From 343718cd2a1c2f1990a89b4919fda9c340d0f85a Mon Sep 17 00:00:00 2001
From: pablohashescobar
Date: Wed, 8 Feb 2023 00:45:56 +0530
Subject: [PATCH] fix: update empty passwords to hashed string and add hashing for magic sign in

---
 apiserver/back_migration.py                 | 32 +++++++++++++++++----
 apiserver/plane/api/views/authentication.py | 15 ++++------
 2 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/apiserver/back_migration.py b/apiserver/back_migration.py
index 57ded0ba4..3703ef5f7 100644
--- a/apiserver/back_migration.py
+++ b/apiserver/back_migration.py
@@ -1,11 +1,13 @@
 # All the python scripts that are used for back migrations
+import uuid
 from plane.db.models import ProjectIdentifier
-from plane.db.models import Issue, IssueComment
+from plane.db.models import Issue, IssueComment, User
+from django.contrib.auth.hashers import make_password
+
 # Update description and description html values for old descriptions
 def update_description():
     try:
-
         issues = Issue.objects.all()
         updated_issues = []
@@ -25,7 +27,6 @@ def update_description():
 def update_comments():
     try:
-
         issue_comments = IssueComment.objects.all()
         updated_issue_comments = []
@@ -44,9 +45,11 @@ def update_comments():
 def update_project_identifiers():
     try:
-        project_identifiers = ProjectIdentifier.objects.filter(workspace_id=None).select_related("project", "project__workspace")
+        project_identifiers = ProjectIdentifier.objects.filter(
+            workspace_id=None
+        ).select_related("project", "project__workspace")
         updated_identifiers = []
-
+
         for identifier in project_identifiers:
             identifier.workspace_id = identifier.project.workspace_id
             updated_identifiers.append(identifier)
@@ -58,3 +61,22 @@ def update_project_identifiers():
     except Exception as e:
         print(e)
         print("Failed")
+
+
+def update_user_empty_password():
+    try:
+        users = User.objects.filter(password="")
+        updated_users = []
+        print(users)
+
+        for user in users:
+            user.password = make_password(uuid.uuid4().hex)
+            user.is_password_autoset = True
+            updated_users.append(user)
+
+        User.objects.bulk_update(updated_users, ["password"], batch_size=50)
+        print("Success")
+
+    except Exception as e:
+        print(e)
+        print("Failed")
diff --git a/apiserver/plane/api/views/authentication.py b/apiserver/plane/api/views/authentication.py
index c77bdd160..ac218837d 100644
--- a/apiserver/plane/api/views/authentication.py
+++ b/apiserver/plane/api/views/authentication.py
@@ -9,6 +9,7 @@ from django.utils import timezone
 from django.core.exceptions import ValidationError
 from django.core.validators import validate_email
 from django.conf import settings
+from django.contrib.auth.hashers import make_password
 # Third party imports
 from rest_framework.response import Response
@@ -35,12 +36,10 @@ def get_tokens_for_user(user):
 class SignUpEndpoint(BaseAPIView):
-
     permission_classes = (AllowAny,)
     def post(self, request):
         try:
-
             email = request.data.get("email", False)
             password = request.data.get("password", False)
@@ -216,14 +215,12 @@ class SignOutEndpoint(BaseAPIView):
 class MagicSignInGenerateEndpoint(BaseAPIView):
-
     permission_classes = [
         AllowAny,
     ]
     def post(self, request):
         try:
-
             email = request.data.get("email", False)
             if not email:
@@ -269,7 +266,6 @@ class MagicSignInGenerateEndpoint(BaseAPIView):
                 ri.set(key, json.dumps(value), ex=expiry)
             else:
-
                 value = {"current_attempt": 0, "email": email, "token": token}
                 expiry = 600
@@ -293,14 +289,12 @@ class MagicSignInGenerateEndpoint(BaseAPIView):
 class MagicSignInEndpoint(BaseAPIView):
-
     permission_classes = [
         AllowAny,
     ]
     def post(self, request):
         try:
-
             user_token = request.data.get("token", "").strip().lower()
             key = request.data.get("key", False)
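Review bot: `User.objects.bulk_update(updated_users, ["password"], batch_size=50)` writes only the `password` column, so the `user.is_password_autoset = True` assigned two lines earlier is never persisted and migrated accounts keep whatever value that flag already had; the fields list should be `["password", "is_password_autoset"]`. `print(users)` evaluates the queryset and dumps every matching user row to stdout of a credential-touching migration, where `print(users.count())` would give the same operational signal without echoing account data. Django's idiom for "this account has no password" is `user.set_unusable_password()` (an `!`-prefixed hash that `check_password` always rejects and `has_usable_password()` reports as unusable); hashing a throwaway `uuid.uuid4().hex` is not guessable, but it makes these accounts indistinguishable from ones with a real password at the hasher level. The `except Exception as e: print(e)` path drops the traceback entirely; for a one-off migration at least `traceback.print_exc()` (or re-raising after the print) would make a partial failure diagnosable.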
@@ -313,19 +307,20 @@ class MagicSignInEndpoint(BaseAPIView):
             ri = redis_instance()
             if ri.exists(key):
-
                 data = json.loads(ri.get(key))
                 token = data["token"]
                 email = data["email"]
                 if str(token) == str(user_token):
-
                     if User.objects.filter(email=email).exists():
                         user = User.objects.get(email=email)
                     else:
                         user = User.objects.create(
-                            email=email, username=uuid.uuid4().hex
+                            email=email,
+                            username=uuid.uuid4().hex,
+                            password=make_password(uuid.uuid4().hex),
+                            is_password_autoset=True,
                         )
                     user.last_active = timezone.now()
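Review bot: The new `password=make_password(uuid.uuid4().hex)` keyword on `User.objects.create(` stores the hash of a random secret that nobody holds, which does close the empty-password hole, but Django's idiom for an account that must not authenticate by password is `make_password(None)` (equivalently `user.set_unusable_password()` after creation), which produces an `!`-prefixed value that `check_password` always rejects and that `has_usable_password()` reports correctly, so the hasher itself distinguishes these accounts rather than only the `is_password_autoset` flag. The `filter(email=email).exists()` / `create(...)` pair around the changed lines is not atomic, so two concurrent requests presenting the same valid token could both take the `else:` branch and race on account creation; since the create call is being rewritten anyway, `User.objects.get_or_create(email=email, defaults={...})` with the same kwargs would close that. The token check `str(token) == str(user_token)` is unchanged context, but a constant-time `hmac.compare_digest(str(token), str(user_token))` is the usual choice for comparing a secret. The enclosing `post` method starts before this hunk and continues past it.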