Login: add an action indicator to know the user signed a login request.

2020-06-17 14:08:08 +03:00 · 2020-06-17 14:08:08 +03:00 · 54268ac027
commit 54268ac027
parent d1017aac76
2 changed files with 6 additions and 1 deletions
--- a/django_etebase/serializers.py
+++ b/django_etebase/serializers.py
@ -416,6 +416,7 @@ class AuthenticationLoginSerializer(serializers.Serializer):
 class AuthenticationLoginInnerSerializer(AuthenticationLoginChallengeSerializer):
    challenge = BinaryBase64Field()
    host = serializers.CharField()
+    action = serializers.CharField()

    def create(self, validated_data):
        raise NotImplementedError()
--- a/django_etebase/views.py
+++ b/django_etebase/views.py
@ -607,6 +607,7 @@ class AuthenticationViewSet(viewsets.ViewSet):
                user = self.get_login_user(username)
                host = serializer.validated_data['host']
                challenge = serializer.validated_data['challenge']
+                action = serializer.validated_data['action']

                salt = bytes(user.userinfo.salt)
                enc_key = self.get_encryption_key(salt)
@ -614,7 +615,10 @@ class AuthenticationViewSet(viewsets.ViewSet):

                challenge_data = json.loads(box.decrypt(challenge).decode())
                now = int(datetime.now().timestamp())
-                if now - challenge_data['timestamp'] > app_settings.CHALLENGE_VALID_SECONDS:
+                if action != "login":
+                    content = {'code': 'wrong_action', 'detail': 'Expected "login" but got something else'}
+                    return Response(content, status=status.HTTP_400_BAD_REQUEST)
+                elif now - challenge_data['timestamp'] > app_settings.CHALLENGE_VALID_SECONDS:
                    content = {'code': 'challenge_expired', 'detail': 'Login challange has expired'}
                    return Response(content, status=status.HTTP_400_BAD_REQUEST)
                elif challenge_data['userId'] != user.id: