Authentication: Support for fallback secret keys in get_session_auth_hash (#4481)

* Authentication: Support for fallback secret keys in get_session_auth_hash * Update src/pretix/presale/utils.py Co-authored-by: Richard Schreiber <schreiber@rami.io> --------- Co-authored-by: Richard Schreiber <schreiber@rami.io>
2024-10-07 16:58:37 +02:00
parent cdc5401dc2
commit 6cc9529d9a
4 changed files with 52 additions and 5 deletions
--- a/src/pretix/base/models/auth.py
+++ b/src/pretix/base/models/auth.py
@@ -571,13 +571,23 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):

    def get_session_auth_hash(self):
        """
-        Return an HMAC that needs to
+        Return an HMAC that needs to be the same throughout the session, used e.g. for forced
+        logout after every password change.
+        """
+        return self._get_session_auth_hash(secret=settings.SECRET_KEY)
+
+    def get_session_auth_fallback_hash(self):
+        for fallback_secret in settings.SECRET_KEY_FALLBACKS:
+            yield self._get_session_auth_hash(secret=fallback_secret)
+
+    def _get_session_auth_hash(self, secret):
+        """
        """
        key_salt = "pretix.base.models.User.get_session_auth_hash"
        payload = self.password
        payload += self.email
        payload += self.session_token
-        return salted_hmac(key_salt, payload).hexdigest()
+        return salted_hmac(key_salt, payload, secret=secret).hexdigest()

    def update_session_token(self):
        self.session_token = generate_session_token()