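def test_password(p):
    """Check that ``hash_password`` salts and ``is_password_correct`` verifies.

    Args:
        p: plaintext password used as the test input.

    Two hashes of the same password must differ (a fresh random salt per
    call), both must verify against ``p``, and a password that differs by
    one appended character must not verify.
    """
    # NOTE(review): the original body called self.assert* although the
    # signature has no ``self``; plain asserts keep the signature intact.
    hashed = hash_password(p)
    hashed2 = hash_password(p)
    # Equal outputs for equal inputs would mean a missing or fixed salt.
    assert hashed != hashed2
    assert is_password_correct(p, hashed)
    assert is_password_correct(p, hashed2)
    assert not is_password_correct(p + "a", hashed)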
def create_user(db_sess, password, full_name, email, expires):
    """Insert a new user row and return the column values that were inserted.

    Args:
        db_sess: database session exposing ``execute(sql, params)``.
        password: plaintext password; only ``utils.hash_password`` output is stored.
        full_name: display name, stored as given.
        email: login identifier; must not already be registered.
        expires: account lifetime in days from now; a falsy value stores NULL.

    Returns:
        The dict bound to the INSERT, including ``hashed_password`` — callers
        should not pass that value on to anything user-facing.

    Raises:
        AlreadyExists: when ``lookup_user_id`` already finds ``email``.
    """
    # NOTE(review): the existence check and the INSERT are separate
    # statements, so two concurrent registrations of the same email can
    # both pass this check; a UNIQUE constraint on users.email is what
    # actually enforces uniqueness — confirm one exists.
    try:
        lookup_user_id(db_sess, email)
    except NotFound:
        pass
    else:
        _log.info("Email %s already exists", email)
        raise AlreadyExists()

    if expires:
        # Naive local time formatted to the second, as the column expects;
        # NOTE(review): confirm the DB and the expiry check agree on the zone.
        expiry_at = datetime.datetime.now() + datetime.timedelta(days=expires)
        expires_date = expiry_at.strftime("%Y-%m-%d %H:%M:%S")
    else:
        expires_date = None

    row = {
        "user_id": uuid.uuid4(),
        "hashed_password": utils.hash_password(password),
        "full_name": full_name,
        "email": email,
        "expires": expires_date,
    }
    # Bound parameters only; no values are interpolated into the SQL text.
    db_sess.execute(
        """ INSERT INTO users (user_id, password, full_name, email, expires) VALUES (:user_id, :hashed_password, :full_name, :email, :expires) """,
        row,
    )
    return row
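def _tokens_match(presented, expected):
    """Compare a presented recovery token with the stored one in constant time.

    ``==`` stops at the first differing character, so its timing can reveal
    how much of a token was right; ``hmac.compare_digest`` does not.  Two
    ``str`` values are compared as UTF-8 bytes, two bytes-like values
    directly.  Any other combination (for example a missing token) falls
    back to ``==``, which keeps the original mismatch behaviour.
    """
    import hmac

    if isinstance(presented, str) and isinstance(expected, str):
        return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
    if isinstance(presented, (bytes, bytearray)) and isinstance(expected, (bytes, bytearray)):
        return hmac.compare_digest(presented, expected)
    return presented == expected


def set_recovered_password(db_sess, email, token, password):
    """Use a password recovery token to set a new password.

    Checks the email address and token are correct, and sets the new
    password.  If the email address is unknown, throws ValueError.  If
    there is no token in the database, throws NotFound.  If the token is
    wrong, throws ValueError.

    Args:
        db_sess: database session exposing ``execute(sql, params)``.
        email: address whose stored recovery token is checked.
        token: the token presented by the caller.
        password: new plaintext password; only its hash is stored.

    Raises:
        ValueError: when ``token`` does not match the stored token.
    """
    expected_token = _get_valid_token(db_sess, email)
    # Constant-time comparison instead of ``==`` (see _tokens_match).
    if not _tokens_match(token, expected_token):
        raise ValueError('Wrong token')
    # Logger.warn is a deprecated alias of Logger.warning.
    _log.warning("Set password for %s", email)
    hashed_password = utils.hash_password(password)
    # Clearing both token columns makes the recovery token single-use.
    # (The original had a stray trailing comma after this call, which
    # turned the statement into a one-element tuple; harmless but removed.)
    db_sess.execute(
        """ UPDATE users SET password = :hashed_password, recovery_token = NULL, recovery_token_created = NULL WHERE email = :email """,
        {"email": email, "hashed_password": hashed_password},
    )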