Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hash_remember_device_cookie_key method does raw translations from bytes to string #600

Open
sevdog opened this issue Feb 22, 2023 · 0 comments
Open

hash_remember_device_cookie_key method does raw translations from bytes to string #600

sevdog opened this issue Feb 22, 2023 · 0 comments

Comments

@sevdog
Copy link
Contributor

sevdog commented Feb 22, 2023
edited

The method hash_remember_device_cookie_key performs a raw casting from bytes to string:

django-two-factor-auth/two_factor/views/utils.py

Lines 293 to 294 in 52b78a7

def hash_remember_device_cookie_key(otp_device_id):
return str(base64.b64encode(force_bytes(otp_device_id)))

Thus the outputh of the method is something like b'....' which is probabilly not what it was supposed to produce.

To address this issue the casting may be changed by using force_str from django.utils.encoding.

This will have as a drawback that old cookies will not be validated, but it can be addressed in the validate_remember_device_cookie method by checking if the value starts with b' and ends with '.
sevdog added a commit to sevdog/django-two-factor-auth that referenced this issue Feb 23, 2023
@sevdog
Use right encoding method for device_id and add legacy compatibility …
1e32ab4 
…check (fixes jazzband#600)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sevdog