Files
notifications-admin/app/main/views/new_password.py
Leo Hemsted aff9d47323 don't hit API when checking new account email-token
we currently store new account email verify tokens in the database, and
check against that to work out if they've expired. But we don't need to
do that, tokens have their own timing mechanism. So lets just use that,
and free up the database to do other things.

Also, standardised the forgot password, change email, and new account
email verification timeouts to all be an hour, from the config val
'EMAIL_EXPIRY_SECONDS'
2017-11-01 15:32:24 +00:00

41 lines
1.7 KiB
Python

from datetime import datetime
import json
from flask import (render_template, url_for, redirect, flash, session, current_app)
from itsdangerous import SignatureExpired
from notifications_utils.url_safe_token import check_token
from app import user_api_client
from app.main import main
from app.main.forms import NewPasswordForm
@main.route('/new-password/<path:token>', methods=['GET', 'POST'])
def new_password(token):
try:
token_data = check_token(token, current_app.config['SECRET_KEY'], current_app.config['DANGEROUS_SALT'],
current_app.config['EMAIL_EXPIRY_SECONDS'])
except SignatureExpired:
flash('The link in the email we sent you has expired. Enter your email address to resend.')
return redirect(url_for('.forgot_password'))
email_address = json.loads(token_data)['email']
user = user_api_client.get_user_by_email(email_address)
if user.password_changed_at and datetime.strptime(user.password_changed_at, '%Y-%m-%d %H:%M:%S.%f') > \
datetime.strptime(json.loads(token_data)['created_at'], '%Y-%m-%d %H:%M:%S.%f'):
flash('The link in the email has already been used')
return redirect(url_for('main.index'))
form = NewPasswordForm()
if form.validate_on_submit():
user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
user_api_client.reset_failed_login_count(user.id)
session['user_details'] = {
'id': user.id,
'email': user.email_address,
'password': form.new_password.data}
return redirect(url_for('main.two_factor'))
else:
return render_template('views/new-password.html', token=token, form=form, user=user)