Forbid password resets after 15 minutes.

2022-09-26 09:40:48 -04:00 · 2022-09-26 09:40:48 -04:00 · 7800c24f99
parent ae1a743855
commit 7800c24f99
2 changed files with 16 additions and 10 deletions
--- a/undercover/db.py
+++ b/undercover/db.py
@ -1,7 +1,8 @@
-from uuid import uuid4, UUID
 import os
 from dataclasses import dataclass
+from datetime import datetime, timedelta
 from typing import Optional
+from uuid import uuid4, UUID

 import bcrypt
 import psycopg
@ -134,17 +135,21 @@ def initiate_password_reset(email: str) -> Optional[UUID]:
        return reset_id


+RESET_TIME = timedelta(minutes=-1 * 15)
+
+
 def complete_reset(reset_id: str, new_password: str):
    with connect() as con:
        cur = con.cursor()
        cur.execute("SELECT reset_time, user_id FROM resets WHERE id = %s", (reset_id,))
        row = cur.fetchone()
-        if row:
-            reset_time, user_id = row
-            if reset_time:  # TODO: And reset_time is not too far in the past
-                cur.execute("DELETE FROM resets WHERE id = %s", (reset_id,))
-                password_hash = __gen_pw_hash(new_password)
-                cur.execute("UPDATE users SET password = %s WHERE id = %s", (password_hash, user_id))
-                con.commit()
-                return True
+        if not row or not row[0]:
+            return False
+        reset_time, user_id = row
+        if reset_time > (datetime.utcnow() + RESET_TIME):
+            cur.execute("DELETE FROM resets WHERE id = %s", (reset_id,))
+            password_hash = __gen_pw_hash(new_password)
+            cur.execute("UPDATE users SET password = %s WHERE id = %s", (password_hash, user_id))
+            con.commit()
+            return True
        return False
--- a/undercover/routes.py
+++ b/undercover/routes.py
@ -166,7 +166,8 @@ def reset_password():
        elif existing_reset_id:
            # TODO: Eventually remove db entry whether or not link is clicked
            new_password = request.form['password']
-            db.complete_reset(existing_reset_id, new_password)
+            if not db.complete_reset(existing_reset_id, new_password):
+                return render_index(error="Password reset failed. Your reset link may have expired.", status=500)
            # TODO: Log in?

        return redirect('/')