Forbid password resets after 15 minutes.

undercover/db.py

@@ -1,7 +1,8 @@
-from uuid import uuid4, UUID
 import os
 from dataclasses import dataclass
+from datetime import datetime, timedelta
 from typing import Optional
+from uuid import uuid4, UUID
 
 import bcrypt
 import psycopg
@@ -134,14 +135,18 @@ def initiate_password_reset(email: str) -> Optional[UUID]:
         return reset_id
 
 
+RESET_TIME = timedelta(minutes=-1 * 15)
+
+
 def complete_reset(reset_id: str, new_password: str):
     with connect() as con:
         cur = con.cursor()
         cur.execute("SELECT reset_time, user_id FROM resets WHERE id = %s", (reset_id,))
         row = cur.fetchone()
-        if row:
+        if not row or not row[0]:
+            return False
         reset_time, user_id = row
-            if reset_time:  # TODO: And reset_time is not too far in the past
+        if reset_time > (datetime.utcnow() + RESET_TIME):
             cur.execute("DELETE FROM resets WHERE id = %s", (reset_id,))
             password_hash = __gen_pw_hash(new_password)
             cur.execute("UPDATE users SET password = %s WHERE id = %s", (password_hash, user_id))

undercover/routes.py

@@ -166,7 +166,8 @@ def reset_password():
         elif existing_reset_id:
             # TODO: Eventually remove db entry whether or not link is clicked
             new_password = request.form['password']
-            db.complete_reset(existing_reset_id, new_password)
+            if not db.complete_reset(existing_reset_id, new_password):
+                return render_index(error="Password reset failed. Your reset link may have expired.", status=500)
             # TODO: Log in?
 
         return redirect('/')