diff options
author | Frederick Muriuki Muriithi | 2024-08-20 17:03:52 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-08-20 17:03:52 -0500 |
commit | 212ba692337f8e4ba052291a3bda240db9744ff2 (patch) | |
tree | 3300f0e3105c62af1940e3e651272d09f49c2f2a /gn_auth/auth/authorisation | |
parent | 41d5835414082fc6e21f2d668ffd07a34afcf6ec (diff) | |
download | gn-auth-212ba692337f8e4ba052291a3bda240db9744ff2.tar.gz |
Handle the "GET" part of the change-password request
- Delete any expired tokens
- Display the UI if token is valid, else redirect with error notification.
Diffstat (limited to 'gn_auth/auth/authorisation')
-rw-r--r-- | gn_auth/auth/authorisation/users/views.py | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/gn_auth/auth/authorisation/users/views.py b/gn_auth/auth/authorisation/users/views.py index 3323f4d..839111e 100644 --- a/gn_auth/auth/authorisation/users/views.py +++ b/gn_auth/auth/authorisation/users/views.py @@ -453,4 +453,29 @@ def forgot_password(): @users.route("/change-password/<forgot_password_token>", methods=["GET", "POST"]) def change_password(forgot_password_token): """Enable user to perform password change.""" - return "Would change password..." + login_page = redirect(url_for("oauth2.auth.authorise", + client_id=request.args["client_id"], + redirect_uri=request.args["redirect_uri"], + response_type=request.args["response_type"])) + with (db.connection(current_app.config["AUTH_DB"]) as conn, + db.cursor(conn) as cursor): + cursor.execute("DELETE FROM forgot_password_tokens WHERE expires<=?", + (int(datetime.now().timestamp()),)) + cursor.execute( + "SELECT fpt.*, u.email FROM forgot_password_tokens AS fpt " + "INNER JOIN users AS u ON fpt.user_id=u.user_id WHERE token=?", + (forgot_password_token,)) + if request.method == "GET": + token = cursor.fetchone() + if bool(token): + return render_template( + "users/change-password.html", + email=token["email"], + client_id=request.args["client_id"], + redirect_uri=request.args["redirect_uri"], + response_type=request.args["response_type"], + forgot_password_token=forgot_password_token) + flash("Invalid Token: We cannot change your password!", + "alert-danger") + return login_page + return "Do actual password change..." |