From 7874122fa41c9521605eb30b5007e761b8558deb Mon Sep 17 00:00:00 2001
From: Tim Hawes
Date: Fri, 29 Sep 2023 21:52:31 +0100
Subject: [PATCH] nfctokens: always reject auth for random UIDs
---
 nfctokens/views.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/nfctokens/views.py b/nfctokens/views.py
index 252f949..5205525 100644
--- a/nfctokens/views.py
+++ b/nfctokens/views.py
@@ -224,6 +224,11 @@ def nfc_token_auth(request):
 required_groups = data.get("groups")
 exclude_groups = data.get("exclude_groups", [])
 
+ if len(uid) == 8 and uid.startswith("08"):
+ return JsonResponse(
+ {"found": False, "authorized": False, "reason": "Random UID not allowed"}
+ )
+
 # lookup the token
 try:
 token = NFCToken.objects.get(uid=uid)
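Review bot: The new guard in nfc_token_auth only fires when `uid` is exactly eight characters and begins with `08`, so it depends on `uid` already being a bare hex string at this point; where `uid` is read and whether it is normalised lies outside the hunk, so this is worth confirming. If the request can carry the UID with separators, surrounding whitespace or as a non-string value, the comparison is skipped (or `len()` raises) and control falls through to the token lookup. The constant also deserves a why-comment, for example `# ISO/IEC 14443-3: a 4-byte UID whose first byte is 0x08 is a random ID regenerated per session, so it cannot identify a card`. Logging the rejection, if the view logs its other refusals, would make repeated random-UID attempts visible to whoever monitors the readers.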