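def do_post(request, *args, **kwargs):
    """
    Change a user's password.

    Two flows are supported, selected by the presence of a URL token:

    * forgot-password flow: a long (> 60 chars) URL token is resolved through
      ``base_api.hash2params.retrieve_hash`` and the username carried in its
      payload is used; no other authentication is performed.
    * logged-in flow: the caller's ``auth_token`` is checked with
      ``authorized_by_token``, and the current password must be supplied and
      verified with ``check_password`` before it is replaced.

    :param newpassword: the new password, request argument, required
    :param oldpassword: the current password, request argument, required
        only in the logged-in flow
    :return: ``post_ok`` with ``msgs.USER_PASSWORD_CHANGED`` on success,
        otherwise an error message from ``base_common.msg.error``
    """

    log = request.log
    _db = get_md2db()
    dbc = _db.cursor()

    # TODO: check users token

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request, log)
    if h2p and len(h2p) > 60:
        # The length test is only a cheap sanity check; the token is actually
        # validated (and its parameters recovered) by retrieve_hash.
        rh = BaseAPIRequestHandler(log)
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        res = base_api.hash2params.retrieve_hash.do_get(rh)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

        try:
            username = res['username']
        except KeyError as e:
            # A token payload without a username must not fall through to
            # the UPDATE below with an unbound name.
            log.critical('Missing hash parameter: {}'.format(e))
            return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)
        # NOTE(review): nothing here invalidates the reset token after use;
        # confirm retrieve_hash consumes it, otherwise the link is replayable.

    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(dbc, tk, log):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        username, oldpwdhashed, _user_id = get_user_by_token(dbc, tk, log)
        if not username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

        if not check_password(oldpwdhashed, username, oldpassword):
            # Never write the submitted password to the log: logs are a
            # lower-trust store than the credential, and a mistyped password
            # is usually one character away from the real one.
            log.critical("Passwords don't match for user {}".format(username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)

    # UPDATE USERS PASSWORD
    # format_password (defined elsewhere) produces the value stored in the
    # users table; whether it hashes or salts is not visible here.
    password = format_password(username, newpassword)

    # Parameterized statement: username comes from the token payload or the
    # users table and newpassword from the request, so neither may be
    # interpolated into SQL.  `%s` is the DB-API paramstyle of MySQLdb /
    # psycopg2; a sqlite3 connection would need `?` -- TODO confirm driver.
    uq = "update users set password = %s where username = %s"

    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        # Handler boundary: report the failure instead of leaking a traceback.
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()

    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)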
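def do_get(request, *args, **kwargs):
    """
    Change a user's username after confirmation through an e-mailed token.

    The URL token is resolved through ``base_api.hash2params.retrieve_hash``;
    its payload must carry ``user_id``, ``newusername`` and ``password``.
    The stored password value is re-derived with ``format_password`` for the
    new username (presumably because it depends on the username -- verify),
    the users row is updated, and a notification to the new address is
    queued through ``base_api.mail_api.save_mail``.

    :param request: handler exposing ``log``, ``r_ip`` and the URL token
    :return: ``post_ok`` with ``msgs.USER_NAME_CHANGED`` on success,
        otherwise an error message from ``base_common.msg.error``
    """

    log = request.log
    _db = get_md2db()
    dbc = _db.cursor()

    h2p = get_url_token(request, log)
    if not h2p or len(h2p) < 64:
        # Cheap sanity check only; retrieve_hash is the real validation.
        log.critical('Wrong or expired token {}'.format(h2p))
        return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN)

    rh = BaseAPIRequestHandler(log)
    rh.set_argument('hash', h2p)
    rh.r_ip = request.r_ip
    res = base_api.hash2params.retrieve_hash.do_get(rh)
    if 'http_status' not in res or res['http_status'] != 200:
        return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

    try:
        user_id = res['user_id']
        newusername = res['newusername']
        password = res['password']
    except KeyError as e:
        log.critical('Missing hash parameter: {}'.format(e))
        return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)
    # NOTE(review): the token payload carries the password itself, so the
    # hash2params store holds a credential for the token's lifetime; confirm
    # how it is protected and how long it lives.

    # All three values come from the token payload, not from this handler,
    # so they are bound as parameters rather than formatted into SQL.
    # `%s` is the DB-API paramstyle of MySQLdb / psycopg2; a sqlite3
    # connection would need `?` -- TODO confirm driver.
    q = "select username from users where id = %s"

    try:
        dbc.execute(q, (user_id,))
    except IntegrityError as e:
        # Only integrity violations are handled here (as in the original);
        # other driver errors propagate to the framework.
        log.critical('Error fetching user: {}'.format(e))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    if dbc.rowcount != 1:
        log.critical('Users found {}'.format(dbc.rowcount))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    # Drain the single result row; its content is not used.
    dbc.fetchone()

    passwd = format_password(newusername, password)

    q1 = "update users set username = %s, password = %s where id = %s"

    try:
        dbc.execute(q1, (newusername, passwd, user_id))
    except IntegrityError as e:
        # e.g. the new username is already taken (unique constraint).
        log.critical('Error updating user: {}'.format(e))
        return base_common.msg.error(msgs.USER_UPDATE_ERROR)

    _db.commit()

    message = _get_email_message()

    # SAVE EMAILS FOR SENDING
    # The receiver is the new username, so usernames are presumably e-mail
    # addresses -- verify against the mail API.
    rh1 = BaseAPIRequestHandler(log)
    rh1.set_argument('sender', support_mail)
    rh1.set_argument('receiver', newusername)
    rh1.set_argument('message', message)
    res = base_api.mail_api.save_mail.do_put(rh1)
    if 'http_status' not in res or res['http_status'] != 204:
        # The rename is already committed at this point; only the
        # notification failed.
        return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE)

    return base_common.msg.post_ok(msgs.USER_NAME_CHANGED)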
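def do_get(request, *args, **kwargs):
    """
    Change a user's username after confirmation through an e-mailed token.

    The URL token is resolved through ``base_api.hash2params.retrieve_hash``;
    its payload must carry ``user_id``, ``newusername`` and ``password``.
    The stored password value is re-derived with ``format_password`` for the
    new username (presumably because it depends on the username -- verify),
    the users row is updated, and a notification to the new address is
    queued through ``base_api.mail_api.save_mail``.

    :param request: handler exposing ``log``, ``r_ip`` and the URL token
    :return: ``post_ok`` with ``msgs.USER_NAME_CHANGED`` on success,
        otherwise an error message from ``base_common.msg.error``
    """

    log = request.log
    _db = get_db()
    dbc = _db.cursor()

    h2p = get_url_token(request, log)
    if not h2p or len(h2p) < 64:
        # Cheap sanity check only; retrieve_hash is the real validation.
        log.critical('Wrong or expired token {}'.format(h2p))
        return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN)

    rh = BaseAPIRequestHandler(log)
    rh.set_argument('hash', h2p)
    rh.r_ip = request.r_ip
    res = base_api.hash2params.retrieve_hash.do_get(rh)
    if 'http_status' not in res or res['http_status'] != 200:
        return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

    try:
        user_id = res['user_id']
        newusername = res['newusername']
        password = res['password']
    except KeyError as e:
        log.critical('Missing hash parameter: {}'.format(e))
        return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)
    # NOTE(review): the token payload carries the password itself, so the
    # hash2params store holds a credential for the token's lifetime; confirm
    # how it is protected and how long it lives.

    # All three values come from the token payload, not from this handler,
    # so they are bound as parameters rather than formatted into SQL.
    # `%s` is the DB-API paramstyle of MySQLdb / psycopg2; a sqlite3
    # connection would need `?` -- TODO confirm driver.
    q = "select username from users where id = %s"

    try:
        dbc.execute(q, (user_id,))
    except IntegrityError as e:
        # Only integrity violations are handled here (as in the original);
        # other driver errors propagate to the framework.
        log.critical('Error fetching user: {}'.format(e))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    if dbc.rowcount != 1:
        log.critical('Users found {}'.format(dbc.rowcount))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    # Drain the single result row; its content is not used.
    dbc.fetchone()

    passwd = format_password(newusername, password)

    q1 = "update users set username = %s, password = %s where id = %s"

    try:
        dbc.execute(q1, (newusername, passwd, user_id))
    except IntegrityError as e:
        # e.g. the new username is already taken (unique constraint).
        log.critical('Error updating user: {}'.format(e))
        return base_common.msg.error(msgs.USER_UPDATE_ERROR)

    _db.commit()

    message = _get_email_message()

    # SAVE EMAILS FOR SENDING
    # The receiver is the new username, so usernames are presumably e-mail
    # addresses -- verify against the mail API.
    rh1 = BaseAPIRequestHandler(log)
    rh1.set_argument('sender', support_mail)
    rh1.set_argument('receiver', newusername)
    rh1.set_argument('message', message)
    res = base_api.mail_api.save_mail.do_put(rh1)
    if 'http_status' not in res or res['http_status'] != 204:
        # The rename is already committed at this point; only the
        # notification failed.
        return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE)

    return base_common.msg.post_ok(msgs.USER_NAME_CHANGED)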
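def do_post(request, *args, **kwargs):
    """
    Change a user's password.

    Two flows are supported, selected by the presence of a URL token:

    * forgot-password flow: a long (> 60 chars) URL token is resolved through
      ``base_api.hash2params.retrieve_hash`` and the username carried in its
      payload is used; no other authentication is performed.
    * logged-in flow: the caller's ``auth_token`` is checked with
      ``authorized_by_token``, the user record is loaded with
      ``get_user_by_token``, and the current password must be supplied and
      verified with ``check_password`` before it is replaced.

    :param newpassword: users newpassword, string, True
    :param oldpassword: old password if user logged, string, True
    :return: ``post_ok`` with ``msgs.USER_PASSWORD_CHANGED`` on success,
        otherwise an error message from ``base_common.msg.error``
    """

    log = request.log
    _db = get_db()
    dbc = _db.cursor()

    # TODO: check users token

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request, log)
    if h2p and len(h2p) > 60:
        # The length test is only a cheap sanity check; the token is actually
        # validated (and its parameters recovered) by retrieve_hash.
        rh = BaseAPIRequestHandler(log)
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        res = base_api.hash2params.retrieve_hash.do_get(rh)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

        try:
            username = res['username']
        except KeyError as e:
            # A token payload without a username must not fall through to
            # the UPDATE below with an unbound name.
            log.critical('Missing hash parameter: {}'.format(e))
            return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)
        # NOTE(review): nothing here invalidates the reset token after use;
        # confirm retrieve_hash consumes it, otherwise the link is replayable.

    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(dbc, tk, log):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        dbuser = get_user_by_token(dbc, tk, log)
        if not dbuser.username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

        if not check_password(dbuser.password, dbuser.username, oldpassword):
            # Never write the submitted password to the log: logs are a
            # lower-trust store than the credential, and a mistyped password
            # is usually one character away from the real one.
            log.critical(
                "Passwords don't match for user {}".format(dbuser.username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)

        username = dbuser.username

    # UPDATE USERS PASSWORD
    # format_password (defined elsewhere) produces the value stored in the
    # users table; whether it hashes or salts is not visible here.
    password = format_password(username, newpassword)

    # Parameterized statement: username comes from the token payload or the
    # users table and newpassword from the request, so neither may be
    # interpolated into SQL.  `%s` is the DB-API paramstyle of MySQLdb /
    # psycopg2; a sqlite3 connection would need `?` -- TODO confirm driver.
    uq = "update users set password = %s where username = %s"

    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        # Handler boundary: report the failure instead of leaking a traceback.
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()

    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)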
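def do_post(**kwargs):
    """
    Change a user's password.

    Two flows are supported, selected by the presence of a URL token:

    * forgot-password flow: a long (> 60 chars) URL token is resolved through
      ``base_api.hash2params.retrieve_hash`` and the username carried in its
      payload is used; no other authentication is performed.
    * logged-in flow: the caller's ``auth_token`` is checked with
      ``authorized_by_token``, the user record is loaded with
      ``get_user_by_token``, and the current password must be supplied and
      verified with ``check_password`` before it is replaced.

    :param request_handler: (keyword) the Tornado handler for this request;
        provides ``get_argument``, ``r_ip`` and ``auth_token``
    :return: ``post_ok`` with ``msgs.USER_PASSWORD_CHANGED`` on success,
        otherwise an error message from ``base_common.msg.error``
    """

    _db = get_db()
    dbc = _db.cursor()
    request = kwargs['request_handler']

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request)
    if h2p and len(h2p) > 60:
        # The length test is only a cheap sanity check; the token is actually
        # validated (and its parameters recovered) by retrieve_hash.
        rh = BaseAPIRequestHandler()
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        # kwargs is this call's own dict, so swapping the handler does not
        # affect the caller.
        kwargs['request_handler'] = rh
        res = base_api.hash2params.retrieve_hash.do_get(h2p, False, **kwargs)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

        try:
            username = res['username']
        except KeyError as e:
            # A token payload without a username must not fall through to
            # the UPDATE below with an unbound name.
            log.critical('Missing hash parameter: {}'.format(e))
            return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)
        # NOTE(review): nothing here invalidates the reset token after use;
        # confirm retrieve_hash consumes it, otherwise the link is replayable.

    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(_db, tk):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        dbuser = get_user_by_token(_db, tk)
        if not dbuser.username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)

        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

        if not check_password(dbuser.password, dbuser.username, oldpassword):
            # Never write the submitted password to the log: logs are a
            # lower-trust store than the credential, and a mistyped password
            # is usually one character away from the real one.
            log.critical(
                "Passwords don't match for user {}".format(dbuser.username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)

        username = dbuser.username

    # UPDATE USERS PASSWORD
    # format_password (defined elsewhere) produces the value stored in the
    # users table; whether it hashes or salts is not visible here.
    password = format_password(username, newpassword)

    # Parameterized statement: username comes from the token payload or the
    # users table and newpassword from the request, so neither may be
    # interpolated into SQL.  `%s` is the DB-API paramstyle of MySQLdb /
    # psycopg2; a sqlite3 connection would need `?` -- TODO confirm driver.
    uq = "update users set password = %s where username = %s"

    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        # Handler boundary: report the failure instead of leaking a traceback.
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()

    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)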