Move login code over to User object.
parent
e8e4a3dbc0
commit
de2bf6a81a
3 changed files with 20 additions and 25 deletions
|
@ -1947,6 +1947,16 @@ class User(ObjectBase):
|
|||
def _uncache(self):
|
||||
self.photodb.caches[User].remove(self.id)
|
||||
|
||||
@decorators.required_feature('user.login')
|
||||
def check_password(self, password):
|
||||
if not isinstance(password, bytes):
|
||||
password = password.encode('utf-8')
|
||||
|
||||
success = bcrypt.checkpw(password, self.password_hash)
|
||||
if not success:
|
||||
raise exceptions.WrongLogin()
|
||||
return success
|
||||
|
||||
@decorators.required_feature('user.edit')
|
||||
@worms.atomic
|
||||
def delete(self, *, disown_authored_things) -> None:
|
||||
|
|
|
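Review bot: check_password only ever returns on the success branch, so `return success` always yields True and the variable name overstates what the caller learns; `return True` (or no return at all, letting the exception be the contract) reads more honestly, and a docstring such as `'''Raise WrongLogin unless `password` matches this user's bcrypt hash.'''` would state that contract where the moved-in login docstring was lost. If password_hash can be unset for some accounts (not visible here), bcrypt.checkpw raises ValueError on a non-bcrypt value rather than WrongLogin, so callers expecting only WrongLogin would see a 500-class failure; a guard like `if not self.password_hash: raise exceptions.WrongLogin()` before the checkpw call would keep the failure mode uniform, if that case exists. The enclosing User class starts well before this hunk.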
@ -1117,25 +1117,6 @@ class PDBUserMixin:
|
|||
def get_users_by_sql(self, query, bindings=None) -> typing.Iterable[objects.User]:
|
||||
return self.get_objects_by_sql(objects.User, query, bindings)
|
||||
|
||||
@decorators.required_feature('user.login')
|
||||
def login(self, username=None, id=None, *, password) -> objects.User:
|
||||
'''
|
||||
Return the User object for the user if the credentials are correct.
|
||||
'''
|
||||
try:
|
||||
user = self.get_user(username=username, id=id)
|
||||
except exceptions.NoSuchUser:
|
||||
raise exceptions.WrongLogin()
|
||||
|
||||
if not isinstance(password, bytes):
|
||||
password = password.encode('utf-8')
|
||||
|
||||
success = bcrypt.checkpw(password, user.password_hash)
|
||||
if not success:
|
||||
raise exceptions.WrongLogin()
|
||||
|
||||
return user
|
||||
|
||||
@decorators.required_feature('user.new')
|
||||
@worms.atomic
|
||||
def new_user(self, username, password, *, display_name=None) -> objects.User:
|
||||
|
|
|
@ -77,18 +77,22 @@ def post_login():
|
|||
username = request.form['username']
|
||||
password = request.form['password']
|
||||
try:
|
||||
# Consideration: Should the server hash the password to discourage
|
||||
# information (user exists) leak via response time?
|
||||
# Currently I think not, because they can check if the account
|
||||
# page 404s anyway.
|
||||
user = common.P.login(username=username, password=password)
|
||||
except (etiquette.exceptions.NoSuchUser, etiquette.exceptions.WrongLogin):
|
||||
user = common.P_user(username, 'json')
|
||||
except (etiquette.exceptions.NoSuchUser):
|
||||
exc = etiquette.exceptions.WrongLogin()
|
||||
response = exc.jsonify()
|
||||
return flasktools.json_response(response, status=404)
|
||||
|
||||
try:
|
||||
user.check_password(password)
|
||||
except (etiquette.exceptions.WrongLogin):
|
||||
exc = etiquette.exceptions.WrongLogin()
|
||||
response = exc.jsonify()
|
||||
return flasktools.json_response(response, status=422)
|
||||
except etiquette.exceptions.FeatureDisabled as exc:
|
||||
response = exc.jsonify()
|
||||
return flasktools.json_response(response, status=400)
|
||||
|
||||
session = sessions.Session(request, user)
|
||||
session_manager.add(session)
|
||||
return flasktools.json_response({})
|
||||
|
|
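Review bot: The WrongLogin handler in the second try block discards the caught exception and builds a fresh one, unlike the FeatureDisabled branch two lines below which binds it with `as exc`; writing `except etiquette.exceptions.WrongLogin as exc:` and dropping the `exc = ...` line makes the two handlers parallel and one line shorter. Separately, this change moves from a single 422 for both unknown user and wrong password to a 404 for unknown user and a 422 for wrong password, so the response status itself now tells a caller whether a username exists; the deleted comment recorded that this was judged acceptable because the account page 404s anyway, and carrying that reasoning forward as a comment above the first try (e.g. `# 404 here deliberately discloses username existence; the account page does too.`) keeps the decision visible to the next reviewer. post_login begins before this hunk.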