From da51affacbb974abaac97a19b3b08c9e4e32685f Mon Sep 17 00:00:00 2001
From: Min RK
Date: Thu, 30 Oct 2014 15:33:09 -0700
Subject: [PATCH] add hash rounds default 16k

---
 jupyterhub/orm.py   | 8 +++-----
 jupyterhub/utils.py | 11 ++++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/jupyterhub/orm.py b/jupyterhub/orm.py
index 0a9acbc6..3f5cdd87 100644
--- a/jupyterhub/orm.py
+++ b/jupyterhub/orm.py
@@ -353,20 +353,18 @@ class APIToken(Base):
     prefix = Column(Unicode)
     prefix_length = 4
     algorithm = "sha512"
+    rounds = 16384
     salt_bytes = 8
-    _token = None
 
     @property
     def token(self):
-        """plaintext tokens will only be accessible for tokens created during this session"""
-        return self._token
+        raise AttributeError("token is write-only")
 
     @token.setter
     def token(self, token):
         """Store the hashed value and prefix for a token"""
         self.prefix = token[:self.prefix_length]
-        self.hashed = hash_token(token, salt=self.salt_bytes, algorithm=self.algorithm)
-        self._token = token
+        self.hashed = hash_token(token, rounds=self.rounds, salt=self.salt_bytes, algorithm=self.algorithm)
 
     def __repr__(self):
         return "<{cls}('{pre}...', user='{u}')>".format(
diff --git a/jupyterhub/utils.py b/jupyterhub/utils.py
index 12cdbcef..3a8750d0 100644
--- a/jupyterhub/utils.py
+++ b/jupyterhub/utils.py
@@ -150,7 +150,7 @@ def new_token(*args, **kwargs):
     return text_type(uuid.uuid4().hex)
 
 
-def hash_token(token, salt=8, algorithm='sha256'):
+def hash_token(token, salt=8, rounds=16384, algorithm='sha512'):
     """hash a token, and return it as `algorithm:salt:hash`
 
     If `salt` is an integer, a random salt of that many bytes will be used.
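Review bot: The new `token` getter in `APIToken` raises a bare `AttributeError` and drops the docstring the old getter had, so nothing in the class says why the attribute is write-only or how a caller is supposed to check a token instead; add a docstring above the raise, e.g. `"""Plaintext tokens are never kept; assigning `token` stores its hash, verify with compare_token."""`. Because `hasattr(api_token, 'token')` now returns False and any attribute bug inside a caller's `token` access is indistinguishable from this deliberate raise, the message should at least name the verification path. The new class attribute `rounds = 16384` also deserves a why-comment such as `# iterations passed to hash_token; recorded in the stored hash string so the default can be raised later`, since it is the only place the work factor is configured. The `APIToken` body continues past `__repr__` outside the hunk.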
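Review bot: The docstring directly under the new `hash_token` signature still documents the result as `algorithm:salt:hash`, but the function now returns `algorithm:rounds:salt:hash` (the format change is in the next hunk of this file), so anyone parsing the stored string from the docs will split it wrongly. Change it to `"""hash a token, and return it as `algorithm:rounds:salt:hash`` and add a line to the parameter notes such as `rounds: how many times the token bytes are fed into the digest (default 16384)`. The rest of the docstring and the function body lie outside this hunk.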
@@ -165,10 +165,11 @@ def hash_token(token, salt=8, algorithm='sha256'):
     bsalt = salt.encode('utf8')
     btoken = token.encode('utf8', 'replace')
     h.update(bsalt)
-    h.update(btoken)
+    for i in range(rounds):
+        h.update(btoken)
     digest = h.hexdigest()
-    return u"{algorithm}:{salt}:{digest}".format(**locals())
+    return u"{algorithm}:{rounds}:{salt}:{digest}".format(**locals())
 
 
 def compare_token(compare, token):
@@ -176,8 +177,8 @@ def compare_token(compare, token):
     uses the same algorithm and salt of the hashed token for comparison
     """
 
-    algorithm, salt, _ = compare.split(':', 2)
-    hashed = hash_token(token, salt=salt, algorithm=algorithm)
+    algorithm, srounds, salt, _ = compare.split(':')
+    hashed = hash_token(token, salt=salt, rounds=int(srounds), algorithm=algorithm)
     if compare == hashed:
         return True
     return False
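Review bot: Calling `h.update(btoken)` 16384 times on the same digest object is not iterated hashing: it produces a single `algorithm` digest over `salt || token*rounds`, and the cost is a linear pass over that message rather than a chain of dependent hash invocations, so the work factor is far weaker than the `rounds` name and the stored `{rounds}` field imply. Tokens here come from `uuid.uuid4().hex` (visible in the previous hunk), which already carry 122 random bits, so stretching buys little in any case; if a real work factor is wanted, replace the `h.update(bsalt)` / loop / `hexdigest` lines with `digest = binascii.hexlify(hashlib.pbkdf2_hmac(algorithm, btoken, bsalt, rounds)).decode('ascii')` (needs `import binascii`, plus `hashlib` if utils.py does not already import it, and Python 2.7.8+/3.4+ — confirm the supported interpreter range before relying on it). At minimum the unused loop index should be `for _ in range(rounds):`, and the docstring should say plainly what `rounds` does so nobody mistakes it for PBKDF2 iterations. The start of `hash_token` lies outside the hunk.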
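Review bot: `compare.split(':')` with a four-name unpack, and `int(srounds)` after it, raise `ValueError` for any value stored under the previous `algorithm:salt:hash` layout or for a malformed string, so every API token already in the database turns from "does not match" into an exception in whatever calls compare_token. A hash stored in the old layout is exactly what the new hash_token yields with `rounds=1` (one `h.update(btoken)` after the salt, assuming the part of hash_token above its hunk is unchanged), so the legacy shape can be verified instead of crashing. `compare == hashed` is also a variable-time string comparison; `hmac.compare_digest` (stdlib, add `import hmac` at the top of utils.py; available from Python 2.7.7/3.3) removes the timing side channel. The rewritten tail of compare_token below handles both layouts and compares only the digest part, since the legacy string has no rounds field to match verbatim.
```python
def compare_token(compare, token):
    # … unchanged: docstring …
    parts = compare.split(':')
    if len(parts) == 4:
        algorithm, srounds, salt, digest = parts
    elif len(parts) == 3:
        # pre-rounds layout `algorithm:salt:hash`: a single update == rounds=1
        algorithm, salt, digest = parts
        srounds = '1'
    else:
        return False
    try:
        rounds = int(srounds)
    except ValueError:
        return False
    hashed = hash_token(token, salt=salt, rounds=rounds, algorithm=algorithm)
    return hmac.compare_digest(hashed.rsplit(':', 1)[1], digest)
```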