Use secret

collective · Apr 16, 2024 · 05ff6bf · 05ff6bf
1 parent 107ac28
commit 05ff6bf
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/collective/volto/formsupport/utils.py b/src/collective/volto/formsupport/utils.py
@@ -4,6 +4,9 @@
 import pyotp
 import base64
 
+from plone.keyring.interfaces import IKeyManager
+from zope.component import getUtility
+
 from collections import deque
 
 
@@ -46,14 +49,16 @@ def get_blocks(context):
 
 def generate_email_token(uid="", email=""):
     """Generates the email verification token"""
+    keymanager = getUtility(IKeyManager)
 
-    totp = pyotp.TOTP(base64.b32encode((uid + email).encode()))
+    totp = pyotp.TOTP(base64.b32encode((uid + email + keymanager.secret()).encode()))
 
     return totp.now()
 
 
 def validate_email_token(uid="", email="", token=""):
+    keymanager = getUtility(IKeyManager)
 
-    totp = pyotp.TOTP(base64.b32encode((uid + email).encode()))
+    totp = pyotp.TOTP(base64.b32encode((uid + email + keymanager.secret()).encode()))
 
     return totp.verify(token, valid_window=EMAIL_OTP_LIFETIME)