def test_bcrypt_gen_password_hash(): pw = "youwillneverguessthis" # Normal password hash generation, and check on that hash hashed_pw = auth_tools.bcrypt_gen_password_hash(pw) assert auth_tools.bcrypt_check_password(pw, hashed_pw) assert not auth_tools.bcrypt_check_password("notthepassword", hashed_pw) # Same thing, extra salt. hashed_pw = auth_tools.bcrypt_gen_password_hash(pw, "3><7R45417") assert auth_tools.bcrypt_check_password(pw, hashed_pw, "3><7R45417") assert not auth_tools.bcrypt_check_password("notthepassword", hashed_pw, "3><7R45417")
def test_bcrypt_gen_password_hash(): pw = 'youwillneverguessthis' # Normal password hash generation, and check on that hash hashed_pw = auth_tools.bcrypt_gen_password_hash(pw) assert auth_tools.bcrypt_check_password(pw, hashed_pw) assert not auth_tools.bcrypt_check_password('notthepassword', hashed_pw) # Same thing, extra salt. hashed_pw = auth_tools.bcrypt_gen_password_hash(pw, '3><7R45417') assert auth_tools.bcrypt_check_password(pw, hashed_pw, '3><7R45417') assert not auth_tools.bcrypt_check_password('notthepassword', hashed_pw, '3><7R45417')
def change_pass(request): form = forms.ChangePassForm(request.form) user = request.user if request.method == 'POST' and form.validate(): if not tools.bcrypt_check_password( form.old_password.data, user.pw_hash): form.old_password.errors.append( _('Wrong password')) return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', {'form': form, 'user': user}) # Password matches user.pw_hash = tools.bcrypt_gen_password_hash( form.new_password.data) user.save() messages.add_message( request, messages.SUCCESS, _('Your password was changed successfully')) return redirect(request, 'mediagoblin.edit.account') return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', {'form': form, 'user': user})
def change_pass(request): form = forms.ChangePassForm(request.form) user = request.user if request.method == 'POST' and form.validate(): if not tools.bcrypt_check_password(form.old_password.data, user.pw_hash): form.old_password.errors.append(_('Wrong password')) return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', { 'form': form, 'user': user }) # Password matches user.pw_hash = tools.bcrypt_gen_password_hash(form.new_password.data) user.save() messages.add_message(request, messages.SUCCESS, _('Your password was changed successfully')) return redirect(request, 'mediagoblin.edit.account') return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_pass.html', { 'form': form, 'user': user })
def gen_password_hash(raw_pass, extra_salt=None): return auth_tools.bcrypt_gen_password_hash(raw_pass, extra_salt)
def verify_forgot_password(request): """ Check the forgot-password verification and possibly let the user change their password because of it. """ # get form data variables, and specifically check for presence of token formdata = _process_for_token(request) if not formdata['has_token']: return render_404(request) formdata_vars = formdata['vars'] # Catch error if token is faked or expired try: token = get_timed_signer_url("mail_verification_token") \ .loads(formdata_vars['token'], max_age=10*24*3600) except BadSignature: messages.add_message( request, messages.ERROR, _('The verification key or user id is incorrect.')) return redirect( request, 'index') # check if it's a valid user id user = User.query.filter_by(id=int(token)).first() # no user in db if not user: messages.add_message( request, messages.ERROR, _('The user id is incorrect.')) return redirect( request, 'index') # check if user active and has email verified if user.has_privilege(u'active'): cp_form = forms.ChangeForgotPassForm(formdata_vars) if request.method == 'POST' and cp_form.validate(): user.pw_hash = tools.bcrypt_gen_password_hash( cp_form.password.data) user.save() messages.add_message( request, messages.INFO, _("You can now log in using your new password.")) return redirect(request, 'mediagoblin.auth.login') else: return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_fp.html', {'cp_form': cp_form}) ## Commenting this out temporarily because I'm checking into ## what's going on with user.email_verified. ## ## ... if this commit lasts long enough for anyone but me (cwebber) to ## notice it, they should pester me to remove this or remove it ## themselves ;) # # if not user.email_verified: # messages.add_message( # request, messages.ERROR, # _('You need to verify your email before you can reset your' # ' password.')) if not user.status == 'active': messages.add_message( request, messages.ERROR, _('You are no longer an active user. Please contact the system' ' admin to reactivate your accoutn.')) return redirect( request, 'index')
def verify_forgot_password(request): """ Check the forgot-password verification and possibly let the user change their password because of it. """ # get form data variables, and specifically check for presence of token formdata = _process_for_token(request) if not formdata['has_token']: return render_404(request) formdata_vars = formdata['vars'] # Catch error if token is faked or expired try: token = get_timed_signer_url("mail_verification_token") \ .loads(formdata_vars['token'], max_age=10*24*3600) except BadSignature: messages.add_message( request, messages.ERROR, _('The verification key or user id is incorrect.')) return redirect(request, 'index') # check if it's a valid user id user = User.query.filter_by(id=int(token)).first() # no user in db if not user: messages.add_message(request, messages.ERROR, _('The user id is incorrect.')) return redirect(request, 'index') # check if user active and has email verified if user.has_privilege(u'active'): cp_form = forms.ChangeForgotPassForm(formdata_vars) if request.method == 'POST' and cp_form.validate(): user.pw_hash = tools.bcrypt_gen_password_hash( cp_form.password.data) user.save() messages.add_message( request, messages.INFO, _("You can now log in using your new password.")) return redirect(request, 'mediagoblin.auth.login') else: return render_to_response( request, 'mediagoblin/plugins/basic_auth/change_fp.html', {'cp_form': cp_form}) ## Commenting this out temporarily because I'm checking into ## what's going on with user.email_verified. ## ## ... if this commit lasts long enough for anyone but me (cwebber) to ## notice it, they should pester me to remove this or remove it ## themselves ;) # # if not user.email_verified: # messages.add_message( # request, messages.ERROR, # _('You need to verify your email before you can reset your' # ' password.')) if not user.status == 'active': messages.add_message( request, messages.ERROR, _('You are no longer an active user. Please contact the system' ' admin to reactivate your account.')) return redirect(request, 'index')