From f355c38fe18968475bce1b04b1b1b22fae37ff23 Mon Sep 17 00:00:00 2001
From: Maxim Devaev
Date: Mon, 8 Jan 2024 21:45:30 +0200
Subject: additional checks for auth token

---
 kvmd/apps/kvmd/auth.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py
index 8b0d104d..4571884b 100644
--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -120,13 +120,20 @@ class AuthManager:
 for (token, token_user) in self.__tokens.items():
 if user == token_user:
 return token
- token = secrets.token_hex(32)
+ token = self.__make_new_token()
 self.__tokens[token] = user
 get_logger().info("Logged in user %r", user)
 return token
 else:
 return None
 
+ def __make_new_token(self) -> str:
+ for _ in range(10):
+ token = secrets.token_hex(32)
+ if token not in self.__tokens:
+ return token
+ raise AssertionError("Can't generate new unique token")
+
 def logout(self, token: str) -> None:
 assert self.__enabled
 user = self.__tokens.pop(token, "")
-- 
cgit v1.2.3
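Review bot: The failure branch of `__make_new_token` raises a bare `AssertionError` with no log entry, and nothing visible in the hunk shows how the caller of the login path handles that exception. Ten consecutive repeats of a `secrets.token_hex(32)` value would point to a failing random source rather than bad luck, so the event deserves an error-level record before the raise, e.g. `get_logger().error("Token generator produced 10 duplicate tokens in a row")`. The method would also benefit from a one-line docstring such as `"""Return a fresh 64-hex-digit token that is not already a key of self.__tokens."""`, plus a short comment on why the retry bound is 10. The enclosing login method starts above the hunk and `logout` continues below it, so exception handling around the call could not be checked from here.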