From 87ddf52c97b8abc632cb0447b0efd57171e5f476 Mon Sep 17 00:00:00 2001
From: James Brechtel
Date: Mon, 12 Mar 2018 16:06:18 -0400
Subject: [PATCH] Stop leaking Nonce generator on authentication
---
 Database/MongoDB/Query.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Database/MongoDB/Query.hs b/Database/MongoDB/Query.hs
index f50bfbe..087641c 100644
--- a/Database/MongoDB/Query.hs
+++ b/Database/MongoDB/Query.hs
@@ -263,7 +263,7 @@ authSCRAMSHA1 :: MonadIO m => Username -> Password -> Action m Bool
 -- ^ Authenticate with the current database, using the SCRAM-SHA-1 authentication mechanism (default in MongoDB server >= 3.0)
 authSCRAMSHA1 un pw = do
 let hmac = HMAC.hmac SHA1.hash 64
- nonce <- (Nonce.new >>= Nonce.nonce128 >>= return . B64.encode)
+ nonce <- liftIO (Nonce.withGenerator Nonce.nonce128 >>= return . B64.encode)
 let firstBare = B.concat [B.pack $ "n=" ++ (T.unpack un) ++ ",r=", nonce]
 let client1 = ["saslStart" =: (1 :: Int), "mechanism" =: ("SCRAM-SHA-1" :: String), "payload" =: (B.unpack . B64.encode $ B.concat [B.pack "n,,", firstBare]), "autoAuthorize" =: (1 :: Int)]
 server1 <- runCommand client1
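Review bot: The context line that builds `firstBare` splices `T.unpack un` into the SCRAM client-first message without escaping, so a username containing `,` or `=` produces a malformed or ambiguous `n=` attribute; RFC 5802 requires those characters to be sent as `=2C` and `=3D`. Consider mapping the name through something like `concatMap (\c -> case c of { '=' -> "=3D"; ',' -> "=2C"; _ -> [c] })` before concatenating it. If `B` is a Char8 ByteString module (its import is not visible here), `B.pack` would also truncate non-ASCII characters instead of UTF-8 encoding them, which is worth confirming. On the added line, `>>= return . B64.encode` reads more directly as `B64.encode <$> Nonce.withGenerator Nonce.nonce128`. The body of authSCRAMSHA1 continues past the end of the hunk.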