Add checksum checking when validating VendorChecksum API tokens.

Review Request #12663 — Created Oct. 3, 2022 and submitted

Information

Djblets
release-3.x

Reviewers

This change makes the VendorChecksumTokenGenerator check the token's checksum
when validating tokens. This makes the token validation more precise and is
useful for weeding out any false positives during secret scanning.

This also fixes the character set that we're using for base62-encoding the
token checksums. The previous one had incorrectly swapped the placement of the
capital and lowercase characters in the set. Tokens that were generated using
the old character set are still considered valid.

Ran unit tests.

Summary ID
Add checksum checking when validating VendorChecksum API tokens.
666361c32af88feb525657abd59c032cb7b6f4eb
Description From Last Updated

We might just want to compare against checksum.swapcase() in the conditional directly, so that we don't perform this operation unless …

chipx86chipx86
chipx86
  1. Ship It!
  2. 
      
maubin
chipx86
  1. 
      
  2. djblets/secrets/token_generators/vendor_checksum.py (Diff revisions 1 - 2)
     
     
     
     
     
    Show all issues

    We might just want to compare against checksum.swapcase() in the conditional directly, so that we don't perform this operation unless it appears to be a valid token but the checksum fails. That'll be the rare case.

  3. 
      
maubin
chipx86
  1. Ship It!
  2. 
      
maubin
Review request changed
Status:
Completed
Change Summary:
Pushed to release-3.x (6b692e6)