Fix timestamp format in simpleauth

jthomale · jthomale · commit a78914c02f45 · 2023-12-13T15:27:33.000-06:00
Testing the recent changes to utils.redisobjs on staging, attempting to
log into the inventory app resulted in a TypeError when comparing the
stored (Redis) last login timestamp with the timestamp in the HTTP
header. I realized that the changes around the new 'encoded_obj' faux
Redis type meant it was now interpreting the timestamp as a string when
pulling it from Redis. I updated the api.simpleauth authentication class
so that it explicitly converts BOTH timestamps to floats when comparing
them and then explicitly stores the timestamp in Redis as a string. I
also did a little code cleanup.
diff --git a/django/sierra/api/simpleauth.py b/django/sierra/api/simpleauth.py
@@ -15,40 +15,30 @@
 
 
 class SimpleSignatureAuthentication(authentication.BaseAuthentication):
+
     def authenticate(self, request):
-        ret_val = None
         username = request.META.get('HTTP_X_USERNAME', None)
         timestamp = request.META.get('HTTP_X_TIMESTAMP', None)
-        client_signature = request.META.get('HTTP_AUTHORIZATION', 'Basic ')
-        client_signature = client_signature.split('Basic ')[1]
+        client_signature = request.META.get(
+            'HTTP_AUTHORIZATION', 'Basic '
+        ).split('Basic ')[1]
         body = ensure_str(request.body)
+        bad_credentials_msg = 'Incorrect username or password'
+        invalid_timestamp_msg = 'Timestamp invalid.'
 
         if username and timestamp and client_signature:
             try:
                 api_user = models.APIUser.objects.get(user__username=username)
             except models.APIUser.DoesNotExist:
-                raise exceptions.AuthenticationFailed('Incorrect username or '
-                                                      'password.')
-
+                raise exceptions.AuthenticationFailed(bad_credentials_msg)
             user_timestamp = ro.RedisObject('user_timestamp', username)
             last_ts = user_timestamp.get() or 0
-
-            if last_ts >= float(timestamp):
-                raise exceptions.AuthenticationFailed('Timestamp invalid.')
-
-            secret = api_user.secret
-            user = api_user.user
-
-            hasher = hashlib.sha256('{}{}{}{}'.format(username, secret,
-                                                      timestamp,
-                                                      body).encode('utf-8'))
-            server_signature = hasher.hexdigest()
-
-            if server_signature != client_signature:
-                raise exceptions.AuthenticationFailed('Incorrect username or '
-                                                      'password.')
-            else:
-                user_timestamp.set(float(timestamp))
-                ret_val = (user, None)
-
-        return ret_val
+            if float(last_ts) >= float(timestamp):
+                raise exceptions.AuthenticationFailed(invalid_timestamp_msg)
+            server_signature = hashlib.sha256(
+                f'{username}{api_user.secret}{timestamp}{body}'.encode('utf-8')
+            ).hexdigest()
+            if server_signature == client_signature:
+                user_timestamp.set(str(timestamp))
+                return (api_user.user, None)
+            raise exceptions.AuthenticationFailed(bad_credentials_msg)
