From e49e329f688b82f0f010c5a4d5411a72d7173427 Mon Sep 17 00:00:00 2001
From: Cara Salter
Date: Tue, 3 Jan 2023 18:00:41 -0500
Subject: [PATCH] registration: Expire password requests after 30 minutes

Need to amend email to make this clear
---
 goathacks/models.py | 3 ++-
 goathacks/registration/__init__.py | 11 ++++++++--
 migrations/versions/261c004968a4_.py | 32 ++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 migrations/versions/261c004968a4_.py
diff --git a/goathacks/models.py b/goathacks/models.py
index 2eb9b50..03d206d 100644
--- a/goathacks/models.py
+++ b/goathacks/models.py
@@ -1,6 +1,6 @@
 from flask import flash, redirect, url_for
 from flask_login import UserMixin
-from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Integer, String
+from sqlalchemy import Boolean, Column, Date, DateTime, ForeignKey, Integer, String
 
 from . import db
 from . import login
@@ -55,3 +55,4 @@ def unauth():
 class PwResetRequest(db.Model):
 id = Column(String, primary_key=True)
 user_id = Column(Integer, ForeignKey('user.id'), nullable=False)
+ expires = Column(DateTime, nullable=False)
diff --git a/goathacks/registration/__init__.py b/goathacks/registration/__init__.py
index c48a04e..63b7888 100644
--- a/goathacks/registration/__init__.py
+++ b/goathacks/registration/__init__.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, timedelta
 from flask import Blueprint, abort, config, current_app, flash, redirect, render_template, request, url_for
 import flask_login
 from flask_login import current_user
@@ -112,7 +112,8 @@ def reset():
 else:
 r = PwResetRequest(
 id=str(ulid.ulid()),
- user_id=user.id
+ user_id=user.id,
+ expires=datetime.now() + timedelta(minutes=30)
 )
 db.session.add(r)
 db.session.commit()
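Review bot: The import hunk in goathacks/models.py adds `Date` alongside `DateTime`, but the only new column in this commit uses `DateTime`, so `Date` appears unused and will be flagged by the linter. Drop it unless a later change needs it: `from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Integer, String`.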
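Review bot: The new `expires` column on PwResetRequest is a naive `DateTime`, and both the writer in `reset()` (`datetime.now() + timedelta(minutes=30)`) and the reader in `do_reset()` compare against local wall-clock `datetime.now()`, so the 30-minute window is only correct as long as every app instance and the database agree on the local timezone; a DST shift or a second host in another zone silently lengthens or shortens the lifetime of a reset token. Store and compare in UTC: `expires = Column(DateTime(timezone=True), nullable=False)` here, with `datetime.now(timezone.utc)` on both sides in goathacks/registration/__init__.py (which needs `timezone` added to its `from datetime import ...` line). The same point applies to the `reset()` hunk in this file and the `do_reset()` hunk that follows. A one-line comment on the column, `# UTC; compared against the clock in registration.do_reset`, would document the contract.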
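Review bot: The token lifetime is a bare literal inside the constructor call in `reset()`, `timedelta(minutes=30)`, while the commit message says the same number must also appear in the email text, so the two are bound to drift apart. Hoist it to a module-level constant such as `PW_RESET_TTL = timedelta(minutes=30)` and use `expires=datetime.now() + PW_RESET_TTL` here, so the email template and this code share one source of truth. The body of `reset()` begins and ends outside this hunk.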
@@ -136,6 +137,12 @@ def do_reset(id):
 flash("Invalid request")
 return redirect(url_for("registration.login"))
 
+ if req.expires < datetime.now():
+ db.session.delete(req)
+ db.session.commit()
+ flash("Invalid request")
+ return redirect(url_for("registration.login"))
+
 if request.method == "POST":
 password = request.form.get("password")
 password_c = request.form.get("password_confirm")
diff --git a/migrations/versions/261c004968a4_.py b/migrations/versions/261c004968a4_.py
new file mode 100644
index 0000000..bfddb2b
--- /dev/null
+++ b/migrations/versions/261c004968a4_.py
@@ -0,0 +1,32 @@
+"""empty message
+
+Revision ID: 261c004968a4
+Revises: 8a0c9c00f04c
+Create Date: 2023-01-03 17:58:35.801660
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '261c004968a4'
+down_revision = '8a0c9c00f04c'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+ # ### commands auto generated by Alembic - please adjust! ###
+ with op.batch_alter_table('pw_reset_request', schema=None) as batch_op:
+ batch_op.add_column(sa.Column('expires', sa.DateTime(), nullable=False))
+
+ # ### end Alembic commands ###
+
+
+def downgrade():
+ # ### commands auto generated by Alembic - please adjust! ###
+ with op.batch_alter_table('pw_reset_request', schema=None) as batch_op:
+ batch_op.drop_column('expires')
+
+ # ### end Alembic commands ###
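Review bot: The expiry check in `do_reset()` only removes a stale request when its link is actually visited, so every reset request that is never opened stays in `pw_reset_request` indefinitely, and a request that is opened before its deadline stays there after use unless the POST branch deletes it. That branch continues outside this hunk, so I cannot tell whether it already does; if not, delete the row on successful reset so the link is single-use, and consider a periodic purge of rows with `expires` in the past. It is good that the expired and not-found branches return the identical flash and redirect, so the response does not reveal which case applied; a comment above the new `if`, `# Expired links get the same response as unknown ones on purpose`, would keep a future edit from diverging them.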
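Review bot: `upgrade()` adds `expires` as `nullable=False` with no `server_default`, so on any deployment where `pw_reset_request` already holds rows the migration fails: PostgreSQL rejects the ALTER outright, and SQLite batch mode copies the old rows into the rebuilt table and hits the NOT NULL constraint. Either give the column a default for the existing rows, `batch_op.add_column(sa.Column('expires', sa.DateTime(), nullable=False, server_default=sa.func.now()))`, which also makes every pre-existing reset link count as expired on its next visit, or run `op.execute("DELETE FROM pw_reset_request")` before the add_column, since old requests have no meaningful deadline. The module docstring still reads `"""empty message` and should state what the revision does, e.g. `"""Add expires column to pw_reset_request.`.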