From 32d3843922437df4f4818c4152f6ffeb552e0c25 Mon Sep 17 00:00:00 2001
From: paolocarinci <99129760+paolocarinci@users.noreply.github.com>
Date: Sat, 27 Jul 2024 13:32:11 +0200
Subject: [PATCH 1/4] Fix user was added on sign-up even if password didn't match confirmation

---
 nativeauthenticator/handlers.py | 2 ++
 nativeauthenticator/nativeauthenticator.py | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
index b6a9dde..7c2ab90 100644
--- a/nativeauthenticator/handlers.py
+++ b/nativeauthenticator/handlers.py
@@ -168,12 +168,14 @@ async def post(self):
  user_info = {
  "username": self.get_body_argument("username", strip=False),
  "password": self.get_body_argument("signup_password", strip=False),
+ "password_confirmation": self.get_body_argument("signup_password_confirmation", strip=False),
  "email": self.get_body_argument("email", "", strip=False),
  "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
  }
  username_already_taken = self.authenticator.user_exists(
  user_info["username"]
  )
+ user = self.authenticator.create_user(**user_info)
  else:
  username_already_taken = False
diff --git a/nativeauthenticator/nativeauthenticator.py b/nativeauthenticator/nativeauthenticator.py
index 084f28f..d254e43 100644
--- a/nativeauthenticator/nativeauthenticator.py
+++ b/nativeauthenticator/nativeauthenticator.py
@@ -291,12 +291,15 @@ def get_authed_users(self):
  def user_exists(self, username):
  return self.get_user(username) is not None
- def create_user(self, username, password, **kwargs):
+ def create_user(self, username, password, password_confirmation, **kwargs):
  username = self.normalize_username(username)
  if self.user_exists(username) or not self.validate_username(username):
  return
+ if not password == password_confirmation:
+ return
+
  if not self.is_password_strong(password):
  return
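Review bot: The added `user = self.authenticator.create_user(**user_info)` runs whenever the captcha passed, regardless of the `username_already_taken` value computed on the lines just above it, so the handler relies on `create_user`'s internal `user_exists` check (next hunk) to avoid a duplicate account. Because `create_user` signals every failure with a bare `return`, `user` being `None` cannot tell this caller whether the name was taken, the username invalid, the confirmation mismatched or the password weak. Guarding the call, `if not username_already_taken:`, keeps the existence check in one place; `post` continues past the end of this hunk, so how `user` feeds the response is not visible here.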
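Review bot: `if not password == password_confirmation:` should be written `if password != password_confirmation:`; the comparison itself is fine since both values come from the same submitter and neither is a stored secret. Adding `password_confirmation` as a new required positional parameter breaks every existing caller of `create_user(username, password)` outside this diff (the firstuse import in the following hunk had to be patched to pass the password twice), and the mismatch is reported the same way as the other failures, a bare `return`, so callers still cannot distinguish the reasons. A keyword-only parameter with a default, `def create_user(self, username, password, *, password_confirmation=None, **kwargs):` with the check skipped when it is `None`, would keep existing call sites working while letting the sign-up handler opt in.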
@@ -429,7 +432,7 @@ def add_data_from_firstuse(self):
  with dbm.open(self.firstuse_db_path, "c", 0o600) as db:
  for user in db.keys():
  password = db[user].decode()
- new_user = self.create_user(user.decode(), password)
+ new_user = self.create_user(user.decode(), password, password)
  if not new_user:
  error = (
  f"User {user} was not created. Check password "

From 2760f198d06164078bccd478049fa8f233d7b328 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sat, 27 Jul 2024 11:35:08 +0000
Subject: [PATCH 2/4] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 nativeauthenticator/handlers.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
index 7c2ab90..7092cdc 100644
--- a/nativeauthenticator/handlers.py
+++ b/nativeauthenticator/handlers.py
@@ -168,7 +168,9 @@ async def post(self):
  user_info = {
  "username": self.get_body_argument("username", strip=False),
  "password": self.get_body_argument("signup_password", strip=False),
- "password_confirmation": self.get_body_argument("signup_password_confirmation", strip=False),
+ "password_confirmation": self.get_body_argument(
+ "signup_password_confirmation", strip=False
+ ),
  "email": self.get_body_argument("email", "", strip=False),
  "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
  }

From 7e5e197c95e50f3a371ec1a57741ddd8a4beb11a Mon Sep 17 00:00:00 2001
From: Paolo Carinci <>
Date: Sat, 27 Jul 2024 14:22:20 +0200
Subject: [PATCH 3/4] Better fix for mismatching passwords on signup

---
 nativeauthenticator/handlers.py | 22 ++++++++++------------
 nativeauthenticator/nativeauthenticator.py | 7 ++-----
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
index 7092cdc..7ee822f 100644
--- a/nativeauthenticator/handlers.py
+++ b/nativeauthenticator/handlers.py
@@ -164,13 +164,18 @@ async def post(self):
  else:
  self.authenticator.log.error("Failed reCaptcha")
+ # Collect various information for precise (error) messages.
+ password = self.get_body_argument("signup_password", strip=False)
+ confirmation = self.get_body_argument(
+ "signup_password_confirmation", strip=False
+ )
+ confirmation_matches = password == confirmation
+ user_is_admin = user_info["username"] in self.authenticator.admin_users
+
  if assume_user_is_human:
  user_info = {
  "username": self.get_body_argument("username", strip=False),
  "password": self.get_body_argument("signup_password", strip=False),
- "password_confirmation": self.get_body_argument(
- "signup_password_confirmation", strip=False
- ),
  "email": self.get_body_argument("email", "", strip=False),
  "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
  }
@@ -178,19 +183,12 @@ async def post(self):
  user_info["username"]
  )
- user = self.authenticator.create_user(**user_info)
+ if not username_already_taken and confirmation_matches:
+ user = self.authenticator.create_user(**user_info)
  else:
  username_already_taken = False
  user = None
- # Collect various information for precise (error) messages.
- password = self.get_body_argument("signup_password", strip=False)
- confirmation = self.get_body_argument(
- "signup_password_confirmation", strip=False
- )
- confirmation_matches = password == confirmation
- user_is_admin = user_info["username"] in self.authenticator.admin_users
-
  # Call helper function from above for precise alert-level and message.
  alert, message = self.get_result_message(
  user,
diff --git a/nativeauthenticator/nativeauthenticator.py b/nativeauthenticator/nativeauthenticator.py
index d254e43..084f28f 100644
--- a/nativeauthenticator/nativeauthenticator.py
+++ b/nativeauthenticator/nativeauthenticator.py
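Review bot: `user_is_admin = user_info["username"] in self.authenticator.admin_users` now executes before `user_info` is assigned inside the `if assume_user_is_human:` block that follows it, so unless `user_info` is bound earlier in `post` (above this hunk) every sign-up POST fails with an UnboundLocalError before the confirmation check is ever reached. Reading the field directly removes the dependency: `username = self.get_body_argument("username", strip=False)` followed by `user_is_admin = username in self.authenticator.admin_users`. The same ordering problem is what patch 4/4 in this series reorders; `post` continues past the end of this hunk.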
@@ -291,15 +291,12 @@ def get_authed_users(self):
  def user_exists(self, username):
  return self.get_user(username) is not None
- def create_user(self, username, password, password_confirmation, **kwargs):
+ def create_user(self, username, password, **kwargs):
  username = self.normalize_username(username)
  if self.user_exists(username) or not self.validate_username(username):
  return
- if not password == password_confirmation:
- return
-
  if not self.is_password_strong(password):
  return
@@ -432,7 +429,7 @@ def add_data_from_firstuse(self):
  with dbm.open(self.firstuse_db_path, "c", 0o600) as db:
  for user in db.keys():
  password = db[user].decode()
- new_user = self.create_user(user.decode(), password, password)
+ new_user = self.create_user(user.decode(), password)
  if not new_user:
  error = (
  f"User {user} was not created. Check password "

From c4d38f5c738aae96393f56d6a219ca8518d419d3 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Tue, 17 Sep 2024 12:01:27 +0200
Subject: [PATCH 4/4] Ensure variables are initialized before use

---
 nativeauthenticator/handlers.py | 34 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
index 7ee822f..7678022 100644
--- a/nativeauthenticator/handlers.py
+++ b/nativeauthenticator/handlers.py
@@ -164,30 +164,28 @@ async def post(self):
  else:
  self.authenticator.log.error("Failed reCaptcha")
- # Collect various information for precise (error) messages.
+ # initialize user_info
+ user_info = {
+ "username": self.get_body_argument("username", strip=False),
+ "password": self.get_body_argument("signup_password", strip=False),
+ "email": self.get_body_argument("email", "", strip=False),
+ "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
+ }
+ username = user_info["username"]
+
+ # summarize info
  password = self.get_body_argument("signup_password", strip=False)
  confirmation = self.get_body_argument(
  "signup_password_confirmation", strip=False
  )
  confirmation_matches = password == confirmation
- user_is_admin = user_info["username"] in self.authenticator.admin_users
-
- if assume_user_is_human:
- user_info = {
- "username": self.get_body_argument("username", strip=False),
- "password": self.get_body_argument("signup_password", strip=False),
- "email": self.get_body_argument("email", "", strip=False),
- "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
- }
- username_already_taken = self.authenticator.user_exists(
- user_info["username"]
- )
+ user_is_admin = username in self.authenticator.admin_users
+ username_already_taken = self.authenticator.user_exists(username)
- if not username_already_taken and confirmation_matches:
- user = self.authenticator.create_user(**user_info)
- else:
- username_already_taken = False
- user = None
+ # if everything seems ok, create a user
+ user = None
+ if assume_user_is_human and not username_already_taken and confirmation_matches:
+ user = self.authenticator.create_user(**user_info)
  # Call helper function from above for precise alert-level and message.
  alert, message = self.get_result_message(
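Review bot: `username_already_taken = self.authenticator.user_exists(username)` is now evaluated even when `assume_user_is_human` is false, whereas the removed `else` branch pinned it to `False`; the real value is then passed to `get_result_message` (outside this hunk), so if that helper reports the taken state ahead of the captcha failure, a client that never passes the captcha can still learn which usernames exist. Preserving the old behaviour is a one-liner: `username_already_taken = assume_user_is_human and self.authenticator.user_exists(username)`. Separately, `password` is fetched a second time via `get_body_argument` although it is already held in `user_info`; `password = user_info["password"]` avoids the duplicate read. Note also that `user_exists(username)` and the `admin_users` membership test use the raw body value, while `create_user` first runs it through `normalize_username` (see the nativeauthenticator.py hunks above), so a username that differs only by normalization may be reported as free here and then rejected inside `create_user`, leaving `user` as `None` with a misleading message.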