def resetChangePOST(auth, uid, token):
    """Handle the submitted "choose a new password" form of a password reset.

    ``uid`` and ``token`` come from the reset URL, ``password`` and
    ``password2`` from the POST body.  The token is verified against the
    stored user row before the password is touched.  A missing user row and a
    bad/expired token both produce the same ``'expired'`` error, so the
    response does not reveal which user ids exist.  On any failure the error
    text is stashed in ``auth.session.auth_error`` and the client is sent back
    to the same path; on success the password is replaced and the user is
    logged in.
    """
    # Every request, valid or not, pays this delay to slow down token guessing.
    sleep(auth.config.forced_delay)

    form = web.input()
    # NOTE(review): strip() silently drops leading/trailing whitespace from the
    # submitted password; the login path must normalise the same way -- confirm.
    new_password = form.get('password', '').strip()
    confirmation = form.get('password2', '').strip()

    try:
        # Parameterised through web.py's $var substitution, not string-built SQL.
        rows = auth._db.select('user', where='user_id = $uid', vars={'uid': uid}).list()
        if not rows:
            raise AuthError('expired')
        user = rows[0]
        if not tokens.check_token(user, token, auth.config.reset_expire_after):
            raise AuthError('expired')
        if new_password != confirmation:
            raise AuthError('match')
        if len(new_password) < auth.config.password_minlen:
            raise AuthError('bad password')
        # NOTE(review): nothing here explicitly invalidates the reset token;
        # whether it becomes single-use after this call depends on how
        # tokens.check_token derives it (e.g. from the current password hash)
        # -- confirm, otherwise the link stays usable until it expires.
        auth.setPassword(user.user_login, new_password)
        auth.login(user)
    except AuthError as e:
        # NOTE(review): the flattened source does not show whether the redirect
        # and return sit inside this handler or after it; treated as the
        # failure path here -- confirm against the original file.
        auth.session.auth_error = str(e)
        web.found(web.ctx.path)
        return
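def resetChangePOST(auth, uid, token):
    """Apply the new password submitted from a password-reset link.

    ``uid`` and ``token`` are taken from the URL, ``password``/``password2``
    from the POST form.  Checks, in order: the user row exists, the token
    verifies via ``tokens.check_token`` within ``reset_expire_after``, both
    password fields match, and the password meets ``password_minlen``.  A
    missing user and a failed token both map to ``'expired'`` so the response
    does not distinguish valid from invalid user ids.  On any failure the
    error text is stored in ``auth.session.auth_error`` and the client is
    redirected back to the same path; on success the password is replaced and
    the user is logged in.

    The raises use the call form ``AuthError('...')`` (valid on Python 2 and
    3, and matching the sibling variant of this handler) instead of the
    Python-2-only ``raise AuthError, '...'`` form.
    """
    # artificial delay (to slow down brute force attacks on the token)
    sleep(auth.config.forced_delay)
    i = web.input()
    # NOTE(review): strip() changes the password the user typed; the login
    # path must apply the same normalisation or resets will "succeed" but the
    # new password will not work -- confirm.
    password = i.get('password', '').strip()
    password2 = i.get('password2', '').strip()
    try:
        # Parameterised via web.py's $var substitution (no string-built SQL).
        user = auth._db.select('user', where='user_id = $uid', vars={'uid': uid})
        # Relies on the select() result supporting len() and [0] -- the
        # sibling variant calls .list() first instead.
        if not len(user):
            raise AuthError('expired')
        user = user[0]
        if not tokens.check_token(user, token, auth.config.reset_expire_after):
            raise AuthError('expired')
        if password != password2:
            raise AuthError('match')
        if len(password) < auth.config.password_minlen:
            raise AuthError('bad password')
        # NOTE(review): the reset token is not explicitly revoked here; it is
        # only single-use if tokens.check_token ties it to state that
        # setPassword changes -- confirm.
        auth.setPassword(user.user_login, password)
        auth.login(user)
    except AuthError as e:
        # NOTE(review): the flattened source does not show whether the redirect
        # and return belong to this except block or follow it; treated as the
        # failure path here -- confirm against the original file.
        auth.session.auth_error = str(e)
        web.found(web.ctx.path)
        return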
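def create_user():
    """Confirm a registration by token and create the user row.

    Expects a JSON object with the string fields ``email``, ``password``,
    ``public_key``, ``token`` and ``login``.  The email is SHA-512 hashed and
    the token is checked against that digest via ``check_token``; the login is
    stored as a SHA-512 digest and the password as ``sha512(password + salt)``
    with a fresh 16-byte hex salt.  A display name of the form ``******`` plus
    random hex is generated until one is unused (bounded by a 5-second
    wall-clock limit).

    Returns a JSON response: ``{'status': 'OK', 'username': ...}`` on success,
    or ``{'status': 'error', 'error': ...}`` with HTTP 400 on any validation
    failure (empty body, malformed body, bad token, login taken, password
    rejected by ``check_password``, username generation timeout).

    Change from the previous version: a body that is not a JSON object, or
    whose required fields are not all strings, now returns 400 'Bad request'
    instead of crashing with TypeError/AttributeError (HTTP 500) in the
    hashing below.
    """
    required = ('email', 'password', 'public_key', 'token', 'login')
    body = request.json
    if not body:
        return make_response(jsonify({'error': 'Empty request', 'status': 'error'}), 400)
    # Untrusted JSON: a list body passes the old `key in body` test and a
    # non-string value (int, list, null) blows up in .encode()/concatenation,
    # so require a dict with string values up front.
    if not isinstance(body, dict) or not all(isinstance(body.get(key), str) for key in required):
        return make_response(jsonify({'error': 'Bad request', 'status': 'error'}), 400)
    params = body

    # NOTE(review): an unsalted SHA-512 of an email address is not
    # anonymisation -- addresses are low-entropy and can be recovered by
    # dictionary search against the stored digest.
    hashed_email = sha512(params['email'].encode('utf-8')).hexdigest()
    # NOTE(review): the session is never closed on the early-return paths
    # below; whether that leaks depends on what create_session() returns.
    session = db_session.create_session()
    # NOTE(review): nothing visible here consumes the token after use; whether
    # it is single-use depends on check_token -- confirm.
    accept = check_token(params['token'], hashed_email)
    if not accept:
        return make_response(jsonify({'error': 'Token error', 'status': 'error'}), 400)

    login = sha512(params['login'].encode('utf-8')).hexdigest()
    password_salt = secrets.token_hex(16)
    # NOTE(review): a single SHA-512 over password+salt is a fast hash, not a
    # password KDF; it should be replaced with PBKDF2/bcrypt/argon2 together
    # with the matching verification code elsewhere -- changing it here alone
    # would break login for the stored format, so it is only flagged.
    password = sha512((params['password'] + password_salt).encode('utf-8')).hexdigest()
    # Stored as received; nothing here validates that it parses as a key.
    public_key = params['public_key']

    # NOTE(review): check-then-insert; two concurrent requests with the same
    # login can both pass this unless the column carries a unique constraint.
    # The distinct error text also tells a caller whether a login exists.
    exist_login = session.query(User).filter(User.login == login).first()
    if exist_login:
        return make_response(jsonify({'error': 'Login already exist', 'status': 'error'}), 400)
    if not check_password(params['password']):
        return make_response(jsonify({'error': 'Incorrect password', 'status': 'error'}), 400)

    # First attempt uses 4 random bytes; retries widen to 8 on collision.
    username = "******" + secrets.token_hex(4)
    username_exist = session.query(User).filter(User.username == username).first()
    start_time = time.time()
    while True:
        # Wall-clock bound so a run of collisions cannot spin forever.
        if time.time() - start_time > 5:
            return make_response(jsonify({'error': 'Username timeout', 'status': 'error'}), 400)
        if username_exist:
            username = "******" + secrets.token_hex(8)
            username_exist = session.query(User).filter(User.username == username).first()
        else:
            break

    temp_user = User(login=login, username=username, password=password,
                     password_salt=password_salt, public_key=public_key)
    session.add(temp_user)
    temp_mail = UsedEmail(email=hashed_email)
    session.add(temp_mail)
    session.commit()
    return jsonify({'status': 'OK', 'username': username})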
def resetChangeGET(auth, uid, token, template=None):
    """Render the "choose a new password" form for a password-reset link.

    The ``uid``/``token`` pair from the URL is checked first: if the user row
    is missing or the token fails ``tokens.check_token`` the form is rendered
    with the ``'expired'`` error (a single message for both cases, so the page
    does not reveal which ids exist).  Otherwise any error left in the session
    by the matching POST handler is shown once and cleared.

    ``template`` overrides ``auth.config.template_reset_change`` and the
    default ``render.reset_change``.  Returns the rendered template.

    NOTE(review): the token travels in the URL path, so it lands in server
    logs and in the Referer of anything the rendered page loads from
    elsewhere -- keep the page free of third-party resources.
    """
    # Same delay as the POST handler, so probing tokens via GET is no faster.
    sleep(auth.config.forced_delay)
    view = template or auth.config.template_reset_change or render.reset_change
    try:
        # Parameterised via web.py's $var substitution (no string-built SQL).
        rows = auth._db.select('user', where='user_id = $uid', vars={'uid': uid})
        # check_token is only consulted when a row exists (short-circuit).
        link_ok = len(rows) and tokens.check_token(rows[0], token, auth.config.reset_expire_after)
        if not link_ok:
            raise AuthError
    except AuthError:
        # A stale session auth_error is left in place on this branch; only
        # the valid-link branch below clears it.
        message = 'expired'
    else:
        # One-shot flash message set by resetChangePOST.
        message = auth.session.get('auth_error', '')
        if message:
            del auth.session['auth_error']
    return view(error=message, url_reset=auth.config.url_reset_token)
def resetChangeGET(auth, uid, token, template=None):
    """Show the new-password form behind a password-reset link.

    Looks up the user for ``uid`` and validates ``token`` with
    ``tokens.check_token`` (bounded by ``auth.config.reset_expire_after``).
    A missing row and an invalid token are both reported as ``'expired'`` so
    the response does not leak which user ids exist.  When the link is valid,
    the one-shot ``auth_error`` left in the session by the POST handler is
    displayed and removed.

    ``template`` overrides ``auth.config.template_reset_change`` and the
    default ``render.reset_change``.  Returns the rendered template.

    NOTE(review): ``token`` is part of the URL, so it is exposed through
    request logs and the Referer header of any external resource the page
    embeds.
    """
    # Deliberate delay on every request to slow down token guessing.
    sleep(auth.config.forced_delay)
    page = template or auth.config.template_reset_change or render.reset_change

    link_valid = True
    try:
        # Parameterised lookup via web.py's $var substitution.
        rows = auth._db.select('user', where='user_id = $uid', vars={'uid': uid})
        if not len(rows):
            raise AuthError
        if not tokens.check_token(rows[0], token, auth.config.reset_expire_after):
            raise AuthError
    except AuthError:
        link_valid = False

    if not link_valid:
        # Any stale session auth_error is intentionally left alone here.
        auth_error = 'expired'
    else:
        auth_error = auth.session.get('auth_error', '')
        if auth_error:
            # Flash semantics: show the POST handler's error exactly once.
            del auth.session['auth_error']
    return page(error=auth_error, url_reset=auth.config.url_reset_token)