def _handle_successful_authentication_and_login(user, request): """ Handles clearing the failed login counter, login tracking, and setting session timeout. """ if LoginFailures.is_feature_enabled(): LoginFailures.clear_lockout_counter(user) _track_user_login(user, request) try: django_login(request, user) request.session.set_expiry(604800 * 4) log.debug("Setting user session expiry to 4 weeks") # .. event_implemented_name: SESSION_LOGIN_COMPLETED SESSION_LOGIN_COMPLETED.send_event(user=UserData( pii=UserPersonalData( username=user.username, email=user.email, name=user.profile.name, ), id=user.id, is_active=user.is_active, ), ) except Exception as exc: AUDIT_LOG.critical( "Login failed - Could not create session. Is memcached running?") log.critical( "Login failed - Could not create session. Is memcached running?") log.exception(exc) raise
def _handle_successful_authentication_and_login(user, request): """ Handles clearing the failed login counter, login tracking, and setting session timeout. """ if LoginFailures.is_feature_enabled(): LoginFailures.clear_lockout_counter(user) _track_user_login(user, request) try: django_login(request, user) request.session.set_expiry(604800 * 4) log.debug("Setting user session expiry to 4 weeks") except Exception as exc: AUDIT_LOG.critical("Login failed - Could not create session. Is memcached running?") log.critical("Login failed - Could not create session. Is memcached running?") log.exception(exc) raise
def post(self, request, *args, **kwargs): # We have to make a copy of request.POST because it is a QueryDict object which is immutable until copied. # We have to use request.POST because the password_reset_confirm method takes in the request and a user's # password is set to the request.POST['new_password1'] field. We have to also normalize the new_password2 # field so it passes the equivalence check that new_password1 == new_password2 # In order to switch out of having to do this copy, we would want to move the normalize_password code into # a custom User model's set_password method to ensure it is always happening upon calling set_password. request.POST = request.POST.copy() request.POST['new_password1'] = normalize_password( request.POST['new_password1']) request.POST['new_password2'] = normalize_password( request.POST['new_password2']) is_account_recovery = 'is_account_recovery' in request.GET password = request.POST['new_password1'] response = self._validate_password(password, request) if response: return response response = self._process_password_reset_success( request, self.token, self.uidb64, extra_context=self.platform_name) # If password reset was unsuccessful a template response is returned (status_code 200). # Check if form is invalid then show an error to the user. # Note if password reset was successful we get response redirect (status_code 302). password_reset_successful = response.status_code == 302 if not password_reset_successful: return self._handle_password_reset_failure(response) updated_user = User.objects.get(id=self.uid_int) if is_account_recovery: self._handle_primary_email_update(updated_user) updated_user.save() if password_reset_successful and is_account_recovery: self._handle_password_creation(request, updated_user) # Handles clearing the failed login counter upon password reset. if LoginFailures.is_feature_enabled(): LoginFailures.clear_lockout_counter(updated_user) update_session_auth_hash(request, updated_user) send_password_reset_success_email(updated_user, request) return response
def test_check_password_policy_compliance_exception(self): """ Tests _enforce_password_policy_compliance fails with an exception thrown """ assert not LoginFailures.objects.filter(user=self.user).exists() enforce_compliance_on_login = '******' with patch(enforce_compliance_on_login) as mock_enforce_compliance_on_login: mock_enforce_compliance_on_login.side_effect = NonCompliantPasswordException() response, _ = self._login_response( self.user_email, self.password ) response_content = json.loads(response.content.decode('utf-8')) assert not response_content.get('success') assert len(mail.outbox) == 1 assert 'Password reset' in mail.outbox[0].subject failure_record = LoginFailures.objects.get(user=self.user) assert failure_record.failure_count == 1 LoginFailures.clear_lockout_counter(user=self.user)
def post(self, request, **kwargs): """ Reset learner password using passed token and new credentials """ reset_status = False uidb36 = kwargs.get('uidb36') token = kwargs.get('token') has_required_values, uid_int = self._check_token_has_required_values( uidb36, token) if not has_required_values: AUDIT_LOG.exception("Invalid password reset confirm token") return Response({'reset_status': reset_status}) request.data._mutable = True # lint-amnesty, pylint: disable=protected-access request.data['new_password1'] = normalize_password( request.data['new_password1']) request.data['new_password2'] = normalize_password( request.data['new_password2']) password = request.data['new_password1'] try: user = User.objects.get(id=uid_int) if not default_token_generator.check_token(user, token): AUDIT_LOG.exception("Token validation failed") return Response({'reset_status': reset_status}) validate_password(password, user=user) if settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY: # Checks the Pwned Databases for password vulnerability. pwned_response = check_pwned_password(password) if pwned_response.get('vulnerability', 'no') == 'yes': error_status = { 'reset_status': reset_status, 'err_msg': accounts.AUTHN_PASSWORD_COMPROMISED_MSG } return Response(error_status) form = SetPasswordForm(user, request.data) if form.is_valid(): form.save() reset_status = True if 'is_account_recovery' in request.GET: try: old_primary_email = user.email user.email = user.account_recovery.secondary_email user.account_recovery.delete() # emit an event that the user changed their secondary email to the primary email tracker.emit( SETTING_CHANGE_INITIATED, { "setting": "email", "old": old_primary_email, "new": user.email, "user_id": user.id, }) user.save() except ObjectDoesNotExist: err = 'Account recovery process initiated without AccountRecovery instance for user {username}' log.error(err.format(username=user.username)) # Handles clearing the failed login counter upon password reset. if LoginFailures.is_feature_enabled(): LoginFailures.clear_lockout_counter(user) send_password_reset_success_email(user, request) update_session_auth_hash(request, user) except ValidationError as err: AUDIT_LOG.exception("Password validation failed") error_status = { 'reset_status': reset_status, 'err_msg': ' '.join(err.messages) } return Response(error_status) except Exception: # pylint: disable=broad-except AUDIT_LOG.exception("Setting new password failed") return Response({'reset_status': reset_status})