Commit c76f9248 authored by Floréal Cabanettes's avatar Floréal Cabanettes

Use random token for register instead of hash of user data for improved...

Use random token for register instead of hash of user data for improved security + remove duplicated field in user
parent 348e0c79
import random
import string
def random_string(string_length=50):
"""Generate a random string of letters and digits """
letters_and_digits = string.ascii_letters + string.digits
return ''.join(random.choice(letters_and_digits) for i in range(string_length))
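Review bot: `random_string` draws its characters from `random.choice`, which is the non-cryptographic Mersenne Twister PRNG, so the activation token it produces for `mail_token` in view/register.py is not suitable as a secret. Use the `secrets` module instead: `import secrets` at the top and `return ''.join(secrets.choice(letters_and_digits) for _ in range(string_length))`, or `return secrets.token_urlsafe(string_length)` if the exact alphabet does not matter. The docstring should say what the string is for, e.g. `"""Generate a random string of letters and digits for one-time tokens (backed by the secrets CSPRNG)."""`. This new file's header line is not shown on the page and the function body's indentation was lost in rendering.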
from mongoengine import Document, StringField, DateTimeField, IntField, BooleanField
from mongoengine import Document, StringField, DateTimeField, BooleanField
import datetime
......@@ -10,4 +10,4 @@ class User(Document):
date_last_connexion = DateTimeField(required=False, null=True)
role = StringField(required=True, choices=["admin", "editor", "moderator", "basic"])
active = BooleanField(required=False, default=False)
enabled = BooleanField(required=False, default=True)
mail_token = StringField(required=False)
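Review bot: Removing `enabled` from the `User` schema leaves existing documents that still carry that key unhandled; if this class runs with mongoengine's default strict mode (the class head and any `meta` are outside the hunk), loading such a document raises `FieldDoesNotExist`, so either a one-off `$unset` of the key on the collection or `meta = {"strict": False}` is needed alongside this change. Since view/register.py clears the token by assigning `None`, declaring it as `mail_token = StringField(required=False, null=True)` would match `date_last_connexion` above and make the cleared value round-trip the same way. A short comment such as `# one-time e-mail activation token; None once the account is active` would document the field's lifecycle.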
......@@ -7,8 +7,8 @@ msgid ""
msgstr ""
"Project-Id-Version: PROJECT VERSION\n"
"Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
"POT-Creation-Date: 2019-09-08 17:41+0200\n"
"PO-Revision-Date: 2019-09-08 17:42+0200\n"
"POT-Creation-Date: 2019-09-08 18:45+0200\n"
"PO-Revision-Date: 2019-09-08 18:45+0200\n"
"Last-Translator: \n"
"Language: fr\n"
"Language-Team: fr <LL@li.org>\n"
......@@ -19,11 +19,11 @@ msgstr ""
"Generated-By: Babel 2.7.0\n"
"X-Generator: Poedit 2.0.6\n"
#: app.py:55 view/panel.py:11
#: app.py:58 view/panel.py:11
msgid "Panel"
msgstr "Panel"
#: app.py:67
#: app.py:70
msgid "Login"
msgstr "Connexion"
......@@ -73,3 +73,7 @@ msgstr "Un utilisateur existe déjà avec cette adresse e-mail"
#: view/register.py:53
msgid "Invalid request"
msgstr "Requête invalide"
#: view/register.py:63
msgid "Your account is now active. You can login in"
msgstr "Votre compte est maintenant activé. Vous pouvez vous connecter"
......@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PROJECT VERSION\n"
"Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
"POT-Creation-Date: 2019-09-08 17:41+0200\n"
"POT-Creation-Date: 2019-09-08 18:45+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
......@@ -17,11 +17,11 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n"
"Generated-By: Babel 2.7.0\n"
#: app.py:55 view/panel.py:11
#: app.py:58 view/panel.py:11
msgid "Panel"
msgstr ""
#: app.py:67
#: app.py:70
msgid "Login"
msgstr ""
......@@ -67,3 +67,7 @@ msgstr ""
msgid "Invalid request"
msgstr ""
#: view/register.py:63
msgid "Your account is now active. You can login in"
msgstr ""
......@@ -6,6 +6,7 @@ from flask_bcrypt import generate_password_hash
from mongoengine.errors import NotUniqueError, DoesNotExist
from werkzeug.exceptions import BadRequest
from functions import random_string
from settings import SITE_NAME, PASSWORD_HASH_ROUNDS
from mail import send_mail
......@@ -30,11 +31,12 @@ def register():
if nb_user == 0:
role = "admin"
password = generate_password_hash(data["password"], PASSWORD_HASH_ROUNDS)
mail_token = random_string()
user = User(name=data["name"], email=data["email"],
password=password, role=role, active=False)
password=password, role=role, active=False, mail_token=mail_token)
try:
user.save()
token = "?token=" + hashlib.md5((data["name"] + data["email"]).encode()).hexdigest() + "&mail=" + data["email"]
token = "?token=" + mail_token + "&mail=" + data["email"]
send_mail(data["email"], f"{SITE_NAME} - " + _("please activate your account"),
_("Welcome %s,\n\nPlease click on this link to activate your account on %s:\n") %
(data["name"], SITE_NAME) + request.url_root + "activate" + token)
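Review bot: The new line `token = "?token=" + mail_token + "&mail=" + data["email"]` concatenates the e-mail address into the query string unencoded, so an address containing `+` or `&` yields a link that decodes to a different address and the activation lookup fails; build it with `from urllib.parse import urlencode` and `token = "?" + urlencode({"token": mail_token, "mail": data["email"]})`. The token is also stored in clear text in `mail_token`, so a read of the users collection exposes unused activation tokens; storing only a hash and comparing the hash in `activate_account` would limit that. `random_string`, imported at the top of this section, is built on the non-cryptographic `random` module (see the functions.py note), and if `hashlib` had no other use in this module its import can now be dropped. `register` starts outside this hunk.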
......@@ -56,9 +58,9 @@ def activate_account():
except DoesNotExist:
pass
else:
user_token = hashlib.md5((user.name + user.email).encode()).hexdigest()
if user_token == token:
if user.mail_token == token:
user.active = True
user.mail_token = None
user.save()
flash("success|" + _("Your account is now active. You can login in"))
return redirect(url_for("login"))
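Review bot: `if user.mail_token == token:` compares the secret with plain equality and does not guard the empty case: `mail_token` is set to `None` two lines later once activated, and users created before this change have no token at all, so if `token` is read with something like `request.args.get("token")` (outside the hunk) a missing parameter compares `None == None` and the branch passes without any token. Guard both sides and use a constant-time comparison: `if token and user.mail_token and hmac.compare_digest(user.mail_token, token):` with `import hmac` at the top of the module. `activate_account` starts outside this hunk.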