Update the password input field in UI tests and the profile page, and edit the back-end logic for profile page form submission

This commit is contained in:
Théophile Diot 2024-01-05 09:33:35 +00:00
parent 748a56811f
commit d3ba9720cc
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
3 changed files with 61 additions and 68 deletions


@ -158,7 +158,7 @@ if USER:
stop(1)
app.logger.info("The admin user was updated successfully")
else:
app.logger.error("The admin user wasn't created manually. You can't change it from the environment variables.")
app.logger.warning("The admin user wasn't created manually. You can't change it from the environment variables.")
elif getenv("ADMIN_USERNAME") and getenv("ADMIN_PASSWORD"):
if not getenv("FLASK_DEBUG", False):
if len(getenv("ADMIN_USERNAME", "admin")) > 256:
@ -543,91 +543,81 @@ def profile():
if not request.form:
flash("Missing form data.", "error")
return redirect(url_for("profile"))
elif "operation" not in request.form:
flash("Missing operation parameter.", "error")
return redirect(url_for("profile"))
error = False
if "curr_password" not in request.form or not current_user.check_password(request.form["curr_password"]):
flash(f"The current password is incorrect. ({request.form['operation']})", "error")
return redirect(url_for("profile"))
if "curr_password" in request.form:
if not current_user.check_password(request.form["curr_password"]):
flash("The current password is incorrect.", "error")
error = True
username = current_user.get_id()
password = request.form["curr_password"]
is_two_factor_enabled = current_user.is_two_factor_enabled
secret_token = current_user.secret_token
if request.form.get("admin_username") and len(request.form["admin_username"]) > 256:
flash("The admin username is too long. It must be less than 256 characters.", "error")
error = True
if request.form.get("admin_password"):
if not request.form.get("admin_password_check"):
flash("Missing admin_password_check parameter.", "error")
error = True
elif request.form["admin_password"] != request.form["admin_password_check"]:
flash("The passwords do not match.", "error")
error = True
elif not USER_PASSWORD_RX.match(request.form["admin_password"]):
flash("The admin password is not strong enough. It must contain at least 8 characters, including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character (#@?!$%^&*-).", "error")
error = True
elif request.form.get("admin_password_check"):
flash("Missing admin_password parameter.", "error")
error = True
if not error and not any(request.form.get(key) for key in ("admin_username", "admin_password")):
flash("Nothing to update.")
error = True
if error:
if request.form["operation"] == "username":
if "admin_username" not in request.form:
flash("Missing admin_username parameter. (username)", "error")
return redirect(url_for("profile"))
elif len(request.form["admin_username"]) > 256:
flash("The admin username is too long. It must be less than 256 characters. (username)", "error")
return redirect(url_for("profile"))
user = User(
request.form.get("admin_username") or current_user.get_id(),
request.form.get("admin_password") or request.form["curr_password"],
is_two_factor_enabled=current_user.is_two_factor_enabled,
secret_token=current_user.secret_token,
method=current_user.method,
)
username = request.form["admin_username"]
session.clear()
logout_user()
elif "totp_password" in request.form:
if "totp_token" not in request.form:
flash("Missing totp_token parameter.", "error")
elif request.form["operation"] == "password":
if "admin_password" not in request.form:
flash("Missing admin_password parameter. (password)", "error")
return redirect(url_for("profile"))
elif request.form.get("admin_password"):
if not request.form.get("admin_password_check"):
flash("Missing admin_password_check parameter. (password)", "error")
return redirect(url_for("profile"))
elif request.form["admin_password"] != request.form["admin_password_check"]:
flash("The passwords does not match. (password)", "error")
return redirect(url_for("profile"))
elif not USER_PASSWORD_RX.match(request.form["admin_password"]):
flash("The admin password is not strong enough. It must contain at least 8 characters, including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character (#@?!$%^&*-). (password)", "error")
return redirect(url_for("profile"))
elif request.form.get("admin_password_check"):
flash("Missing admin_password parameter. (password)", "error")
return redirect(url_for("profile"))
if not current_user.check_password(request.form.get("totp_password", "")):
flash("The current password is incorrect.", "error")
error = True
password = request.form["admin_password"]
if not current_user.check_otp(request.form["totp_token"], secret=app.config["CURRENT_TOTP_TOKEN"]):
flash("The token is invalid.", "error")
error = True
if error:
session.clear()
logout_user()
elif request.form["operation"] == "totp":
if "totp_token" not in request.form:
flash("Missing totp_token parameter. (totp)", "error")
return redirect(url_for("profile"))
elif not current_user.check_otp(request.form["totp_token"], secret=app.config["CURRENT_TOTP_TOKEN"]):
flash("The totp token is invalid. (totp)", "error")
return redirect(url_for("profile"))
session["totp_validated"] = not current_user.is_two_factor_enabled
user = User(
current_user.get_id(),
request.form["totp_password"],
is_two_factor_enabled=session["totp_validated"],
secret_token=None if current_user.is_two_factor_enabled else app.config["CURRENT_TOTP_TOKEN"],
method=current_user.method,
)
is_two_factor_enabled = session["totp_validated"]
secret_token = None if current_user.is_two_factor_enabled else app.config["CURRENT_TOTP_TOKEN"]
app.config["CURRENT_TOTP_TOKEN"] = None
else:
flash("Missing form data.", "error")
flash("Invalid operation parameter.", "error")
return redirect(url_for("profile"))
ret = db.update_ui_user(
user.get_id(),
user.password_hash,
user.is_two_factor_enabled,
user.secret_token if user.is_two_factor_enabled else None,
)
user = User(username, password, is_two_factor_enabled=is_two_factor_enabled, secret_token=secret_token, method=current_user.method)
ret = db.update_ui_user(username, user.password_hash, is_two_factor_enabled, secret_token, current_user.method if request.form["operation"] == "totp" else "ui")
if ret:
app.logger.error(f"Couldn't update the admin user in the database: {ret}")
flash(f"Couldn't update the admin user in the database: {ret}", "error")
return redirect(url_for("profile"))
return redirect(url_for("profile"))
flash(
f"The {request.form['operation']} has been successfully updated." if request.form["operation"] != "totp" else f"The two-factor authentication was successfully {'disabled' if current_user.is_two_factor_enabled else 'enabled'}.",
)
return redirect(url_for("profile" if request.form["operation"] == "totp" else "login"))
secret_token = ""
totp_qr_image = ""
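Review bot: In the new `password` branch an `admin_password` that is present but empty slips through validation: the first test only checks key presence (`if "admin_password" not in request.form`), the `elif request.form.get("admin_password")` block is skipped for an empty value, and when `admin_password_check` is also empty no branch fires, so `password = request.form["admin_password"]` is set to `""` and `db.update_ui_user` persists the hash of an empty password — the `required` attribute added in the template is client-side only. Changing the first test to `if not request.form.get("admin_password"):` closes that gap (the trailing `elif request.form.get("admin_password_check")` then becomes unreachable and can go). Separately, the username and password branches call `session.clear()` and `logout_user()` before `User(...)` is built with `method=current_user.method` after the branches; with flask-login `current_user` resolves to the anonymous user once `logout_user()` has run, so that read likely fails unless the app installs an anonymous-user class that provides `method` — capturing `method = current_user.method` next to the other snapshot variables before the branches avoids the question. `profile()` begins outside the hunk.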


@ -203,6 +203,7 @@ url_for(request.endpoint)[1:].split("/")[-1].strip() %}
pattern="(.*?)"
maxlength="256"
value="{{ username }}"
required
/>
</div>
<!-- end username inpt-->
@ -370,6 +371,7 @@ url_for(request.endpoint)[1:].split("/")[-1].strip() %}
value=""
pattern="^(?=.*?\d)(?=.*?[ !\u0022#$%&'\(\)*+,.\/:;<=>?@\[\\\]^_`\u007B\u007C\u007D\u007E\u002D]).{8,}$"
minlength="8"
required
/>
<div
data-setting-password-container
@ -426,6 +428,7 @@ url_for(request.endpoint)[1:].split("/")[-1].strip() %}
value=""
pattern="^(?=.*?\d)(?=.*?[ !\u0022#$%&'\(\)*+,.\/:;<=>?@\[\\\]^_`\u007B\u007C\u007D\u007E\u002D]).{8,}$"
minlength="8"
required
/>
<div
data-setting-password-container
@ -602,11 +605,11 @@ url_for(request.endpoint)[1:].split("/")[-1].strip() %}
class="flex flex-col relative col-span-12 px-4 my-2 md:px-6 md:my-3 lg:px-6 lg:my-3 max-w-[400px] w-full"
>
<h5 class="input-title">Password</h5>
<label class="sr-only" for="totp_password">Password</label>
<label class="sr-only" for="curr_password">Password</label>
<input
type="password"
id="totp_password"
name="totp_password"
id="curr_password"
name="curr_password"
class="col-span-12 regular-input"
placeholder="enter password"
value=""


@ -1576,7 +1576,7 @@ location /hello {
totp_input = safe_get_element(driver, By.ID, "totp_token")
totp_input.send_keys(totp.now())
password_input = safe_get_element(driver, By.ID, "totp_password")
password_input = safe_get_element(driver, By.XPATH, "//form[@data-plugin-item='totp']//input[@id='curr_password']")
if password_input.get_attribute("value") != "":
print("The new password check is not empty, exiting ...", flush=True)
@ -1660,7 +1660,7 @@ location /hello {
totp_input = safe_get_element(driver, By.ID, "totp_token")
totp_input.send_keys(totp.now())
password_input = safe_get_element(driver, By.ID, "totp_password")
password_input = safe_get_element(driver, By.XPATH, "//form[@data-plugin-item='totp']//input[@id='curr_password']")
password_input.send_keys("P@ssw0rd")
access_page(