From 07a0d266a67d29d520bbcc9253c302e721d13ed4 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Tue, 25 Aug 2020 21:17:36 +0200
Subject: [PATCH 1/2] Fixed guessing of accesstoken, using python.secrets library. Fixes #399
---
 geruecht/controller/accesTokenController.py | 4 ++--
 geruecht/model/accessToken.py | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/geruecht/controller/accesTokenController.py b/geruecht/controller/accesTokenController.py
index bec7703..0988c50 100644
--- a/geruecht/controller/accesTokenController.py
+++ b/geruecht/controller/accesTokenController.py
@@ -4,7 +4,7 @@
 import geruecht.controller.mainController as mc
 import geruecht.controller.databaseController as dc
 from geruecht.model import BAR
 from datetime import datetime, timedelta
-import hashlib
+import secrets
 from . import Singleton
 from geruecht.logger import getDebugLogger
@@ -95,7 +95,7 @@ class AccesTokenController(metaclass=Singleton):
 """
 debug.info("creat accesstoken")
 now = datetime.ctime(datetime.now())
- token = hashlib.md5((now + user.dn).encode('utf-8')).hexdigest()
+ token = secrets.token_hex(16)
 self.checkBar(user)
 accToken = db.createAccessToken(user, token, self.lifetime, datetime.now(), lock_bar=False, user_agent=user_agent)
 debug.debug("accesstoken is {{ {} }}".format(accToken))
diff --git a/geruecht/model/accessToken.py b/geruecht/model/accessToken.py
index 6e777f7..f5c50aa 100644
--- a/geruecht/model/accessToken.py
+++ b/geruecht/model/accessToken.py
@@ -1,4 +1,5 @@
 from datetime import datetime
+from secrets import compare_digest
 from geruecht.logger import getDebugLogger
 debug = getDebugLogger()
@@ -67,7 +68,7 @@ class AccessToken():
 return dic
 def __eq__(self, token):
- return True if self.token == token else False
+ return compare_digest(self.token, token)
 def __sub__(self, other):
 return other - self.timestamp
From 5cd752a096398661b4d9928c6993ce98f31c377a Mon Sep 17 00:00:00 2001
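Review bot: In the AccesTokenController hunk the line `now = datetime.ctime(datetime.now())` just above the replaced assignment is now dead, because `secrets.token_hex(16)` no longer mixes the timestamp in; drop it so the unused-variable warning does not stick. `token_hex(16)` draws 128 bits from the OS CSPRNG, which is the right primitive here, so the remaining concern is the context line two below the change: `debug.debug("accesstoken is {{ {} }}".format(accToken))` presumably renders the freshly minted credential into the debug log, where it outlives the token's own lifetime. Logging the subject instead, e.g. `debug.debug("created accesstoken for {{ {} }}".format(user.dn))`, keeps the trace without persisting the secret. The enclosing method starts before the hunk.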
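Review bot: In the AccessToken hunk, `compare_digest(self.token, token)` raises `TypeError` in cases where the old `==` returned `False`: comparing against `None`, an `int`, a non-ASCII `str`, or another `AccessToken` instance (the old code resolved `AccessToken == AccessToken` through the reflected `str` comparison), so an `in` test against a list of tokens can now blow up. Keeping the constant-time path for the real case and the old semantics otherwise needs two guard lines before the return: `if isinstance(token, AccessToken): token = token.token` then `if not isinstance(token, str): return NotImplemented` then `return compare_digest(self.token, token)`. A one-line comment on the method, such as `# constant-time compare on purpose; do not replace with ==`, would stop a later cleanup from reverting it. Defining `__eq__` without `__hash__` already makes instances unhashable, which this change does not alter but is worth knowing before anyone puts tokens in a set.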
From: Ferdinand Thiessen
Date: Tue, 25 Aug 2020 22:33:30 +0200
Subject: [PATCH 2/2] Sidewards compatibility with pluginify. Some cleanup
---
 geruecht/model/user.py | 2 +-
 geruecht/routes.py | 15 +++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/geruecht/model/user.py b/geruecht/model/user.py
index 543859c..6003432 100644
--- a/geruecht/model/user.py
+++ b/geruecht/model/user.py
@@ -227,7 +227,7 @@ class User():
 "dn": self.dn,
 "firstname": self.firstname,
 "lastname": self.lastname,
- "group": self.group,
+ "groups": self.group,
 "username": self.uid,
 "locked": self.locked,
 "autoLock": self.autoLock,
diff --git a/geruecht/routes.py b/geruecht/routes.py
index 810b141..1eb8232 100644
--- a/geruecht/routes.py
+++ b/geruecht/routes.py
@@ -216,16 +216,16 @@ def _getUsers(**kwargs):
 return jsonify({"error": str(err)}), 500
-@app.route("/getLifeTime", methods=['GET'])
+@app.route("/getLifetime", methods=['GET'])
 @login_required(groups=[MONEY, GASTRO, VORSTAND, EXTERN, USER], bar=True)
-def _getLifeTime(**kwargs):
+def _getLifetime(**kwargs):
 try:
 debug.info("get lifetime of accesstoken")
 if 'accToken' in kwargs:
 accToken = kwargs['accToken']
 debug.debug("accessToken is {{ {} }}".format(accToken))
 retVal = {"value": accToken.lifetime,
- "group": accToken.user.toJSON()['group'],
+ "groups": accToken.user.toJSON()['groups'],
 "lock_bar": accToken.lock_bar}
 debug.info(
 "return get lifetime from accesstoken {{ {} }}".format(retVal))
@@ -235,11 +235,11 @@ def _getLifeTime(**kwargs):
 return jsonify({"error": str(err)}), 500
-@app.route("/saveLifeTime", methods=['POST'])
+@app.route("/setLifetime", methods=['POST'])
 @login_required(groups=[MONEY, GASTRO, VORSTAND, EXTERN, USER], bar=True)
-def _saveLifeTime(**kwargs):
+def _setLifetime(**kwargs):
 try:
- debug.info("save lifetime for accessToken")
+ debug.info("set lifetime for accessToken")
 if 'accToken' in kwargs:
 accToken = kwargs['accToken']
 debug.debug("accessToken is {{ {} }}".format(accToken))
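Review bot: The old paths `/getLifeTime` and (in the next hunk) `/saveLifeTime` vanish with this rename, so any client still calling them gets a 404 with no transition period; Flask allows a second decorator on the same view, so stacking `@app.route("/getLifeTime", methods=['GET'])` above the new route keeps both paths resolving until clients are migrated, and the same applies to `/setLifetime`. The response key change from `"group"` to `"groups"` (here, in the second `/setLifetime` hunk and in `User.toJSON`) is a wire-format change that the commit message should spell out, and because the view reads it back as `accToken.user.toJSON()['groups']` a model and routes module on different versions would fail with `KeyError` rather than degrade. Reading `accToken.user.group` directly would avoid serialising the whole user to pull one field. Both view bodies continue outside their hunks.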
@@ -253,7 +253,7 @@ def _saveLifeTime(**kwargs):
 accToken = accesTokenController.updateAccessToken(accToken)
 accToken = accesTokenController.validateAccessToken(accToken.token, [USER, EXTERN])
 retVal = {"value": accToken.lifetime,
- "group": accToken.user.toJSON()['group']}
+ "groups": accToken.user.toJSON()['groups']}
 debug.info(
 "return save lifetime for accessToken {{ {} }}".format(retVal))
 return jsonify(retVal)
@@ -320,7 +320,6 @@ def _login():
 debug.info("validate accesstoken")
 dic = accesTokenController.validateAccessToken(
 token, [USER, EXTERN]).user.toJSON()
- dic["token"] = token
 dic["accessToken"] = token
 debug.info("User {{ {} }} success login.".format(username))
 debug.info("return login {{ {} }}".format(dic))
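Review bot: In the `_login` hunk the duplicate `dic["token"]` is gone, but `dic["accessToken"] = token` two lines below still places the bearer token in `dic`, and the last context line `debug.info("return login {{ {} }}".format(dic))` then prints that whole dict at info level, so every successful login writes a live credential into the application log. The line before it already records the username; the dump can be reduced to `debug.info("return login for user {{ {} }}".format(username))` so the log keeps the event without the secret. Clients that still read the removed `token` field will break silently, which is worth a sentence in the commit message. `_login` starts before the hunk.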