add passreset routes

Introduced `get|post` `/passreset` routes. These routes mimic the behavior of the existing PHP implementation, with the exception of HTTP status code returns. Routes added: GET /passreset POST /passreset Routers added: aurweb.routers.accounts * On an unknown user or mismatched resetkey (where resetkey must == user.resetkey), return HTTP status NOT_FOUND (404). * On another error in the request, return HTTP status BAD_REQUEST (400). Both `get|post` routes requires that the current user is **not** authenticated, hence `@auth_required(False, redirect="/")`. + Added auth_required decorator to aurweb.auth. + Added some more utility to aurweb.models.user.User. + Added `partials/error.html` template. + Added `passreset.html` template. + Added aurweb.db.ConnectionExecutor functor for paramstyle logic. Decoupling the executor logic from the database connection logic is needed for us to easily use the same logic with a fastapi database session, when we need to use aurweb.scripts modules. At this point, notification configuration is now required to complete tests involved with notifications properly, like passreset. `conf/config.dev` has been modified to include [notifications] sendmail, sender and reply-to overrides. Dockerfile and .gitlab-ci.yml have been updated to setup /etc/hosts and start postfix before running tests. * setup.cfg: ignore E741, C901 in aurweb.routers.accounts These two warnings (shown in the commit) are not dangerous and a bi-product of maintaining compatibility with our current code flow. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-01-06 21:00:12 -08:00 · 2021-01-06 21:00:12 -08:00 · a33d076d8b
commit a33d076d8b
parent 4423326cec
15 changed files with 552 additions and 41 deletions
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@ -1,5 +1,4 @@
 import http
-import os

 from fastapi import FastAPI, HTTPException
 from fastapi.responses import HTMLResponse
@ -11,7 +10,7 @@ import aurweb.config

 from aurweb.auth import BasicAuthBackend
 from aurweb.db import get_engine
-from aurweb.routers import auth, html, sso, errors
+from aurweb.routers import accounts, auth, errors, html, sso

 routes = set()

@ -43,6 +42,7 @@ async def app_startup():
    app.include_router(sso.router)
    app.include_router(html.router)
    app.include_router(auth.router)
+    app.include_router(accounts.router)

    # Initialize the database engine and ORM.
    get_engine()
--- a/aurweb/db.py
+++ b/aurweb/db.py
@ -145,35 +145,21 @@ def connect():
    return get_engine().connect()


-class Connection:
+class ConnectionExecutor:
    _conn = None
    _paramstyle = None

-    def __init__(self):
-        aur_db_backend = aurweb.config.get('database', 'backend')
-
-        if aur_db_backend == 'mysql':
+    def __init__(self, conn, backend=aurweb.config.get("database", "backend")):
+        self._conn = conn
+        if backend == "mysql":
            import mysql.connector
-            aur_db_host = aurweb.config.get('database', 'host')
-            aur_db_name = aurweb.config.get('database', 'name')
-            aur_db_user = aurweb.config.get('database', 'user')
-            aur_db_pass = aurweb.config.get('database', 'password')
-            aur_db_socket = aurweb.config.get('database', 'socket')
-            self._conn = mysql.connector.connect(host=aur_db_host,
-                                                 user=aur_db_user,
-                                                 passwd=aur_db_pass,
-                                                 db=aur_db_name,
-                                                 unix_socket=aur_db_socket,
-                                                 buffered=True)
            self._paramstyle = mysql.connector.paramstyle
-        elif aur_db_backend == 'sqlite':
+        elif backend == "sqlite":
            import sqlite3
-            aur_db_name = aurweb.config.get('database', 'name')
-            self._conn = sqlite3.connect(aur_db_name)
-            self._conn.create_function("POWER", 2, math.pow)
            self._paramstyle = sqlite3.paramstyle
-        else:
-            raise ValueError('unsupported database backend')
+
+    def paramstyle(self):
+        return self._paramstyle

    def execute(self, query, params=()):
        if self._paramstyle in ('format', 'pyformat'):
@ -193,3 +179,43 @@ class Connection:

    def close(self):
        self._conn.close()
+
+
+class Connection:
+    _executor = None
+    _conn = None
+
+    def __init__(self):
+        aur_db_backend = aurweb.config.get('database', 'backend')
+
+        if aur_db_backend == 'mysql':
+            import mysql.connector
+            aur_db_host = aurweb.config.get('database', 'host')
+            aur_db_name = aurweb.config.get('database', 'name')
+            aur_db_user = aurweb.config.get('database', 'user')
+            aur_db_pass = aurweb.config.get('database', 'password')
+            aur_db_socket = aurweb.config.get('database', 'socket')
+            self._conn = mysql.connector.connect(host=aur_db_host,
+                                                 user=aur_db_user,
+                                                 passwd=aur_db_pass,
+                                                 db=aur_db_name,
+                                                 unix_socket=aur_db_socket,
+                                                 buffered=True)
+        elif aur_db_backend == 'sqlite':
+            import sqlite3
+            aur_db_name = aurweb.config.get('database', 'name')
+            self._conn = sqlite3.connect(aur_db_name)
+            self._conn.create_function("POWER", 2, math.pow)
+        else:
+            raise ValueError('unsupported database backend')
+
+        self._conn = ConnectionExecutor(self._conn)
+
+    def execute(self, query, params=()):
+        return self._conn.execute(query, params)
+
+    def commit(self):
+        self._conn.commit()
+
+    def close(self):
+        self._conn.close()
--- a/aurweb/routers/accounts.py
+++ b/aurweb/routers/accounts.py
@ -0,0 +1,102 @@
+from http import HTTPStatus
+
+from fastapi import APIRouter, Form, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from sqlalchemy import or_
+
+from aurweb import db
+from aurweb.auth import auth_required
+from aurweb.l10n import get_translator_for_request
+from aurweb.models.user import User
+from aurweb.scripts.notify import ResetKeyNotification
+from aurweb.templates import make_context, render_template
+
+router = APIRouter()
+
+
+@router.get("/passreset", response_class=HTMLResponse)
+@auth_required(False)
+async def passreset(request: Request):
+    context = make_context(request, "Password Reset")
+
+    for k, v in request.query_params.items():
+        context[k] = v
+
+    return render_template(request, "passreset.html", context)
+
+
+@router.post("/passreset", response_class=HTMLResponse)
+@auth_required(False)
+async def passreset_post(request: Request,
+                         user: str = Form(...),
+                         resetkey: str = Form(default=None),
+                         password: str = Form(default=None),
+                         confirm: str = Form(default=None)):
+    from aurweb.db import session
+
+    context = make_context(request, "Password Reset")
+
+    for k, v in dict(await request.form()).items():
+        context[k] = v
+
+    # The user parameter being required, we can match against
+    user = db.query(User, or_(User.Username == user,
+                              User.Email == user)).first()
+    if not user:
+        context["errors"] = ["Invalid e-mail."]
+        return render_template(request, "passreset.html", context,
+                               status_code=int(HTTPStatus.NOT_FOUND))
+
+    if resetkey:
+        context["resetkey"] = resetkey
+
+        if not user.ResetKey or resetkey != user.ResetKey:
+            context["errors"] = ["Invalid e-mail."]
+            return render_template(request, "passreset.html", context,
+                                   status_code=int(HTTPStatus.NOT_FOUND))
+
+        if not user or not password:
+            context["errors"] = ["Missing a required field."]
+            return render_template(request, "passreset.html", context,
+                                   status_code=int(HTTPStatus.BAD_REQUEST))
+
+        if password != confirm:
+            # If the provided password does not match the provided confirm.
+            context["errors"] = ["Password fields do not match."]
+            return render_template(request, "passreset.html", context,
+                                   status_code=int(HTTPStatus.BAD_REQUEST))
+
+        if len(password) < User.minimum_passwd_length():
+            # Translate the error here, which simplifies error output
+            # in the jinja2 template.
+            _ = get_translator_for_request(request)
+            context["errors"] = [_(
+                "Your password must be at least %s characters.") % (
+                str(User.minimum_passwd_length()))]
+            return render_template(request, "passreset.html", context,
+                                   status_code=int(HTTPStatus.BAD_REQUEST))
+
+        # We got to this point; everything matched up. Update the password
+        # and remove the ResetKey.
+        user.ResetKey = str()
+        user.update_password(password)
+
+        if user.session:
+            session.delete(user.session)
+            session.commit()
+
+        # Render ?step=complete.
+        return RedirectResponse(url="/passreset?step=complete",
+                                status_code=int(HTTPStatus.SEE_OTHER))
+
+    # If we got here, we continue with issuing a resetkey for the user.
+    resetkey = db.make_random_value(User, User.ResetKey)
+    user.ResetKey = resetkey
+    session.commit()
+
+    executor = db.ConnectionExecutor(db.get_engine().raw_connection())
+    ResetKeyNotification(executor, user.ID).send()
+
+    # Render ?step=confirm.
+    return RedirectResponse(url="/passreset?step=confirm",
+                            status_code=int(HTTPStatus.SEE_OTHER))
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@ -6,6 +6,7 @@ from fastapi.responses import HTMLResponse, RedirectResponse

 import aurweb.config

+from aurweb.auth import auth_required
 from aurweb.models.user import User
 from aurweb.templates import make_context, render_template

@ -21,12 +22,13 @@ def login_template(request: Request, next: str, errors: list = None):


@router.get("/login", response_class=HTMLResponse)
+@auth_required(False)
 async def login_get(request: Request, next: str = "/"):
-    """ Homepage route. """
    return login_template(request, next)


@router.post("/login", response_class=HTMLResponse)
+@auth_required(False)
 async def login_post(request: Request,
                     next: str = Form(...),
                     user: str = Form(default=str()),
@ -45,8 +47,8 @@ async def login_post(request: Request,
        cookie_timeout = aurweb.config.getint(
            "options", "persistent_cookie_timeout")

-    _, sid = user.login(request, passwd, cookie_timeout)
-    if not _:
+    sid = user.login(request, passwd, cookie_timeout)
+    if not sid:
        return login_template(request, next,
                              errors=["Bad username or password."])

@ -62,6 +64,7 @@ async def login_post(request: Request,


@router.get("/logout")
+@auth_required()
 async def logout(request: Request, next: str = "/"):
    """ A GET and POST route for logging out.

@ -81,5 +84,6 @@ async def logout(request: Request, next: str = "/"):


@router.post("/logout")
+@auth_required()
 async def logout_post(request: Request, next: str = "/"):
    return await logout(request=request, next=next)