From f9308cfef18acb36833e12deb31f30cbda2868e8 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 2 Mar 2020 14:34:57 -0500
Subject: [PATCH] Voucher must be 44 bytes of urlsafe base64

---
 src/_zkapauthorizer/model.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/_zkapauthorizer/model.py b/src/_zkapauthorizer/model.py
index 79ffe1c..9088f04 100644
--- a/src/_zkapauthorizer/model.py
+++ b/src/_zkapauthorizer/model.py
@@ -49,6 +49,10 @@ from twisted.python.filepath import (
     FilePath,
 )
 
+from ._base64 import (
+    urlsafe_b64decode,
+)
+
 from .storage_common import (
     BYTES_PER_PASS,
     required_passes,
@@ -796,7 +800,13 @@ class Voucher(object):
         this voucher if it has been redeemed, ``None`` if it has not been
         redeemed.
     """
-    number = attr.ib()
+    number = attr.ib(
+        validator=attr.validators.and_(
+            attr.validators.instance_of(unicode),
+            is_base64_encoded(urlsafe_b64decode),
+            has_length(44),
+        ),
+    )
     created = attr.ib(
         default=None,
         validator=attr.validators.optional(attr.validators.instance_of(datetime)),
-- 
GitLab