Esempio n. 1
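def handle_password_reset(username, new_password, new_password2):
    """
    Handles the submitted password reset request. Returns True if successful,
    False otherwise. Also handles all messages displayed to the user.

    ``username`` is the account's email address: it is matched against
    ``users.email`` in every query below. The two password fields are
    checked by validation_utils.validate_password before anything changes.
    """
    if not validation_utils.validate_password(new_password, new_password2):
        return False

    # Look the account up before touching any credentials. The original
    # order (set password, clear key, then look up) raised TypeError on
    # result['email'] when no members/users row matched, leaving the
    # password already changed; now an unknown account simply fails.
    query = """
    SELECT first_name, email
    FROM members
      NATURAL JOIN users
    WHERE email = %s
    """
    with flask.g.pymysql_db.cursor() as cursor:
        cursor.execute(query, [username])
        result = cursor.fetchone()
    if result is None:
        return False

    auth_utils.set_password(username, new_password)
    # Clean up the password reset key, so that it cannot be used again.
    query = """
    UPDATE users
    SET password_reset_key = NULL, password_reset_expiration = NULL
    WHERE email = %s
    """
    with flask.g.pymysql_db.cursor() as cursor:
        cursor.execute(query, [username])

    # Send confirmation email to user.
    recipient = result['email']
    first_name = result['first_name']
    msg = email_templates.ResetPasswordSuccessfulEmail.format(first_name)
    subject = "Password reset successful"
    email_utils.send_email(recipient, msg, subject, gmail=True)
    return True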
Esempio n. 2
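def authenticate(email, password):
    """
    Takes a username and password and checks if this corresponds to an actual
    user. Returns user_id if successful, else None. If a legacy algorithm is
    used, then the password is rehashed using the current algorithm.

    ``email`` is the login name; it is matched against ``users.email`` and is
    also the key auth_utils.set_password is called with when rehashing.
    """

    # Make sure the password is not too long (hashing extremely long passwords
    # can be used to attack the site, so we set an upper limit well beyond what
    # people generally use for passwords).
    if len(password) > constants.MAX_PASSWORD_LENGTH:
        return None

    # Get the correct password hash and user_id from the database.
    s = "SELECT user_id, password_hash FROM users WHERE email=%s"
    with flask.g.pymysql_db.cursor() as cursor:
        cursor.execute(s, [email])
        result = cursor.fetchone()

    # NOTE(review): an unknown email returns here without any hash work, so
    # the response time differs from a known-email/wrong-password attempt;
    # verifying against a dummy hash on this path would equalize the two.
    if result is None:
        return None

    user_id = result['user_id']
    password_hash = result['password_hash']

    # Parse the hash into a PasswordHashParser object. A value that does not
    # parse fails closed (the "" placeholder written at account creation is
    # presumably one such value).
    parser = auth_utils.PasswordHashParser()
    if not parser.parse(password_hash):
        return None
    if not parser.verify_password(password):
        return None

    # Rehash a legacy hash with the current algorithm. This function has no
    # `username` binding: the account is keyed by `email` (the original
    # referenced `username` here, which raised NameError on every legacy login).
    if parser.is_legacy():
        auth_utils.set_password(email, password)
    # User is authenticated.
    return user_id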
Esempio n. 3
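def handle_create_account(email, password, password2, first_name, middle_name,
                          preferred_name, last_name, dob):
    """
    Create a new account for ``email`` and return ``(ok, message)``.

    ``message`` is shown to the user when ``ok`` is False; it is "" on
    success and when validation_utils.validate_password has already reported
    the problem itself. The users/members/applications/status rows are
    written inside one transaction that is rolled back on any failure.
    """
    query = """
    SELECT email
    FROM users
    WHERE email = %s
    """
    with flask.g.pymysql_db.cursor() as cursor:
        cursor.execute(query, [email])
        result = cursor.fetchone()
    if result is not None:
        return (False, "You already have an account. Try recovering it?")
    # NOTE(review): the check above is not atomic with the INSERT below; two
    # concurrent sign-ups with the same email stay unique only if users.email
    # carries a UNIQUE constraint -- confirm against the schema.

    if not validation_utils.validate_password(password, password2):
        return (False, "")

    flask.g.pymysql_db.begin()
    try:
        confirm_account_key = auth_utils.generate_confirm_account_key()
        # Insert the new row into users. The "" password_hash placeholder is
        # replaced right away by auth_utils.set_password.
        query = """
        INSERT INTO users (email, password_hash, confirm_account_key)
        VALUES (%s, %s, %s)
        """
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [email, "", confirm_account_key])
        # Set the password.
        # NOTE(review): assumes set_password does not commit on its own;
        # if it does, the rollback below is only partial -- confirm.
        auth_utils.set_password(email, password)

        query = """
        SELECT user_id FROM users WHERE email = %s
        """
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [email])
            result = cursor.fetchone()
        user_id = result["user_id"]

        # Set rest of the info...
        query = """
        INSERT INTO members (user_id, first_name, preferred_name, middle_name, 
        last_name, date_of_birth)
        VALUES(%s, %s, %s, %s, %s, %s)
        """
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [
                user_id, first_name, preferred_name, middle_name, last_name,
                dob
            ])

        query = """
        INSERT INTO applications (user_id, application_year) 
        VALUES(%s, %s)
        """
        ## TODO: Make sure to select it only from the current application year
        # NOTE(review): `app_year` is not defined in this function, and
        # `app_year.year + "0000"` only works if `.year` is already a str --
        # confirm where it comes from and its type.
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [user_id, app_year.year + "0000"])

        query = """ 
        SELECT application_id FROM applications 
        WHERE user_id = %s
        """
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [user_id])
            application_row = cursor.fetchone()
        application_id = application_row['application_id']

        query = """
        INSERT INTO status (user_id, application_id, status) 
        VALUES(%s, %s, %s)
        """
        with flask.g.pymysql_db.cursor() as cursor:
            cursor.execute(query, [user_id, application_id, 'Not Started'])

        # Send the welcome email before committing so that a failed send
        # rolls the new rows back. Previously it was sent after commit(), so
        # the rollback in the except branch was a no-op and the user was told
        # to retry while the account already existed (and the retry then hit
        # "You already have an account"). Trade-off: a commit failure after a
        # successful send leaves the user with an email for no account.
        subject = "Thanks for creating an account!"
        msg = email_templates.CreateAccountSuccessfulEmail.format(first_name)
        email_utils.send_email(email, msg, subject)

        flask.g.pymysql_db.commit()
    except Exception:
        # Keep the traceback server-side (it may include query parameters);
        # the user only ever sees the generic message below.
        flask.current_app.logger.exception("handle_create_account failed")
        flask.g.pymysql_db.rollback()
        return (
            False,
            "An unexpected error occurred. Make sure that you entered a valid email! If the error persists, please contact the hacktech organizers"
        )
    return (True, "")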