globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

profile hashes take the user email in account

Browse source
This commit is contained in:
Éloi Rivard 2021-11-30 14:56:39 +01:00
parent 456d996741
commit 4f82b9eca4
4 changed files with 14 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
canaille/account.py
View file

@ -358,7 +358,7 @@ def reset(uid, hash):
user = User.get(uid) user = User.get(uid)
if not user or hash != profile_hash( if not user or hash != profile_hash(
user.uid[0], user.userPassword[0] if user.has_password() else "" user.uid[0], user.mail[0], user.userPassword[0] if user.has_password() else ""
): ):
flash( flash(
_("The password reset link that brought you here was invalid."), _("The password reset link that brought you here was invalid."),

4
canaille/admin/mail.py
View file

@ -15,7 +15,7 @@ def reset_html(user):
reset_url = url_for( reset_url = url_for(
"account.reset", "account.reset",
uid=user.uid[0], uid=user.uid[0],
hash=profile_hash(user.uid[0], user.userPassword[0]), hash=profile_hash(user.uid[0], user.mail[0], user.userPassword[0]),
_external=True, _external=True,
) )
@ -38,7 +38,7 @@ def reset_txt(user):
reset_url = url_for( reset_url = url_for(
"account.reset", "account.reset",
uid=user.uid[0], uid=user.uid[0],
hash=profile_hash(user.uid[0], user.userPassword[0]), hash=profile_hash(user.uid[0], user.mail[0], user.userPassword[0]),
_external=True, _external=True,
) )

13
canaille/mails.py
View file

@ -5,11 +5,12 @@ from flask_themer import render_template
from .apputils import logo, send_email from .apputils import logo, send_email
def profile_hash(user, password): def profile_hash(user, email, password=None):
return hashlib.sha256( return hashlib.sha256(
current_app.config["SECRET_KEY"].encode("utf-8") current_app.config["SECRET_KEY"].encode("utf-8")
+ user.encode("utf-8") + user.encode("utf-8")
+ password.encode("utf-8") + email.encode("utf-8")
+ (password.encode("utf-8") if password else b"")
).hexdigest() ).hexdigest()
@ -19,7 +20,9 @@ def send_password_reset_mail(user):
"account.reset", "account.reset",
uid=user.uid[0], uid=user.uid[0],
hash=profile_hash( hash=profile_hash(
user.uid[0], user.userPassword[0] if user.has_password() else "" user.uid[0],
user.mail[0],
user.userPassword[0] if user.has_password() else "",
), ),
_external=True, _external=True,
) )
@ -57,7 +60,9 @@ def send_password_initialization_mail(user):
"account.reset", "account.reset",
uid=user.uid[0], uid=user.uid[0],
hash=profile_hash( hash=profile_hash(
user.uid[0], user.userPassword[0] if user.has_password() else "" user.uid[0],
user.mail[0],
user.userPassword[0] if user.has_password() else "",
), ),
_external=True, _external=True,
) )

4
tests/test_password_reset.py
View file

@ -5,7 +5,7 @@ def test_password_reset(testclient, slapd_connection, user):
user.attr_type_by_name(conn=slapd_connection) user.attr_type_by_name(conn=slapd_connection)
user.reload(conn=slapd_connection) user.reload(conn=slapd_connection)
with testclient.app.app_context(): with testclient.app.app_context():
hash = profile_hash("user", user.userPassword[0]) hash = profile_hash("user", user.mail[0], user.userPassword[0])
res = testclient.get("/reset/user/" + hash, status=200) res = testclient.get("/reset/user/" + hash, status=200)
@ -40,7 +40,7 @@ def test_password_reset_bad_password(testclient, slapd_connection, user):
user.attr_type_by_name(conn=slapd_connection) user.attr_type_by_name(conn=slapd_connection)
user.reload(conn=slapd_connection) user.reload(conn=slapd_connection)
with testclient.app.app_context(): with testclient.app.app_context():
hash = profile_hash("user", user.userPassword[0]) hash = profile_hash("user", user.mail[0], user.userPassword[0])
res = testclient.get("/reset/user/" + hash, status=200) res = testclient.get("/reset/user/" + hash, status=200)