From be815086c077f9eb2c2c1593f0623212bc379a34 Mon Sep 17 00:00:00 2001
From: Chris Shyi
Date: Mon, 18 Jun 2018 21:50:06 -0400
Subject: [PATCH] Use secrets.py to generate user secret

Instead of using our own random string generator function, the user secret is now being generated using secrets.token_urlsafe(). The max length of the user secret has been increased to accommodate the size of the 32 byte string.
---
 spotifyvis/models.py | 2 +-
 spotifyvis/views.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/spotifyvis/models.py b/spotifyvis/models.py
index 6e28a07..539bd46 100644
--- a/spotifyvis/models.py
+++ b/spotifyvis/models.py
@@ -28,7 +28,7 @@ class User(models.Model):
 verbose_name_plural = "Users"
 user_id = models.CharField(primary_key=True, max_length=MAX_ID) # the user's Spotify ID
- user_secret = models.CharField(max_length=30, default='')
+ user_secret = models.CharField(max_length=50, default='')
 def __str__(self):
 return self.user_id
diff --git a/spotifyvis/views.py b/spotifyvis/views.py
index e44d998..38f0631 100644
--- a/spotifyvis/views.py
+++ b/spotifyvis/views.py
@@ -5,7 +5,7 @@ import random
 import requests
 import os
 import urllib
-import json
+import secrets
 import pprint
 import string
 from datetime import datetime
@@ -146,7 +146,8 @@ def user_data(request):
 try:
 user = User.objects.get(user_id=user_data_response['id'])
 except User.DoesNotExist:
- user = User(user_id=user_data_response['id'], user_secret=generate_random_string(30))
+ # Python docs recommends 32 bytes of randomness against brute force attacks
+ user = User(user_id=user_data_response['id'], user_secret=secrets.token_urlsafe(32))
 user.save()
 context = {
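Review bot: No schema migration accompanies the `max_length=50` change to `user_secret` in spotifyvis/models.py; the diffstat lists only models.py and views.py. `secrets.token_urlsafe(32)` returns a 43-character string, so on a database backend that enforces the column length the new-user insert in views.py would fail against the old 30-character column until a migration is generated and applied. Rows created before this commit also keep the secret produced by the previous generator, so a rotation step for existing users is worth planning. A short comment on the field would record the coupling, e.g. `# must hold secrets.token_urlsafe(32), i.e. 43 chars`.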
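Review bot: In the import hunk of spotifyvis/views.py, `import json` is removed on the same line swap that adds `import secrets`, and nothing in this patch shows that the module has stopped using `json`. Any remaining `json.` reference would raise NameError only when that code path runs, so it can slip past a quick manual test. The rest of views.py is outside the hunk; if `json` is still referenced, keep the import and add `import secrets` as its own line.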
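Review bot: The old helper `generate_random_string` stays in spotifyvis/views.py after this change to `user_data`: the diffstat counts three deletions and none of them is its definition. `import random` and `import string` also remain in the import context. If the helper is built on `random`, as those imports suggest, any other caller that uses it for a security-sensitive value still gets output that is not cryptographically strong, so it should be deleted or reimplemented on top of `secrets`. The new comment would be more useful if it stated the length coupling, e.g. `# 32 random bytes -> 43-char URL-safe token; must fit User.user_secret max_length`. `user_data` starts and ends outside the hunk.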