diff --git a/sql/03-users_patch.sql b/sql/03-users_patch.sql new file mode 100644 index 0000000..e397ba3 --- /dev/null +++ b/sql/03-users_patch.sql @@ -0,0 +1,5 @@ +-- Apply this patch after using create_database.sql to extend the schema to support fallback passwords + +ALTER TABLE users +ADD COLUMN user_fallback_password VARCHAR(255) DEFAULT NULL +AFTER user_password; \ No newline at end of file diff --git a/src/ezgg_lan_manager/pages/ForgotPassword.py b/src/ezgg_lan_manager/pages/ForgotPassword.py index 9804a4a..b9b69bb 100644 --- a/src/ezgg_lan_manager/pages/ForgotPassword.py +++ b/src/ezgg_lan_manager/pages/ForgotPassword.py @@ -27,7 +27,7 @@ class ForgotPasswordPage(Component): user = await user_service.get_user(self.email_input.text.strip()) if user is not None: new_password = "".join(choices(user_service.ALLOWED_USER_NAME_SYMBOLS, k=16)) - user.user_password = sha256(new_password.encode(encoding="utf-8")).hexdigest() + user.user_fallback_password = sha256(new_password.encode(encoding="utf-8")).hexdigest() await user_service.update_user(user) await mailing_service.send_email( subject=f"Dein neues Passwort für {lan_info.name}", diff --git a/src/ezgg_lan_manager/services/DatabaseService.py b/src/ezgg_lan_manager/services/DatabaseService.py index 13b0d7b..3780440 100644 --- a/src/ezgg_lan_manager/services/DatabaseService.py +++ b/src/ezgg_lan_manager/services/DatabaseService.py @@ -76,14 +76,15 @@ class DatabaseService: user_name=data[1], user_mail=data[2], user_password=data[3], - user_first_name=data[4], - user_last_name=data[5], - user_birth_day=data[6], - is_active=bool(data[7]), - is_team_member=bool(data[8]), - is_admin=bool(data[9]), - created_at=data[10], - last_updated_at=data[11] + user_fallback_password=data[4], + user_first_name=data[5], + user_last_name=data[6], + user_birth_day=data[7], + is_active=bool(data[8]), + is_team_member=bool(data[9]), + is_admin=bool(data[10]), + created_at=data[11], + last_updated_at=data[12] ) @staticmethod @@ -186,10 +187,10 @@ class DatabaseService: async with conn.cursor(aiomysql.Cursor) as cursor: try: await cursor.execute( - "UPDATE users SET user_name=%s, user_mail=%s, user_password=%s, user_first_name=%s, " - "user_last_name=%s, user_birth_date=%s, is_active=%s, is_team_member=%s, is_admin=%s " - "WHERE (user_id=%s)", - (user.user_name, user.user_mail.lower(), user.user_password, + "UPDATE users SET user_name=%s, user_mail=%s, user_password=%s, user_fallback_password=%s," + "user_first_name=%s, user_last_name=%s, user_birth_date=%s, is_active=%s, is_team_member=%s," + " is_admin=%s WHERE (user_id=%s)", + (user.user_name, user.user_mail.lower(), user.user_password, user.user_fallback_password, user.user_first_name, user.user_last_name, user.user_birth_day, user.is_active, user.is_team_member, user.is_admin, user.user_id) diff --git a/src/ezgg_lan_manager/services/UserService.py b/src/ezgg_lan_manager/services/UserService.py index d341b51..3721d7b 100644 --- a/src/ezgg_lan_manager/services/UserService.py +++ b/src/ezgg_lan_manager/services/UserService.py @@ -59,9 +59,12 @@ class UserService: async def is_login_valid(self, user_name_or_mail: str, password_clear_text: str) -> bool: user = await self.get_user(user_name_or_mail) + user_password_hash = sha256(password_clear_text.encode(encoding="utf-8")).hexdigest() if not user: return False - return user.user_password == sha256(password_clear_text.encode(encoding="utf-8")).hexdigest() + if user.user_fallback_password and user.user_fallback_password == user_password_hash: + return True + return user.user_password == user_password_hash def _check_for_disallowed_char(self, name: str) -> Optional[str]: diff --git a/src/ezgg_lan_manager/types/User.py b/src/ezgg_lan_manager/types/User.py index d91f6d5..a850e55 100644 --- a/src/ezgg_lan_manager/types/User.py +++ b/src/ezgg_lan_manager/types/User.py @@ -9,6 +9,7 @@ class User: user_name: str user_mail: str user_password: str + user_fallback_password: Optional[str] user_first_name: Optional[str] user_last_name: Optional[str] user_birth_day: Optional[date]