moved fake_login_attempt to plugins

2 files changed, 21 insertions, 0 deletions

diff --git a/mediagoblin/plugins/basic_auth/__init__.py b/mediagoblin/plugins/basic_auth/__init__.py
index db5229a8..c8c3c391 100644
--- a/mediagoblin/plugins/basic_auth/__init__.py
+++ b/mediagoblin/plugins/basic_auth/__init__.py
@@ -102,4 +102,5 @@ hooks = {
     'auth_get_login_form': get_login_form,
     'auth_get_registration_form': get_registration_form,
     'auth_gen_password_hash': gen_password_hash,
+    'auth_fake_login_attempt': auth_lib.fake_login_attempt,
 }
diff --git a/mediagoblin/plugins/basic_auth/lib.py b/mediagoblin/plugins/basic_auth/lib.py
index 57820003..999abfd9 100644
--- a/mediagoblin/plugins/basic_auth/lib.py
+++ b/mediagoblin/plugins/basic_auth/lib.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import bcrypt
+import random
 
 from mediagoblin.tools.template import render_template
 from mediagoblin.tools.mail import send_email
@@ -97,3 +98,22 @@ def send_fp_verification_email(user, request):
         [user.email],
         'GNU MediaGoblin - Change forgotten password!',
         rendered_email)
+
+
+def fake_login_attempt():
+    """
+    Pretend we're trying to login.
+
+    Nothing actually happens here, we're just trying to take up some
+    time, approximately the same amount of time as
+    bcrypt_check_password, so as to avoid figuring out what users are
+    on the system by intentionally faking logins a bunch of times.
+    """
+    rand_salt = bcrypt.gensalt(5)
+
+    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+
+    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
+
+    randplus_stored_hash == randplus_hashed_pass