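def web_request_change_password():
    """
    Change password request.

    Requires a live session (SESSION_USERID in the Flask session). Verifies
    the caller's current password against the stored hash, then stores the
    hash of the submitted new password ("password1").

    Returns a (body, status) tuple:
      200  form re-rendered (session expired, wrong current password) or
           main form after a successful change
      400  logout response when the session's userid has no database row
      500  main form with a failure status when the database update failed
    """
    import hmac
    import html

    if SESSION_USERID in session:
        userid = session[SESSION_USERID]
        email = session[SESSION_EMAIL]
    else:
        # Session Timeout
        app.logger.error("web_request_change_password: session expired")
        rendered = render_template("login_form.html",
                                   frm_uname=UNAME,
                                   frm_userid="",
                                   frm_password="",
                                   frm_status="* PREVIOUS SESSION EXPIRED *")
        return ensure_no_caching(rendered), 200

    # Hash the current password
    password = util.hash_a_secret(request.form["password"])

    # Get database row for this userid
    row = util.dbuser_get(userid)
    if row is None:
        # User not found - should not happen for a logged-in session
        wtext = util.sprintf(
            "web_request_change_password: user {%s} NOT FOUND; logged out",
            userid)
        app.logger.error(wtext)
        # userid originated from the registration form, so escape it before
        # embedding it in markup
        response = build_logout_response("<h3>*** " + html.escape(wtext) + "</h3>")
        return response, 400

    # Extract row columns for userid
    (dummy, email, db_password, stamp) = row

    # Valid password entered?  Both values come from util.hash_a_secret, so
    # they share a type; compare in constant time to avoid leaking how many
    # leading characters of the stored hash matched.
    if not hmac.compare_digest(password, db_password):
        # Invalid password.  Never echo the e-mail address back into the
        # password field of the form.
        app.logger.error(
            "web_request_change_password: user {%s} provided an INVALID PASSWORD",
            userid)
        rendered = render_template("chgpswd_form.html",
                                   frm_uname=UNAME,
                                   frm_userid=userid,
                                   frm_password="",
                                   frm_status="* INVALID PASSWORD *")
        return ensure_no_caching(rendered), 200

    # Hash the new password field.
    # NOTE(review): no server-side check here that the two new-password
    # fields match or that the new password is non-empty; the client-side
    # form is trusted for that - confirm whether that is acceptable.
    ok_password = util.hash_a_secret(request.form["password1"])

    # Update user with new password
    if util.dbuser_update_password(userid, ok_password):
        # Success
        rendered = main_form_renderer(userid, email, "Password changed")
        app.logger.info(
            "web_request_change_password: userid {%s / %s} successfully changed password",
            userid, email)
        return ensure_no_caching(rendered), 200

    # Report database update error.  A 204 must not carry a body and the
    # browser would discard the rendered page, so report it as a server error.
    app.logger.error(
        "web_request_change_password: Could not update password for user {%s}",
        userid)
    rendered = main_form_renderer(userid, email, "*** Password change FAILED ***")
    return ensure_no_caching(rendered), 500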
def web_request_register():
    """
    Process a web register form.

    Reads "userid", "email" and "password1" from the POSTed form, validates
    the e-mail address with util.verify_email_recipient, stores the hashed
    password via util.dbuser_add and, on success, establishes the session.

    Returns a (body, status) tuple; every path answers 200 with either the
    re-rendered register form (carrying a status line) or the main form.
    """
    new_userid = request.form["userid"]
    new_email = request.form["email"]

    def register_page(status):
        # Re-render the register form with a status line.  The password
        # fields are intentionally never echoed back.
        return render_template("register_form.html",
                               frm_uname=UNAME,
                               frm_userid=new_userid,
                               frm_email=new_email,
                               frm_password1="",
                               frm_password2="",
                               frm_status=status)

    # Reject an unusable e-mail address up front
    if not util.verify_email_recipient(new_email):
        page = register_page("* INVALID EMAIL ADDRESS *")
        app.logger.error(
            "web_request_register: userid {%s / %s} provided an INVALID EMAIL ADDRESS",
            new_userid, new_email)
        return ensure_no_caching(page), 200

    # Only the first password field is hashed and stored.
    # NOTE(review): equality of password1/password2 is enforced only by the
    # Javascript in register_form; the server does not re-check it - confirm
    # whether a server-side check is wanted.
    hashed = util.hash_a_secret(request.form["password1"])

    if util.dbuser_add(new_userid, hashed, new_email):
        # Registered: log the user straight in
        session[SESSION_USERID] = new_userid
        session[SESSION_EMAIL] = new_email
        greeting = util.sprintf("Hello, %s", new_userid)
        page = main_form_renderer(new_userid, new_email, greeting)
        app.logger.info(
            "web_request_register: userid {%s / %s} successfully registered",
            new_userid, new_email)
        return ensure_no_caching(page), 200

    # dbuser_add returned false; this code treats that as a duplicate userid
    # (presumably the only failure mode - verify against util.dbuser_add)
    app.logger.error("web_request_register: user {%s} already exists", new_userid)
    page = register_page("* USER ALREADY EXISTS *")
    return ensure_no_caching(page), 200
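def web_request_login():
    """
    Process a web login form (userid, password).

    Hashes the submitted password, looks the userid up with util.dbuser_get
    and compares the hashes.  On success the Flask session receives
    SESSION_USERID and SESSION_EMAIL and the main form is rendered.

    Returns a (body, status) tuple; every path answers 200 with either the
    re-rendered login form (carrying a status line) or the main form.
    """
    import hmac

    userid = request.form["userid"]
    if app.debug:
        app.logger.debug("web_request_login: userid is {%s}", userid)

    # Hash the password before the lookup so the unknown-user path costs
    # roughly the same as the known-user path
    password = util.hash_a_secret(request.form["password"])

    # Get database row for this userid
    row = util.dbuser_get(userid)
    if row is None:
        # User not found.
        # NOTE(review): the distinct "NO SUCH USER ID" status lets a caller
        # enumerate userids; the register form already reveals existence via
        # "USER ALREADY EXISTS", so closing this alone would not help.
        app.logger.error("web_request_login: user {%s} NOT FOUND", userid)
        rendered = render_template("login_form.html",
                                   frm_uname=UNAME,
                                   frm_userid=userid,
                                   frm_password="",
                                   frm_status="* NO SUCH USER ID *")
        return ensure_no_caching(rendered), 200

    # Extract row columns for userid
    (dummy, email, db_password, stamp) = row

    # Valid password entered?  Both values come from util.hash_a_secret, so
    # they share a type; compare in constant time to avoid leaking how many
    # leading characters of the stored hash matched.
    if not hmac.compare_digest(password, db_password):
        # Invalid password.  The form must not be pre-filled with the account's
        # e-mail address: the caller is unauthenticated and would otherwise
        # learn the e-mail of any userid they can guess.
        app.logger.error(
            "web_request_login: user {%s} provided an INVALID PASSWORD",
            userid)
        rendered = render_template("login_form.html",
                                   frm_uname=UNAME,
                                   frm_userid=userid,
                                   frm_password="",
                                   frm_status="* INVALID PASSWORD *")
        return ensure_no_caching(rendered), 200

    # Password valid - establish the session.
    # NOTE(review): no rate limiting or lockout is visible here; confirm it is
    # enforced elsewhere (proxy, WSGI middleware) before exposing this login.
    session[SESSION_USERID] = userid
    session[SESSION_EMAIL] = email
    hello = util.sprintf("Hello, %s", userid)
    rendered = main_form_renderer(userid, email, hello)
    app.logger.info("web_request_login: user {%s} successfully logged in", userid)
    return ensure_no_caching(rendered), 200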
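def reset_password():
    """
    Reset a user's password to RESET_PASSWORD (interactive admin command).

    Prompts for the userid via get_user_id(), asks for confirmation, then
    opens the database from app.config["DBPATH"], stores the hash of
    RESET_PASSWORD for that user and closes the database again.

    Returns None.  Nothing is done when no userid is given or the
    confirmation is anything other than "y"/"Y".
    """
    userid = get_user_id()
    if userid == "":
        return

    ptext = util.sprintf("reset_password: Are you REALLY REALLY REALLY sure that you want to reset the password of user {%s}? (y/Y=yes; anything else=no): ", userid)
    yesorno = prompt(ptext)
    if yesorno not in ("y", "Y"):
        print("reset_password: Cancelled")
        return

    with app.app_context():
        # Open database
        dbpath = app.config["DBPATH"]
        util.dbopen(dbpath)
        try:
            # Reset password.
            # NOTE(review): every reset user ends up with the same well-known
            # RESET_PASSWORD; a random one-time value would be safer - confirm.
            hashed_password = util.hash_a_secret(RESET_PASSWORD)

            # Update the user's password.  The credential itself is deliberately
            # not written to the log.
            if util.dbuser_update_password(userid, hashed_password):
                app.logger.info("reset_password: User {%s} password reset", userid)
            else:
                app.logger.error("reset_password: Could not reset password for user {%s}", userid)
        finally:
            # Close database even if the update raised
            util.dbclose()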