def post(self, request):
email = request.data["email"]
email_validator = EmailValidator()
email_validator(email)
# prevent timing attack - is this necessary?
try:
user = get_user_model().objects.get(email=email,
email_verified=True)
token = PasswordResetToken(user=user, token=secrets.token_hex())
token.save()
uid = user.id
token = token.token
password_reset_start.send(sender=self.__class__, user=user)
except get_user_model().DoesNotExist:
password_reset_start_reject.send(sender=self.__class__,
email=email)
uid = -1
token = ""
email = "*****@*****.**"
send_email(
email,
"RACTF - Reset Your Password",
"password_reset",
url=settings.FRONTEND_URL +
"password_reset?id={}&secret={}".format(uid, token),
)
return FormattedResponse()
def post(self, request):
request.user.totp_device.delete()
request.user.save()
remove_2fa.send(sender=self.__class__, user=request.user)
send_email(request.user.email, "RACTF - 2FA Has Been Disabled",
"2fa_removed")
return FormattedResponse()
def create(self, validated_data):
user = validated_data['user']
user.set_password(validated_data['password'])
user.save()
token = user.email_token
send_email(user.email,
'RACTF - Verify your email',
'verify',
url='verify?id={}&secret={}'.format(user.id, token))
register.send(sender=self.__class__, user=user)
return user
def test_mails(app):
from backend.mail import mail, send_email
with mail.record_messages() as outbox:
send_email(
recipients='*****@*****.**',
subject='Test Email',
body='Welcome to supermarkt.org',
)
assert len(outbox) == 1
email = outbox[0]
assert email.subject == 'Test Email'
assert email.body == 'Welcome to supermarkt.org'
assert len(email.recipients) == 1
assert '*****@*****.**' in email.recipients
assert email.sender == 'Supermarkt <*****@*****.**>'
def post(self, request):
email = request.data['email']
email_validator = EmailValidator()
email_validator(email)
# prevent timing attack - is this necessary?
try:
user = get_user_model().objects.get(email=email)
uid = user.id
token = user.password_reset_token
password_reset_start.send(sender=self.__class__, user=user)
except get_user_model().DoesNotExist:
password_reset_start_reject.send(sender=self.__class__,
email=email)
uid = -1
token = ''
email = '*****@*****.**'
send_email(email,
'RACTF - Reset Your Password',
'password_reset',
url='password_reset?id={}&secret={}'.format(uid, token))
return FormattedResponse()
def post(self, request):
serializer = self.serializer_class(data=request.data,
context={"request": request})
if not serializer.is_valid():
return FormattedResponse(
m="invalid_token_or_uid",
d=serializer.errors,
status=HTTP_400_BAD_REQUEST,
)
user = serializer.validated_data["user"]
if user.email_verified:
return FormattedResponse(
m="invalid_token_or_uid",
d=serializer.errors,
status=HTTP_400_BAD_REQUEST,
)
send_email(user.email,
'RACTF - Verify your email',
'verify',
url=settings.FRONTEND_URL +
'verify?id={}&secret={}'.format(user.id, user.email_token))
return FormattedResponse('email_resent')
def register_user(self, username, email, password, invite, **kwargs):
if config.get('email_regex') and not re.compile(config.get('email_regex')).match(email) or \
not email.endswith(config.get('email_domain')):
raise FormattedException(m='invalid_email',
status_code=HTTP_400_BAD_REQUEST)
register_end_time = config.get('register_end_time')
if not (config.get('enable_registration') and time.time() >= config.get('register_start_time')) \
and (register_end_time < 0 or register_end_time > time.time()):
register_reject.send(sender=self.__class__,
username=username,
email=email)
raise FormattedException(m='registration_not_open',
status_code=HTTP_403_FORBIDDEN)
user = get_user_model()(username=username, email=email)
if get_user_model().objects.filter(
username=username) or get_user_model().objects.filter(
email=email):
raise FormattedException(m='email_or_username_in_use',
status_code=HTTP_403_FORBIDDEN)
if not get_user_model().objects.all().exists():
user.is_staff = True
user.is_superuser = True
password_validation.validate_password(password, user)
user.set_password(password)
if config.get("invite_required"):
if InviteCode.objects.filter(code=invite):
code = InviteCode.objects.get(code=invite)
if code:
if code.uses >= code.max_uses:
raise FormattedException(
m="invite_already_used",
status_code=HTTP_403_FORBIDDEN)
code.uses += 1
if code.uses >= code.max_uses:
code.fully_used = True
code.save()
if code.auto_team:
user.team = code.auto_team
else:
raise FormattedException(m="invalid_invite",
status_code=HTTP_403_FORBIDDEN)
token = user.email_token
if not settings.MAIL["SEND"]:
user.email_verified = True
if not config.get("enable_teams"):
user.save()
user.team = Team.objects.create(
owner=user,
name=username,
password=secrets.token_hex(32),
)
user.save()
send_email(user.email,
'RACTF - Verify your email',
'verify',
url=settings.FRONTEND_URL +
'verify?id={}&secret={}'.format(user.id, token))
register.send(sender=self.__class__, user=user)
return user