Temporary fix for user enumeration via password reset API

There is a noticeable delay when providing a valid username
to the password reset API. Ideally we want to fix this by handling
the request in an async fashion, but that will likely have to wait
until we have moved to the planned worker/api model.

This just makes the API always take at least 3 seconds.

Change-Id: I82d46e9d64c65930dbe7d8821941ee9173431d56
Adrian Turjak 2018-09-12 12:21:05 +12:00
parent 8e2b734398
commit 3fe9d171cb
2 changed files with 23 additions and 0 deletions


@ -12,6 +12,10 @@
# License for the specific language governing permissions and limitations
# under the License.
from datetime import datetime
import time
import sys
from decorator import decorator
from rest_framework.response import Response
@ -75,3 +79,21 @@ def authenticated(func, *args, **kwargs):
401)
return func(*args, **kwargs)
@decorator
def minimal_duration(func, min_time=1, *args, **kwargs):
"""
Make a function (or API call) take at least some time.
"""
# doesn't apply during tests
if 'test' in sys.argv:
return func(*args, **kwargs)
start = datetime.utcnow()
return_val = func(*args, **kwargs)
end = datetime.utcnow()
duration = end - start
if duration.total_seconds() < min_time:
time.sleep(min_time - duration.total_seconds())
return return_val
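Review bot: The padding in `minimal_duration` is skipped whenever `func` raises, because the `time.sleep` after `return_val = func(*args, **kwargs)` is never reached on the exception path, so any branch of the reset view that raises (a validation or not-found error, for instance) returns immediately and its response time again distinguishes it from the padded branch; wrapping the call in `try`/`finally` pads every exit. Measuring with `datetime.utcnow()` also ties the floor to the wall clock — a backwards clock step yields a negative duration and a sleep longer than `min_time`, a forwards step can skip the sleep entirely — so `time.monotonic()` is the better clock if the project is Python 3 only (keep `datetime.utcnow()` otherwise). Note that the floor only hides the delay while the slow path stays under `min_time`: a valid-username request that takes longer than 3 s remains distinguishable, and because the `'test' in sys.argv` guard disables the control under `manage.py test`, nothing in the suite verifies it; a docstring line such as `Pads the response to at least ``min_time`` seconds on every exit path, including exceptions, so callers cannot distinguish branches by timing` would make that contract explicit.
```python
@decorator
def minimal_duration(func, min_time=1, *args, **kwargs):
    # … unchanged: docstring and the 'test' in sys.argv bypass …
    start = time.monotonic()
    try:
        return func(*args, **kwargs)
    finally:
        # Pad on every exit path, including exceptions, so a raising
        # branch cannot reveal itself by returning early.
        elapsed = time.monotonic() - start
        if elapsed < min_time:
            time.sleep(min_time - elapsed)
```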


@ -395,6 +395,7 @@ class ResetPassword(TaskView):
default_actions = ['ResetUserPasswordAction', ]
@utils.minimal_duration(min_time=3)
def post(self, request, format=None):
"""
Unauthenticated endpoint bound to the password reset action.