Move login code over to User object.

voussoir 2022-11-06 22:51:53 -08:00
parent e8e4a3dbc0
commit de2bf6a81a
No known key found for this signature in database
GPG key ID: 5F7554F8C26DACCB
3 changed files with 20 additions and 25 deletions


@ -1947,6 +1947,16 @@ class User(ObjectBase):
def _uncache(self): def _uncache(self):
self.photodb.caches[User].remove(self.id) self.photodb.caches[User].remove(self.id)
@decorators.required_feature('user.login')
def check_password(self, password):
if not isinstance(password, bytes):
password = password.encode('utf-8')
success = bcrypt.checkpw(password, self.password_hash)
if not success:
raise exceptions.WrongLogin()
return success
@decorators.required_feature('user.edit') @decorators.required_feature('user.edit')
@worms.atomic @worms.atomic
def delete(self, *, disown_authored_things) -> None: def delete(self, *, disown_authored_things) -> None:
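Review bot: `check_password` has no docstring, and its contract is easy to misread: it raises `exceptions.WrongLogin` on a mismatch and otherwise always returns `True`, so the return value carries no information on its own. A docstring such as `'''Return True if the password matches this user's hash; raise WrongLogin otherwise.'''` would stop callers from testing the result for `False`. It should also state that `password` must be `str` or `bytes`, because any other value (for example `None`) reaches `.encode('utf-8')` and fails with an AttributeError instead of `WrongLogin`.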


@ -1117,25 +1117,6 @@ class PDBUserMixin:
def get_users_by_sql(self, query, bindings=None) -> typing.Iterable[objects.User]: def get_users_by_sql(self, query, bindings=None) -> typing.Iterable[objects.User]:
return self.get_objects_by_sql(objects.User, query, bindings) return self.get_objects_by_sql(objects.User, query, bindings)
@decorators.required_feature('user.login')
def login(self, username=None, id=None, *, password) -> objects.User:
'''
Return the User object for the user if the credentials are correct.
'''
try:
user = self.get_user(username=username, id=id)
except exceptions.NoSuchUser:
raise exceptions.WrongLogin()
if not isinstance(password, bytes):
password = password.encode('utf-8')
success = bcrypt.checkpw(password, user.password_hash)
if not success:
raise exceptions.WrongLogin()
return user
@decorators.required_feature('user.new') @decorators.required_feature('user.new')
@worms.atomic @worms.atomic
def new_user(self, username, password, *, display_name=None) -> objects.User: def new_user(self, username, password, *, display_name=None) -> objects.User:


@ -77,18 +77,22 @@ def post_login():
username = request.form['username'] username = request.form['username']
password = request.form['password'] password = request.form['password']
try: try:
# Consideration: Should the server hash the password to discourage user = common.P_user(username, 'json')
# information (user exists) leak via response time? except (etiquette.exceptions.NoSuchUser):
# Currently I think not, because they can check if the account exc = etiquette.exceptions.WrongLogin()
# page 404s anyway. response = exc.jsonify()
user = common.P.login(username=username, password=password) return flasktools.json_response(response, status=404)
except (etiquette.exceptions.NoSuchUser, etiquette.exceptions.WrongLogin):
try:
user.check_password(password)
except (etiquette.exceptions.WrongLogin):
exc = etiquette.exceptions.WrongLogin() exc = etiquette.exceptions.WrongLogin()
response = exc.jsonify() response = exc.jsonify()
return flasktools.json_response(response, status=422) return flasktools.json_response(response, status=422)
except etiquette.exceptions.FeatureDisabled as exc: except etiquette.exceptions.FeatureDisabled as exc:
response = exc.jsonify() response = exc.jsonify()
return flasktools.json_response(response, status=400) return flasktools.json_response(response, status=400)
session = sessions.Session(request, user) session = sessions.Session(request, user)
session_manager.add(session) session_manager.add(session)
return flasktools.json_response({}) return flasktools.json_response({})
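Review bot: The new `NoSuchUser` branch answers with `status=404` while a failed `user.check_password(password)` answers with `status=422`, so the status code tells an unauthenticated client whether a username exists even though both bodies are `WrongLogin`. On the old side both exceptions were caught together and shared the 422 response. If the disclosure is accepted, the rationale from the comment this commit removes (the account page 404s anyway) should stay next to the 404 so the decision remains documented; otherwise the branch should end with `return flasktools.json_response(response, status=422)`. As a style point, the parentheses in `except (etiquette.exceptions.NoSuchUser):` and `except (etiquette.exceptions.WrongLogin):` are redundant for a single exception type. `post_login` begins above this hunk.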