From 14efa7bdf19cf4042fe6455c0f9516f5b2d91a0c Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Fri, 17 May 2013 11:03:41 -0700 Subject: moved fake_login_attempt to plugins --- mediagoblin/plugins/basic_auth/lib.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'mediagoblin/plugins/basic_auth/lib.py') diff --git a/mediagoblin/plugins/basic_auth/lib.py b/mediagoblin/plugins/basic_auth/lib.py index 57820003..999abfd9 100644 --- a/mediagoblin/plugins/basic_auth/lib.py +++ b/mediagoblin/plugins/basic_auth/lib.py @@ -14,6 +14,7 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . import bcrypt +import random from mediagoblin.tools.template import render_template from mediagoblin.tools.mail import send_email @@ -97,3 +98,22 @@ def send_fp_verification_email(user, request): [user.email], 'GNU MediaGoblin - Change forgotten password!', rendered_email) + + +def fake_login_attempt(): + """ + Pretend we're trying to login. + + Nothing actually happens here, we're just trying to take up some + time, approximately the same amount of time as + bcrypt_check_password, so as to avoid figuring out what users are + on the system by intentionally faking logins a bunch of times. + """ + rand_salt = bcrypt.gensalt(5) + + hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt) + + randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt) + randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt) + + randplus_stored_hash == randplus_hashed_pass -- cgit v1.2.3