csd4ni3l/grass_touching_captcha
1
0
Fork 0
mirror of https://github.com/csd4ni3l/grass_touching_captcha.git synced 2026-01-01 12:33:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

add more checks to password changing

Browse Source
This commit is contained in:
csd4ni3l
2025-08-15 17:11:26 +02:00
parent 24e76fa14c
commit 7d7bf75351
1 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
main.py
View File

@@ -373,17 +373,29 @@ def change_username():
@flask_login.login_required @flask_login.login_required
def change_password(): def change_password():
username = flask_login.current_user.id username = flask_login.current_user.id
new_password, confirm_password = request.form["new_password"], request.form["confirm_password"] current_password, new_password, confirm_password = request.form["current_password"], request.form["new_password"], request.form["confirm_password"]
if not secrets.compare_digest(new_password, confirm_password): if not secrets.compare_digest(new_password, confirm_password):
return Response("Passwords do not match.") return Response("Passwords do not match.", 400)
cur = get_db().cursor() cur = get_db().cursor()
salt = bcrypt.gensalt() cur.execute("SELECT password, password_salt FROM Users WHERE username = ?", (username,))
hashed_password = bcrypt.hashpw(new_password.encode(), salt)
cur.execute("UPDATE Users SET password = ?, password_salt = ? WHERE username = ?", (hashed_password, salt, username)) row = cur.fetchone()
if not row:
return Response("DB is not healthy", 500)
hashed_password, salt = row
if not secrets.compare_digest(bcrypt.hashpw(current_password.encode(), salt.encode()), hashed_password.encode()):
return Response("Unathorized.", 401)
new_salt = bcrypt.gensalt()
hashed_password = bcrypt.hashpw(new_password.encode(), new_salt)
cur.execute("UPDATE Users SET password = ?, password_salt = ? WHERE username = ?", (hashed_password, new_salt, username))
get_db().commit() get_db().commit()
cur.close() cur.close()