def resetChangePOST(auth, uid, token):
# artificial delay (to slow down brute force attacks)
sleep(auth.config.forced_delay)
i = web.input()
password = i.get('password', '').strip()
password2 = i.get('password2', '').strip()
try:
user = auth._db.select('user',
where='user_id = $uid',
vars={'uid': uid}).list()
if not user:
raise AuthError('expired')
user = user[0]
if not tokens.check_token(user, token, auth.config.reset_expire_after):
raise AuthError('expired')
if password != password2:
raise AuthError('match')
if len(password) < auth.config.password_minlen:
raise AuthError('bad password')
auth.setPassword(user.user_login, password)
auth.login(user)
except AuthError, e:
auth.session.auth_error = str(e)
web.found(web.ctx.path)
return
def resetChangePOST(auth, uid, token):
# artificial delay (to slow down brute force attacks)
sleep(auth.config.forced_delay)
i = web.input()
password = i.get('password', '').strip()
password2 = i.get('password2', '').strip()
try:
user = auth._db.select('user',
where='user_id = $uid',
vars={'uid': uid})
if not len(user):
raise AuthError, 'expired'
user = user[0]
if not tokens.check_token(user, token, auth.config.reset_expire_after):
raise AuthError, 'expired'
if password != password2:
raise AuthError, 'match'
if len(password) < auth.config.password_minlen:
raise AuthError, 'bad password'
auth.setPassword(user.user_login, password)
auth.login(user)
except AuthError, e:
auth.session.auth_error = str(e)
web.found(web.ctx.path)
return
def create_user():
"""Confirms registration by token"""
if not request.json:
return make_response(jsonify({'error': 'Empty request', 'status': 'error'}), 400)
elif not all(key in request.json for key in
['email', 'password', 'public_key', 'token', 'login']):
return make_response(jsonify({'error': 'Bad request', 'status': 'error'}), 400)
params = request.json
hashed_email = sha512(params['email'].encode('utf-8')).hexdigest()
session = db_session.create_session()
accept = check_token(params['token'], hashed_email)
if not accept:
return make_response(jsonify({'error': 'Token error', 'status': 'error'}), 400)
login = sha512(params['login'].encode('utf-8')).hexdigest()
password_salt = secrets.token_hex(16)
password = sha512(str(params['password'] + password_salt).encode('utf-8')).hexdigest()
public_key = params['public_key']
exist_login = session.query(User).filter(User.login == login).first()
if exist_login:
return make_response(jsonify({'error': 'Login already exist', 'status': 'error'}), 400)
if not check_password(params['password']):
return make_response(jsonify({'error': 'Incorrect password', 'status': 'error'}), 400)
username = "******" + secrets.token_hex(4)
username_exist = session.query(User).filter(User.username == username).first()
start_time = time.time()
while True:
if time.time() - start_time > 5:
return make_response(jsonify({'error': 'Username timeout', 'status': 'error'}), 400)
if username_exist:
username = "******" + secrets.token_hex(8)
username_exist = session.query(User).filter(User.username == username).first()
else:
break
temp_user = User(login=login, username=username, password=password, password_salt=password_salt,
public_key=public_key)
session.add(temp_user)
temp_mail = UsedEmail(email=hashed_email)
session.add(temp_mail)
session.commit()
return jsonify({'status': 'OK', 'username': username})
def resetChangeGET(auth, uid, token, template=None):
# artificial delay (to slow down brute force attacks)
sleep(auth.config.forced_delay)
template = template or auth.config.template_reset_change or render.reset_change
try:
user = auth._db.select('user',
where='user_id = $uid',
vars={'uid': uid})
if not len(user) \
or not tokens.check_token(user[0], token, auth.config.reset_expire_after):
raise AuthError
except AuthError:
auth_error = 'expired'
else:
auth_error = auth.session.get('auth_error', '')
if auth_error:
del auth.session['auth_error']
return template(error=auth_error, url_reset=auth.config.url_reset_token)
def resetChangeGET(auth, uid, token, template=None):
# artificial delay (to slow down brute force attacks)
sleep(auth.config.forced_delay)
template = template or auth.config.template_reset_change or render.reset_change
try:
user = auth._db.select('user',
where = 'user_id = $uid',
vars = {'uid': uid}
)
if not len(user) \
or not tokens.check_token(user[0], token, auth.config.reset_expire_after):
raise AuthError
except AuthError:
auth_error = 'expired'
else:
auth_error = auth.session.get('auth_error', '')
if auth_error:
del auth.session['auth_error']
return template(error=auth_error, url_reset=auth.config.url_reset_token)
