mirror of
https://github.com/simple-login/app.git
synced 2024-11-16 00:48:32 +01:00
e4d4317988
* Reset all password tokens on password reset * Added csrf validation on email change request and validation * Return the same wether is a valid email or not --------- Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>
75 lines
2.4 KiB
Python
75 lines
2.4 KiB
Python
import uuid
|
|
|
|
from flask import request, flash, render_template, url_for, g
|
|
from flask_wtf import FlaskForm
|
|
from wtforms import StringField, validators
|
|
|
|
from app.auth.base import auth_bp
|
|
from app.auth.views.login_utils import after_login
|
|
from app.db import Session
|
|
from app.extensions import limiter
|
|
from app.models import ResetPasswordCode
|
|
|
|
|
|
class ResetPasswordForm(FlaskForm):
|
|
password = StringField(
|
|
"Password",
|
|
validators=[validators.DataRequired(), validators.Length(min=8, max=100)],
|
|
)
|
|
|
|
|
|
@auth_bp.route("/reset_password", methods=["GET", "POST"])
|
|
@limiter.limit(
|
|
"10/minute", deduct_when=lambda r: hasattr(g, "deduct_limit") and g.deduct_limit
|
|
)
|
|
def reset_password():
|
|
form = ResetPasswordForm(request.form)
|
|
|
|
reset_password_code_str = request.args.get("code")
|
|
|
|
reset_password_code: ResetPasswordCode = ResetPasswordCode.get_by(
|
|
code=reset_password_code_str
|
|
)
|
|
|
|
if not reset_password_code:
|
|
# Trigger rate limiter
|
|
g.deduct_limit = True
|
|
error = (
|
|
"The reset password link can be used only once. "
|
|
"Please request a new link to reset password."
|
|
)
|
|
return render_template("auth/reset_password.html", form=form, error=error)
|
|
|
|
if reset_password_code.is_expired():
|
|
error = "The link has been already expired. Please make a new request of the reset password link"
|
|
return render_template("auth/reset_password.html", form=form, error=error)
|
|
|
|
if form.validate_on_submit():
|
|
user = reset_password_code.user
|
|
new_password = form.password.data
|
|
|
|
# avoid user reusing the old password
|
|
if user.check_password(new_password):
|
|
error = "You cannot reuse the same password"
|
|
return render_template("auth/reset_password.html", form=form, error=error)
|
|
|
|
user.set_password(new_password)
|
|
|
|
flash("Your new password has been set", "success")
|
|
|
|
# this can be served to activate user too
|
|
user.activated = True
|
|
|
|
# remove all reset password codes
|
|
ResetPasswordCode.filter_by(user_id=user.id).delete()
|
|
|
|
# change the alternative_id to log user out on other browsers
|
|
user.alternative_id = str(uuid.uuid4())
|
|
|
|
Session.commit()
|
|
|
|
# do not use login_user(user) here
|
|
# to make sure user needs to go through MFA if enabled
|
|
return after_login(user, url_for("dashboard.index"))
|
|
|
|
return render_template("auth/reset_password.html", form=form)
|