Pylint cleanups to dddp.accounts.ddp module.

This commit is contained in:
Tyson Clugg 2016-01-28 15:04:21 +11:00
parent 4ce7f8ce33
commit ef52a938b1


@ -29,8 +29,8 @@ from dddp.models import get_meteor_id, get_object, Subscription
from dddp.api import API, APIMixin, api_endpoint, Collection, Publication
# pylint dones't like lower case attribute names on modules, but it's the normal
# thing to do for Django signal names. --> pylint: disable=C0103
# pylint doesn't like lower case attribute names on modules, but it's the
# normal thing to do for Django signal names. --> pylint: disable=C0103
create_user = Signal(providing_args=['request', 'params'])
password_changed = Signal(providing_args=['request', 'user'])
forgot_password = Signal(providing_args=['request', 'user', 'token', 'expiry'])
@ -49,7 +49,7 @@ HASH_MINUTES_VALID = {
HashPurpose.PASSWORD_RESET: int(
getattr(
# keep possible attack window short to reduce chance of account
# takeover through later discovery of password reset email message.
# takeover through later discovery of password reset email message.
settings, 'DDP_PASSWORD_RESET_MINUTES_VALID', '1440', # 24 hours
)
),
@ -67,8 +67,8 @@ def iter_auth_hashes(user, purpose, minutes_valid):
"""
Generate auth tokens tied to user and specified purpose.
The hash expires at midnight on the minute of now + minutes_valid, such that
when minutes_valid=1 you get *at least* 1 minute to use the token.
The hash expires at midnight on the minute of now + minutes_valid, such
that when minutes_valid=1 you get *at least* 1 minute to use the token.
"""
now = timezone.now().replace(microsecond=0, second=0)
for minute in range(minutes_valid + 1):
@ -278,7 +278,9 @@ class Auth(APIMixin):
for col_post, query in post.items():
try:
qs_pre = pre[col_post]
query = query.exclude(pk__in=qs_pre.order_by().values('pk'))
query = query.exclude(
pk__in=qs_pre.order_by().values('pk'),
)
except KeyError:
# collection not included pre-auth, everything is added.
pass
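Review bot: The `try` body that this hunk reflows still wraps both the `pre[col_post]` lookup and the `query.exclude(...)` call, so a `KeyError` raised while building the exclusion queryset would be mistaken for "collection not included pre-auth" and silently skipped, leaving `query` unfiltered. Since the statement is being rewrapped anyway, keep only the lookup inside the `try` and move the filtering into an `else:` clause: `try: qs_pre = pre[col_post]` / `except KeyError: pass  # collection not included pre-auth, everything is added.` / `else: query = query.exclude(pk__in=qs_pre.order_by().values('pk'))`. The enclosing method of `Auth` starts before and ends after this hunk, so the surrounding loop body is not visible here.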
@ -377,9 +379,9 @@ class Auth(APIMixin):
return password
else:
# Meteor is trying to be smart by doing client side hashing of the
# password so that passwords are "...not sent in plain text over the
# wire". This behaviour doesn't make HTTP any more secure - it just
# gives a false sense of security as replay attacks and
# password so that passwords are "...not sent in plain text over
# the wire". This behaviour doesn't make HTTP any more secure -
# it just gives a false sense of security as replay attacks and
# code-injection are both still viable attack vectors for the
# malicious MITM. Also as no salt is used with hashing, the
# passwords are vulnerable to rainbow-table lookups anyway.
@ -389,9 +391,9 @@ class Auth(APIMixin):
# security concepts put together by people with no security
# background.
#
# We protest loudly to anyone who cares to listen in the server logs
# until upstream developers see the light and drop the password
# hashing mis-feature.
# We protest loudly to anyone who cares to listen in the server
# logs until upstream developers see the light and drop the
# password hashing mis-feature.
raise MeteorError(
426,
"Outmoded password hashing: "
@ -478,7 +480,7 @@ class Auth(APIMixin):
minutes_valid=HASH_MINUTES_VALID[HashPurpose.RESUME_LOGIN],
)
# Call to `authenticate` was unable to verify the username and password.
# Call to `authenticate` couldn't verify the username and password.
# It will have sent the `user_login_failed` signal, no need to pass the
# `username` argument to auth_failed().
self.auth_failed()