Move HMAC tokens into users.cr

This commit is contained in:
Omar Roth 2018-11-11 09:44:16 -06:00
parent dcddb6fb83
commit 1465cefa17
2 changed files with 52 additions and 52 deletions

View File

@ -389,55 +389,3 @@ def extract_items(nodeset, ucid = nil)
return items return items
end end
def create_response(user_id, operation, key, expire = 6.hours)
expire = Time.now + expire
nonce = Random::Secure.hex(4)
challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
token = OpenSSL::HMAC.digest(:sha256, key, challenge)
challenge = Base64.urlsafe_encode(challenge)
token = Base64.urlsafe_encode(token)
return challenge, token
end
def validate_response(challenge, token, user_id, operation, key)
if !challenge
raise "Hidden field \"challenge\" is a required field"
end
if !token
raise "Hidden field \"token\" is a required field"
end
challenge = Base64.decode_string(challenge)
if challenge.split("-").size == 4
expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
expire = expire.to_i?
expire ||= 0
else
raise "Invalid challenge"
end
challenge = OpenSSL::HMAC.digest(:sha256, HMAC_KEY, challenge)
challenge = Base64.urlsafe_encode(challenge)
if challenge != token
raise "Invalid token"
end
if challenge_operation != operation
raise "Invalid token"
end
if challenge_user_id != user_id
raise "Invalid token"
end
if expire < Time.now.to_unix
raise "Token is expired, please try again"
end
end

View File

@ -195,3 +195,55 @@ def create_user(sid, email, password)
return user return user
end end
def create_response(user_id, operation, key, expire = 6.hours)
expire = Time.now + expire
nonce = Random::Secure.hex(4)
challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
token = OpenSSL::HMAC.digest(:sha256, key, challenge)
challenge = Base64.urlsafe_encode(challenge)
token = Base64.urlsafe_encode(token)
return challenge, token
end
def validate_response(challenge, token, user_id, operation, key)
if !challenge
raise "Hidden field \"challenge\" is a required field"
end
if !token
raise "Hidden field \"token\" is a required field"
end
challenge = Base64.decode_string(challenge)
if challenge.split("-").size == 4
expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
expire = expire.to_i?
expire ||= 0
else
raise "Invalid challenge"
end
challenge = OpenSSL::HMAC.digest(:sha256, HMAC_KEY, challenge)
challenge = Base64.urlsafe_encode(challenge)
if challenge != token
raise "Invalid token"
end
if challenge_operation != operation
raise "Invalid token"
end
if challenge_user_id != user_id
raise "Invalid token"
end
if expire < Time.now.to_unix
raise "Token is expired, please try again"
end
end