attempt logging in with fernet tokens as well

CSCfi · Nov 24, 2021 · bb09e7b · bb09e7b
1 parent 854a6a6
commit bb09e7b
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/swift_browser_ui/ui/login.py b/swift_browser_ui/ui/login.py
@@ -5,6 +5,8 @@
 import hashlib
 import json
 import re
+import base64
+import binascii
 
 # aiohttp
 import aiohttp.web
@@ -94,7 +96,16 @@ def test_token(
     if unscoped is None:
         raise aiohttp.web.HTTPBadRequest(reason="Token missing from query")
     if not (re.match("[a-f0-9]{32}", unscoped) and len(unscoped) == 32):
-        raise aiohttp.web.HTTPBadRequest(reason="Token is malformed")
+        try:
+            # Check the magic byte matches a fernet token
+            if (
+                not base64.urlsafe_b64decode(unscoped.encode("utf-8"))[:1]
+                == b"\x80"
+            ):
+                raise aiohttp.web.HTTPBadRequest(reason="Token is malformed")
+        # Handle failures in base64decode
+        except (binascii.Error, UnicodeDecodeError):
+            raise aiohttp.web.HTTPBadRequest(reason="Token is malformed")
 
     log.info("Got OS token in login return")