as # the password is set, at least for current Django auth, and # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short hash = salted_hmac( self.key_salt, self._make_hash_value(user, timestamp), ).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
Example #7
Source File: tokens.py From bioforum with MIT License | 6 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) # By hashing on the internal state of the user and using state # that is sure to change (the password salt will change as soon as # the password is set, at least for current Django auth, and # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short hash = salted_hmac( self.key_salt, self._make_hash_value(user, timestamp), secret=self.secret, ).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
Example #8
Source File: tokens.py From python2017 with MIT License | 6 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) # By hashing on the internal state of the user and using state # that is sure to change (the password salt will change as soon as # the password is set, at least for current Django auth, and # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short hash = salted_hmac( self.key_salt, self._make_hash_value(user, timestamp), ).hexdigest()[::2] return "%s-%s" % (ts_b36, hash)
Example #9
Source File: cookie.py From python2017 with MIT License | 5 votes |
def _hash(self, value): """ Creates an HMAC/SHA1 hash based on the value and the project setting's SECRET_KEY, modified to make it unique for the present purpose. """ key_salt = 'django.contrib.messages' return salted_hmac(key_salt, value).hexdigest()
Example #10
Source File: base_user.py From python2017 with MIT License | 5 votes |
def get_session_auth_hash(self): """ Return an HMAC of the password field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac(key_salt, self.password).hexdigest()
Example #11
Source File: base_user.py From openhgsenti with Apache License 2.0 | 5 votes |
def get_session_auth_hash(self): """ Return an HMAC of the password field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac(key_salt, self.password).hexdigest()
Example #12
Source File: cookie.py From openhgsenti with Apache License 2.0 | 5 votes |
def _hash(self, value): """ Creates an HMAC/SHA1 hash based on the value and the project setting's SECRET_KEY, modified to make it unique for the present purpose. """ key_salt = 'django.contrib.messages' return salted_hmac(key_salt, value).hexdigest()
Example #13
Source File: base.py From wechat-python-sdk with BSD 2-Clause "Simplified" License | 5 votes |
def _hash(self, value): return salted_hmac('wechat_sdk.context.framework.django', value).hexdigest()
Example #14
Source File: crypto.py From polyaxon with Apache License 2.0 | 5 votes |
def get_hmac(key_salt, value): return salted_hmac(key_salt, value).hexdigest()
Example #15
Source File: cookie.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def _hash(self, value): """ Creates an HMAC/SHA1 hash based on the value and the project setting's SECRET_KEY, modified to make it unique for the present purpose. """ key_salt = 'django.contrib.messages' return salted_hmac(key_salt, value).hexdigest()
Example #16
Source File: signing.py From luscan-devel with GNU General Public License v2.0 | 5 votes |
def base64_hmac(salt, value, key): return b64_encode(salted_hmac(salt, value, key).digest())
Example #17
Source File: hash.py From eoj3 with MIT License | 5 votes |
def _make_hash(self, user, timestamp, content_type_id, object_id): content = "%s-%s-%s" % (int_to_base36(timestamp), int_to_base36(content_type_id), int_to_base36(object_id)) Hash = salted_hmac( settings.SECRET_KEY[::2], content + six.text_type(user.pk) + user.password ).hexdigest()[::2] return "%s-%s" % (content, Hash)
Example #18
Source File: tokens.py From Hands-On-Application-Development-with-PyCharm with MIT License | 5 votes |
def _make_token_with_timestamp(self, user, timestamp): # timestamp is number of days since 2001-1-1. Converted to # base 36, this gives us a 3 digit string until about 2121 ts_b36 = int_to_base36(timestamp) hash = salted_hmac( self.key_salt, self._make_hash_value(user, timestamp), secret=self.secret, ).hexdigest()[::2] # Limit to 20 characters to shorten the URL. return "%s-%s" % (ts_b36, hash)
Example #19
Source File: base_user.py From Hands-On-Application-Development-with-PyCharm with MIT License | 5 votes |
def get_session_auth_hash(self): """ Return an HMAC of the password field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac(key_salt, self.password).hexdigest()
Example #20
Source File: cookie.py From Hands-On-Application-Development-with-PyCharm with MIT License | 5 votes |
def _hash(self, value): """ Create an HMAC/SHA1 hash based on the value and the project setting's SECRET_KEY, modified to make it unique for the present purpose. """ key_salt = 'django.contrib.messages' return salted_hmac(key_salt, value).hexdigest()
Example #21
Source File: test_views.py From happinesspackets with Apache License 2.0 | 5 votes |
def setUp(self): self.message = MessageModelFactory() self.correct_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.message.recipient_email).hexdigest() self.url_kwargs = {'email': self.message.recipient_email, 'digest': self.correct_digest} self.url = reverse(self.url_name, kwargs=self.url_kwargs)
Example #22
Source File: views.py From happinesspackets with Apache License 2.0 | 5 votes |
def get_email(self): expected_digest = salted_hmac(BLACKLIST_HMAC_SALT, self.kwargs['email']) if not constant_time_compare(expected_digest.hexdigest(), self.kwargs['digest']): raise Http404 return self.kwargs['email']
Example #23
Source File: tokens.py From mangaki with GNU Affero General Public License v3.0 | 5 votes |
def compute_token(salt, username): return salted_hmac(salt, username).hexdigest()
Example #24
Source File: video_calls.py From zulip with Apache License 2.0 | 5 votes |
def get_zoom_sid(request: HttpRequest) -> str: # This is used to prevent CSRF attacks on the Zoom OAuth # authentication flow. We want this value to be unpredictable and # tied to the session, but we don’t want to expose the main CSRF # token directly to the Zoom server. csrf.get_token(request) # Use 'mark_sanitized' to cause Pysa to ignore the flow of user controlled # data out of this function. 'request.META' is indeed user controlled, but # post-HMAC ouptut is no longer meaningfully controllable. return mark_sanitized( "" if getattr(request, "_dont_enforce_csrf_checks", False) else salted_hmac("Zulip Zoom sid", request.META["CSRF_COOKIE"]).hexdigest() )
Example #25
Source File: utils.py From django-users2 with BSD 3-Clause "New" or "Revised" License | 5 votes |
def _make_token_with_timestamp(self, user, timestamp): ts_b36 = int_to_base36(timestamp) key_salt = 'users.utils.EmailActivationTokenGenerator' login_timestamp = '' if user.last_login is None else \ user.last_login.replace(microsecond=0, tzinfo=None) value = (six.text_type(user.pk) + six.text_type(user.email) + six.text_type(login_timestamp) + six.text_type(timestamp)) hash = salted_hmac(key_salt, value).hexdigest()[::2] return '%s-%s' % (ts_b36, hash)
Example #26
Source File: base_user.py From bioforum with MIT License | 5 votes |
def get_session_auth_hash(self): """ Return an HMAC of the password field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac(key_salt, self.password).hexdigest()
Example #27
Source File: cookie.py From bioforum with MIT License | 5 votes |
def _hash(self, value): """ Create an HMAC/SHA1 hash based on the value and the project setting's SECRET_KEY, modified to make it unique for the present purpose. """ key_salt = 'django.contrib.messages' return salted_hmac(key_salt, value).hexdigest()
Example #28
Source File: base.py From django-sitemessage with BSD 3-Clause "New" or "Revised" License | 5 votes |
def get_dispatch_hash(cls, dispatch_id: int, message_id: int) -> str: """Returns a hash string for validation purposes. :param dispatch_id: :param message_id: """ return salted_hmac('%s' % dispatch_id, '%s|%s' % (message_id, dispatch_id)).hexdigest()
Example #29
Source File: signing.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def base64_hmac(salt, value, key): return b64_encode(salted_hmac(salt, value, key).digest())
Example #30
Source File: models.py From GTDWeb with GNU General Public License v2.0 | 5 votes |
def get_session_auth_hash(self): """ Returns an HMAC of the password field. """ key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" return salted_hmac(key_salt, self.password).hexdigest() # A few helper functions for common logic between User and AnonymousUser.