Fixed password handling #70

2022-10-18 19:50:13 +02:00 · 2022-10-18 19:50:13 +02:00 · 47a73a4298
commit 47a73a4298
parent a082b879ca
3 changed files with 19 additions and 19 deletions
--- a/kdb-bot/src/bot_api/controller/auth_controller.py
+++ b/kdb-bot/src/bot_api/controller/auth_controller.py
@ -12,6 +12,7 @@ from bot_api.filter.auth_user_select_criteria import AuthUserSelectCriteria
 from bot_api.json_processor import JSONProcessor
 from bot_api.logging.api_logger import ApiLogger
 from bot_api.model.auth_user_dto import AuthUserDTO
+from bot_api.model.reset_password_dto import ResetPasswordDTO
 from bot_api.model.token_dto import TokenDTO
 from bot_api.model.update_auth_user_dto import UpdateAuthUserDTO
 from bot_api.route.route import Route
@ -62,7 +63,7 @@ class AuthController:
        return jsonify(result.to_dict())

    @Route.get(f'{BasePath}/users/find/<email>')
-    @Route.authorize(role=AuthRoleEnum.admin)
+    @Route.authorize
    async def find_user_from_email(self, email: str) -> Response:
        result = await self._auth_service.find_auth_user_by_email_async(email)
        return jsonify(result.to_dict())
@ -99,7 +100,13 @@ class AuthController:

    @Route.post(f'{BasePath}/confirm-forgot-password/<id>')
    async def confirm_forgot_password(self, id: str):
-        await self._auth_service.confirm_forgot_password_async(id)
+        result = await self._auth_service.confirm_forgot_password_async(id)
+        return jsonify(result.to_dict())
+
+    @Route.post(f'{BasePath}/reset-password')
+    async def reset_password(self):
+        dto: ResetPasswordDTO = JSONProcessor.process(ResetPasswordDTO, request.get_json(force=True, silent=True))
+        await self._auth_service.reset_password_async(dto)
        return '', 200

    @Route.post(f'{BasePath}/update-user')
--- a/kdb-bot/src/bot_api/model/update_auth_user_dto.py
+++ b/kdb-bot/src/bot_api/model/update_auth_user_dto.py
@ -12,7 +12,7 @@ class UpdateAuthUserDTO(DtoABC):
            self,
            auth_user_dto: AuthUserDTO,
            new_auth_user_dto: AuthUserDTO,
-            change_password=False
+            change_password: bool = False
    ):
        DtoABC.__init__(self)

@ -35,7 +35,7 @@ class UpdateAuthUserDTO(DtoABC):
    def from_dict(self, values: dict):
        self._auth_user = values['authUser']
        self._new_auth_user = values['newAuthUser']
-        self._change_password = False if 'changePassword' not in values else values['changePassword']
+        self._change_password = False if 'changePassword' not in values else bool(values['changePassword'])

    def to_dict(self) -> dict:
        return {
--- a/kdb-bot/src/bot_api/service/auth_service.py
+++ b/kdb-bot/src/bot_api/service/auth_service.py
@ -240,24 +240,14 @@ class AuthService(AuthServiceABC):
                raise ServiceException(ServiceErrorCode.InvalidUser, 'User already exists')
            user.email = update_user_dto.new_auth_user.email

-        is_existing_password_set = False
-        is_new_password_set = False
-        # hash passwords in DTOs
-        if update_user_dto.auth_user.password is not None and update_user_dto.auth_user.password != '':
-            is_existing_password_set = True
-            update_user_dto.auth_user.password = self._hash_sha256(update_user_dto.auth_user.password, user.password_salt)
-
+        update_user_dto.auth_user.password = self._hash_sha256(update_user_dto.auth_user.password, user.password_salt)
        if update_user_dto.auth_user.password != user.password:
            raise ServiceException(ServiceErrorCode.InvalidUser, 'Wrong password')

-        if update_user_dto.new_auth_user.password is not None and update_user_dto.new_auth_user.password != '':
-            is_new_password_set = True
-            update_user_dto.new_auth_user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)
-
        # update password
-        if is_existing_password_set and is_new_password_set and update_user_dto.auth_user.password != update_user_dto.new_auth_user.password:
+        if self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt) != user.password:
            user.password_salt = uuid.uuid4()
-            user.password = update_user_dto.new_auth_user.password
+            user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)

        self._auth_users.update_auth_user(user)
        self._db.save_changes()
@ -302,7 +292,7 @@ class AuthService(AuthServiceABC):
            user.email = update_user_dto.new_auth_user.email

        # update password
-        if update_user_dto.change_password and update_user_dto.auth_user.password != update_user_dto.new_auth_user.password:
+        if update_user_dto.change_password and user.password != self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt):
            user.password_salt = uuid.uuid4()
            user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)

@ -340,7 +330,7 @@ class AuthService(AuthServiceABC):
            if user is None:
                raise ServiceException(ServiceErrorCode.InvalidData, 'Token expired')
        except Exception as e:
-            self._logger.error(__name__, f'Refreshing token failed', e)
+            self._logger.error(__name__, f'Token invalid', e)
            return False

        return True
@ -435,5 +425,8 @@ class AuthService(AuthServiceABC):
        if user.password is None or rp_dto.password == '':
            raise ServiceException(ServiceErrorCode.InvalidData, f'Password not set')

+        user.password_salt = uuid.uuid4()
        user.password = self._hash_sha256(rp_dto.password, user.password_salt)
+        user.forgot_password_id = None
+        self._auth_users.update_auth_user(user)
        self._db.save_changes()