def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
user_obj = get_user(email=email)
if user_obj:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for('reset_password',
verification_key=user_obj.verification_key))
mails.send_mail(to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link)
status.push_status_message((
'If there is an OSF account associated with {0}, an email with instructions on how to reset '
'the OSF password has been sent to {0}. If you do not receive an email and believe you should '
'have, please contact OSF Support. ').format(email), 'success')
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
user_obj = get_user(email=email)
if user_obj:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for(
'reset_password',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(
('An email with instructions on how to reset the password '
'for the account associated with {0} has been sent. If you '
'do not receive an email and believe you should have please '
'contact OSF Support.').format(email), 'success')
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password():
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
user_obj = get_user(username=email)
if user_obj:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for(
'reset_password',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message('Reset email sent to {0}'.format(email))
else:
status.push_status_message('Email {email} not found'.format(email=email))
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password():
"""Return forgot password page upon GET request. If POST, attempt to send
user password reset or return respective error.
"""
if request.method == 'GET':
return {}
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
user_obj = get_user(username=email)
if user_obj:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for('reset_password',
verification_key=user_obj.verification_key))
mails.send_mail(to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link)
status.push_status_message('Reset email sent to {0}'.format(email))
else:
status.push_status_message(
'Email {email} not found'.format(email=email))
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password():
"""Return forgot password page upon GET request. If POST, attempt to send
user password reset or return respective error.
"""
if request.method == 'GET':
return {}
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
user_obj = get_user(email=email)
if user_obj:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for('reset_password',
verification_key=user_obj.verification_key))
mails.send_mail(to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link)
status.push_status_message(
'An email with instructions on how to reset the password for the '
'account associated with {0} has been sent. If you do not receive '
'an email and believe you should have please '
'contact OSF Support.'.format(email))
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_post():
"""
View for user to submit forgot password form.
HTTP Method: POST
:return {}
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if not form.validate():
# Don't go anywhere
forms.push_errors_to_status(form.errors)
else:
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to '
'reset the OSF password has been sent to {0}. If you do not receive an email and believe '
'you should have, please contact OSF Support. ').format(email)
kind = 'success'
# check if the user exists
user_obj = get_user(email=email)
if user_obj:
# rate limit forgot_password_post
if not throttle_period_expired(user_obj.email_last_sent, settings.SEND_EMAIL_THROTTLE):
status_message = 'You have recently requested to change your password. Please wait a few minutes ' \
'before trying again.'
kind = 'error'
else:
# TODO [OSF-6673]: Use the feature in [OSF-6998] for user to resend claim email.
# if the user account is not claimed yet
if (user_obj.is_invited and
user_obj.unclaimed_records and
not user_obj.date_last_login and
not user_obj.is_claimed and
not user_obj.is_registered):
status_message = 'You cannot reset password on this account. Please contact OSF Support.'
kind = 'error'
else:
# new random verification key (v2)
user_obj.verification_key_v2 = generate_verification_key(verification_type='password')
user_obj.email_last_sent = datetime.datetime.utcnow()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for(
'reset_password_get',
uid=user_obj._id,
token=user_obj.verification_key_v2['token']
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(status_message, kind=kind, trust=False)
return {}
def forgot_password_post(auth, **kwargs):
"""
View for user to submit forgot password form.
HTTP Method: POST
"""
# If user is already logged in, redirect to dashboard page.
if auth.logged_in:
return redirect(web_url_for('dashboard'))
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to '
'reset the OSF password has been sent to {0}. If you do not receive an email and believe '
'you should have, please contact OSF Support. ').format(email)
# check if the user exists
user_obj = get_user(email=email)
if user_obj:
# check forgot_password rate limit
if throttle_period_expired(user_obj.email_last_sent, settings.SEND_EMAIL_THROTTLE):
# new random verification key, allows OSF to check whether the reset_password request is valid,
# this verification key is used twice, one for GET reset_password and one for POST reset_password
# and it will be destroyed when POST reset_password succeeds
user_obj.verification_key = generate_verification_key()
user_obj.email_last_sent = datetime.datetime.utcnow()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for(
'reset_password_get',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(status_message, kind='success', trust=False)
else:
status.push_status_message('You have recently requested to change your password. Please wait a '
'few minutes before trying again.', kind='error', trust=False)
else:
status.push_status_message(status_message, kind='success', trust=False)
else:
forms.push_errors_to_status(form.errors)
# Don't go anywhere
return {}
def forgot_password_post(auth, **kwargs):
"""
View for user to submit forgot password form.
HTTP Method: POST
"""
# If user is already logged in, redirect to dashboard page.
if auth.logged_in:
return redirect(web_url_for('dashboard'))
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to '
'reset the OSF password has been sent to {0}. If you do not receive an email and believe '
'you should have, please contact OSF Support. ').format(email)
# check if the user exists
user_obj = get_user(email=email)
if user_obj:
# check forgot_password rate limit
if throttle_period_expired(user_obj.email_last_sent, settings.SEND_EMAIL_THROTTLE):
# new random verification key, allows OSF to check whether the reset_password request is valid,
# this verification key is used twice, one for GET reset_password and one for POST reset_password
# and it will be destroyed when POST reset_password succeeds
user_obj.verification_key = generate_verification_key()
user_obj.email_last_sent = datetime.datetime.utcnow()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for(
'reset_password_get',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(status_message, kind='success', trust=False)
else:
status.push_status_message('You have recently requested to change your password. Please wait a '
'few minutes before trying again.', kind='error', trust=False)
else:
status.push_status_message(status_message, kind='success', trust=False)
else:
forms.push_errors_to_status(form.errors)
# Don't go anywhere
return {}
def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to reset '
'the OSF password has been sent to {0}. If you do not receive an email and believe you '
'should have, please contact OSF Support. ').format(email)
user_obj = get_user(email=email)
if user_obj:
#TODO: Remove this rate limiting and replace it with something that doesn't write to the User model
now = datetime.datetime.utcnow()
last_attempt = user_obj.forgot_password_last_post or now - datetime.timedelta(seconds=FORGOT_PASSWORD_MINIMUM_TIME)
user_obj.forgot_password_last_post = now
time_since_last_attempt = now - last_attempt
if time_since_last_attempt.seconds >= FORGOT_PASSWORD_MINIMUM_TIME:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for(
'reset_password',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(status_message, 'success')
else:
user_obj.save()
status.push_status_message('You have recently requested to change your password. Please wait a little '
'while before trying again.', 'error')
else:
status.push_status_message(status_message, 'success')
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = (
'If there is an OSF account associated with {0}, an email with instructions on how to reset '
'the OSF password has been sent to {0}. If you do not receive an email and believe you '
'should have, please contact OSF Support. ').format(email)
user_obj = get_user(email=email)
if user_obj:
if throttle_period_expired(user_obj.email_last_sent,
settings.SEND_EMAIL_THROTTLE):
user_obj.verification_key = security.random_string(20)
user_obj.email_last_sent = datetime.datetime.utcnow()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for('reset_password',
verification_key=user_obj.verification_key))
mails.send_mail(to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link)
status.push_status_message(status_message,
kind='success',
trust=False)
else:
status.push_status_message(
'You have recently requested to change your password. Please wait a little '
'while before trying again.',
kind='error',
trust=False)
else:
status.push_status_message(status_message,
kind='success',
trust=False)
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = (
'If there is an OSF account associated with {0}, an email with instructions on how to reset '
'the OSF password has been sent to {0}. If you do not receive an email and believe you '
'should have, please contact OSF Support. ').format(email)
user_obj = get_user(email=email)
if user_obj:
#TODO: Remove this rate limiting and replace it with something that doesn't write to the User model
now = datetime.datetime.utcnow()
last_attempt = user_obj.forgot_password_last_post or now - datetime.timedelta(
seconds=FORGOT_PASSWORD_MINIMUM_TIME)
user_obj.forgot_password_last_post = now
time_since_last_attempt = now - last_attempt
if time_since_last_attempt.seconds >= FORGOT_PASSWORD_MINIMUM_TIME:
user_obj.verification_key = security.random_string(20)
user_obj.save()
reset_link = "http://{0}{1}".format(
request.host,
web_url_for('reset_password',
verification_key=user_obj.verification_key))
mails.send_mail(to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link)
status.push_status_message(status_message, 'success')
else:
user_obj.save()
status.push_status_message(
'You have recently requested to change your password. Please wait a little '
'while before trying again.', 'error')
else:
status.push_status_message(status_message, 'success')
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_post():
"""Attempt to send user password reset or return respective error.
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if form.validate():
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to reset '
'the OSF password has been sent to {0}. If you do not receive an email and believe you '
'should have, please contact OSF Support. ').format(email)
user_obj = get_user(email=email)
if user_obj:
if throttle_period_expired(user_obj.email_last_sent, settings.SEND_EMAIL_THROTTLE):
user_obj.verification_key = security.random_string(20)
user_obj.email_last_sent = datetime.datetime.utcnow()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for(
'reset_password',
verification_key=user_obj.verification_key
)
)
mails.send_mail(
to_addr=email,
mail=mails.FORGOT_PASSWORD,
reset_link=reset_link
)
status.push_status_message(status_message, kind='success', trust=False)
else:
status.push_status_message('You have recently requested to change your password. Please wait a little '
'while before trying again.',
kind='error',
trust=False)
else:
status.push_status_message(status_message, kind='success', trust=False)
forms.push_errors_to_status(form.errors)
return auth_login(forgot_password_form=form)
def forgot_password_form():
return form_utils.jsonify(ForgotPasswordForm(prefix='forgot_password'))
def _forgot_password_post(mail_template, reset_route, institutional=False):
"""
View for user to submit forgot password form (standard or institutional). Validates submitted
form and sends reset-password link via email if valid. If user has submitted another password
reset request recently, declines to create a new one and asks the user to not submit again for
awhile.
Standard and institutional forgot-password requests behave similarly but use slightly different
language and interfaces. When an institution is deactivated, the user should be given the
opportunity to reclaim their account. CAS co-ops the forgot-password functionality to send a
"set a new password" email link to the institutional user. The language of the email has been
adjusted from the standard context, the response html the status message from the reset
action is displayed as regular text, and the password form is not shown.
HTTP Method: POST
:return {}
"""
form = ForgotPasswordForm(request.form, prefix='forgot_password')
if not form.validate():
# Don't go anywhere
forms.push_errors_to_status(form.errors)
else:
email = form.email.data
status_message = ('If there is an OSF account associated with {0}, an email with instructions on how to '
'reset the OSF password has been sent to {0}. If you do not receive an email and believe '
'you should have, please contact OSF Support. ').format(email)
kind = 'success'
# check if the user exists
user_obj = get_user(email=email)
if user_obj:
# rate limit forgot_password_post
if not throttle_period_expired(user_obj.email_last_sent, settings.SEND_EMAIL_THROTTLE):
status_message = 'You have recently requested to change your password. Please wait a few minutes ' \
'before trying again.'
kind = 'error'
# TODO [OSF-6673]: Use the feature in [OSF-6998] for user to resend claim email.
elif user_obj.is_active:
# new random verification key (v2)
user_obj.verification_key_v2 = generate_verification_key(verification_type='password')
user_obj.email_last_sent = timezone.now()
user_obj.save()
reset_link = furl.urljoin(
settings.DOMAIN,
web_url_for(
reset_route,
uid=user_obj._id,
token=user_obj.verification_key_v2['token']
)
)
mails.send_mail(
to_addr=email,
mail=mail_template,
reset_link=reset_link,
can_change_preferences=False,
)
# institutional forgot password page displays the message as main text, not as an alert
if institutional:
# pass isError instead of kind to template to decouple python error flag from template's
# css class
return {'message': status_message, 'isError': (kind == 'error'),
'institutional': institutional}
status.push_status_message(status_message, kind=kind, trust=False)
return {}
