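def resetChangePOST(auth, uid, token):
    """Handle the POST of the password-reset form for user ``uid``.

    Reads ``password``/``password2`` from the request, verifies that the
    reset ``token`` is still valid for that user, stores the new password
    and logs the user in. Any :class:`AuthError` is recorded in
    ``auth.session.auth_error`` and the client is sent back to the current
    path so the GET handler can render the message.

    :param auth: auth plugin object exposing ``config``, ``_db``, ``session``,
        ``setPassword`` and ``login``.
    :param uid: user id taken from the reset URL (untrusted).
    :param token: reset token taken from the reset URL (untrusted).
    :returns: ``None``. On success nothing is rendered or redirected here;
        NOTE(review): confirm the caller produces the post-login response.
    """
    # Fixed delay to slow online guessing of the token. It only stalls the
    # current request and does not bound concurrent attempts, so it is not a
    # substitute for real rate limiting.
    sleep(auth.config.forced_delay)

    i = web.input()
    # Surrounding whitespace is stripped before any check, so it never
    # becomes part of the stored password.
    password = i.get('password', '').strip()
    password2 = i.get('password2', '').strip()
    try:
        # Parameterised lookup: uid is bound via ``vars``, never interpolated.
        user = auth._db.select('user',
                               where='user_id = $uid',
                               vars={'uid': uid}).list()
        if not user:
            raise AuthError('expired')
        user = user[0]
        # The token is verified before the submitted passwords are looked at,
        # and an unknown uid yields the same 'expired' error as a bad token,
        # so the response does not reveal whether the uid exists.
        if not tokens.check_token(user, token, auth.config.reset_expire_after):
            raise AuthError('expired')
        if password != password2:
            raise AuthError('match')
        if len(password) < auth.config.password_minlen:
            raise AuthError('bad password')

        # NOTE(review): the token is not explicitly invalidated here. This
        # presumably relies on tokens.check_token being bound to state that
        # setPassword changes; otherwise the link stays reusable until
        # reset_expire_after elapses -- confirm.
        auth.setPassword(user.user_login, password)
        auth.login(user)
    except AuthError as e:  # 'as' form: valid on Python 2.6+ and 3
        auth.session.auth_error = str(e)
        # Relies on web.py's redirect object setting ctx status/headers on
        # construction; newer web.py expects ``raise web.found(...)`` --
        # check against the pinned version.
        web.found(web.ctx.path)
        return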
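def resetChangePOST(auth, uid, token):
    """Process the password-reset form submission for user ``uid``.

    Validates the reset ``token`` for the user identified by ``uid``, checks
    that both submitted passwords agree and meet the configured minimum
    length, then stores the new password and logs the user in. Failures are
    raised as :class:`AuthError`, stored in ``auth.session.auth_error`` and
    answered with a redirect to the current path.

    :param auth: auth plugin object (``config``, ``_db``, ``session``,
        ``setPassword``, ``login``).
    :param uid: user id from the reset URL (untrusted).
    :param token: reset token from the reset URL (untrusted).
    :returns: ``None``. The success path neither renders nor redirects;
        NOTE(review): confirm the caller handles the response after login.
    """
    # Fixed delay against online brute force. It delays this request only and
    # does not limit how many requests run concurrently.
    sleep(auth.config.forced_delay)

    i = web.input()
    # Leading/trailing whitespace is dropped before comparison and storage.
    password = i.get('password', '').strip()
    password2 = i.get('password2', '').strip()
    try:
        # uid is passed through ``vars``; it is never formatted into the SQL.
        user = auth._db.select('user',
                               where='user_id = $uid',
                               vars={'uid': uid})
        if not len(user):
            raise AuthError('expired')
        user = user[0]
        # Missing user and invalid token report the same 'expired' error, so
        # a caller cannot tell which failed; the token is checked before any
        # password validation happens.
        if not tokens.check_token(user, token, auth.config.reset_expire_after):
            raise AuthError('expired')
        if password != password2:
            raise AuthError('match')
        if len(password) < auth.config.password_minlen:
            raise AuthError('bad password')

        # NOTE(review): no explicit one-time-use invalidation of the token;
        # presumably tokens.check_token depends on data setPassword changes --
        # verify, or the reset link remains valid until it expires.
        auth.setPassword(user.user_login, password)
        auth.login(user)
    except AuthError as e:  # Python 2.6+/3 compatible exception syntax
        auth.session.auth_error = str(e)
        # web.py redirect; whether constructing (rather than raising) it is
        # sufficient depends on the web.py version in use -- confirm.
        web.found(web.ctx.path)
        return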
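def create_user():
    """Confirm a registration token and create the user account.

    Expects a JSON object with ``email``, ``password``, ``public_key``,
    ``token`` and ``login``. The token is validated against the sha512
    digest of the email, the login is stored as its sha512 digest, the
    password is stored as ``sha512(password + salt)`` with a fresh random
    salt, and a random ``******``-prefixed username is generated.

    :returns: ``{'status': 'OK', 'username': ...}`` on success, otherwise a
        400 response carrying ``{'error': ..., 'status': 'error'}``.
    """
    if not request.json:
        return make_response(jsonify({'error': 'Empty request', 'status': 'error'}), 400)

    params = request.json
    required = ('email', 'password', 'public_key', 'token', 'login')
    if not isinstance(params, dict) or not all(key in params for key in required):
        return make_response(jsonify({'error': 'Bad request', 'status': 'error'}), 400)
    # JSON values may be of any type; the fields below are concatenated,
    # encoded and hashed as text, so reject non-strings with a 400 instead of
    # letting a TypeError/AttributeError surface as a 500.
    if not all(isinstance(params[key], str) for key in ('email', 'password', 'token', 'login')):
        return make_response(jsonify({'error': 'Bad request', 'status': 'error'}), 400)

    session = db_session.create_session()
    try:
        # The email is only ever handled as an unsalted sha512 digest. That
        # allows lookups but is deterministic, so anyone able to guess an
        # address can recompute the digest.
        hashed_email = sha512(params['email'].encode('utf-8')).hexdigest()

        if not check_token(params['token'], hashed_email):
            return make_response(jsonify({'error': 'Token error', 'status': 'error'}), 400)

        login = sha512(params['login'].encode('utf-8')).hexdigest()
        # NOTE(review): a single salted sha512 is a fast hash, cheap to brute
        # force offline; a dedicated password KDF (hashlib.pbkdf2_hmac /
        # scrypt) is the usual choice. Left as-is because the stored format
        # must match the verification code, which is not in this file.
        password_salt = secrets.token_hex(16)
        password = sha512((params['password'] + password_salt).encode('utf-8')).hexdigest()
        # NOTE(review): stored exactly as sent; no format or type check here.
        public_key = params['public_key']

        # This reply discloses that a login is taken. Logins must be unique,
        # so some disclosure is inherent to the design.
        if session.query(User).filter(User.login == login).first():
            return make_response(jsonify({'error': 'Login already exist', 'status': 'error'}), 400)

        # Password policy is evaluated after the uniqueness lookup, so a taken
        # login is reported before a weak password.
        if not check_password(params['password']):
            return make_response(jsonify({'error': 'Incorrect password', 'status': 'error'}), 400)

        # Random, server-chosen username: 4 random bytes (8 hex chars) first,
        # 8 bytes on collision; give up after roughly 5 seconds of retries.
        username = "******" + secrets.token_hex(4)
        deadline = time.time() + 5
        while session.query(User).filter(User.username == username).first():
            if time.time() > deadline:
                return make_response(jsonify({'error': 'Username timeout', 'status': 'error'}), 400)
            username = "******" + secrets.token_hex(8)

        # NOTE(review): the lookups above and this insert are not atomic, so a
        # concurrent registration can still collide; unique constraints on
        # login/username in the schema are what actually enforce uniqueness
        # (commit would then raise) -- confirm they exist.
        session.add(User(login=login, username=username, password=password,
                         password_salt=password_salt, public_key=public_key))
        # NOTE(review): nothing here checks UsedEmail before inserting;
        # presumably check_token or a DB constraint prevents re-registration.
        session.add(UsedEmail(email=hashed_email))
        session.commit()
        return jsonify({'status': 'OK', 'username': username})
    finally:
        # Release the session on every path, including the early 400 returns.
        session.close()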
def resetChangeGET(auth, uid, token, template=None):
    """Render the password-reset form for user ``uid``.

    If ``uid`` is unknown or ``token`` does not validate, the form is
    rendered with the error ``'expired'``. Otherwise any error left in
    ``auth.session['auth_error']`` by the POST handler is shown once and
    removed from the session.

    :param auth: auth plugin object exposing ``config``, ``_db`` and
        ``session``.
    :param uid: user id from the reset URL (untrusted).
    :param token: reset token from the reset URL (untrusted).
    :param template: optional renderer; defaults to
        ``auth.config.template_reset_change`` or ``render.reset_change``.
    :returns: the rendered template.
    """
    # Fixed delay to slow online token guessing; it stalls only this request
    # and does not cap concurrent attempts.
    sleep(auth.config.forced_delay)

    view = template or auth.config.template_reset_change or render.reset_change
    try:
        rows = auth._db.select('user',
                               where='user_id = $uid',
                               vars={'uid': uid})
        # check_token is only consulted when a row exists (short circuit).
        valid = len(rows) and tokens.check_token(
            rows[0], token, auth.config.reset_expire_after)
        if not valid:
            raise AuthError
    except AuthError:
        message = 'expired'
    else:
        # One-shot: the POST handler parks its error here; consume it.
        message = auth.session.get('auth_error', '')
        if message:
            del auth.session['auth_error']
    return view(error=message, url_reset=auth.config.url_reset_token)
def resetChangeGET(auth, uid, token, template=None):
    """Show the password-reset form for user ``uid``.

    Validates the reset ``token`` for the user; on failure (unknown uid or
    invalid token) the form is rendered with ``error='expired'``. On success
    the form shows, and clears, whatever error the POST handler stored in
    ``auth.session['auth_error']``.

    :param auth: auth plugin object (``config``, ``_db``, ``session``).
    :param uid: user id from the reset URL (untrusted).
    :param token: reset token from the reset URL (untrusted).
    :param template: optional renderer overriding the configured one.
    :returns: the rendered template.
    """
    # Fixed delay against online brute force of the token. It only delays
    # this request; it does not limit concurrent requests.
    sleep(auth.config.forced_delay)

    renderer = template or auth.config.template_reset_change or render.reset_change
    try:
        matches = auth._db.select('user',
                                  where='user_id = $uid',
                                  vars={'uid': uid})
        if not len(matches):
            raise AuthError
        if not tokens.check_token(matches[0], token, auth.config.reset_expire_after):
            raise AuthError
        # Token is good: surface and discard any pending error from the POST.
        error = auth.session.get('auth_error', '')
        if error:
            del auth.session['auth_error']
    except AuthError:
        # Unknown uid and bad token are reported identically.
        error = 'expired'
    return renderer(error=error, url_reset=auth.config.url_reset_token)