From b8ce2a48435c1aaed19428108a78c624217a2f7f Mon Sep 17 00:00:00 2001
From: maike
Date: Mon, 6 Jul 2020 19:59:00 +0200
Subject: [PATCH] [email] Use NaCL instead of PyJWT for encoding

---
 kibicara/platforms/email/bot.py | 11 +++++++----
 kibicara/platforms/email/webapi.py | 15 ++++++++++-----
 setup.py | 1 -
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/kibicara/platforms/email/bot.py b/kibicara/platforms/email/bot.py
index 18ae272..a2da758 100644
--- a/kibicara/platforms/email/bot.py
+++ b/kibicara/platforms/email/bot.py
@@ -4,10 +4,11 @@
 
 from kibicara.platforms.email.model import EmailRecipients, Email
 from kibicara.model import Hood
-from kibicara.platformapi import Censor, Spawner, Message
+from kibicara.platformapi import Censor, Spawner
 from kibicara.email import send_email
 from kibicara.config import config
-import jwt
+from nacl.encoding import URLSafeBase64Encoder
+from nacl.secret import SecretBox
 
 
 class EmailBot(Censor):
@@ -25,13 +26,15 @@ class EmailBot(Censor):
             'email': recipient.email,
             'hood': self.model.hood,
         }
-        token = jwt.encode(json, self.model.secret).decode('ascii')
+        secretbox = SecretBox(Email.secret)
+        token = secretbox.encrypt(json, encoder=URLSafeBase64Encoder)
+        asciitoken = token.decode('ascii')
         unsubscribe_link = (
             config['root_url']
             + 'api/'
             + self.model.id
             + '/email/unsubscribe/'
-            + token
+            + asciitoken
         )
         message.text += (
             "\n\n--\nIf you want to stop receiving these mails, "
diff --git a/kibicara/platforms/email/webapi.py b/kibicara/platforms/email/webapi.py
index c772305..73e408f 100644
--- a/kibicara/platforms/email/webapi.py
+++ b/kibicara/platforms/email/webapi.py
@@ -13,7 +13,8 @@ from kibicara.webapi.hoods import get_hood
 from ormantic.exceptions import NoMatch
 from pydantic import BaseModel
 from sqlite3 import IntegrityError
-import jwt
+from nacl.encoding import URLSafeBase64Encoder
+from nacl.secret import SecretBox
 from os import urandom
 
 
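Review bot: The `nacl` imports added here and in the webapi.py header hunk make PyNaCl a hard runtime dependency, but the setup.py hunk in this patch only removes `'PyJWT',` and adds nothing in its place; unless `pynacl` is already listed above that hunk's visible context, a fresh install will fail at import time. Add `'pynacl',` to `install_requires` in the same commit so the dependency change is atomic.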
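Review bot: `secretbox.encrypt(json, encoder=URLSafeBase64Encoder)` passes a dict, but `SecretBox.encrypt` takes bytes, so building the first unsubscribe footer will raise a TypeError; the payload needs to be serialised first, e.g. `payload = json.dumps({'email': recipient.email, 'hood': self.model.hood}).encode('utf-8')`, which also means importing `json` and renaming the local that currently shadows it. The same unserialised dict is handed to `encrypt` in `email_recipient_create` in the webapi.py hunk below. Two things cannot be checked from the hunk and are worth confirming: the key moves from the per-hood `self.model.secret` to the class-level `Email.secret`, which `SecretBox` requires to be exactly `SecretBox.KEY_SIZE` (32) bytes, and `self.model.hood` must be a plain id rather than a model object for the serialisation to work. The enclosing method starts and ends outside the hunk.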
@@ -70,9 +71,11 @@ async def email_delete(hood=Depends(get_hood)):
 
 @hood_router.post('/recipient/')
 async def email_recipient_create(recipient: Recipient, hood=Depends(get_hood)):
-    token = jwt.encode({'email': recipient.email}, Email.secret).decode('ascii')
+    secretbox = SecretBox(Email.secret)
+    token = secretbox.encrypt({'email': recipient.email,}, encoder=URLSafeBase64Encoder)
+    asciitoken = token.decode('ascii')
     confirm_link = (
-        config['root_url'] + "api/" + hood.id + "/email/recipient/confirm/" + token
+        config['root_url'] + "api/" + hood.id + "/email/recipient/confirm/" + asciitoken
     )
     send_email(
         recipient.email,
@@ -85,7 +88,8 @@ async def email_recipient_create(recipient: Recipient, hood=Depends(get_hood)):
 
 @hood_router.post('/recipient/confirm/{token}')
 async def email_recipient_confirm(token, hood=Depends(get_hood)):
-    json = jwt.decode(token, Email.secret)
+    secretbox = SecretBox(Email.secret)
+    json = secretbox.decrypt(token.encode('ascii'), encoder=URLSafeBase64Encoder)
     try:
         await EmailRecipients.objects.create(hood=hood.id, email=json['email'])
         return status.HTTP_201_CREATED
@@ -95,7 +99,8 @@ async def email_recipient_confirm(token, hood=Depends(get_hood)):
 
 @hood_router.get('/unsubscribe/{token}', status_code=status.HTTP_200_OK)
 async def email_recipient_unsubscribe(token, hood=Depends(get_hood)):
-    json = jwt.decode(token)
+    secretbox = SecretBox(Email.secret)
+    json = secretbox.decrypt(token.encode('ascii'), encoder=URLSafeBase64Encoder)
     if hood.id is not json['hood']:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
     await EmailRecipients.objects.delete_many(hood=json['hood'], email=json['email'])
diff --git a/setup.py b/setup.py
index 50af4c9..e2cd0e1 100644
--- a/setup.py
+++ b/setup.py
@@ -28,6 +28,5 @@ setup(
         'pytoml',
         'requests',
         'scrypt',
-        'PyJWT',
     ],
 )
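Review bot: The confirm token still carries only `recipient.email`, so `email_recipient_confirm` has to trust the hood from the URL rather than from the token, and nothing in the payload ever expires; this predates the patch, but since the payload format is being changed anyway it is the natural moment to add `'hood': hood.id` (and an issue time to check against) so a link can only confirm the hood it was mailed for. The dict itself is handed to `encrypt` unserialised, the same defect already noted on the EmailBot hunk. The enclosing function continues outside the hunk.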
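Review bot: `secretbox.decrypt(...)` returns plaintext bytes, so `json['email']` on the next visible line raises a TypeError — the result must be parsed with `json.loads`, which means importing `json` and renaming the local that shadows it. Any forged, truncated or otherwise altered token makes `decrypt` raise `nacl.exceptions.CryptoError`, and a non-ASCII path segment makes `token.encode('ascii')` raise `UnicodeEncodeError`; neither is caught, so a bad link surfaces as a 500 instead of being rejected, and the decrypt step should be wrapped and mapped to `HTTPException(status_code=status.HTTP_400_BAD_REQUEST)`, with `from nacl.exceptions import CryptoError` added to the header hunk. The identical pattern appears in `email_recipient_unsubscribe` in the next hunk. The existing `try` block around the database insert continues outside the hunk.

```python
async def email_recipient_confirm(token, hood=Depends(get_hood)):
    secretbox = SecretBox(Email.secret)
    try:
        payload = json.loads(
            secretbox.decrypt(token.encode('ascii'), encoder=URLSafeBase64Encoder)
        )
    except (CryptoError, UnicodeEncodeError, ValueError):
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
    # … rest of the body unchanged apart from reading payload['email'] …
```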
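Review bot: `if hood.id is not json['hood']:` tests object identity, not equality, so two equal ids that are distinct objects (any int outside CPython's small-int cache, or any str) make the check fire and a legitimate unsubscribe gets a 400; it should read `if hood.id != json['hood']:`. The decrypt line here has the same unparsed-bytes and uncaught-`CryptoError` problems described on the confirm hunk. Note that the old `jwt.decode(token)` verified no signature at all, so this hunk is where unsubscribe links actually become tamper-evident — confirm that the `Email.secret` used to issue them in bot.py is the same value read here, since bot.py previously keyed on `self.model.secret`.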