feat: register new user with team-specific token
revamp entire `SetPassword` page
188
cutt/security.py
188
cutt/security.py
@@ -6,7 +6,7 @@ from pydantic import BaseModel, ValidationError
|
||||
import jwt
|
||||
from jwt.exceptions import ExpiredSignatureError, InvalidTokenError
|
||||
from sqlmodel import Session, select
|
||||
from cutt.db import TokenDB, engine, Player
|
||||
from cutt.db import PlayerTeamLink, Team, TokenDB, engine, Player
|
||||
from fastapi.security import (
|
||||
OAuth2PasswordBearer,
|
||||
OAuth2PasswordRequestForm,
|
||||
@@ -16,6 +16,8 @@ from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
from passlib.context import CryptContext
|
||||
from sqlalchemy.exc import OperationalError
|
||||
|
||||
P = Player
|
||||
|
||||
|
||||
class Config(BaseSettings):
|
||||
secret_key: str = ""
|
||||
@@ -208,72 +210,94 @@ async def logout(response: Response):
|
||||
return {"message": "Successfully logged out"}
|
||||
|
||||
|
||||
def generate_one_time_token(username):
|
||||
def set_password_token(username: str):
|
||||
user = get_user(username)
|
||||
if user:
|
||||
expire = timedelta(days=7)
|
||||
expire = timedelta(days=30)
|
||||
token = create_access_token(
|
||||
data={"sub": username, "name": user.display_name},
|
||||
data={
|
||||
"sub": "set password",
|
||||
"username": username,
|
||||
"name": user.display_name,
|
||||
},
|
||||
expires_delta=expire,
|
||||
)
|
||||
return token
|
||||
|
||||
|
||||
def register_token(team_id: int):
|
||||
with Session(engine) as session:
|
||||
team = session.exec(select(Team).where(Team.id == team_id)).one()
|
||||
if team:
|
||||
expire = timedelta(days=30)
|
||||
token = create_access_token(
|
||||
data={"sub": "register", "team_id": team_id, "name": team.name},
|
||||
expires_delta=expire,
|
||||
)
|
||||
return token
|
||||
|
||||
|
||||
def verify_one_time_token(token: str):
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="could not validate token",
|
||||
)
|
||||
with Session(engine) as session:
|
||||
token_in_db = session.exec(
|
||||
select(TokenDB).where(TokenDB.token == token).where(TokenDB.used == False)
|
||||
).one_or_none()
|
||||
if token_in_db:
|
||||
try:
|
||||
payload = jwt.decode(token, config.secret_key, algorithms=["HS256"])
|
||||
return payload
|
||||
except ExpiredSignatureError:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="access token expired",
|
||||
)
|
||||
except (InvalidTokenError, ValidationError):
|
||||
raise credentials_exception
|
||||
elif session.exec(
|
||||
select(TokenDB).where(TokenDB.token == token).where(TokenDB.used == True)
|
||||
).one_or_none():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="token already used",
|
||||
)
|
||||
else:
|
||||
raise credentials_exception
|
||||
|
||||
|
||||
def invalidate_one_time_token(token: str):
|
||||
with Session(engine) as session:
|
||||
token_in_db = session.exec(select(TokenDB).where(TokenDB.token == token)).one()
|
||||
token_in_db.used = True
|
||||
session.add(token_in_db)
|
||||
session.commit()
|
||||
|
||||
|
||||
class FirstPassword(BaseModel):
|
||||
token: str
|
||||
password: str
|
||||
|
||||
|
||||
async def set_first_password(req: FirstPassword):
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Could not validate token",
|
||||
)
|
||||
payload = verify_one_time_token(req.token)
|
||||
action: str = payload.get("sub")
|
||||
if action != "set password":
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="wrong type of token.",
|
||||
)
|
||||
username: str = payload.get("username")
|
||||
with Session(engine) as session:
|
||||
token_in_db = session.exec(
|
||||
select(TokenDB)
|
||||
.where(TokenDB.token == req.token)
|
||||
.where(TokenDB.used == False)
|
||||
).one_or_none()
|
||||
if token_in_db:
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Could not validate token",
|
||||
)
|
||||
try:
|
||||
payload = jwt.decode(req.token, config.secret_key, algorithms=["HS256"])
|
||||
username: str = payload.get("sub")
|
||||
if username is None:
|
||||
raise credentials_exception
|
||||
except ExpiredSignatureError:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Access token expired",
|
||||
)
|
||||
except (InvalidTokenError, ValidationError):
|
||||
raise credentials_exception
|
||||
|
||||
user = get_user(username)
|
||||
if user:
|
||||
user.hashed_password = get_password_hash(req.password)
|
||||
session.add(user)
|
||||
token_in_db.used = True
|
||||
session.add(token_in_db)
|
||||
session.commit()
|
||||
return Response(
|
||||
"Password set successfully", status_code=status.HTTP_200_OK
|
||||
)
|
||||
elif session.exec(
|
||||
select(TokenDB)
|
||||
.where(TokenDB.token == req.token)
|
||||
.where(TokenDB.used == True)
|
||||
).one_or_none():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Token already used",
|
||||
)
|
||||
else:
|
||||
raise credentials_exception
|
||||
user = get_user(username)
|
||||
if user:
|
||||
user.hashed_password = get_password_hash(req.password)
|
||||
session.add(user)
|
||||
session.commit()
|
||||
invalidate_one_time_token(req.token)
|
||||
return Response("password set successfully", status_code=status.HTTP_200_OK)
|
||||
|
||||
|
||||
class ChangedPassword(BaseModel):
|
||||
@@ -295,17 +319,73 @@ async def change_password(
|
||||
session.add(user)
|
||||
session.commit()
|
||||
return PlainTextResponse(
|
||||
"Password changed successfully",
|
||||
"password changed successfully",
|
||||
status_code=status.HTTP_200_OK,
|
||||
media_type="text/plain",
|
||||
)
|
||||
else:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="Wrong password",
|
||||
detail="wrong password",
|
||||
)
|
||||
|
||||
|
||||
class RegisterRequest(BaseModel):
|
||||
token: str
|
||||
team_id: int
|
||||
display_name: str
|
||||
username: str
|
||||
password: str
|
||||
email: str | None
|
||||
number: str | None
|
||||
|
||||
|
||||
async def register(req: RegisterRequest):
|
||||
payload = verify_one_time_token(req.token)
|
||||
action: str = payload.get("sub")
|
||||
if action != "register":
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="wrong type of token.",
|
||||
)
|
||||
team_id: int = payload.get("team_id")
|
||||
if team_id != req.team_id:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="wrong team",
|
||||
)
|
||||
with Session(engine) as session:
|
||||
if session.exec(select(P).where(P.username == req.username)).one_or_none():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="username exists",
|
||||
)
|
||||
stmt = (
|
||||
select(P)
|
||||
.join(PlayerTeamLink)
|
||||
.join(Team)
|
||||
.where(Team.id == team_id, P.display_name == req.display_name)
|
||||
)
|
||||
if session.exec(stmt).one_or_none():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="the name is already taken on this team",
|
||||
)
|
||||
team = session.exec(select(Team).where(Team.id == team_id)).one()
|
||||
new_player = Player(
|
||||
username=req.username,
|
||||
display_name=req.display_name,
|
||||
email=req.email if req.email else None,
|
||||
number=req.number,
|
||||
disabled=False,
|
||||
teams=[team],
|
||||
)
|
||||
session.add(new_player)
|
||||
session.commit()
|
||||
invalidate_one_time_token(req.token)
|
||||
return PlainTextResponse(f"added {new_player.display_name}")
|
||||
|
||||
|
||||
async def read_player_me(
|
||||
current_user: Annotated[Player, Depends(get_current_active_user)],
|
||||
):
|
||||
|
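Review bot: `register` accepts `req.password` but never uses it: the `Player(...)` call passes username, display_name, email, number, disabled and teams, and no password hash, so the submitted password is discarded and the account is stored with whatever `Player.hashed_password` defaults to (the model is not visible here). Adding `hashed_password=get_password_hash(req.password),` to that call would match what `set_first_password` does before it commits. Separately, the token is checked in `verify_one_time_token` and only marked used by `invalidate_one_time_token` after the player has been committed, each in its own `Session`, so two concurrent requests carrying the same token may both pass the check. Marking the `TokenDB` row used in the same transaction as the insert would close that window. A short docstring on `register` stating that the token is single-use and bound to `team_id` would also help the next reader.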