Fix session key security issues

Since the password was set to None, the session hash was always identical and predictable for an attacker. A new random salt is added to replace the password which served this funciton before. Should the new session salt is set be default to a rendom value. Should the salt be set to None for some reason, the `get_session_auth_hash` method will raise a `ValueError`. The password field is now removed from the user model. It will raise a `FieldDoesNotExist` error, should the attribute be access further preventing similar security issues.

Author: codingjoe

mailauth/contrib/user/migrations/0002_emailuser_session_salt.py

@@ -0,0 +1,19 @@
+# Generated by Django 2.2.1 on 2019-05-27 10:39
+
+from django.db import migrations, models
+import django.utils.crypto
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('mailauth_user', '0001_initial'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='emailuser',
+ name='session_salt',
+ field=models.CharField(default=django.utils.crypto.get_random_string, editable=False, max_length=12),
+ ),
+ ]

mailauth/contrib/user/models.py

@@ -1,6 +1,7 @@
 from django.contrib.auth.base_user import BaseUserManager
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from django.utils.crypto import salted_hmac, get_random_string
 from django.utils.translation import ugettext_lazy as _
 
 
@@ -39,6 +40,7 @@ class AbstractEmailUser(AbstractUser):
  email = models.EmailField(_('email address'), unique=True, db_index=True)
  username = None
  password = None
+ session_salt = models.CharField(max_length=12, editable=False, default=get_random_string, unique=True)
 
  def has_usable_password(self):
  return False
@@ -48,6 +50,18 @@ def has_usable_password(self):
  class Meta(AbstractUser.Meta):
  abstract = True
 
+ def get_session_auth_hash(self):
+ """
+ Return an HMAC of the password field.
+ """
+ key_salt = "mailauth.contrib.user.models.EmailUserManager.get_session_auth_hash"
+ if not self.session_salt:
+ raise ValueError("'session_salt' must be set")
+ return salted_hmac(key_salt, self.session_salt).hexdigest()
+
+
+delattr(AbstractEmailUser, 'password')
+
 
 class EmailUser(AbstractEmailUser):
  class Meta(AbstractEmailUser.Meta):

tests/contrib/auth/test_models.py

@@ -1,4 +1,5 @@
 import pytest
+from django.core.exceptions import FieldDoesNotExist
 
 from mailauth.contrib.user.models import EmailUser
 
@@ -7,6 +8,31 @@ class TestAbstractEmailUser:
  def test_has_usable_password(self):
  assert not EmailUser().has_usable_password()
 
+ def test_get_session_auth_hash__default(self, db):
+ user = EmailUser(email='spiderman@avengers.com')
+
+ assert user.session_salt
+ assert user.get_session_auth_hash()
+
+ def test_get_session_auth_hash__value_error(self, db):
+ user = EmailUser(email='spiderman@avengers.com', session_salt=None)
+
+ with pytest.raises(ValueError) as e:
+ user.get_session_auth_hash()
+
+ assert "'session_salt' must be set" in str(e)
+
+ def test_get_session_auth_hash__unique(self, db):
+ spiderman = EmailUser(email='spiderman@avengers.com')
+ ironman = EmailUser(email='ironman@avengers.com')
+
+ assert spiderman.get_session_auth_hash() != ironman.get_session_auth_hash()
+
+ def test_password_field(self):
+ user = EmailUser(email='spiderman@avengers.com')
+ with pytest.raises(FieldDoesNotExist):
+ user.password
+
 
 class TestEmailUserManager: