Salt the ip address before hashing

hc/accounts/tests/test_login.py

@@ -50,8 +50,8 @@ class LoginTestCase(BaseTestCase):
 
     @override_settings(SECRET_KEY="test-secret")
     def test_it_rate_limits_ips(self):
-        # 4b84.... is sha1("127.0.0.1test-secret")
-        obj = TokenBucket(value="ip-4b84b15bff6ee5796152495a230e45e3d7e947d9")
+        # 60be.... is sha1("127.0.0.1test-secret")
+        obj = TokenBucket(value="ip-60be45f44bd9ab3805871fb1137594e708c993ff")
         obj.tokens = 0
         obj.save()
 

hc/api/models.py

@@ -629,8 +629,8 @@ class TokenBucket(models.Model):
         mailbox = mailbox.split("+")[0]
         email = mailbox + "@" + domain
 
-        b = (email + settings.SECRET_KEY).encode()
-        value = "em-%s" % hashlib.sha1(b).hexdigest()
+        salted_encoded = (email + settings.SECRET_KEY).encode()
+        value = "em-%s" % hashlib.sha1(salted_encoded).hexdigest()
 
         # 20 emails per 3600 seconds (1 hour):
         return TokenBucket.authorize(value, 20, 3600)
@@ -640,7 +640,8 @@ class TokenBucket(models.Model):
         headers = request.META
         ip = headers.get("HTTP_X_FORWARDED_FOR", headers["REMOTE_ADDR"])
         ip = ip.split(",")[0]
-        value = "ip-%s" % hashlib.sha1(ip.encode()).hexdigest()
+        salted_encoded = (ip + settings.SECRET_KEY).encode()
+        value = "ip-%s" % hashlib.sha1(salted_encoded).hexdigest()
 
         # 20 login attempts from a single IP per 3600 seconds (1 hour):
         return TokenBucket.authorize(value, 20, 3600)