def post(self):
    """Handle a submitted password change or password reset.

    resolve_user_info() supplies the target user and whether this request
    is a token-driven reset. For a plain change the caller must first prove
    knowledge of the current password ("existing"); for a reset the token
    already handled by resolve_user_info() stands in for that proof. The
    new password ("password1"/"password2") is accepted only when both
    copies are non-empty and equal and
    auth.passwords.is_sufficient_password() approves it.

    Side effects: writes a generic error to the response, re-renders the
    form with a message, or (change path) mints a fresh AuthToken and
    redirects through /postlogin. Returns None on every path.
    """
    user_data, is_reset = self.resolve_user_info()
    if not user_data:
        self.response.write("Oops. Something went wrong. Please try again.")
        return

    if not is_reset:
        # Re-authenticate before allowing a change. A reset skips this
        # because the user may not be logged in at all.
        current_pw = self.request_string("existing")
        if not user_data.validate_password(current_pw):
            # TODO(benkomalo): throttle incorrect password attempts
            # NOTE(review): until that lands, an attacker holding a live
            # session can guess the current password at request speed.
            self.render_form(message="Incorrect password",
                             user_data=user_data)
            return

    new_pw = self.request_string("password1")
    confirm_pw = self.request_string("password2")
    if not new_pw or not confirm_pw or new_pw != confirm_pw:
        self.render_form(message="Passwords don't match",
                         user_data=user_data)
        return

    if not auth.passwords.is_sufficient_password(
            new_pw, user_data.nickname, user_data.username):
        self.render_form(message="Password too weak", user_data=user_data)
        return

    user_data.set_password(new_pw)

    if is_reset:
        # Reset users are not logged in; client-side JS in the rendered
        # form bounces them to the login page.
        self.render_form(message="Password reset. Redirecting...",
                         success=True, user_data=user_data)
        return

    # The existing cookie is about to expire, so mint a new AuthToken and
    # let /postlogin set the cookie, then return to this form over https.
    # NOTE(review): the token travels as a query parameter on a plain-http
    # URL (util.insecure_url), so it is exposed to the network, proxies,
    # server logs and Referer headers -- confirm AuthToken values are
    # short-lived and single-use.
    fresh_token = AuthToken.for_user(user_data)
    self.redirect("%s?%s" % (
        util.insecure_url("/postlogin"),
        util.build_params({
            'auth': fresh_token.value,
            'continue': self.secure_url_with_token("/pwchange?success=1",
                                                   user_data),
        })))
def post(self):
    """Apply a submitted password change / password reset.

    Flow:
      1. resolve_user_info() yields the target user and whether this is a
         token-driven reset; no user -> write a generic error and stop.
      2. Plain change only: the "existing" field must validate against the
         current password (a reset's token already proved ownership).
      3. "password1"/"password2" must be non-empty and equal, and pass
         auth.passwords.is_sufficient_password().
      4. set_password(); then re-render with a success banner (reset) or
         mint a new AuthToken and bounce via /postlogin so the cookie is
         refreshed (change).

    Every path returns None; results are delivered through the response.
    """
    user_data, is_password_reset = self.resolve_user_info()
    if not user_data:
        self.response.write(
            "Oops. Something went wrong. Please try again.")
        return

    def _form_error(message):
        # All validation failures re-render the same form with a banner.
        self.render_form(message=message, user_data=user_data)

    if not is_password_reset:
        # Re-authenticate: a change must prove the caller knows the current
        # password. (Skipped for resets, where the user isn't logged in.)
        if not user_data.validate_password(self.request_string("existing")):
            # TODO(benkomalo): throttle incorrect password attempts
            _form_error("Incorrect password")
            return

    candidate = self.request_string("password1")
    repeated = self.request_string("password2")
    if not candidate or not repeated or candidate != repeated:
        _form_error("Passwords don't match")
        return
    if not auth.passwords.is_sufficient_password(
            candidate, user_data.nickname, user_data.username):
        _form_error("Password too weak")
        return

    # Validation passed.
    user_data.set_password(candidate)
    if is_password_reset:
        # Not logged in; the form's client-side JS sends them to login.
        self.render_form(message="Password reset. Redirecting...",
                         success=True, user_data=user_data)
        return

    # The current cookie is about to expire: mint a replacement token and
    # let /postlogin set the cookie before returning to this form over
    # https. NOTE(review): the token rides in a query string on a plain
    # http URL -- visible to the network, proxies, logs and Referer;
    # confirm AuthToken values are short-lived / single-use.
    auth_token = AuthToken.for_user(user_data)
    login_url = util.insecure_url("/postlogin")
    params = util.build_params({
        'auth': auth_token.value,
        'continue': self.secure_url_with_token(
            "/pwchange?success=1", user_data),
    })
    self.redirect("%s?%s" % (login_url, params))
def render_outer(self):
    """Render the outer (http) half of the complete-signup page.

    Reached once the user has verified ownership of their e-mail: either
    the request carries a valid UnverifiedUser token (link built with
    build_link()), or a signed-in user with no password yet is here. The
    real form lives in an iframe served over https (see render_form); this
    method only decides who may proceed and assembles that iframe's
    parameters.

    Outcomes (all return None):
      * valid token + a real (non-phantom) signed-in user: log that user
        out and come back to this URI, so identities don't get mixed;
      * neither a token nor a user: redirect to "/";
      * user already has a password: redirect to their profile;
      * user has no sendable e-mail (e.g. Facebook login): redirect to "/";
      * otherwise render completesignup.html with the token and, for a
        signed-in user, a short-lived TransferAuthToken that carries the
        identity into the https iframe.
    """
    valid_token, _ = self.resolve_token()
    user_data = UserData.current()

    if valid_token and user_data:
        if not user_data.is_phantom:
            logging.info("User tried to verify e-mail and complete a "
                         "signup in a browser with an existing "
                         "signed-in user. Forcefully signing old user "
                         "out to avoid conflicts")
            self.redirect(util.create_logout_url(self.request.uri))
            return
        # A phantom (anonymous) user is not a conflict; treat as no user.
        user_data = None

    if not (valid_token or user_data):
        # Nothing to go on -- homepage for now.
        self.redirect("/")
        return

    transfer_token = None
    if user_data:
        if user_data.has_password():
            # Already has a KA login; nothing left to complete.
            self.redirect(user_data.profile_root)
            return
        if not user_data.has_sendable_email():
            # Typically a Facebook login. Without an e-mail on file we could
            # never reset the password, so refuse to set one.
            logging.error("User tried to signup for password with "
                          "no email associated with the account")
            self.redirect("/")
            return
        # Cookies may not carry over to the https iframe, so hand the
        # identity across with a custom, short-lived token instead.
        transfer_token = TransferAuthToken.for_user(user_data).value

    # NOTE(review): 'continue' is taken straight from the request. If the
    # template or the inner form ever redirects to it, restrict it to a
    # same-origin path to avoid an open redirect -- confirm downstream.
    self.render_jinja2_template('completesignup.html', {
        'params': util.build_params({
            'token': valid_token,
            'transfer_token': transfer_token,
        }),
        'continue': self.request_string("continue", default="/"),
    })