Fix session key security issues

Since the password was set to None, the session hash was always
identical and predictable for an attacker. A new random salt is
added to replace the password which served this funciton before.

Should the new session salt is set be default to a rendom value.
Should the salt be set to None for some reason, the
`get_session_auth_hash` method will raise a `ValueError`.

The password field is now removed from the user model. It will
raise a `FieldDoesNotExist` error, should the attribute be
access further preventing similar security issues.

Author: codingjoe

mailauth/contrib/user/migrations/0002_emailuser_session_salt.py

@@ -0,0 +1,19 @@
+# Generated by Django 2.2.1 on 2019-05-27 10:39
+
+import django.utils.crypto
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('mailauth_user', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='emailuser',
+            name='session_salt',
+            field=models.CharField(default=django.utils.crypto.get_random_string, editable=False, max_length=12),
+        ),
+    ]

mailauth/contrib/user/models.py

@@ -1,6 +1,7 @@
 from django.contrib.auth.base_user import BaseUserManager
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from django.utils.crypto import get_random_string, salted_hmac
 from django.utils.translation import ugettext_lazy as _
 
 
@@ -39,6 +40,10 @@ class AbstractEmailUser(AbstractUser):
     email = models.EmailField(_('email address'), unique=True, db_index=True)
     username = None
     password = None
+    session_salt = models.CharField(
+        max_length=12, editable=False,
+        default=get_random_string,
+    )
 
     def has_usable_password(self):
         return False
@@ -48,6 +53,16 @@ def has_usable_password(self):
     class Meta(AbstractUser.Meta):
         abstract = True
 
+    def get_session_auth_hash(self):
+        """Return an HMAC of the session_salt field."""
+        key_salt = "mailauth.contrib.user.models.EmailUserManager.get_session_auth_hash"
+        if not self.session_salt:
+            raise ValueError("'session_salt' must be set")
+        return salted_hmac(key_salt, self.session_salt).hexdigest()
+
+
+delattr(AbstractEmailUser, 'password')
+
 
 class EmailUser(AbstractEmailUser):
     class Meta(AbstractEmailUser.Meta):

tests/contrib/auth/test_models.py

@@ -1,4 +1,5 @@
 import pytest
+from django.core.exceptions import FieldDoesNotExist
 
 from mailauth.contrib.user.models import EmailUser
 
@@ -7,6 +8,31 @@ class TestAbstractEmailUser:
     def test_has_usable_password(self):
         assert not EmailUser().has_usable_password()
 
+    def test_get_session_auth_hash__default(self, db):
+        user = EmailUser(email='[email protected]')
+
+        assert user.session_salt
+        assert user.get_session_auth_hash()
+
+    def test_get_session_auth_hash__value_error(self, db):
+        user = EmailUser(email='[email protected]', session_salt=None)
+
+        with pytest.raises(ValueError) as e:
+            user.get_session_auth_hash()
+
+        assert "'session_salt' must be set" in str(e)
+
+    def test_get_session_auth_hash__unique(self, db):
+        spiderman = EmailUser(email='[email protected]')
+        ironman = EmailUser(email='[email protected]')
+
+        assert spiderman.get_session_auth_hash() != ironman.get_session_auth_hash()
+
+    def test_password_field(self):
+        user = EmailUser(email='[email protected]')
+        with pytest.raises(FieldDoesNotExist):
+            user.password
+
 
 class TestEmailUserManager: