SECRETLIFE = 30*60,
## Maximum age of an authentication key, in seconds.
- SECRETFRESH = 5*60)
+ SECRETFRESH = 5*60,
+
+ ## Hash function to use for crypto.
+ AUTHHASH = H.sha256)
def cleansecrets():
"""Remove dead secrets from the database."""
def auth_tag(sec, stamp, nonce, user):
"""Compute a tag using secret SEC on `STAMP.NONCE.USER'."""
- hmac = HM.HMAC(sec, digestmod = H.sha256)
+ hmac = HM.HMAC(sec, digestmod = CFG.AUTHHASH)
hmac.update('%d.%s.%s' % (stamp, nonce, user))
return hack_octets(hmac.digest())
'EXPIRED': 'session timed out',
'BADTAG': 'incorrect tag',
'NOUSER': 'unknown user name',
+ 'LOGOUT': 'explicitly logged out',
None: None
}
global NONCE
+ ## If the token has been explicitly clobbered, then we're logged out.
+ if token == 'logged-out': raise AuthenticationFailed, 'LOGOUT'
+
## Parse the token.
bits = token.split('.', 3)
if len(bits) != 4: raise AuthenticationFailed, 'BADTOKEN'