def change_password():
"""Updates the password for the user"""
if not request.json:
response = {'message': 'no post body'}
return jsonify(response), 400
else:
# Check the post body for the correct keys
if 'old_password' not in request.json:
response = {'message': 'old_password missing in post body'}
return jsonify(response), 400
if 'new_password' not in request.json:
response = {'message': 'new_password missing in post body'}
return jsonify(response), 400
if 'new_password2' not in request.json:
response = {'message': 'new_password2 missing in post body'}
return jsonify(response), 400
# Check to see if the old password was correct
user_management = UserManagement()
old_password = request.json['old_password']
username = get_jwt_identity()
authorized = user_management.authenticate_user(username=username,
password=old_password)
log_request(request, username, authorized)
if not authorized:
msg = 'Current password is incorrect.'
response = {'message': msg, 'errors': [msg]}
return jsonify(response), 400
# Check to make sure the two new passwords match
new_password = request.json['new_password']
new_password2 = request.json['new_password2']
if new_password != new_password2:
msg = 'New passwords did not match.'
response = {'message': msg, 'errors': [msg]}
return jsonify(response), 400
# Update the user's password
updated, errors = user_management.update_password(username,
new_password,
display_error=True)
if updated:
response = {
'message': 'password updated for %s' % (username),
'errors': []
}
return jsonify(response), 201
else:
response = {'message': 'password update failed', 'errors': errors}
return jsonify(response), 400
def user_authenticate():
"""
Authenticates a user and returns a json web token
In the response body, refresh_token is the refresh token
and jwt is the access token
"""
if not request.json:
response = {'message': 'no post body'}
return jsonify(response), 400
auth_user = request.json
if 'username' not in auth_user or 'password' not in auth_user:
response = {'message': 'missing key in post body'}
return jsonify(response), 400
username = auth_user['username']
password = auth_user['password']
user_management = UserManagement()
user = user_management.get_user(username)
if not user:
authorized = False
else:
authorized = user_management.authenticate_user(username=username,
password=password)
last_reset = str(user['pw_update_ts'])
domain = conf.SUBDOMAIN
bad_attempts = count_bad_login_attempts(username, 'dev', last_reset)
if bad_attempts > 10:
msg = 'account locked for user %s' % (auth_user['username'])
response = {'message': msg}
return jsonify(response), 423
log_request(request, username, authorized)
if authorized:
access_token = create_access_token(identity=username)
refresh_token = create_refresh_token(identity=username)
response = jsonify({'login': True})
set_access_cookies(response,
access_token,
max_age=conf.JWT_ACCESS_TOKEN_EXPIRES)
set_refresh_cookies(response,
refresh_token,
max_age=conf.JWT_REFRESH_TOKEN_EXPIRES)
return response, 200
else:
msg = 'authentication failed for user %s' % (auth_user['username'])
response = {'message': msg}
return jsonify(response), 401
def test_change_password():
user_management = UserManagement()
user_management.delete_user(conf.TEST_USER)
user_management.add_user(conf.TEST_USER, conf.TEST_PASSWORD)
response = CLIENT.post('/service/user/authenticate',
json=dict(username=conf.TEST_USER,
password=conf.TEST_PASSWORD))
assert response.status_code == 200
jwt = utils._get_cookie_from_response(response, 'access_token_cookie')
csrf = utils._get_cookie_from_response(response, 'csrf_access_token')
# JSON body is required to update password
response = CLIENT.post('/service/user/change-password',
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Old password must be correct to change password
response = CLIENT.post('/service/user/change-password',
json=dict(old_password='******',
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!1'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# New passwords must match to update password
response = CLIENT.post('/service/user/change-password',
json=dict(old_password=conf.TEST_PASSWORD,
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!2'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 400
# Success!
response = CLIENT.post('/service/user/change-password',
json=dict(old_password=conf.TEST_PASSWORD,
new_password=conf.TEST_PASSWORD + '!1',
new_password2=conf.TEST_PASSWORD + '!1'),
headers={
'Cookies': 'access_token_cookie=%s' % (jwt),
'X-CSRF-TOKEN': csrf['csrf_access_token']
})
assert response.status_code == 201
# Make sure password update worked
authorized = user_management.authenticate_user(
username=conf.TEST_USER, password='******')
url = '/service/user/logout'
response = CLIENT.post(url)
assert response.status_code == 200
user_management.delete_user(conf.TEST_USER)
user = user_management.get_user(conf.TEST_USER)
assert user == None