def _handle_successful_authentication_and_login(user, request):
"""
Handles clearing the failed login counter, login tracking, and setting session timeout.
"""
if LoginFailures.is_feature_enabled():
LoginFailures.clear_lockout_counter(user)
_track_user_login(user, request)
try:
django_login(request, user)
request.session.set_expiry(604800 * 4)
log.debug("Setting user session expiry to 4 weeks")
# .. event_implemented_name: SESSION_LOGIN_COMPLETED
SESSION_LOGIN_COMPLETED.send_event(user=UserData(
pii=UserPersonalData(
username=user.username,
email=user.email,
name=user.profile.name,
),
id=user.id,
is_active=user.is_active,
), )
except Exception as exc:
AUDIT_LOG.critical(
"Login failed - Could not create session. Is memcached running?")
log.critical(
"Login failed - Could not create session. Is memcached running?")
log.exception(exc)
raise
def _handle_successful_authentication_and_login(user, request):
"""
Handles clearing the failed login counter, login tracking, and setting session timeout.
"""
if LoginFailures.is_feature_enabled():
LoginFailures.clear_lockout_counter(user)
_track_user_login(user, request)
try:
django_login(request, user)
request.session.set_expiry(604800 * 4)
log.debug("Setting user session expiry to 4 weeks")
except Exception as exc:
AUDIT_LOG.critical("Login failed - Could not create session. Is memcached running?")
log.critical("Login failed - Could not create session. Is memcached running?")
log.exception(exc)
raise
def post(self, request, *args, **kwargs):
# We have to make a copy of request.POST because it is a QueryDict object which is immutable until copied.
# We have to use request.POST because the password_reset_confirm method takes in the request and a user's
# password is set to the request.POST['new_password1'] field. We have to also normalize the new_password2
# field so it passes the equivalence check that new_password1 == new_password2
# In order to switch out of having to do this copy, we would want to move the normalize_password code into
# a custom User model's set_password method to ensure it is always happening upon calling set_password.
request.POST = request.POST.copy()
request.POST['new_password1'] = normalize_password(
request.POST['new_password1'])
request.POST['new_password2'] = normalize_password(
request.POST['new_password2'])
is_account_recovery = 'is_account_recovery' in request.GET
password = request.POST['new_password1']
response = self._validate_password(password, request)
if response:
return response
response = self._process_password_reset_success(
request, self.token, self.uidb64, extra_context=self.platform_name)
# If password reset was unsuccessful a template response is returned (status_code 200).
# Check if form is invalid then show an error to the user.
# Note if password reset was successful we get response redirect (status_code 302).
password_reset_successful = response.status_code == 302
if not password_reset_successful:
return self._handle_password_reset_failure(response)
updated_user = User.objects.get(id=self.uid_int)
if is_account_recovery:
self._handle_primary_email_update(updated_user)
updated_user.save()
if password_reset_successful and is_account_recovery:
self._handle_password_creation(request, updated_user)
# Handles clearing the failed login counter upon password reset.
if LoginFailures.is_feature_enabled():
LoginFailures.clear_lockout_counter(updated_user)
update_session_auth_hash(request, updated_user)
send_password_reset_success_email(updated_user, request)
return response
def test_check_password_policy_compliance_exception(self):
"""
Tests _enforce_password_policy_compliance fails with an exception thrown
"""
assert not LoginFailures.objects.filter(user=self.user).exists()
enforce_compliance_on_login = '******'
with patch(enforce_compliance_on_login) as mock_enforce_compliance_on_login:
mock_enforce_compliance_on_login.side_effect = NonCompliantPasswordException()
response, _ = self._login_response(
self.user_email,
self.password
)
response_content = json.loads(response.content.decode('utf-8'))
assert not response_content.get('success')
assert len(mail.outbox) == 1
assert 'Password reset' in mail.outbox[0].subject
failure_record = LoginFailures.objects.get(user=self.user)
assert failure_record.failure_count == 1
LoginFailures.clear_lockout_counter(user=self.user)
def post(self, request, **kwargs):
""" Reset learner password using passed token and new credentials """
reset_status = False
uidb36 = kwargs.get('uidb36')
token = kwargs.get('token')
has_required_values, uid_int = self._check_token_has_required_values(
uidb36, token)
if not has_required_values:
AUDIT_LOG.exception("Invalid password reset confirm token")
return Response({'reset_status': reset_status})
request.data._mutable = True # lint-amnesty, pylint: disable=protected-access
request.data['new_password1'] = normalize_password(
request.data['new_password1'])
request.data['new_password2'] = normalize_password(
request.data['new_password2'])
password = request.data['new_password1']
try:
user = User.objects.get(id=uid_int)
if not default_token_generator.check_token(user, token):
AUDIT_LOG.exception("Token validation failed")
return Response({'reset_status': reset_status})
validate_password(password, user=user)
if settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY:
# Checks the Pwned Databases for password vulnerability.
pwned_response = check_pwned_password(password)
if pwned_response.get('vulnerability', 'no') == 'yes':
error_status = {
'reset_status': reset_status,
'err_msg': accounts.AUTHN_PASSWORD_COMPROMISED_MSG
}
return Response(error_status)
form = SetPasswordForm(user, request.data)
if form.is_valid():
form.save()
reset_status = True
if 'is_account_recovery' in request.GET:
try:
old_primary_email = user.email
user.email = user.account_recovery.secondary_email
user.account_recovery.delete()
# emit an event that the user changed their secondary email to the primary email
tracker.emit(
SETTING_CHANGE_INITIATED, {
"setting": "email",
"old": old_primary_email,
"new": user.email,
"user_id": user.id,
})
user.save()
except ObjectDoesNotExist:
err = 'Account recovery process initiated without AccountRecovery instance for user {username}'
log.error(err.format(username=user.username))
# Handles clearing the failed login counter upon password reset.
if LoginFailures.is_feature_enabled():
LoginFailures.clear_lockout_counter(user)
send_password_reset_success_email(user, request)
update_session_auth_hash(request, user)
except ValidationError as err:
AUDIT_LOG.exception("Password validation failed")
error_status = {
'reset_status': reset_status,
'err_msg': ' '.join(err.messages)
}
return Response(error_status)
except Exception: # pylint: disable=broad-except
AUDIT_LOG.exception("Setting new password failed")
return Response({'reset_status': reset_status})