registration: Expire password requests after 30 minutes

Need to amend email to make this clear
2023-01-03 18:00:41 -05:00 · 2023-01-03 18:00:41 -05:00 · e49e329f68
commit e49e329f68
parent 60953074e7
3 changed files with 43 additions and 3 deletions
--- a/goathacks/models.py
+++ b/goathacks/models.py
@ -1,6 +1,6 @@
 from flask import flash, redirect, url_for
 from flask_login import UserMixin
-from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Integer, String
+from sqlalchemy import Boolean, Column, Date, DateTime, ForeignKey, Integer, String
 from . import db
 from . import login

@ -55,3 +55,4 @@ def unauth():
 class PwResetRequest(db.Model):
    id = Column(String, primary_key=True)
    user_id = Column(Integer, ForeignKey('user.id'), nullable=False)
+    expires = Column(DateTime, nullable=False)
--- a/goathacks/registration/init.py
+++ b/goathacks/registration/init.py
@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, timedelta
 from flask import Blueprint, abort, config, current_app, flash, redirect, render_template, request, url_for
 import flask_login
 from flask_login import current_user
@ -112,7 +112,8 @@ def reset():
        else:
            r = PwResetRequest(
                    id=str(ulid.ulid()),
-                    user_id=user.id
+                    user_id=user.id,
+                    expires=datetime.now() + timedelta(minutes=30)
                    )
            db.session.add(r)
            db.session.commit()
@ -136,6 +137,12 @@ def do_reset(id):
        flash("Invalid request")
        return redirect(url_for("registration.login"))

+    if req.expires < datetime.now():
+        db.session.delete(req)
+        db.session.commit()
+        flash("Invalid request")
+        return redirect(url_for("registration.login"))
+
    if request.method == "POST":
        password = request.form.get("password")
        password_c = request.form.get("password_confirm")
--- a/migrations/versions/261c004968a4_.py
+++ b/migrations/versions/261c004968a4_.py
@ -0,0 +1,32 @@
+"""empty message
+
+Revision ID: 261c004968a4
+Revises: 8a0c9c00f04c
+Create Date: 2023-01-03 17:58:35.801660
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '261c004968a4'
+down_revision = '8a0c9c00f04c'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('pw_reset_request', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('expires', sa.DateTime(), nullable=False))
+
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('pw_reset_request', schema=None) as batch_op:
+        batch_op.drop_column('expires')
+
+    # ### end Alembic commands ###