cardosofelipe/syndarix
1
0
Fork 0
forked from cardosofelipe/fast-next-template
Code Issues 18 Pull Requests Wiki Activity

Improve error handling, logging, and security in authentication services and utilities

Browse Source 
- Refactored `create_user` and `change_password` methods to add transaction rollback on failures and enhanced logging for error contexts.
- Updated security utilities to use constant-time comparison (`hmac.compare_digest`) to mitigate timing attacks.
- Adjusted API responses in registration and password reset flows for better security and user experience.
- Added session invalidation after password resets to enhance account security.
This commit is contained in:
Felipe Cardoso
2025-11-01 01:13:02 +01:00
parent cc98a76e24
commit 4de440ed2d
4 changed files with 82 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
backend/app/utils/security.py
View File

@@ -7,6 +7,7 @@ time-limited, single-use operations.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
@@ -92,13 +93,13 @@ def verify_upload_token(token: str) -> Optional[Dict[str, Any]]:
payload = token_data["payload"]
signature = token_data["signature"]
# Verify signature
# Verify signature using constant-time comparison to prevent timing attacks
payload_bytes = json.dumps(payload).encode('utf-8')
expected_signature = hashlib.sha256(
payload_bytes + settings.SECRET_KEY.encode('utf-8')
).hexdigest()
if signature != expected_signature:
if not hmac.compare_digest(signature, expected_signature):
return None
# Check expiration
@@ -185,13 +186,13 @@ def verify_password_reset_token(token: str) -> Optional[str]:
if payload.get("purpose") != "password_reset":
return None
# Verify signature
# Verify signature using constant-time comparison to prevent timing attacks
payload_bytes = json.dumps(payload).encode('utf-8')
expected_signature = hashlib.sha256(
payload_bytes + settings.SECRET_KEY.encode('utf-8')
).hexdigest()
if signature != expected_signature:
if not hmac.compare_digest(signature, expected_signature):
return None
# Check expiration
@@ -278,13 +279,13 @@ def verify_email_verification_token(token: str) -> Optional[str]:
if payload.get("purpose") != "email_verification":
return None
# Verify signature
# Verify signature using constant-time comparison to prevent timing attacks
payload_bytes = json.dumps(payload).encode('utf-8')
expected_signature = hashlib.sha256(
payload_bytes + settings.SECRET_KEY.encode('utf-8')
).hexdigest()
if signature != expected_signature:
if not hmac.compare_digest(signature, expected_signature):
return None
# Check expiration