def test_change_password_failures(client):
    """Two failing change attempts: a rejected current password, then a weak new one.

    Neither attempt may alter the stored password hash.
    """
    replacement = "******"
    user = users_factories.UserFactory()

    bearer = create_access_token(identity=user.email)
    client.auth_header = {"Authorization": f"Bearer {bearer}"}

    def attempt(current, new):
        # Same endpoint and payload shape for both attempts.
        return client.post(
            "/native/v1/change_password",
            json={"currentPassword": current, "newPassword": new},
        )

    # First attempt: the server rejects the supplied current password.
    response = attempt("******", replacement)
    assert response.status_code == 400
    assert response.json["code"] == "INVALID_PASSWORD"

    # Second attempt: correct current password, new one fails the strength policy.
    response = attempt(users_factories.DEFAULT_PASSWORD, "******")
    assert response.status_code == 400
    assert response.json["code"] == "WEAK_PASSWORD"

    # The stored hash must be untouched after both failures.
    # NOTE(review): comparing hashes for equality assumes hash_password is
    # deterministic (unsalted) under the test settings — confirm.
    db.session.refresh(user)
    assert user.password == crypto.hash_password(users_factories.DEFAULT_PASSWORD)
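 def _build(cls, model_class, *args, **kwargs):
     """Build a user with a hashed password and, when possible, a derived publicName.

     Args:
         model_class: the model to instantiate (forwarded to the parent factory).
         *args, **kwargs: factory arguments; ``password`` is replaced by its hash
             and ``publicName`` is derived from ``firstName``/``lastName`` when absent.

     Returns:
         The built instance, with ``clearTextPassword`` holding the plain password
         that was actually hashed so tests can authenticate with it.
     """
     password = kwargs.get("password", DEFAULT_PASSWORD)
     kwargs["password"] = crypto.hash_password(password)
     # ``kwargs.get`` rather than indexing: a missing name must not raise KeyError,
     # and an empty name must not produce a publicName of just a space.
     if "publicName" not in kwargs and kwargs.get("firstName") and kwargs.get("lastName"):
         kwargs["publicName"] = f"{kwargs['firstName']} {kwargs['lastName']}"
     instance = super()._build(model_class, *args, **kwargs)
     # Record the password that was hashed, not unconditionally the default;
     # otherwise a caller-supplied password leaves clearTextPassword wrong.
     instance.clearTextPassword = password
     return instance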
def test_reset_password_for_unvalidated_email(client):
    """A valid reset token sets the new password and validates a pending e-mail."""
    chosen = "******"

    account = users_factories.UserFactory(isEmailValidated=False)
    reset_token = users_factories.ResetPasswordToken(user=account)

    payload = {"reset_password_token": reset_token.value, "new_password": chosen}
    response = client.post("/native/v1/reset_password", json=payload)
    assert response.status_code == 204

    db.session.refresh(account)
    # NOTE(review): hash equality assumes a deterministic hash_password under
    # test settings — confirm.
    assert account.password == crypto.hash_password(chosen)
    # Completing a reset counts as proof of e-mail ownership.
    assert account.isEmailValidated
def test_reset_password_success(client):
    """A valid reset token updates the password and is marked as used."""
    chosen = "******"

    account = users_factories.UserFactory()
    reset_token = users_factories.ResetPasswordToken(user=account)

    payload = {"reset_password_token": reset_token.value, "new_password": chosen}
    response = client.post("/native/v1/reset_password", json=payload)
    assert response.status_code == 204

    db.session.refresh(account)
    # NOTE(review): hash equality assumes a deterministic hash_password under
    # test settings — confirm.
    assert account.password == crypto.hash_password(chosen)

    # The token must be single-use: reload it and check the flag.
    stored_token = Token.query.get(reset_token.id)
    assert stored_token.isUsed
def test_change_password_success(client):
    """With the correct current password, the new password is stored hashed."""
    chosen = "******"
    account = users_factories.UserFactory()

    bearer = create_access_token(identity=account.email)
    client.auth_header = {"Authorization": f"Bearer {bearer}"}

    payload = {
        "currentPassword": users_factories.DEFAULT_PASSWORD,
        "newPassword": chosen,
    }
    response = client.post("/native/v1/change_password", json=payload)
    assert response.status_code == 204

    db.session.refresh(account)
    # NOTE(review): hash equality assumes a deterministic hash_password under
    # test settings — confirm.
    assert account.password == crypto.hash_password(chosen)
 def hash_secret(self, create, extracted):
     """Store the hash of the given secret, falling back to DEFAULT_SECRET.

     Presumably a factory post-generation hook: ``create`` is not used here;
     ``extracted`` is the caller-supplied secret, if any.
     """
     plain_secret = extracted if extracted else DEFAULT_SECRET
     self.secret = crypto.hash_password(plain_secret)
def generate_api_key(offerer_id: int) -> tuple[ApiKey, str]:
    """Create an ApiKey for *offerer_id* and return it with its clear-text value.

    Only the hash of the secret is kept on the ApiKey; the clear text
    ``prefix + API_KEY_SEPARATOR + secret`` is returned to the caller, which is
    the only place it is available.

    Returns:
        ``(api_key, clear_text_key)``.
    """
    # 32 random bytes (64 hex characters) from the CSPRNG-backed secrets module.
    clear_secret = secrets.token_hex(32)
    prefix = _generate_api_key_prefix()
    hashed_secret = crypto.hash_password(clear_secret)
    key = ApiKey(offererId=offerer_id, prefix=prefix, secret=hashed_secret)
    clear_text_key = f"{prefix}{API_KEY_SEPARATOR}{clear_secret}"
    return key, clear_text_key
 def setPassword(self, newpass):
     """Replace the password, keeping the clear text next to the stored hash."""
     self.clearTextPassword = newpass
     hashed = crypto.hash_password(newpass)
     self.password = hashed
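 def _build(cls, model_class, *args, **kwargs):
     """Build an instance whose ``password`` kwarg is replaced by its hash.

     Args:
         model_class: the model to instantiate (forwarded to the parent factory).
         *args, **kwargs: factory arguments; ``password`` defaults to DEFAULT_PASSWORD.

     Returns:
         The built instance, with ``clearTextPassword`` holding the plain password
         that was actually hashed so tests can authenticate with it.
     """
     password = kwargs.get("password", DEFAULT_PASSWORD)
     kwargs["password"] = crypto.hash_password(password)
     instance = super()._build(model_class, *args, **kwargs)
     # Record the password that was hashed, not unconditionally the default;
     # otherwise a caller-supplied password leaves clearTextPassword wrong.
     instance.clearTextPassword = password
     return instance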
def random_hashed_password() -> bytes:
    """Return the hash of a freshly generated 12-character random token."""
    plain = random_token(length=12)
    return crypto.hash_password(plain)
from pcapi.models import Offerer
from pcapi.models import Stock
from pcapi.models import UserOfferer
from pcapi.models import Venue
from pcapi.repository import repository
from pcapi.repository.user_queries import find_user_by_email
from pcapi.utils import crypto

from . import constants
from . import exceptions
from . import models
from .models import User

logger = logging.getLogger(__name__)

# Hash of a dummy password, computed once at import time. It is checked against
# the supplied password when no user matches, so that an unknown e-mail still
# costs a full password verification and response time does not reveal whether
# the e-mail is registered.
HASHED_PLACEHOLDER = crypto.hash_password("placeholder")


def check_user_and_credentials(user: User, password: str) -> None:
    # Order is important to prevent end-user to guess user emails
    # We need to check email and password before checking email validation
    if not user:
        # Hash the given password, just like we would do if the user
        # existed. This avoids user enumeration by comparing server
        # response time.
        crypto.check_password(password, HASHED_PLACEHOLDER)
        raise exceptions.InvalidIdentifier()
    if not user.checkPassword(password) or not user.isActive:
        logging.info("Failed authentication attempt",
                     extra={
                         "user": user.id,
 def test_check_password(self):
     """check_password accepts the original secret and rejects any other value."""
     stored_hash = crypto.hash_password("secret")
     assert crypto.check_password("secret", stored_hash)
     assert not crypto.check_password("wrong", stored_hash)
 def test_hash_password_uses_md5(self):
     """Under this configuration hash_password yields the hex MD5 digest of the input.

     NOTE(review): unsalted MD5 is not an acceptable password hash for
     production data; presumably this covers a fast test/dev setting only — confirm.
     """
     expected_digest = b"5ebe2294ecd0e0f08eab7690d2a6ee69"
     assert crypto.hash_password("secret") == expected_digest
 def test_hash_password_uses_bcrypt(self):
     """hash_password must not return the clear text and must emit a bcrypt hash."""
     digest = crypto.hash_password("secret")
     assert digest != "secret"
     # "$2b$" is the modular-crypt prefix of a bcrypt hash.
     assert digest.startswith(b"$2b$")