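def reset_password():
    """
    Endpoint for password reset emails, which validates the token and UID pair,
    then redirects to the password set form.

    Reads ``token`` and ``uid`` from the query string.  A missing, non-numeric
    or unknown ``uid``, or a token that ``reset.valid_token`` rejects, is
    handled uniformly: a warning is flashed and the user is sent back to the
    login page, so a malformed link yields the same response as an expired
    one rather than a server error.  On success the raw pair is stashed in
    the session and the user is redirected to the password form, which
    checks the pair again before accepting a new password.

    Returns:
        A redirect response to ``.reset_pick_password`` on success, or to
        ``.login`` when the request is invalid.
    """
    token = request.args.get('token')
    uid = request.args.get('uid')

    # ``uid`` is attacker-controlled query input; ``int()`` raises TypeError
    # when it is absent and ValueError when it is not a number.  Treat both
    # as "no such user" instead of letting the exception surface as a 500.
    try:
        u = User.query.get(int(uid))
    except (TypeError, ValueError):
        u = None

    if not u or not reset.valid_token(u, token):
        flash('Your reset request is invalid or expired.', category='warning')
        return redirect(url_for('.login'))

    # Stash the validated pair; the next step re-validates it, so the
    # session only carries the claim, never the authorisation itself.
    session['reset_token'] = token
    session['reset_user_id'] = uid
    return redirect(url_for('.reset_pick_password'))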
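def reset_pick_password():
    """
    Password-entry form for a reset that ``reset_password`` already accepted.

    The token/user pair is read back from the session and validated again
    with ``reset.valid_token`` before the form is shown or processed, so a
    token that expired between the two requests, or a session whose user id
    does not resolve, is rejected here as well.  On a valid form submission
    the new password is stored, every outstanding reset token for the user
    is cleared, the session entries are removed and the user is sent to the
    login page.

    Returns:
        The rendered ``reset.html`` template (GET or invalid form), or a
        redirect to ``.login`` after a successful reset or on an invalid
        session state.
    """
    token = session.get('reset_token')
    user_id = session.get('reset_user_id')
    if not token or not user_id:
        return redirect(url_for('.login'))

    # The session value was stored as the raw query-string text in
    # reset_password; guard the conversion so an unexpected value is
    # treated as an invalid request rather than raising.
    try:
        u = User.query.get(int(user_id))
    except (TypeError, ValueError):
        u = None

    if not u or not reset.valid_token(u, token):
        flash(
            'Your reset request is invalid or expired.',
            category='warning'
        )
        return redirect(url_for('.login'))

    form = UserResetForm()
    if form.validate_on_submit():
        u.set_password(form.password.data)
        db.session.commit()
        # The user has successfully reset their password,
        # so we want to clean up any other reset tokens as
        # well as our stashed session token.
        # NOTE(review): clear_tokens runs after the commit above; confirm it
        # persists its own changes, otherwise the old tokens stay usable.
        reset.clear_tokens(u)
        session.pop('reset_token', None)
        session.pop('reset_user_id', None)
        flash(
            'The password for {username} has been reset.'.format(
                username=u.username
            ),
            category='success'
        )
        return redirect(url_for('.login'))

    return render_template('reset.html', form=form)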