dev: add password and authentication validation

2023-12-01 13:16:03 +05:30 · 2023-12-01 13:16:03 +05:30 · f3d739ece3
commit f3d739ece3
parent fe733e6551
3 changed files with 21 additions and 18 deletions
--- a/apiserver/plane/app/serializers/user.py
+++ b/apiserver/plane/app/serializers/user.py
@ -169,8 +169,8 @@ class ChangePasswordSerializer(serializers.Serializer):
    Serializer for password change endpoint.
    """
    old_password = serializers.CharField(required=True)
-    new_password = serializers.CharField(required=True)
-    confirm_password = serializers.CharField(required=True)
+    new_password = serializers.CharField(required=True, min_length=8)
+    confirm_password = serializers.CharField(required=True, min_length=8)

    def validate(self, data):
        if data.get("old_password") == data.get("new_password"):
@ -187,9 +187,7 @@ class ChangePasswordSerializer(serializers.Serializer):


 class ResetPasswordSerializer(serializers.Serializer):
-    model = User
-
    """
    Serializer for password change endpoint.
    """
-    new_password = serializers.CharField(required=True)
+    new_password = serializers.CharField(required=True, min_length=8)
--- a/apiserver/plane/app/views/auth_extended.py
+++ b/apiserver/plane/app/views/auth_extended.py
@ -105,17 +105,21 @@ class ForgotPasswordEndpoint(BaseAPIView):
    def post(self, request):
        email = request.data.get("email")

-        if User.objects.filter(email=email).exists():
-            user = User.objects.get(email=email)
-            uidb64 = urlsafe_base64_encode(smart_bytes(user.id))
-            token = PasswordResetTokenGenerator().make_token(user)
+        try:
+            validate_email(email)
+        except ValidationError:
+            return Response({"error": "Please enter a valid email"}, status=status.HTTP_400_BAD_REQUEST)

+        # Get the user
+        user = User.objects.filter(email=email).first()
+        if user:
+            # Get the reset token for user
+            uidb64, token = get_tokens_for_user(user=user)
            current_site = request.META.get("HTTP_ORIGIN")
-
+            # send the forgot password email
            forgot_password.delay(
                user.first_name, user.email, uidb64, token, current_site
            )
-
            return Response(
                {"message": "Check your email to reset your password"},
                status=status.HTTP_200_OK,
@ -130,14 +134,18 @@ class ResetPasswordEndpoint(BaseAPIView):

    def post(self, request, uidb64, token):
        try:
+            # Decode the id from the uidb64
            id = smart_str(urlsafe_base64_decode(uidb64))
            user = User.objects.get(id=id)
+
+            # check if the token is valid for the user
            if not PasswordResetTokenGenerator().check_token(user, token):
                return Response(
                    {"error": "Token is invalid"},
                    status=status.HTTP_401_UNAUTHORIZED,
                )

+            # Reset the password
            serializer = ResetPasswordSerializer(data=request.data)
            if serializer.is_valid():
                # set_password also hashes the password that the user will get
@ -145,9 +153,9 @@ class ResetPasswordEndpoint(BaseAPIView):
                user.is_password_autoset = False
                user.save()

+                # Log the user in
                # Generate access token for the user
                access_token, refresh_token = get_tokens_for_user(user)
-
                data = {
                    "access_token": access_token,
                    "refresh_token": refresh_token,
@ -166,7 +174,6 @@ class ResetPasswordEndpoint(BaseAPIView):
 class ChangePasswordEndpoint(BaseAPIView):
    def post(self, request):
        serializer = ChangePasswordSerializer(data=request.data)
-
        user = User.objects.get(pk=request.user.id)
        if serializer.is_valid():
            if not user.check_password(serializer.data.get("old_password")):
@ -218,16 +225,15 @@ class EmailCheckEndpoint(BaseAPIView):
    ]

    def post(self, request):
-        # get the email
-
        # Check the instance registration
        instance = Instance.objects.first()
-        if instance is None:
+        if instance is None or not instance.is_setup_done:
            return Response(
                {"error": "Instance is not configured"},
                status=status.HTTP_400_BAD_REQUEST,
            )

+        # Get the configurations
        instance_configuration = InstanceConfiguration.objects.values("key", "value")

        email = request.data.get("email", False)
@ -267,7 +273,7 @@ class EmailCheckEndpoint(BaseAPIView):
                    status=status.HTTP_400_BAD_REQUEST,
                )

-
+            # Create the user with default values
            user = User.objects.create(
                email=email,
                username=uuid.uuid4().hex,
--- a/apiserver/plane/app/views/authentication.py
+++ b/apiserver/plane/app/views/authentication.py
@ -16,7 +16,6 @@ from rest_framework.response import Response
 from rest_framework.permissions import AllowAny
 from rest_framework import status
 from rest_framework_simplejwt.tokens import RefreshToken
-
 from sentry_sdk import capture_message

 # Module imports