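def _set_recovered_password(self, address, token):
    """Set the password based on a recovery token.

    Reads the new password from the request, validates it against
    ``_PASSWORD_REGEXP`` and hands it to ``users.set_recovered_password``
    together with the supplied email address and token.

    Args:
        address: Email address the recovery token was issued for.
        token: Recovery token presented by the client.

    Raises:
        HTTPErrorEx: 503 with a ``Retry-After`` header when the recovery
            throttler denies the request.
        HTTPError: 400 when the password fails validation; 422 when the
            token is wrong or the address is unknown (both cases are
            reported identically on purpose).
    """
    # The token is a single-use credential: log only the address so that
    # read access to the logs does not hand out live recovery tokens.
    _log.info("Set recovery password for %s", address)
    if not _recover_throttler.is_allowed():
        # Logger.warn is a deprecated alias for Logger.warning.
        _log.warning("Throttling to avoid brute-force attacks")
        raise HTTPErrorEx(
            httplib.SERVICE_UNAVAILABLE,
            "Request throttled",
            # Must be a dict: the former `{"Retry-After", "<n>"}` was a
            # set literal, so the header name and value were never paired.
            headers={"Retry-After": str(_recover_throttler.interval_sec)})
    password = self.request_text_or_field("password")
    ok, _ = validate({"password": password},
                     {"password": (REQUIRED, STRING, _PASSWORD_REGEXP)})
    if not ok:  # pragma: no cover
        raise HTTPError(httplib.BAD_REQUEST, "Password not acceptable")
    db_sess = self.db_session()
    try:
        users.set_recovered_password(db_sess, address, token, password)
        db_sess.commit()
    except (ValueError, NotFound):
        # Wrong token or unknown email address - for security reasons, these
        # must behave identically (same status, same message).
        db_sess.rollback()
        raise HTTPError(httplib.UNPROCESSABLE_ENTITY,
                        "Invalid token or email address")
    self.send_success(httplib.OK)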
def test_set_recovered_password_mainline(self):
    """Happy path: a matching token leads to a new hashed password being written.

    The mocked cursor returns a token paired with a timestamp ten seconds in
    the past; the session is then expected to have been asked for the row by
    email and to have executed an update carrying a hashed password for that
    same email.
    """
    email = "*****@*****.**"
    token = "etaoinshrdlu"
    stamp = datetime.datetime.now() - datetime.timedelta(seconds=10)
    self.mock_cursor.fetchone.return_value = (token, stamp)

    users.set_recovered_password(self.mock_session, email, token, "newpw")

    lookup_call = call(ANY, {'email': email})
    update_call = call(ANY, {'email': email, 'hashed_password': ANY})
    self.mock_session.execute.assert_has_calls([lookup_call, update_call])
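def _set_recovered_password(self, address, token):
    """Set the password based on a recovery token.

    Reads the new password from the request, validates it against
    ``_PASSWORD_REGEXP`` and hands it to ``users.set_recovered_password``
    together with the supplied email address and token.

    Args:
        address: Email address the recovery token was issued for.
        token: Recovery token presented by the client.

    Raises:
        HTTPErrorEx: 503 with a ``Retry-After`` header when the recovery
            throttler denies the request.
        HTTPError: 400 when the password fails validation; 422 when the
            token is wrong or the address is unknown (both cases are
            reported identically on purpose).
    """
    # The token is a single-use credential: log only the address so that
    # read access to the logs does not hand out live recovery tokens.
    _log.info("Set recovery password for %s", address)
    if not _recover_throttler.is_allowed():
        # Logger.warn is a deprecated alias for Logger.warning.
        _log.warning("Throttling to avoid brute-force attacks")
        raise HTTPErrorEx(
            httplib.SERVICE_UNAVAILABLE,
            "Request throttled",
            # Must be a dict: the former `{"Retry-After", "<n>"}` was a
            # set literal, so the header name and value were never paired.
            headers={"Retry-After": str(_recover_throttler.interval_sec)})
    password = self.request_text_or_field("password")
    ok, _ = validate({"password": password},
                     {"password": (REQUIRED, STRING, _PASSWORD_REGEXP)})
    if not ok:
        raise HTTPError(httplib.BAD_REQUEST, "Password not acceptable")
    db_sess = self.db_session()
    try:
        users.set_recovered_password(db_sess, address, token, password)
        db_sess.commit()
    except (ValueError, NotFound):
        # ValueError: wrong token. NotFound: unknown email address. For
        # security reasons both must behave identically (same status, same
        # message), so they share one handler. Roll back so the session is
        # not left holding a failed transaction.
        db_sess.rollback()
        raise HTTPError(httplib.UNPROCESSABLE_ENTITY,
                        "Invalid token or email address")
    self.send_success(httplib.OK)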
def test_set_recovered_password_mainline(self):
    """Mainline recovery: token accepted, lookup then update issued on the session.

    Arranges the mocked cursor to hand back a token and a timestamp ten
    seconds old, runs the recovery, and checks that the session executed a
    lookup keyed by email followed by a write carrying a hashed password for
    the same email.
    """
    ten_seconds = datetime.timedelta(seconds=10)
    fetched_row = ("etaoinshrdlu", datetime.datetime.now() - ten_seconds)
    self.mock_cursor.fetchone.return_value = fetched_row

    users.set_recovered_password(self.mock_session, "*****@*****.**",
                                 "etaoinshrdlu", "newpw")

    expected_calls = [
        call(ANY, {'email': "*****@*****.**"}),
        call(ANY, {'email': "*****@*****.**", 'hashed_password': ANY}),
    ]
    self.mock_session.execute.assert_has_calls(expected_calls)