From 1f93bc6d8042f6ffa1ff205a16f26ee97a5fb10c Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Mon, 18 Jan 2021 16:17:40 +0100 Subject: [PATCH] [System] Implemented password reset function in user controller --- flaschengeist/controller/userController.py | 78 ++++++++++++++++++---- flaschengeist/models/user.py | 18 +++-- 2 files changed, 79 insertions(+), 17 deletions(-) diff --git a/flaschengeist/controller/userController.py b/flaschengeist/controller/userController.py index b359d92..1781755 100644 --- a/flaschengeist/controller/userController.py +++ b/flaschengeist/controller/userController.py @@ -1,22 +1,19 @@ -from flask import current_app, url_for -from sqlalchemy.orm.exc import NoResultFound -from werkzeug.exceptions import NotFound, BadRequest +import secrets +from flask import current_app +from datetime import datetime, timedelta, timezone +from werkzeug.exceptions import NotFound, BadRequest, Forbidden -from flaschengeist.utils.hook import Hook -from flaschengeist.models.user import User, Role -from flaschengeist.database import db from flaschengeist import logger +from flaschengeist.database import db +from flaschengeist.utils.hook import Hook +from flaschengeist.models.user import User, Role, _PasswordReset +from flaschengeist.controller import messageController, sessionController def login_user(username, password): logger.info("login user {{ {} }}".format(username)) - mail = username.split("@") - mail = len(mail) == 2 and len(mail[0]) > 0 and len(mail[1]) > 0 - query = User.userid == username - if mail: - query |= User.mail == username - user = User.query.filter(query).one_or_none() + user = find_user(username) if not user: logger.debug("User not found in Database.") user = User(userid=username) @@ -27,6 +24,49 @@ def login_user(username, password): return None +def request_reset(user: User): + logger.debug(f"New password reset request for {user.userid}") + reset = _PasswordReset.query.get(user._id) + if not reset: + reset = _PasswordReset(_user_id=user._id) + db.session.add(reset) + + expires = datetime.now(tz=timezone.utc) + if not reset.expires or reset.expires < expires: + expires = expires + timedelta(hours=12) + reset.expires = expires + reset.token = secrets.token_urlsafe(16) + + subject = "Flaschengeist - Passwort zurücksetzten" + domain = "flaschengeist.local" + text = f"""Hallo {user.display_name}, +Jemand hat das Zurücksetzen des Passworts für dein Flaschengeist Benutzerkonto angefordert. + +Benutzername: {user.userid} + +Falls das nicht beabsichtigt war, ignoriere diese E-Mail einfach. Es wird dann nichts passieren. + +Um dein Passwort zurückzusetzen, besuche folgende Adresse, der Link ist 12 Stunden gültig: + + + """ + db.session.commit() + messageController.send_message(messageController.Message(user, text, subject)) + + +def reset_password(token: str, password: str): + reset = _PasswordReset.query.filter(_PasswordReset.token == token).one_or_none() + logger.debug(f"Token is {'valid' if reset else 'invalid'}") + if not reset or reset.expires < datetime.now(tz=timezone.utc): + raise Forbidden + + modify_user(reset.user, None, password) + sessionController.delete_sessions(reset.user) + + db.session.delete(reset) + db.session.commit() + + @Hook def update_user(user): current_app.config["FG_AUTH_BACKEND"].update_user(user) @@ -60,6 +100,10 @@ def modify_user(user, password, new_password=None): """ current_app.config["FG_AUTH_BACKEND"].modify_user(user, password, new_password) + if new_password: + # TODO: Password changed mail + logger.error(f"Password changed for user {user.userid}") + def get_users(): return User.query.all() @@ -76,6 +120,16 @@ def get_user(uid): return user +def find_user(uid_mail): + mail = uid_mail.split("@") + mail = len(mail) == 2 and len(mail[0]) > 0 and len(mail[1]) > 0 + + query = User.userid == uid_mail + if mail: + query |= User.mail == uid_mail + return User.query.filter(query).one_or_none() + + def delete(user): current_app.config["FG_AUTH_BACKEND"].delete_user(user) db.session.delete(user) diff --git a/flaschengeist/models/user.py b/flaschengeist/models/user.py index 98a2f4a..a25fd33 100644 --- a/flaschengeist/models/user.py +++ b/flaschengeist/models/user.py @@ -1,11 +1,10 @@ -from datetime import date -from typing import Optional - from flask import url_for +from typing import Optional +from datetime import date, datetime from sqlalchemy.orm.collections import attribute_mapped_collection -from . import ModelSerializeMixin -from flaschengeist.database import db +from ..database import db +from . import ModelSerializeMixin, UtcDateTime association_table = db.Table( "user_x_role", @@ -103,6 +102,15 @@ class _UserAttribute(db.Model, ModelSerializeMixin): value: any = db.Column(db.PickleType(protocol=4)) +class _PasswordReset(db.Model): + """Table containing password reset requests""" + __tablename__ = "password_reset" + _user_id: User = db.Column("user", db.Integer, db.ForeignKey("user.id"), primary_key=True) + user: User = db.relationship("User", foreign_keys=[_user_id]) + token: str = db.Column(db.String(30)) + expires: datetime = db.Column(UtcDateTime) + + class _Avatar: """Wrapper class for avatar binaries"""