def login_password(): # Handle POST error_message = None if request.method == 'POST': user_name = request.form.get('username', '') if '@illinois.edu' not in user_name: user_name += '@illinois.edu' pw = request.form.get('password', '') # Get user object user_query = PasswordUser.select().where(PasswordUser.email == user_name) # Check password if user_query.exists(): user_obj = user_query.get() pw_encrypted = hash_password(pw, user_obj.salt) if pw_encrypted == user_obj.salted_hash: session['user_id'] = user_obj.id session['is_passworded'] = True session['csrf_token'] = secure_token(64) return redirect('/') # POST failed error_message = 'Invalid username and/or password.' # Handle GET/failed POST return render_template('login.html', error_message=error_message)
def reset_password(): error_message = None # Handle GET (user clicked on email link) if request.method == 'GET': # Get token token = request.args.get('token', '') pw_query = PasswordUser.select().where(PasswordUser.password_reset_token == token) # Check for user if not pw_query.exists(): return json_status(410, "Invalid token.") # Require long-enough reset token if len(token) != DEFAULT_TOKEN_LENGTH: return json_status(410, "Invalid token.") # Get user + construct password reset page user = pw_query.get() session['csrf_token'] = secure_token() # To prevent CSRF session['reset_id'] = user.id # Invalidate user's existing password reset token user.password_reset_token = secure_token() user.save() # Show finished page return render_template('reset-newpassword.html', session=session) # Handle POST (user requested new password) else: requireCSRFToken() # Get user user_query = PasswordUser.select().where(PasswordUser.id == session['reset_id']) if not user_query.exists(): return json_status(500, "No matching user.") user = user_query.get() # Validate requested password password = request.form.get('password', '') if len(password) < 12 or len(set(password)) < 8: return render_template('reset-newpassword.html', session=session, error_message='Passwords must be 12+ characters long and contain 8+ different characters.') # Update user's password new_salt = secure_token() user.salt = new_salt user.salted_hash = hash_password(password, new_salt) user.save() # Redirect user to complete page return render_template('reset-complete.html')
def add_user(): requirePasswordedUser() requireCSRFToken() # Get data email = request.values.get('email', None) is_passworded = request.values.get('is_passworded', None) # Validate data if email is None or is_passworded is None: return json_status(400, "One or more of (email, is_passworded) is missing.") if len(email) < 2 or len(email) > 256: return json_status(400, "Email must be between 2 and 256 (inclusive) characters long.") if '@' not in email: email += '@illinois.edu' elif '@illinois.edu' not in email: return json_status(400, "Emails must be either netids or @illinois.edu emails") is_passworded = is_passworded.lower() if is_passworded not in ["true", "false"]: return json_status(400, "Invalid is_passworded value") is_passworded = (is_passworded == "true") # Prevent duplication if PasswordUser.select().where(PasswordUser.email==email).exists() or AuthcodeUser.select().where(AuthcodeUser.email==email).exists(): return json_status(400, "User already exists") # Create user password = None user = None if is_passworded: password = secure_token(12) salt = secure_token() salted_hash = hash_password(password, salt) user = PasswordUser(email=email, salt=salt, salted_hash=salted_hash) else: user = AuthcodeUser(email=email, authcode=secure_token()) user.save() # Trigger event hooks (to notify the user) if is_passworded: on_create_password_user(user, password) else: on_create_authcode_user(user) # Done! return json_status(200, user.id)