From 72dbc49c6f153c058f3ef73d7c1fe8678fe14873 Mon Sep 17 00:00:00 2001
From: Christiaan Goossens <9487666+christiaangoossens@users.noreply.github.com>
Date: Tue, 31 Dec 2024 16:54:39 +0100
Subject: [PATCH] Slowed down code checking to prevent brute forcing (#12)

---
 custom_components/auth_oidc/manifest.json | 5 +++--
 custom_components/auth_oidc/provider.py   | 9 +++++++++
 pyproject.toml                            | 3 ++-
 requirements-dev.lock                     | 1 +
 requirements.lock                         | 2 ++
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/custom_components/auth_oidc/manifest.json b/custom_components/auth_oidc/manifest.json
index 6b837b9..beb3ef3 100644
--- a/custom_components/auth_oidc/manifest.json
+++ b/custom_components/auth_oidc/manifest.json
@@ -16,7 +16,8 @@
     "requirements": [
         "python-jose>=3.3.0",
         "aiofiles>=24.1.0",
-        "jinja2>=3.1.4"
+        "jinja2>=3.1.4",
+        "bcrypt>=4.2.0"
     ],
-    "version": "0.4.0"
+    "version": "0.4.1"
 }
\ No newline at end of file
diff --git a/custom_components/auth_oidc/provider.py b/custom_components/auth_oidc/provider.py
index 2167703..f9ebb91 100644
--- a/custom_components/auth_oidc/provider.py
+++ b/custom_components/auth_oidc/provider.py
@@ -6,6 +6,7 @@
 import logging
 from typing import Dict, Optional
 import asyncio
+import bcrypt
 from homeassistant.auth import EVENT_USER_ADDED
 from homeassistant.auth.providers import (
     AUTH_PROVIDERS,
@@ -274,6 +275,14 @@ class OpenIdLoginFlow(LoginFlow):
     """Handler for the login flow."""
 
     async def _finalize_user(self, code: str) -> AuthFlowResult:
+        # Verify a dummy hash to make it last a bit longer
+        # as security measure (limits the amount of attempts you have in 5 min)
+        # Similar to what the HomeAssistant auth provider does
+        dummy = b"$2b$12$CiuFGszHx9eNHxPuQcwBWez4CwDTOcLTX5CbOpV6gef2nYuXkY7BO"
+        bcrypt.checkpw(b"foo", dummy)
+
+        # Actually look up the auth provider after,
+        # this doesn't take a lot of time (regardless of it's in there or not)
         sub = await self._auth_provider.async_get_subject(code)
         if sub:
             return await self.async_finish(
diff --git a/pyproject.toml b/pyproject.toml
index 2265434..aee10bf 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "hass-oidc-auth"
-version = "0.4.0"
+version = "0.4.1"
 description = "OIDC component for Home Assistant"
 authors = [
     { name = "Christiaan Goossens", email = "contact@christiaangoossens.nl" }
@@ -10,6 +10,7 @@ dependencies = [
     "python-jose>=3.3.0",
     "aiofiles>=24.1.0",
     "jinja2>=3.1.4",
+    "bcrypt>=4.2.0",
 ]
 readme = "README.md"
 requires-python = ">= 3.13"
diff --git a/requirements-dev.lock b/requirements-dev.lock
index ae216ae..a0d4d65 100644
--- a/requirements-dev.lock
+++ b/requirements-dev.lock
@@ -62,6 +62,7 @@ audioop-lts==0.2.1
 awesomeversion==24.6.0
     # via homeassistant
 bcrypt==4.2.0
+    # via hass-oidc-auth
     # via homeassistant
 bleak==0.22.3
     # via bleak-retry-connector
diff --git a/requirements.lock b/requirements.lock
index f2739f9..cb7bfc0 100644
--- a/requirements.lock
+++ b/requirements.lock
@@ -12,6 +12,8 @@
 -e file:.
 aiofiles==24.1.0
     # via hass-oidc-auth
+bcrypt==4.2.1
+    # via hass-oidc-auth
 ecdsa==0.19.0
     # via python-jose
 jinja2==3.1.5
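Review bot: `bcrypt.checkpw(b"foo", dummy)` is a synchronous, CPU-bound call (cost factor 12) made directly inside the coroutine, so it stalls the Home Assistant event loop for the whole hash duration on every `_finalize_user` call instead of only delaying the caller; the core Home Assistant provider that the comment cites, as far as I recall, runs its bcrypt check through an executor job. Since `asyncio` is already imported in this file (visible in the first hunk), the call should be `await asyncio.get_running_loop().run_in_executor(None, bcrypt.checkpw, b"foo", dummy)`. I would also hoist `dummy` to a module-level constant such as `_DUMMY_HASH` with a comment noting that the `$2b$12$` cost prefix is what sets the delay, and the comment's "limits the amount of attempts you have in 5 min" appears to depend on the login flow's own attempt limiting, which this hunk does not show, so the comment should name that limit explicitly. `_finalize_user` continues past the end of the hunk.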