Add checksum checking when validating VendorChecksum API tokens.

Review Request #12663 — Created Oct. 3, 2022 and submitted

maubin
Djblets
release-3.x
12651
djblets

This change makes the VendorChecksumTokenGenerator check the token's checksum
when validating tokens. This makes the token validation more precise and is
useful for weeding out any false positives during secret scanning.

This also fixes the character set that we're using for base62-encoding the
token checksums. The previous one had incorrectly swapped the placement of the
capital and lowercase characters in the set. Tokens that were generated using
the old character set are still considered valid.

Ran unit tests.
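An added example, not Djblets code, showing why a case swap is enough to recognise tokens made with the old character set: two base62 alphabets that differ only in where the uppercase and lowercase blocks sit produce checksums that are exact `swapcase()` images of each other. The token layout (prefix + body + 6-character checksum), the use of CRC32, which alphabet order is the corrected one, and all function names are assumptions made for illustration.

```python
import string
import zlib

# Assumed alphabets. Which order is the corrected one is an assumption; what
# matters is that they differ only in the position of the two letter blocks.
CHARSET = string.digits + string.ascii_uppercase + string.ascii_lowercase
LEGACY_CHARSET = string.digits + string.ascii_lowercase + string.ascii_uppercase
CHECKSUM_LEN = 6  # assumed width: 62**6 is larger than 2**32, so a CRC32 fits


def base62(value, charset=CHARSET):
    """Encode a non-negative int as fixed-width, zero-padded base62."""
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(charset[rem])
    return ''.join(reversed(digits)).rjust(CHECKSUM_LEN, charset[0])


def make_token(prefix, body, charset=CHARSET):
    """Build prefix + body + checksum (hypothetical layout)."""
    crc = zlib.crc32((prefix + body).encode('ascii'))
    return prefix + body + base62(crc, charset)


def validate_token(token, prefix):
    """Classify a candidate string as 'valid', 'legacy' or 'invalid'."""
    if not token.isascii() or not token.startswith(prefix):
        return 'invalid'
    if len(token) <= len(prefix) + CHECKSUM_LEN:
        return 'invalid'
    payload, checksum = token[:-CHECKSUM_LEN], token[-CHECKSUM_LEN:]
    expected = base62(zlib.crc32(payload.encode('ascii')))
    if checksum == expected:
        return 'valid'
    # Rare path: the case swap is only computed after the normal comparison
    # fails, so ordinary tokens and scanner false positives never pay for it.
    if checksum == expected.swapcase():
        return 'legacy'
    return 'invalid'
```

A secret scanner can treat both `'valid'` and `'legacy'` results as real findings and drop `'invalid'` matches that only resemble the token pattern.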


chipx86
  1. Ship It!
maubin
chipx86
  1. djblets/secrets/token_generators/vendor_checksum.py (Diff revisions 1 - 2)

    We might just want to compare against checksum.swapcase() in the conditional directly, so that we don't perform this operation unless it appears to be a valid token but the checksum fails. That'll be the rare case.
maubin
chipx86
  1. Ship It!
maubin
Review request changed

Status: Closed (submitted)

Change Summary:

Pushed to release-3.x (6b692e6)