Authentication: Support for fallback secret keys in get_session_auth_hash (#4481)

* Authentication: Support for fallback secret keys in get_session_auth_hash * Update src/pretix/presale/utils.py Co-authored-by: Richard Schreiber <schreiber@rami.io> --------- Co-authored-by: Richard Schreiber <schreiber@rami.io>
2024-10-07 16:58:37 +02:00
parent cdc5401dc2
commit 6cc9529d9a
4 changed files with 52 additions and 5 deletions
--- a/src/pretix/presale/utils.py
+++ b/src/pretix/presale/utils.py
@@ -100,10 +100,23 @@ def get_customer(request):
                request._cached_customer = None
            else:
                session_hash = session.get(hash_session_key)
+                session_auth_hash = customer.get_session_auth_hash()
                session_hash_verified = session_hash and constant_time_compare(
                    session_hash,
-                    customer.get_session_auth_hash()
+                    session_auth_hash,
                )
+                if not session_hash_verified:
+                    # If the current secret does not verify the session, try
+                    # with the fallback secrets and stop when a matching one is
+                    # found.
+                    if session_hash and any(
+                        constant_time_compare(session_hash, fallback_auth_hash)
+                        for fallback_auth_hash in customer.get_session_auth_fallback_hash()
+                    ):
+                        request.session.cycle_key()
+                        request.session[hash_session_key] = session_auth_hash
+                        session_hash_verified = True
+
                if session_hash_verified:
                    request._cached_customer = customer
                else: