Merge pull request #248 from makeplane/fix/password_empty

fix: update empty passwords to hashed string and add hashing for magic sign in
pablohashescobar 2023-02-08 01:46:13 +05:30 committed by GitHub
commit 5785ab9e96
2 changed files with 31 additions and 15 deletions


@ -1,11 +1,13 @@
# All the python scripts that are used for back migrations # All the python scripts that are used for back migrations
import uuid
from plane.db.models import ProjectIdentifier from plane.db.models import ProjectIdentifier
from plane.db.models import Issue, IssueComment from plane.db.models import Issue, IssueComment, User
from django.contrib.auth.hashers import make_password
# Update description and description html values for old descriptions # Update description and description html values for old descriptions
def update_description(): def update_description():
try: try:
issues = Issue.objects.all() issues = Issue.objects.all()
updated_issues = [] updated_issues = []
@ -25,7 +27,6 @@ def update_description():
def update_comments(): def update_comments():
try: try:
issue_comments = IssueComment.objects.all() issue_comments = IssueComment.objects.all()
updated_issue_comments = [] updated_issue_comments = []
@ -44,9 +45,11 @@ def update_comments():
def update_project_identifiers(): def update_project_identifiers():
try: try:
project_identifiers = ProjectIdentifier.objects.filter(workspace_id=None).select_related("project", "project__workspace") project_identifiers = ProjectIdentifier.objects.filter(
workspace_id=None
).select_related("project", "project__workspace")
updated_identifiers = [] updated_identifiers = []
for identifier in project_identifiers: for identifier in project_identifiers:
identifier.workspace_id = identifier.project.workspace_id identifier.workspace_id = identifier.project.workspace_id
updated_identifiers.append(identifier) updated_identifiers.append(identifier)
@ -58,3 +61,21 @@ def update_project_identifiers():
except Exception as e: except Exception as e:
print(e) print(e)
print("Failed") print("Failed")
def update_user_empty_password():
try:
users = User.objects.filter(password="")
updated_users = []
for user in users:
user.password = make_password(uuid.uuid4().hex)
user.is_password_autoset = True
updated_users.append(user)
User.objects.bulk_update(updated_users, ["password"], batch_size=50)
print("Success")
except Exception as e:
print(e)
print("Failed")
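Review bot: The `user.is_password_autoset = True` assignment in `update_user_empty_password` is never persisted, because the `bulk_update` call a few lines below names only the `password` field; the flag should be included, `User.objects.bulk_update(updated_users, ["password", "is_password_autoset"], batch_size=50)`. Without it, accounts whose empty password was replaced by a random hash are stored exactly like accounts with a user-chosen password, which presumably defeats the purpose of setting the flag in the same loop (the `create()` call in the other file of this commit does write both fields). The `password=""` filter also only catches the empty-string case; if the table holds other unusable-password values they are left untouched, which I cannot confirm from this hunk. Note that the `except Exception` branch prints and swallows the error like the sibling functions in this script, so a failed batch still returns normally and should be checked by its output when run as a migration step.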


@ -9,6 +9,7 @@ from django.utils import timezone
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError
from django.core.validators import validate_email from django.core.validators import validate_email
from django.conf import settings from django.conf import settings
from django.contrib.auth.hashers import make_password
# Third party imports # Third party imports
from rest_framework.response import Response from rest_framework.response import Response
@ -35,12 +36,10 @@ def get_tokens_for_user(user):
class SignUpEndpoint(BaseAPIView): class SignUpEndpoint(BaseAPIView):
permission_classes = (AllowAny,) permission_classes = (AllowAny,)
def post(self, request): def post(self, request):
try: try:
email = request.data.get("email", False) email = request.data.get("email", False)
password = request.data.get("password", False) password = request.data.get("password", False)
@ -216,14 +215,12 @@ class SignOutEndpoint(BaseAPIView):
class MagicSignInGenerateEndpoint(BaseAPIView): class MagicSignInGenerateEndpoint(BaseAPIView):
permission_classes = [ permission_classes = [
AllowAny, AllowAny,
] ]
def post(self, request): def post(self, request):
try: try:
email = request.data.get("email", False) email = request.data.get("email", False)
if not email: if not email:
@ -269,7 +266,6 @@ class MagicSignInGenerateEndpoint(BaseAPIView):
ri.set(key, json.dumps(value), ex=expiry) ri.set(key, json.dumps(value), ex=expiry)
else: else:
value = {"current_attempt": 0, "email": email, "token": token} value = {"current_attempt": 0, "email": email, "token": token}
expiry = 600 expiry = 600
@ -293,14 +289,12 @@ class MagicSignInGenerateEndpoint(BaseAPIView):
class MagicSignInEndpoint(BaseAPIView): class MagicSignInEndpoint(BaseAPIView):
permission_classes = [ permission_classes = [
AllowAny, AllowAny,
] ]
def post(self, request): def post(self, request):
try: try:
user_token = request.data.get("token", "").strip().lower() user_token = request.data.get("token", "").strip().lower()
key = request.data.get("key", False) key = request.data.get("key", False)
@ -313,19 +307,20 @@ class MagicSignInEndpoint(BaseAPIView):
ri = redis_instance() ri = redis_instance()
if ri.exists(key): if ri.exists(key):
data = json.loads(ri.get(key)) data = json.loads(ri.get(key))
token = data["token"] token = data["token"]
email = data["email"] email = data["email"]
if str(token) == str(user_token): if str(token) == str(user_token):
if User.objects.filter(email=email).exists(): if User.objects.filter(email=email).exists():
user = User.objects.get(email=email) user = User.objects.get(email=email)
else: else:
user = User.objects.create( user = User.objects.create(
email=email, username=uuid.uuid4().hex email=email,
username=uuid.uuid4().hex,
password=make_password(uuid.uuid4().hex),
is_password_autoset=True,
) )
user.last_active = timezone.now() user.last_active = timezone.now()