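def register():
    """Register a new user and send them an activation email.

    Reads the JSON request body and expects ``email``, ``first_name``,
    ``last_name`` and ``password``. Replies 400 when the body is not a JSON
    object, when a required field is missing or empty, or when the email is
    already registered; otherwise creates the ``UserModel`` record, hashes
    the password, sends the activation link and returns the serialized user.

    Returns:
        A Flask-style ``(response, 400)`` tuple on rejection, or the JSON
        success payload built with ``jsonify``.
    """
    user_data = request.get_json()
    missing_fields_reply = (
        jsonify("You must provide an email, first_name, last_name, and password"),
        400,
    )
    # A missing or non-object body previously raised TypeError/KeyError (a 500);
    # it is a client error and gets the same 400 as an incomplete body.
    if not isinstance(user_data, dict):
        return missing_fields_reply
    # The original message promised an email check but never performed one, so a
    # body without "email" crashed on the lookup below instead of returning 400.
    email = user_data.get("email")
    if not email:
        return missing_fields_reply
    # user exists
    # NOTE(review): this distinct message reveals whether an address is already
    # registered (account enumeration); kept because callers may depend on it.
    if UserModel.count(email):
        return jsonify("Email already registered"), 400
    # incomplete user data
    if not all(
        user_data.get(field) for field in ("first_name", "last_name", "password")
    ):
        return missing_fields_reply
    # good to go, let's get them registered
    # utcnow() is kept (naive UTC) because the stored format is defined by
    # UserModel, which is not visible here -- switching to an aware datetime
    # could change what gets persisted.
    user_instance = UserModel(
        email,
        created_at=datetime.datetime.utcnow(),
        first_name=user_data["first_name"],
        last_name=user_data["last_name"],
    )
    # hash the password (the plaintext is never stored on the instance)
    user_instance.setPasswordHash(user_data["password"])
    # compose and send activation email
    # Only the configured site URL and the activation token are interpolated;
    # no user-supplied text is placed into the HTML. Assumes
    # encode_activation_token() yields a URL-safe value -- confirm.
    email_template = """
    <h1>Rentalated</h1>
    <a href="{url}/test/activate/{encoded_id}">
    <p>Click this link to activate your account!</p>
    </a>
    """.format(url=config.WEBSITE_URL, encoded_id=encode_activation_token(email))
    send_email(
        email,
        "The time has come for you to activate your Rentalated account.",
        email_template,
    )
    # save the user with .activated=False (presumably the UserModel default;
    # nothing here sets it -- verify against the model)
    user_instance.save()
    return jsonify({
        "msg": "user saved && activation email sent",
        "saved_user": user_instance.serialize(),
    })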
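def login():
    """Authenticate a user and return an auth token.

    Reads ``email`` and ``password`` from the JSON body. Succeeds only when the
    user exists, the password verifies via ``checkPassword`` and the account is
    active; every other outcome yields the same generic 400 so the response
    body does not reveal which check failed.

    Returns:
        The value of ``user_instance.encodeAuthToken()`` on success, or the
        tuple ``("Error logging in", 400)``.
    """
    user_data = request.get_json()
    # A missing/non-object body or absent keys used to raise KeyError (a 500);
    # they are just another failed login and get the same generic reply.
    if not isinstance(user_data, dict):
        return "Error logging in", 400
    email = user_data.get("email")
    password = user_data.get("password")
    if email is None or password is None:
        return "Error logging in", 400
    # CURTIS: does the below work in terms of timing attacks?
    # Partly. The response body is identical for every failure, but an unknown
    # email skips checkPassword() entirely, so it answers measurably faster than
    # a wrong password -- a timing side channel that allows account enumeration.
    # Closing it means running the hash check against a fixed dummy hash on the
    # not-found path; that needs a helper on UserModel this file does not show,
    # so it is left as a TODO rather than invented here.
    # TODO(review): add a constant-time not-found path once UserModel exposes one.
    valid_login = False
    user_instance = None
    # valid_login becomes true iff they exist, their password checks out,
    # and their account is active.
    if UserModel.count(email):
        user_instance = UserModel.get(email)
        if user_instance.checkPassword(password):
            valid_login = bool(user_instance.active)
    if valid_login:
        # Reuse the record fetched above; the original issued a second
        # UserModel.get() for the same email here.
        return user_instance.encodeAuthToken()
    return "Error logging in", 400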