From 47a73a42981fe198bdce951d8af8ed039f0d2e08 Mon Sep 17 00:00:00 2001
From: Sven Heidemann
Date: Tue, 18 Oct 2022 19:50:13 +0200
Subject: [PATCH] Fixed password handling #70

---
 .../src/bot_api/controller/auth_controller.py | 11 +++++++--
 .../src/bot_api/model/update_auth_user_dto.py | 4 ++--
 kdb-bot/src/bot_api/service/auth_service.py | 23 +++++++------------
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/kdb-bot/src/bot_api/controller/auth_controller.py b/kdb-bot/src/bot_api/controller/auth_controller.py
index b74c9518..2d03b37a 100644
--- a/kdb-bot/src/bot_api/controller/auth_controller.py
+++ b/kdb-bot/src/bot_api/controller/auth_controller.py
@@ -12,6 +12,7 @@ from bot_api.filter.auth_user_select_criteria import AuthUserSelectCriteria
 from bot_api.json_processor import JSONProcessor
 from bot_api.logging.api_logger import ApiLogger
 from bot_api.model.auth_user_dto import AuthUserDTO
+from bot_api.model.reset_password_dto import ResetPasswordDTO
 from bot_api.model.token_dto import TokenDTO
 from bot_api.model.update_auth_user_dto import UpdateAuthUserDTO
 from bot_api.route.route import Route
@@ -62,7 +63,7 @@ class AuthController:
 return jsonify(result.to_dict())
 @Route.get(f'{BasePath}/users/find/')
- @Route.authorize(role=AuthRoleEnum.admin)
+ @Route.authorize
 async def find_user_from_email(self, email: str) -> Response:
 result = await self._auth_service.find_auth_user_by_email_async(email)
 return jsonify(result.to_dict())
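Review bot: Dropping `role=AuthRoleEnum.admin` from `find_user_from_email` lets any authenticated caller look up another account by e-mail address, and the commit message does not say why; if the intent is to let a user fetch only their own record, the handler should compare `email` against the caller's identity instead of removing the role check, e.g. keep `@Route.authorize(role=AuthRoleEnum.admin)` and add a separate self-lookup route. `Route.authorize` is used elsewhere in this file as a decorator factory (`@Route.authorize(role=...)`), so the bare `@Route.authorize` form may hand the handler to the factory as its first argument instead of wrapping it — worth confirming against the signature of `Route.authorize`, or writing `@Route.authorize()` if it accepts a no-argument call. If `AuthRoleEnum` is no longer referenced in this module after the change, its import can go as well.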
@@ -99,7 +100,13 @@ class AuthController:
 @Route.post(f'{BasePath}/confirm-forgot-password/')
 async def confirm_forgot_password(self, id: str):
- await self._auth_service.confirm_forgot_password_async(id)
+ result = await self._auth_service.confirm_forgot_password_async(id)
+ return jsonify(result.to_dict())
+
+ @Route.post(f'{BasePath}/reset-password')
+ async def reset_password(self):
+ dto: ResetPasswordDTO = JSONProcessor.process(ResetPasswordDTO, request.get_json(force=True, silent=True))
+ await self._auth_service.reset_password_async(dto)
 return '', 200
 @Route.post(f'{BasePath}/update-user')
diff --git a/kdb-bot/src/bot_api/model/update_auth_user_dto.py b/kdb-bot/src/bot_api/model/update_auth_user_dto.py
index 9caa9473..254c0c72 100644
--- a/kdb-bot/src/bot_api/model/update_auth_user_dto.py
+++ b/kdb-bot/src/bot_api/model/update_auth_user_dto.py
@@ -12,7 +12,7 @@ class UpdateAuthUserDTO(DtoABC):
 self,
 auth_user_dto: AuthUserDTO,
 new_auth_user_dto: AuthUserDTO,
- change_password=False
+ change_password: bool = False
 ):
 DtoABC.__init__(self)
@@ -35,7 +35,7 @@ class UpdateAuthUserDTO(DtoABC):
 def from_dict(self, values: dict):
 self._auth_user = values['authUser']
 self._new_auth_user = values['newAuthUser']
- self._change_password = False if 'changePassword' not in values else values['changePassword']
+ self._change_password = False if 'changePassword' not in values else bool(values['changePassword'])
 def to_dict(self) -> dict:
 return {
diff --git a/kdb-bot/src/bot_api/service/auth_service.py b/kdb-bot/src/bot_api/service/auth_service.py
index 5887bb9a..3057cd84 100644
--- a/kdb-bot/src/bot_api/service/auth_service.py
+++ b/kdb-bot/src/bot_api/service/auth_service.py
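Review bot: `confirm_forgot_password` carries no `@Route.authorize` in this hunk, so the record returned by the new `return jsonify(result.to_dict())` is served to anyone who presents a forgot-password `id`, where the endpoint previously returned nothing. Whether that is acceptable depends on what `confirm_forgot_password_async` returns and what its `to_dict()` includes, which this diff does not show — if it is the full `AuthUserDTO`, consider returning only the fields the reset page needs. In `reset_password`, `request.get_json(force=True, silent=True)` yields `None` for a missing or malformed body, so `JSONProcessor.process(ResetPasswordDTO, None)` is reached; how that fails is outside the hunk and worth checking so a bad request produces a 400 rather than an unhandled exception.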
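Review bot: `bool(values['changePassword'])` in `from_dict` turns any non-empty string into `True`, so a client sending `"changePassword": "false"` would enable a password change; JSON `true`/`false` decode to Python booleans, so the cast only matters for malformed input, but because this flag gates a credential change it is safer to accept only a real boolean: `self._change_password = values.get('changePassword', False) is True`. That form also replaces the `not in` test plus second lookup with a single `get`.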
@@ -240,24 +240,14 @@ class AuthService(AuthServiceABC):
 raise ServiceException(ServiceErrorCode.InvalidUser, 'User already exists')
 user.email = update_user_dto.new_auth_user.email
- is_existing_password_set = False
- is_new_password_set = False
- # hash passwords in DTOs
- if update_user_dto.auth_user.password is not None and update_user_dto.auth_user.password != '':
- is_existing_password_set = True
- update_user_dto.auth_user.password = self._hash_sha256(update_user_dto.auth_user.password, user.password_salt)
-
+ update_user_dto.auth_user.password = self._hash_sha256(update_user_dto.auth_user.password, user.password_salt)
 if update_user_dto.auth_user.password != user.password:
 raise ServiceException(ServiceErrorCode.InvalidUser, 'Wrong password')
- if update_user_dto.new_auth_user.password is not None and update_user_dto.new_auth_user.password != '':
- is_new_password_set = True
- update_user_dto.new_auth_user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)
-
 # update password
- if is_existing_password_set and is_new_password_set and update_user_dto.auth_user.password != update_user_dto.new_auth_user.password:
+ if self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt) != user.password:
 user.password_salt = uuid.uuid4()
- user.password = update_user_dto.new_auth_user.password
+ user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)
 self._auth_users.update_auth_user(user)
 self._db.save_changes()
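Review bot: The removed `is not None and != ''` guards were doing real work: without them an update that omits the new password now reaches `self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)` with `None` or `''`, which either raises inside the hash helper or — if the helper accepts an empty string — silently replaces the account's password with the hash of `''`. The same applies to the new current-password line when `auth_user.password` is absent (the old code fell through to the `'Wrong password'` raise instead of hashing `None`), and to the `change_password` branch in the hunk at `@@ -302,7 +292,7 @@`. The reset path in the hunk at `@@ -435,5 +425,8 @@` already rejects an empty password before hashing; this method should mirror that and only rotate the credential when a non-empty new password is supplied. The method's signature and the user lookup are above the hunk.
```python
        current_password = update_user_dto.auth_user.password
        if current_password is None or current_password == '':
            raise ServiceException(ServiceErrorCode.InvalidUser, 'Wrong password')
        update_user_dto.auth_user.password = self._hash_sha256(current_password, user.password_salt)
        # … unchanged: comparison against user.password and 'Wrong password' raise …

        # update password only when a non-empty new password was supplied
        new_password = update_user_dto.new_auth_user.password
        if new_password is not None and new_password != '':
            if self._hash_sha256(new_password, user.password_salt) != user.password:
                user.password_salt = uuid.uuid4()
                user.password = self._hash_sha256(new_password, user.password_salt)
        # … unchanged: update_auth_user / save_changes …
```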
@@ -302,7 +292,7 @@ class AuthService(AuthServiceABC):
 user.email = update_user_dto.new_auth_user.email
 # update password
- if update_user_dto.change_password and update_user_dto.auth_user.password != update_user_dto.new_auth_user.password:
+ if update_user_dto.change_password and user.password != self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt):
 user.password_salt = uuid.uuid4()
 user.password = self._hash_sha256(update_user_dto.new_auth_user.password, user.password_salt)
@@ -340,7 +330,7 @@ class AuthService(AuthServiceABC):
 if user is None:
 raise ServiceException(ServiceErrorCode.InvalidData, 'Token expired')
 except Exception as e:
- self._logger.error(__name__, f'Refreshing token failed', e)
+ self._logger.error(__name__, f'Token invalid', e)
 return False
 return True
@@ -435,5 +425,8 @@ class AuthService(AuthServiceABC):
 if user.password is None or rp_dto.password == '':
 raise ServiceException(ServiceErrorCode.InvalidData, f'Password not set')
+ user.password_salt = uuid.uuid4()
 user.password = self._hash_sha256(rp_dto.password, user.password_salt)
+ user.forgot_password_id = None
+ self._auth_users.update_auth_user(user)
 self._db.save_changes()
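Review bot: Nothing in the `reset_password_async` hunk invalidates tokens already issued to the account, so a session established before the reset keeps working afterwards; the refresh check in the hunk at `@@ -340,7 +330,7 @@` appears to test only that the user still exists, though its lookup is outside the hunk. If the service stores a refresh token on the user, clear it here next to `user.forgot_password_id = None`; if tokens are stateless, consider recording a reset timestamp for the verifier to compare against the token's issue time — and note the chosen policy in a comment on the method. The new salt rotation before hashing and the consumption of `forgot_password_id` are correct as far as they go. The start of `reset_password_async` (presumably the lookup by `forgot_password_id`) is above the hunk.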