def reset_password(auth, **kwargs):
if auth.logged_in:
return auth_logout(redirect_url=request.url)
verification_key = kwargs['verification_key']
form = ResetPasswordForm(request.form)
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {
'message_short':
'Invalid url.',
'message_long':
'The verification key in the URL is invalid or '
'has expired.'
}
raise HTTPError(400, data=error_data)
if request.method == 'POST' and form.validate():
# new random verification key, allows CAS to authenticate the user w/o password one time only.
user_obj.verification_key = security.random_string(20)
user_obj.set_password(form.password.data)
user_obj.save()
status.push_status_message('Password reset', 'success')
# Redirect to CAS and authenticate the user with a verification key.
return redirect(
cas.get_login_url(web_url_for('user_account', _absolute=True),
auto=True,
username=user_obj.username,
verification_key=user_obj.verification_key))
forms.push_errors_to_status(form.errors)
return {
'verification_key': verification_key,
}
def reset_password(auth, **kwargs):
if auth.logged_in:
return auth_logout(redirect_url=request.url)
verification_key = kwargs['verification_key']
form = ResetPasswordForm(request.form)
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {'message_short': 'Invalid url.',
'message_long': 'The verification key in the URL is invalid or '
'has expired.'}
raise HTTPError(400, data=error_data)
if request.method == 'POST' and form.validate():
# new random verification key, allows CAS to authenticate the user w/o password one time only.
user_obj.verification_key = security.random_string(20)
user_obj.set_password(form.password.data)
user_obj.save()
status.push_status_message('Password reset', 'success')
# Redirect to CAS and authenticate the user with a verification key.
return redirect(cas.get_login_url(
web_url_for('user_account', _absolute=True),
auto=True,
username=user_obj.username,
verification_key=user_obj.verification_key
))
forms.push_errors_to_status(form.errors)
return {
'verification_key': verification_key,
}
def reset_password(auth, **kwargs):
if auth.logged_in:
logout()
verification_key = kwargs['verification_key']
form = ResetPasswordForm(request.form)
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {
'message_short':
'Invalid url.',
'message_long':
'The verification key in the URL is invalid or '
'has expired.'
}
raise HTTPError(400, data=error_data)
if request.method == 'POST' and form.validate():
user_obj.verification_key = None
user_obj.set_password(form.password.data)
user_obj.save()
status.push_status_message('Password reset')
return redirect('/account/')
forms.push_errors_to_status(form.errors)
return {
'verification_key': verification_key,
}
def reset_password_post(uid=None, token=None):
"""
View for user to submit reset password form.
HTTP Method: POST
:param uid: the user id
:param token: the token in verification key
:return:
:raises: HTTPError(http.BAD_REQUEST) if verification key for the user is invalid, has expired or was used
"""
form = ResetPasswordForm(request.form)
# Check if request bears a valid pair of `uid` and `token`
user_obj = OSFUser.load(uid)
if not (user_obj and user_obj.verify_password_token(token=token)):
error_data = {
'message_short':
'Invalid Request.',
'message_long':
'The requested URL is invalid, has expired, or was already used',
}
raise HTTPError(http.BAD_REQUEST, data=error_data)
if not form.validate():
# Don't go anywhere
forms.push_errors_to_status(form.errors)
else:
# clear verification key (v2)
user_obj.verification_key_v2 = {}
# new verification key (v1) for CAS
user_obj.verification_key = generate_verification_key(
verification_type=None)
try:
user_obj.set_password(form.password.data)
user_obj.save()
except exceptions.ChangePasswordError as error:
for message in error.messages:
status.push_status_message(message,
kind='warning',
trust=False)
else:
status.push_status_message('Password reset',
kind='success',
trust=False)
# redirect to CAS and authenticate the user automatically with one-time verification key.
return redirect(
cas.get_login_url(web_url_for('user_account', _absolute=True),
username=user_obj.username,
verification_key=user_obj.verification_key))
return {
'uid': user_obj._id,
'token': user_obj.verification_key_v2['token'],
}
def reset_password_post(uid=None, token=None):
"""
View for user to submit reset password form.
HTTP Method: POST
:param uid: the user id
:param token: the token in verification key
:return:
:raises: HTTPError(http.BAD_REQUEST) if verification key for the user is invalid, has expired or was used
"""
form = ResetPasswordForm(request.form)
# Check if request bears a valid pair of `uid` and `token`
user_obj = User.load(uid)
if not (user_obj and user_obj.verify_password_token(token=token)):
error_data = {
'message_short': 'Invalid Request.',
'message_long': 'The requested URL is invalid, has expired, or was already used',
}
raise HTTPError(http.BAD_REQUEST, data=error_data)
if not form.validate():
# Don't go anywhere
forms.push_errors_to_status(form.errors)
else:
# clear verification key (v2)
user_obj.verification_key_v2 = {}
# new verification key (v1) for CAS
user_obj.verification_key = generate_verification_key(verification_type=None)
try:
user_obj.set_password(form.password.data)
user_obj.save()
except exceptions.ChangePasswordError as error:
for message in error.messages:
status.push_status_message(message, kind='warning', trust=False)
else:
status.push_status_message('Password reset', kind='success', trust=False)
# redirect to CAS and authenticate the user automatically with one-time verification key.
return redirect(cas.get_login_url(
web_url_for('user_account', _absolute=True),
username=user_obj.username,
verification_key=user_obj.verification_key
))
return {
'uid': user_obj._id,
'token': user_obj.verification_key_v2['token'],
}
def reset_password_post(auth, verification_key=None, **kwargs):
"""
View for user to submit reset password form.
HTTP Method: POST
:raises: HTTPError(http.BAD_REQUEST) if verification_key is invalid
"""
# If user is already logged in, log user out
if auth.logged_in:
return auth_logout(redirect_url=request.url)
form = ResetPasswordForm(request.form)
# Check if request bears a valid verification_key
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {
'message_short': 'Invalid url.',
'message_long': 'The verification key in the URL is invalid or has expired.'
}
raise HTTPError(400, data=error_data)
if form.validate():
# new random verification key, allows CAS to authenticate the user w/o password, one-time only.
# this overwrite also invalidates the verification key generated by forgot_password_post
user_obj.verification_key = generate_verification_key()
try:
user_obj.set_password(form.password.data)
user_obj.save()
except exceptions.ChangePasswordError as error:
for message in error.messages:
status.push_status_message(message, kind='warning', trust=False)
else:
status.push_status_message('Password reset', kind='success', trust=False)
# redirect to CAS and authenticate the user with the one-time verification key.
return redirect(cas.get_login_url(
web_url_for('user_account', _absolute=True),
username=user_obj.username,
verification_key=user_obj.verification_key
))
else:
forms.push_errors_to_status(form.errors)
# Don't go anywhere
return {
'verification_key': verification_key
}, 400
def reset_password_post(auth, verification_key=None, **kwargs):
"""
View for user to submit reset password form.
HTTP Method: POST
:raises: HTTPError(http.BAD_REQUEST) if verification_key is invalid
"""
# If user is already logged in, log user out
if auth.logged_in:
return auth_logout(redirect_url=request.url)
form = ResetPasswordForm(request.form)
# Check if request bears a valid verification_key
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {
'message_short': 'Invalid url.',
'message_long': 'The verification key in the URL is invalid or has expired.'
}
raise HTTPError(400, data=error_data)
if form.validate():
# new random verification key, allows CAS to authenticate the user w/o password, one-time only.
# this overwrite also invalidates the verification key generated by forgot_password_post
user_obj.verification_key = generate_verification_key()
try:
user_obj.set_password(form.password.data)
user_obj.save()
except exceptions.ChangePasswordError as error:
for message in error.messages:
status.push_status_message(message, kind='warning', trust=False)
else:
status.push_status_message('Password reset', kind='success', trust=False)
# redirect to CAS and authenticate the user with the one-time verification key.
return redirect(cas.get_login_url(
web_url_for('user_account', _absolute=True),
username=user_obj.username,
verification_key=user_obj.verification_key
))
else:
forms.push_errors_to_status(form.errors)
# Don't go anywhere
return {
'verification_key': verification_key
}, 400
def reset_password(**kwargs):
verification_key = kwargs['verification_key']
form = ResetPasswordForm(request.form)
user_obj = get_user(verification_key=verification_key)
if not user_obj:
error_data = {'message_short': 'Invalid url.',
'message_long': 'The verification key in the URL is invalid or '
'has expired.'}
raise exceptions.HTTPError(400, data=error_data)
if request.method == 'POST' and form.validate():
user_obj.verification_key = None
user_obj.set_password(form.password.data)
user_obj.save()
status.push_status_message('Password reset')
return redirect('/account/')
forms.push_errors_to_status(form.errors)
return {
'verification_key': verification_key,
}
def reset_password_form():
return form_utils.jsonify(ResetPasswordForm())