mj-saunders
/
epicyon
forked from indymedia/epicyon
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Random token

master
Bob Mottram 2019-07-12 17:09:25 +01:00
parent 99eba0c2ca
commit 050ce03ad0
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -105,6 +105,8 @@ Follow Accept from **Bob** to **Alice** with attached capabilities.
When posts are subsequently sent from the following instance (server-to-server) they should have the corresponding capability id string attached within the Create wrapper. To handle the *shared inbox* scenario this should be a list rather than a single string. In the above example that would be *['http://bobdomain.net/caps/alice@alicedomain.net#rOYtHApyr4ZWDUgEE1KqjhTe0kI3T2wJ']*. It should contain a random token which is hard to guess by brute force methods. When posts are subsequently sent from the following instance (server-to-server) they should have the corresponding capability id string attached within the Create wrapper. To handle the *shared inbox* scenario this should be a list rather than a single string. In the above example that would be *['http://bobdomain.net/caps/alice@alicedomain.net#rOYtHApyr4ZWDUgEE1KqjhTe0kI3T2wJ']*. It should contain a random token which is hard to guess by brute force methods.
NOTE: the token should be random and not a hash of anything. Making it a hash would give an adversary a much better chance of calculating it.
``` text ``` text
Alice Alice
| |

2
daemon.py
View File

@ -208,7 +208,7 @@ class PubServer(BaseHTTPRequestHandler):
if self._webfinger(): if self._webfinger():
self.server.GETbusy=False self.server.GETbusy=False
return return
# show avatar # show avatar or background image
if '/users/' in self.path: if '/users/' in self.path:
if self.path.endswith('.png') or \ if self.path.endswith('.png') or \
self.path.endswith('.jpg') or \ self.path.endswith('.jpg') or \