Esempio n. 1
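def register():
    """Register a new, not-yet-activated user and email an activation link.

    Reads a JSON request body that must contain non-empty string values for
    ``email``, ``first_name``, ``last_name`` and ``password``.

    Returns:
        A JSON error with status 400 when the body is missing, malformed or
        incomplete, or when the email is already registered. Otherwise a JSON
        object with a status message and the serialized user.
    """
    user_data = request.get_json()

    # The body is untrusted. Validate it before any key is indexed, so a
    # missing "email", a null body or a non-object body yields a 400 instead
    # of an unhandled KeyError/TypeError. The error message has always listed
    # email as required; the check now enforces it too.
    required_fields = ("email", "first_name", "last_name", "password")
    if not isinstance(user_data, dict) or not all(
        isinstance(user_data.get(field), str) and user_data.get(field)
        for field in required_fields
    ):
        return jsonify("You must provide an email, first_name, last_name, and password"), 400

    email = user_data["email"]

    # user exists
    # NOTE(review): this distinct response lets an unauthenticated caller
    # learn which addresses have accounts; consider rate limiting this route
    # or returning a uniform response.
    if UserModel.count(email):
        return jsonify("Email already registered"), 400

    # good to go, let's get them registered
    user_instance = UserModel(
        email,
        created_at=datetime.datetime.utcnow(),
        first_name=user_data["first_name"],
        last_name=user_data["last_name"],
    )

    # hash the password
    # NOTE(review): the hashing scheme lives in setPasswordHash, which is not
    # visible here; confirm it is a salted, slow password hash.
    user_instance.setPasswordHash(user_data["password"])

    # compose and send activation email
    # NOTE(review): the link's only secret is the token derived from the
    # email; confirm encode_activation_token signs and expires it.
    email_template = """
        <h1>Rentalated</h1>
        <a href="{url}/test/activate/{encoded_id}">
            <p>Click this link to activate your account!</p>
        </a>
    """.format(url=config.WEBSITE_URL, encoded_id=encode_activation_token(email))

    send_email(
        email,
        "The time has come for you to activate your Rentalated account.",
        email_template
    )

    # save the user with .activated=False
    # The email goes out before the save, so a failed save leaves the user
    # holding a link for an account that was never stored.
    user_instance.save()

    # NOTE(review): confirm serialize() leaves out the password hash before
    # echoing the record back to the client.
    return jsonify({
        "msg": "user saved && activation email sent",
        "saved_user": user_instance.serialize()
    })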
Esempio n. 2
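def login():
    """Authenticate a user from a JSON body with ``email`` and ``password``.

    Returns:
        The value of ``encodeAuthToken()`` when the account exists, the
        password checks out and the account is active. Every other case,
        including a missing or malformed body, returns the same generic
        ``("Error logging in", 400)`` so the response body does not reveal
        which check failed.
    """
    user_data = request.get_json()

    # The body is untrusted. Reject anything that is not an object carrying
    # string credentials, so a missing key or a null body cannot raise an
    # unhandled KeyError/TypeError and non-string values never reach the
    # model layer.
    if not isinstance(user_data, dict):
        return "Error logging in", 400
    email = user_data.get("email")
    password = user_data.get("password")
    if not (isinstance(email, str) and isinstance(password, str)):
        return "Error logging in", 400

    # On the timing question: the response body is uniform, but the work done
    # is not. For an unknown email checkPassword never runs, so if it performs
    # a slow hash verification (not visible here), unknown addresses answer
    # faster than known ones. The usual mitigation is to verify the supplied
    # password against a fixed dummy hash on that path, plus rate limiting.
    # It is not applied here because the hashing API is outside this block.
    user_instance = UserModel.get(email) if UserModel.count(email) else None

    # The password is checked before the active flag, so an unactivated
    # account is not distinguishable without the correct password. The record
    # fetched above is reused rather than fetched again, which keeps the token
    # tied to the exact record that passed the checks.
    if (
        user_instance is not None
        and user_instance.checkPassword(password)
        and user_instance.active
    ):
        return user_instance.encodeAuthToken()

    return "Error logging in", 400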