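def get(self):
    """Serve the password-reset page reached from the reset e-mail link.

    A visitor who is already logged in is asked to log out first.
    Otherwise the ``token`` query parameter, of the form
    ``<reset_id>-<temp_pw>``, is parsed and checked against the stored
    ResetPasswordRequest: the entry must exist, be at most one hour old
    and accept ``temp_pw`` via ``check_for_valid_request``.  On success
    the owning user is logged in and ``reset_password.html`` is rendered;
    on any failure a flash message is set and the visitor is redirected
    to "/".

    Side effects: ``self.r`` is set to the looked-up request (``None``
    when the token is malformed); on success ``self.user`` is set and
    ``self.login`` establishes a session, so the link alone acts as a
    credential until the request is invalidated.
    """
    if self.user:
        # Prompt user to logout
        self.session.add_flash('message_reset_password_1', key='homepage_flashes')
        self.redirect("/")
        return

    # Get token from URL; treat a missing parameter like an empty string.
    input_token = self.request.get('token') or ''

    # Reject a malformed token up front.  The earlier fall-through with
    # reset_id = 1 left temp_pw unbound and relied on entity 1 never
    # existing; an existing, unexpired entity 1 raised UnboundLocalError.
    token_re = re.compile(r"^([0-9]{1,30})\-.{3,20}$")
    if not token_re.match(input_token):
        self.r = None
        # Show message that link is not valid.
        self.session.add_flash('message_reset_password_2', key='homepage_flashes')
        self.redirect("/")
        return

    # Split token to obtain reset_id and temp_pw.
    token_parts = input_token.split('-')
    reset_id = int(token_parts[0])
    temp_pw = token_parts[1]

    # Use reset_id to find entry in ResetPasswordRequest DB.
    self.r = ResetPasswordRequest.by_id(reset_id)
    if not self.r:
        # Show message that link is not valid.
        self.session.add_flash('message_reset_password_2', key='homepage_flashes')
        self.redirect("/")
        return

    # Check if entry is not older than one hour.
    if datetime.datetime.now() - datetime.timedelta(hours=1) > self.r.created:
        # Show message that too much time has passed.
        self.session.add_flash('message_reset_password_3', key='homepage_flashes')
        self.redirect("/")
        return

    # Check if temp_pw is valid for the stored request.
    if not ResetPasswordRequest.check_for_valid_request(self.r.email, temp_pw):
        # Show message that the link is not valid.
        self.session.add_flash('message_reset_password_4', key='homepage_flashes')
        self.redirect("/")
        return

    # No error: look the user up by the request's e-mail, log in and
    # render reset_password.html with a fresh CSRF state.
    self.user = User.by_email(self.r.email)
    self.login(self.user)
    state = self.make_state()
    self.render('reset_password.html', user=self.user, token=input_token, state=state)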
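def post(self):
    """Handle the forgot-password form (page-render variant).

    A logged-in user is shown ``message.html`` asking them to log out.
    Otherwise the CSRF state is verified, the submitted ``email`` is
    looked up, a ResetPasswordRequest with a random temporary password is
    stored, and ``email_forgot_password.html`` carrying the
    ``<reset_id>-<temp_pw>`` link is sent to the user's address.

    Side effects: sets ``self.user`` to the looked-up user (or ``None``),
    writes a ResetPasswordRequest entity and sends an e-mail.
    """
    if self.user:
        # Prompt user to log out.
        self.render('message.html', user=self.user, message_forgot_password_1=True)
        return

    if not self.check_state():
        logging.warning("Possible CSRF attack detected!")
        self.redirect("/")
        return

    # Receive input from web-page: email
    input_email = self.request.get('email').lower()
    self.user = User.by_email(input_email)
    if not self.user:
        state = self.make_state()
        # Render page with error-message.
        # NOTE(review): a distinct error for an unknown address reveals which
        # e-mails are registered; a uniform "mail sent" response avoids that.
        self.render('forgot_password.html', form_email=input_email, error=True, state=state)
        return

    # Generate the temporary password with an OS-backed generator: the
    # default Mersenne Twister behind random.choice() is predictable, and
    # this value is the secret that authorises the reset.
    length = 10
    rng = random.SystemRandom()
    temp_pw = ''.join(rng.choice(ascii_letters) for _ in range(length))

    # Create entry in ResetPasswordRequest DB
    u = ResetPasswordRequest.create_request(input_email, temp_pw)
    u.put()

    # Send email with a link to the ResetPassword page.  The link carries
    # the request id and the temporary password that authenticate the user.
    # ADAPT LINK TO GAE URL
    reset_token = str(u.key().id()) + "-" + temp_pw
    link = "http://PROJECT_ID.appspot.com/reset_pw/?token=%s" % reset_token
    self.send_email(self.user.email, 'email_subject.html', 'email_forgot_password.html',
                    subject_type='forgot_password', username=self.user.name, link=link)

    # Render message-page with message that email was sent
    self.render('message.html', input_email=input_email, message_forgot_password_2=True)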
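def post(self):
    """Handle the reset-password form submission (flash-message variant).

    The caller must be logged in (the GET handler logs the user in from
    the reset link) and present a valid CSRF state.  The ``token`` form
    field is re-validated against ResetPasswordRequest -- the entry must
    exist, be at most one hour old, accept ``temp_pw`` and belong to the
    logged-in user -- before ``password``/``verify_password`` are checked
    and the new password is stored via ``User.update``.  The used request
    is then deactivated so the link cannot be replayed.

    Every failure sets a flash message and redirects to "/", except
    password-validation errors, which re-render ``reset_password.html``.
    Side effect: ``self.r`` is set to the looked-up request (``None`` when
    the token is malformed).
    """
    if not self.user:
        # Show message to use the link in the email.
        self.session.add_flash('message_reset_password_6', key='homepage_flashes')
        self.redirect("/")
        return

    if not self.check_state():
        self.redirect("/")
        return

    # Get user input: password and verify_password
    input_password = self.request.get('password')
    input_verify_password = self.request.get('verify_password')
    # Get token from web page; treat a missing field like an empty string.
    input_token = self.request.get('token') or ''

    # Reject a malformed token up front.  The earlier fall-through with
    # reset_id = 1 left temp_pw unbound and relied on entity 1 never
    # existing; an existing, unexpired entity 1 raised UnboundLocalError.
    token_re = re.compile(r"^([0-9]{1,30})\-.{3,20}$")
    if not token_re.match(input_token):
        self.r = None
        # Show message to contact via email
        self.session.add_flash('message_reset_password_5', key='homepage_flashes')
        self.redirect("/")
        return

    token_parts = input_token.split('-')
    reset_id = int(token_parts[0])
    temp_pw = token_parts[1]

    # Use reset_id to find entry in ResetPasswordRequest DB.
    self.r = ResetPasswordRequest.by_id(reset_id)
    if not self.r:
        # Show message to contact via email
        self.session.add_flash('message_reset_password_5', key='homepage_flashes')
        self.redirect("/")
        return

    # Check if entry is not older than one hour.
    if datetime.datetime.now() - datetime.timedelta(hours=1) > self.r.created:
        # Show message that too much time has passed.
        self.session.add_flash('message_reset_password_3', key='homepage_flashes')
        self.redirect("/")
        return

    # Check if temp_pw is valid
    if not ResetPasswordRequest.check_for_valid_request(self.r.email, temp_pw):
        # Show message to contact via email
        self.session.add_flash('message_reset_password_5', key='homepage_flashes')
        self.redirect("/")
        return

    # The request must belong to the logged-in user; otherwise a session
    # could consume (and deactivate) another account's reset request.
    if (self.r.email or '').lower() != (self.user.email or '').lower():
        self.session.add_flash('message_reset_password_5', key='homepage_flashes')
        self.redirect("/")
        return

    # Check if password and verify_password are valid.  "" is kept as the
    # template's "no error" value, True marks an error.
    error_password = "" if valid_password(input_password) else True
    error_verify_password = "" if valid_verify(input_password, input_verify_password) else True
    if error_password or error_verify_password:
        state = self.make_state()
        # Render page with error-messages.
        self.render('reset_password.html', user=self.user, token=input_token,
                    error_password=error_password,
                    error_verify_password=error_verify_password, state=state)
        return

    # Update user object in DB and memcache
    User.update(self.user, pw=input_password)
    # Invalidate the used entry in ResetPasswordRequest db
    ResetPasswordRequest.update(self.r, temp_pw_hash="deactivated")
    # Show message that the password has been changed.
    self.session.add_flash('message_reset_password_7', key='homepage_flashes')
    self.redirect("/")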
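def post(self):
    """Handle the forgot-password form (flash-message variant).

    A logged-in user is flashed ``message_forgot_password_1`` and sent to
    "/".  Otherwise the CSRF state is verified and the submitted ``email``
    validated; an unknown address is logged and answered with the same
    "mail sent" flash as a known one, so the response does not reveal
    which addresses are registered.  For a known user a
    ResetPasswordRequest with a random temporary password is created and
    ``email_forgot_password.html`` carrying the ``<reset_id>-<temp_pw>``
    link is sent.

    Side effects: sets ``self.user``, may write a ResetPasswordRequest
    entity and send an e-mail, always flashes and redirects to "/" on the
    non-error paths.
    """
    if self.user:
        # Prompt user to log out.
        self.session.add_flash('message_forgot_password_1', key='homepage_flashes')
        self.redirect("/")
        return

    if not self.check_state():
        self.redirect("/")
        return

    # Receive input from web-page: email
    input_email = self.request.get('email').lower()
    if not valid_email(input_email):
        state = self.make_state()
        # Render page with error-message: not a valid email.
        self.render('forgot_password.html', form_email=input_email, error=True, state=state)
        return

    self.user = User.by_email(input_email)
    if not self.user:
        logging.warning('Unknown email from forgot password page received!')
        # Redirect to "/". Flash message that email was sent.
        self.session.add_flash('message_forgot_password_2', key='homepage_flashes')
        self.session.add_flash(input_email, key='input_email')
        self.redirect("/")
        return

    # Generate the temporary password with an OS-backed generator: the
    # default Mersenne Twister behind random.choice() is predictable, and
    # this value is the secret that authorises the reset.
    length = 10
    rng = random.SystemRandom()
    temp_pw = ''.join(rng.choice(ascii_letters) for _ in range(length))

    # Create entry in ResetPasswordRequest DB
    r = ResetPasswordRequest.create(input_email, temp_pw)

    # Send email with a link to the ResetPassword page.  The link carries
    # the request id and the temporary password that authenticate the user.
    # ADAPT LINK TO GAE URL
    reset_token = str(r.key().id()) + "-" + temp_pw
    link = "http://YOUR_APP_ID.appspot.com/reset_pw/?token=%s" % reset_token
    self.send_email(self.user.email, 'email_subject.html', 'email_forgot_password.html',
                    subject_type='forgot_password', username=self.user.name, link=link)

    # Redirect to "/". Flash message that email was sent.
    self.session.add_flash('message_forgot_password_2', key='homepage_flashes')
    self.session.add_flash(input_email, key='input_email')
    self.redirect("/")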
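def post(self):
    """Handle the reset-password form submission (page-render variant).

    The caller must be logged in (the GET handler logs the user in from
    the reset link) and present a valid CSRF state.  The ``token`` form
    field is re-validated against ResetPasswordRequest -- the entry must
    exist, be at most one hour old, accept ``temp_pw`` and belong to the
    logged-in user -- before ``password``/``verify_password`` are checked.
    On success the new hash from ``make_pw_hash`` is stored on the user,
    the user cache is refreshed and the used request is deactivated so the
    link cannot be replayed.

    Failures render ``message.html`` with the matching message flag,
    except password-validation errors, which re-render
    ``reset_password.html``; a failed CSRF check redirects to "/".
    Side effect: ``self.p`` is set to the looked-up request (``None`` when
    the token is malformed).
    """
    if not self.user:
        # Show message to use the link in the email.
        self.render('message.html', user=self.user, message_reset_password_6=True)
        return

    if not self.check_state():
        logging.warning("Possible CSRF attack detected!")
        self.redirect("/")
        return

    # Get user input: password and verify_password
    input_password = self.request.get('password')
    input_verify_password = self.request.get('verify_password')
    # Get token from web page; treat a missing field like an empty string.
    input_token = self.request.get('token') or ''

    # Reject a malformed token up front.  The earlier fall-through with
    # reset_id = 1 left temp_pw unbound and relied on entity 1 never
    # existing; an existing, unexpired entity 1 raised UnboundLocalError.
    token_re = re.compile(r"^([0-9]{1,30})\-.{3,20}$")
    if not token_re.match(input_token):
        self.p = None
        # Show message to contact via email
        self.render('message.html', user=self.user, message_reset_password_5=True)
        return

    token_parts = input_token.split('-')
    reset_id = int(token_parts[0])
    temp_pw = token_parts[1]

    # Use reset_id to find entry in ResetPasswordRequest DB.
    self.p = ResetPasswordRequest.by_id(reset_id)
    if not self.p:
        # Show message to contact via email
        self.render('message.html', user=self.user, message_reset_password_5=True)
        return

    # Check if entry is not older than one hour.
    if datetime.datetime.now() - datetime.timedelta(hours=1) > self.p.created:
        # Show message that too much time has passed.
        self.render('message.html', user=self.user, message_reset_password_3=True)
        return

    # Check if temp_pw is valid
    if not ResetPasswordRequest.check_for_valid_request(self.p.email, temp_pw):
        # Show message to contact via email
        self.render('message.html', user=self.user, message_reset_password_5=True)
        return

    # The request must belong to the logged-in user; otherwise a session
    # could consume (and deactivate) another account's reset request.
    if (self.p.email or '').lower() != (self.user.email or '').lower():
        self.render('message.html', user=self.user, message_reset_password_5=True)
        return

    # Check if password and verify_password are valid.  "" is kept as the
    # template's "no error" value, True marks an error.
    error_password = "" if valid_password(input_password) else True
    error_verify_password = "" if valid_verify(input_password, input_verify_password) else True
    if error_password or error_verify_password:
        state = self.make_state()
        # Render page with error-messages.
        self.render('reset_password.html', user=self.user, token=input_token,
                    error_password=error_password,
                    error_verify_password=error_verify_password, state=state)
        return

    # Generate password-hash and store in DB
    self.user.pw_hash = make_pw_hash(self.user.email, input_password)
    self.user.put()
    # Update memcache
    User.update_user_cache(self.user)

    # Invalidate the request that was just used.  The validated entity is
    # already in self.p; re-querying by e-mail could pick a different
    # request for the same address and leave this link replayable.
    self.p.temp_pw_hash = "deactivated"
    self.p.put()

    # Show message that the password has been changed.
    self.render('message.html', user=self.user, message_reset_password_7=True)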