From: Magnus Hagander
Date: Tue, 12 Aug 2025 14:52:08 +0000 (+0200)
Subject: Validate crypto key lengths independently for each cauth version
X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=0f9f429594e64bb7c8f27f5a16112a811cd142b9;p=pgweb.git

Validate crypto key lengths independently for each cauth version

Since different versions have different requirements on crypto key length, we should also check it individually and not just assume the user did it right.
---
diff --git a/pgweb/account/admin.py b/pgweb/account/admin.py
index dd89e9a5..d24c7e7c 100644
--- a/pgweb/account/admin.py
+++ b/pgweb/account/admin.py
@@ -34,6 +34,20 @@ class CommunityAuthSiteAdminForm(forms.ModelForm):
 def clean(self):
 d = super().clean()
+ if 'cryptkey' in self.cleaned_data:
+ key = base64.b64decode(self.cleaned_data['cryptkey'])
+ if self.cleaned_data['version'] == 2:
+ keylen = 32
+ elif self.cleaned_data['version'] == 3:
+ keylen = 64
+ elif self.cleaned_data['version'] == 4:
+ keylen = 32
+ else:
+ self.add_error('version', 'Unknown version')
+ keylen = 0
+ if len(key) != keylen:
+ self.add_error('cryptkey', 'For version {}, crypto keys muyst be {} bytes'.format(self.cleaned_data['version'], keylen))
+
 if d.get('push_changes', False) and not d.get('apiurl', ''):
 self.add_error('push_changes', 'API url must be specified to enable push changes!')
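Review bot: The new `base64.b64decode(self.cleaned_data['cryptkey'])` line raises `binascii.Error` (a `ValueError`) on malformed input, so a badly pasted key becomes a server error instead of a form error; decode inside a try/except and report it through `add_error`, and pass `validate=True` so stray non-alphabet characters are rejected rather than silently dropped by the default lenient decoder. When the version is unknown, `keylen` falls to 0 and the following `len(key) != keylen` check adds a second, misleading "must be 0 bytes" error on cryptkey, so the length check should only run for a known version. The hunk also reads `self.cleaned_data['version']` unguarded, which raises `KeyError` when the version field failed its own validation; the existing lines below already use `d.get(...)`, so the new code could test both keys on `d` for consistency, and the message text `muyst` should read `must`. I cannot see from the hunk whether `base64` is imported in this file, and `clean()` continues past the hunk.
```python
    def clean(self):
        d = super().clean()
        if 'cryptkey' in d and 'version' in d:
            try:
                key = base64.b64decode(d['cryptkey'], validate=True)
            except ValueError:
                self.add_error('cryptkey', 'Crypto key must be valid base64')
            else:
                keylen = {2: 32, 3: 64, 4: 32}.get(d['version'])
                if keylen is None:
                    self.add_error('version', 'Unknown version')
                elif len(key) != keylen:
                    self.add_error('cryptkey', 'For version {}, crypto keys must be {} bytes'.format(d['version'], keylen))
        # … unchanged: push_changes / apiurl check …
```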