don't salt & extra hash uuids

They have enough entropy on their own, so use just the hash and no salt. ref: https://security.stackexchange.com/a/151262/155114
2025-10-15 14:03:02 +00:00 · 2017-07-24 14:40:29 +02:00
parent 710ed0a5c8
commit 2654794968
1 changed files with 13 additions and 1 deletions
--- a/jupyterhub/orm.py
+++ b/jupyterhub/orm.py
@@ -268,7 +268,19 @@ class Hashed(object):
    def token(self, token):
        """Store the hashed value and prefix for a token"""
        self.prefix = token[:self.prefix_length]
-        self.hashed = hash_token(token, rounds=self.rounds, salt=self.salt_bytes, algorithm=self.algorithm)
+        if len(token) >= 32:
+            # Tokens are generally UUIDs, which have sufficient entropy on their own
+            # and don't need salt & hash rounds.
+            # ref: https://security.stackexchange.com/a/151262/155114
+            rounds = 1
+            salt_bytes = b''
+        else:
+            # users can still specify API tokens in a few ways,
+            # so trigger salt & hash rounds if they provide a short token
+            app_log.warning("Applying salt & hash rounds to %sB token" % len(token))
+            rounds = self.rounds
+            salt_bytes = self.salt_bytes
+        self.hashed = hash_token(token, rounds=rounds, salt=salt_bytes, algorithm=self.algorithm)

    def match(self, token):
        """Is this my token?"""