use hashids in jwt

This commit is contained in:
Patrick Jentsch 2022-07-18 17:37:05 +02:00
parent 1f3ca9664d
commit 7acb3b40c2


@ -1,4 +1,4 @@
from app import db, login, mail, socketio from app import db, hashids, login, mail, socketio
from app.converters.vrt import normalize_vrt_file from app.converters.vrt import normalize_vrt_file
from app.email import create_message from app.email import create_message
from datetime import datetime, timedelta from datetime import datetime, timedelta
@ -327,7 +327,7 @@ class User(HashidMixin, UserMixin, db.Model):
return False return False
if payload.get('purpose') != 'confirm_user': if payload.get('purpose') != 'confirm_user':
return False return False
if payload.get('sub') != self.id: if payload.get('sub') != self.hashid:
return False return False
self.confirmed = True self.confirmed = True
db.session.add(self) db.session.add(self)
@ -344,7 +344,7 @@ class User(HashidMixin, UserMixin, db.Model):
'iat': utc_now, 'iat': utc_now,
'iss': current_app.config['SERVER_NAME'], 'iss': current_app.config['SERVER_NAME'],
'purpose': 'confirm_user', 'purpose': 'confirm_user',
'sub': self.id 'sub': self.hashid
} }
return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256') return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
@ -355,7 +355,7 @@ class User(HashidMixin, UserMixin, db.Model):
'iat': utc_now, 'iat': utc_now,
'iss': current_app.config['SERVER_NAME'], 'iss': current_app.config['SERVER_NAME'],
'purpose': 'reset_password', 'purpose': 'reset_password',
'sub': self.id 'sub': self.hashid
} }
return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256') return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
@ -452,9 +452,10 @@ class User(HashidMixin, UserMixin, db.Model):
return False return False
if payload.get('purpose') != 'reset_password': if payload.get('purpose') != 'reset_password':
return False return False
user_id = payload.get('sub') user_hashid = payload.get('sub')
if user_id is None: if user_hashid is None:
return False return False
user_id = hashids.decode(user_hashid)
user = User.query.get(user_id) user = User.query.get(user_id)
if user is None: if user is None:
return False return False
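Review bot: The result of `hashids.decode(user_hashid)` on the new line is passed straight to `User.query.get` without checking that it is a usable integer id, so a signed token whose `sub` does not decode (an empty result, or a non-string `sub` such as the integer ids carried by tokens minted before this change, which may make the decoder raise instead of returning empty) ends in an exception or an unintended lookup rather than the `return False` the surrounding checks use. The exact return shape of the `hashids` wrapper's `decode` is not visible here and should be confirmed, but the guard can be written independent of it: `if not isinstance(user_hashid, str): return False` before the decode and `if not isinstance(user_id, int): return False` after it. The `confirm_user` hunk above compares `payload.get('sub')` with `self.hashid` directly and needs no such guard. The enclosing verifier method starts before the hunk and continues past its last line.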