Slowed down code checking to prevent brute forcing (#12)

2024-12-31 16:54:39 +01:00
parent db4c6bcade
commit 72dbc49c6f
5 changed files with 17 additions and 3 deletions
--- a/custom_components/auth_oidc/manifest.json
+++ b/custom_components/auth_oidc/manifest.json
@@ -16,7 +16,8 @@
  "requirements": [
    "python-jose>=3.3.0",
    "aiofiles>=24.1.0",
-    "jinja2>=3.1.4"
+    "jinja2>=3.1.4",
+    "bcrypt>=4.2.0"
  ],
-  "version": "0.4.0"
+  "version": "0.4.1"
 }
--- a/custom_components/auth_oidc/provider.py
+++ b/custom_components/auth_oidc/provider.py
@@ -6,6 +6,7 @@ import logging

 from typing import Dict, Optional
 import asyncio
+import bcrypt
 from homeassistant.auth import EVENT_USER_ADDED
 from homeassistant.auth.providers import (
    AUTH_PROVIDERS,
@@ -274,6 +275,14 @@ class OpenIdLoginFlow(LoginFlow):
    """Handler for the login flow."""

    async def _finalize_user(self, code: str) -> AuthFlowResult:
+        # Verify a dummy hash to make it last a bit longer
+        # as security measure (limits the amount of attempts you have in 5 min)
+        # Similar to what the HomeAssistant auth provider does
+        dummy = b"$2b$12$CiuFGszHx9eNHxPuQcwBWez4CwDTOcLTX5CbOpV6gef2nYuXkY7BO"
+        bcrypt.checkpw(b"foo", dummy)
+
+        # Actually look up the auth provider after,
+        # this doesn't take a lot of time (regardless of it's in there or not)
        sub = await self._auth_provider.async_get_subject(code)
        if sub:
            return await self.async_finish(