示例#1
0
def reset_password():

	error_message = None

	# Handle GET (user clicked on email link)
	if request.method == 'GET':

		# Get token
		token = request.args.get('token', '')
		pw_query = PasswordUser.select().where(PasswordUser.password_reset_token == token)

		# Check for user
		if not pw_query.exists():
			return json_status(410, "Invalid token.")

		# Require long-enough reset token
		if len(token) != DEFAULT_TOKEN_LENGTH:
			return json_status(410, "Invalid token.")

		# Get user + construct password reset page
		user = pw_query.get()
		session['csrf_token'] = secure_token()  # To prevent CSRF
		session['reset_id'] = user.id

		# Invalidate user's existing password reset token
		user.password_reset_token = secure_token()
		user.save()

		# Show finished page
		return render_template('reset-newpassword.html', session=session)

	# Handle POST (user requested new password)
	else:
		requireCSRFToken()

		# Get user	
		user_query = PasswordUser.select().where(PasswordUser.id == session['reset_id'])
		if not user_query.exists():
			return json_status(500, "No matching user.")
		user = user_query.get()

		# Validate requested password
		password = request.form.get('password', '')
		if len(password) < 12 or len(set(password)) < 8:
			return render_template('reset-newpassword.html', session=session, error_message='Passwords must be 12+ characters long and contain 8+ different characters.')
		
		# Update user's password
		new_salt = secure_token()
		user.salt = new_salt
		user.salted_hash = hash_password(password, new_salt)
		user.save()

		# Redirect user to complete page
		return render_template('reset-complete.html')
示例#2
0
def login_password():

	# Handle POST
	error_message = None
	if request.method == 'POST':
		user_name = request.form.get('username', '')
		if '@illinois.edu' not in user_name:
			user_name += '@illinois.edu'
		pw = request.form.get('password', '')
		
		# Get user object
		user_query = PasswordUser.select().where(PasswordUser.email == user_name)

		# Check password
		if user_query.exists():
			user_obj = user_query.get()
			pw_encrypted = hash_password(pw, user_obj.salt)
			if pw_encrypted == user_obj.salted_hash:
				session['user_id'] = user_obj.id
				session['is_passworded'] = True
				session['csrf_token'] = secure_token(64)
				return redirect('/')
		
		# POST failed
		error_message = 'Invalid username and/or password.'
	
	# Handle GET/failed POST
	return render_template('login.html', error_message=error_message)
示例#3
0
def forgot_authentication():

	# Handle POST
	error_message = None
	if request.method == 'POST':

		# Get email
		email = request.form.get('email', '')
		if '@illinois.edu' not in email:
			if email == '' or '@' in email:
				error_message = 'Invalid email address. (Did you forget the @illinois.edu?)'
			else:
				# Accept netIDs too
				email = email + "@illinois.edu"

		# Do password/authcode reset
		if error_message is None:

			pw_query = PasswordUser.select().where(PasswordUser.email == email)
			authcode_query = AuthcodeUser.select().where(AuthcodeUser.email == email)

			if pw_query.exists() or authcode_query.exists():

				# Initialize mail object
				mail = Mail()
				mail.subject = "[CS242 Discussion Sections]"

				# Generate secure token
				token = secure_token()

				# Get user/email type
				if pw_query.exists():
					mail.subject += 'Password Reset'
					mail.message = 'Click the link below to reset your password.\n\n' + ROOT_DOMAIN + '/auth/reset/confirm?token=' + token

				else:
					mail.subject += 'Authcode Link'
					mail.message = 'Click the link below to authenticate.\n\n' + ROOT_DOMAIN + '/auth/code?token=' + token + '\n\nIf you have questions, please contact a TA.\n\nThanks,\nCS242 staff.'

				# Send mail
				mail.send([email])

				# If mail sent successfully, update user models
				if pw_query.exists():
					user = pw_query.get()
					user.password_reset_token = token
				else:
					user = authcode_query.get()
					user.authcode = token
				user.save()

				# Redirect to success page
				return render_template('reset-thanks.html')

			else:
				error_message = 'Your email isn\'t on our list. Ask a TA to add you to the site.'

	# Default/GET case
	return render_template('reset-form.html', error_message=error_message)
示例#4
0
def add_user():
	requirePasswordedUser()
	requireCSRFToken()

	# Get data
	email = request.values.get('email', None)
	is_passworded = request.values.get('is_passworded', None)

	# Validate data
	if email is None or is_passworded is None: 
		return json_status(400, "One or more of (email, is_passworded) is missing.")
	if len(email) < 2 or len(email) > 256:
		return json_status(400, "Email must be between 2 and 256 (inclusive) characters long.")
	if '@' not in email:
		email += '@illinois.edu'
	elif '@illinois.edu' not in email:
		return json_status(400, "Emails must be either netids or @illinois.edu emails")
	is_passworded = is_passworded.lower()
	if is_passworded not in ["true", "false"]:
		return json_status(400, "Invalid is_passworded value")
	is_passworded = (is_passworded == "true")

	# Prevent duplication
	if PasswordUser.select().where(PasswordUser.email==email).exists() or AuthcodeUser.select().where(AuthcodeUser.email==email).exists():
		return json_status(400, "User already exists")

	# Create user
	password = None
	user = None
	if is_passworded:
		password = secure_token(12)
		salt = secure_token()
		salted_hash = hash_password(password, salt)
		user = PasswordUser(email=email, salt=salt, salted_hash=salted_hash)
	else:
		user = AuthcodeUser(email=email, authcode=secure_token())
	user.save()

	# Trigger event hooks (to notify the user)
	if is_passworded:
		on_create_password_user(user, password)
	else:
		on_create_authcode_user(user)

	# Done!
	return json_status(200, user.id)
示例#5
0
def login_authcode():

	# Get authcode
	authcode = request.args.get('token', None)
	if not authcode:
		return redirect('/auth/reset')
	
	# Get associated user
	user_query = AuthcodeUser.select().where(AuthcodeUser.authcode == authcode)
	if not user_query.exists():
		return redirect('/auth/reset')
	user_obj = user_query.get()

	# Log them in
	session['user_id'] = user_obj.id
	session['is_passworded'] = False
	session['csrf_token'] = secure_token()

	# Go to homepage
	return redirect('/')