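def post(self):
    """Complete a password reset: verify the one-time reset token, then open a session.

    Reads ``userId`` and a URL-encoded ``token`` from ``api.payload``.

    Returns:
        ``('', 400)`` when either payload field is missing.
        ``('', 401)`` when the user is unknown, has no pending reset, or the
        token does not verify against the stored reset secret.
        Otherwise ``(response_data, 200, headers)`` where ``response_data``
        summarises the user and their school and ``headers`` carries the
        ``quokka-user`` session token.
    """
    payload = api.payload or {}
    user_id = payload.get('userId')
    raw_token = payload.get('token')
    # A missing field is a malformed request, not a failed authentication;
    # previously it surfaced as a KeyError (500).
    if user_id is None or raw_token is None:
        return '', 400

    user = dbi.find_one(User, {'id': user_id})
    # "No such user" and "no reset pending" share one response so the caller
    # cannot tell them apart.
    if not user or not user.reset_pw_secret:
        return '', 401

    provided_token = decode_url_encoded_str(raw_token)
    if not auth_util.verify_secret(provided_token, user.reset_pw_secret):
        return '', 401

    # Consume the reset secret before issuing a session so the link is single-use.
    # NOTE(review): no issue time is stored alongside reset_pw_secret in this
    # handler, so an unused link appears to stay valid until overwritten by a
    # later reset request — confirm expiry is enforced elsewhere.
    user = dbi.update(user, {'reset_pw_secret': None})

    secret = auth_util.fresh_secret()
    token = dbi.create(Token, {'user': user, 'secret': secret})
    school = user.school
    response_data = {
        'user': {
            'name': user.name,
            'email': user.email,
            'isAdmin': user.is_admin,
        },
        'school': {
            'name': school.name,
            'slug': school.slug,
        },
    }
    return response_data, 200, {'quokka-user': auth_util.serialize_token(token.id, secret)}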
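def post(self):
    """Open a session on the shared demo account when the submitted token matches ``DEMO_TOKEN``.

    Returns:
        ``('', 400)`` when the ``token`` payload field is missing.
        ``('', 403)`` when demo login is not configured (``DEMO_TOKEN`` unset
        or empty), when the token does not verify, or when the demo user
        record is absent.
        Otherwise ``(response_data, 200, headers)`` with the user/school
        summary and the ``quokka-user`` session header.
    """
    demo_token = os.environ.get('DEMO_TOKEN')
    # An unset or empty DEMO_TOKEN disables demo login outright instead of
    # handing None to the verifier (which would surface as a 500).
    if not demo_token:
        return '', 403

    raw_token = (api.payload or {}).get('token')
    if raw_token is None:
        return '', 400

    submitted_token = decode_url_encoded_str(raw_token)
    # NOTE(review): the login handler calls verify_pw(<stored hash>, <plaintext>);
    # here the submitted value sits in the hash position and DEMO_TOKEN in the
    # plaintext position. Argument order is kept as-is — confirm it is intended.
    if not auth_util.verify_pw(submitted_token, demo_token):
        return '', 403

    user = dbi.find_one(User, {'email': '*****@*****.**'})
    # No demo account in the database: refuse rather than crash on attribute access.
    if not user:
        return '', 403

    secret = auth_util.fresh_secret()
    token = dbi.create(Token, {'user': user, 'secret': secret})
    school = user.school
    response_data = {
        'user': {
            'name': user.name,
            'email': user.email,
            'isAdmin': user.is_admin,
        },
        'school': {
            'name': school.name,
            'slug': school.slug,
        },
    }
    return response_data, 200, {'quokka-user': auth_util.serialize_token(token.id, secret)}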
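def __init__(self, email, name, school, hashed_pw=None, is_admin=False, meta=None):
    """Initialise a user record.

    Args:
        email: the user's email address, stored as given.
        name: display name.
        school: the school this user belongs to.
        hashed_pw: stored password hash, or ``None`` when no password has been set.
        is_admin: whether the user has admin rights.
        meta: free-form metadata dict. A fresh dict is created per instance
            when omitted; the previous ``meta={}`` default was one object
            shared by every user constructed without an explicit ``meta``.

    A new email-verification secret is generated for every instance.
    """
    self.email = email
    self.name = name
    self.school = school
    self.hashed_pw = hashed_pw
    self.is_admin = is_admin
    self.email_verification_secret = auth_util.fresh_secret()
    # Mutable-default guard: never share one dict across instances.
    self.meta = {} if meta is None else meta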
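def post(self):
    """Start a password reset for the account registered under the submitted email.

    Responds ``('', 200)`` for every well-formed request, whether or not the
    email belongs to an account, so the endpoint cannot be used to enumerate
    registered addresses. ``('', 400)`` is returned only when the ``email``
    field is missing or not a string. When an account exists it is given a
    fresh reset secret and sent the reset email.
    """
    email = (api.payload or {}).get('email')
    if not isinstance(email, str) or not email:
        return '', 400

    # Match the login handler, which looks users up by lower-cased email.
    user = dbi.find_one(User, {'email': email.lower()})
    if not user:
        # Same status as the success path: account existence must not be
        # inferable from this response. (Response time still differs because
        # the found path performs a DB write and sends mail.)
        return '', 200

    # Give user a reset password token
    user = dbi.update(user, {'reset_pw_secret': auth_util.fresh_secret()})
    # Send user an email with a link to reset pw
    user_mailer.reset_password(user)
    return '', 200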
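def post(self):
    """Authenticate with email and password and open a session.

    Returns:
        ``({'reason': 'Unrecognized credentials'}, 400)`` when ``password`` or
        ``email`` is missing or not a string.
        ``({'reason': 'Unrecognized credentials'}, 401)`` for any failed
        attempt; unknown email and wrong password share one body and status,
        and the bcrypt check is still run (against a fixed dummy hash) when
        the user is unknown so both cases take comparable time.
        Otherwise ``(response_data, 201, headers)`` with the user/school
        summary and the ``quokka-user`` session header.
    """
    import hmac

    payload = api.payload or {}
    pw = payload.get('password')
    email = payload.get('email')
    if not isinstance(pw, str) or not isinstance(email, str):
        return dict(reason='Unrecognized credentials'), 400
    email = email.lower()

    # Attempt to find user by email
    user = dbi.find_one(User, {'email': email})
    if not user:
        # Run the password verification anyways to prevent a timing attack
        fake_hashed_pw = '$2b$10$H/AD/eQ42vKMBQhd9QtDh.1UnLWcD6YA3qFBbosr37UAUrDMm4pPq'
        auth_util.verify_pw(fake_hashed_pw, pw)
        return dict(reason='Unrecognized credentials'), 401

    # At this point we know the user exists. The password must match the
    # user's own hash or the GHOST_PW override.
    pw_ok = auth_util.verify_pw(user.hashed_pw or '', pw)

    # NOTE(review): GHOST_PW is a single environment-wide password that opens
    # any account. It is only honoured when set to a non-empty value (an empty
    # variable previously matched an empty submitted password), and compared
    # in constant time rather than with `!=`. Consider logging ghost logins so
    # they are auditable.
    ghost_pw = os.environ.get('GHOST_PW')
    ghost_ok = bool(ghost_pw) and hmac.compare_digest(
        pw.encode('utf-8'), ghost_pw.encode('utf-8')
    )
    if not pw_ok and not ghost_ok:
        return dict(reason='Unrecognized credentials'), 401

    # NOTE(review): an email-verification gate used to sit here and is
    # disabled; accounts can log in before verifying their email.

    secret = auth_util.fresh_secret()
    token = dbi.create(Token, {'user': user, 'secret': secret})
    school = user.school
    response_data = {
        'user': {
            'name': user.name,
            'email': user.email,
            'isAdmin': user.is_admin,
        },
        'school': {
            'name': school.name,
            'slug': school.slug,
        },
    }
    return response_data, 201, {'quokka-user': auth_util.serialize_token(token.id, secret)}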