Fixed guessing of accesstoken, using python.secrets library. Fixes #399

geruecht/controller/accesTokenController.py

@@ -4,7 +4,7 @@ import geruecht.controller.mainController as mc
 import geruecht.controller.databaseController as dc
 from geruecht.model import BAR
 from datetime import datetime, timedelta
-import hashlib
+import secrets
 from . import Singleton
 from geruecht.logger import getDebugLogger
 
@@ -95,7 +95,7 @@ class AccesTokenController(metaclass=Singleton):
         """
         debug.info("creat accesstoken")
         now = datetime.ctime(datetime.now())
-        token = hashlib.md5((now + user.dn).encode('utf-8')).hexdigest()
+        token = secrets.token_hex(16)
         self.checkBar(user)
         accToken = db.createAccessToken(user, token, self.lifetime, datetime.now(), lock_bar=False, user_agent=user_agent)
         debug.debug("accesstoken is {{ {} }}".format(accToken))

geruecht/model/accessToken.py

@@ -1,4 +1,5 @@
 from datetime import datetime
+from secrets import compare_digest
 from geruecht.logger import getDebugLogger
 
 debug = getDebugLogger()
@@ -67,7 +68,7 @@ class AccessToken():
         return dic
 
     def __eq__(self, token):
-        return True if self.token == token else False
+        return compare_digest(self.token, token)
 
     def __sub__(self, other):
         return other - self.timestamp