From 7e5e197c95e50f3a371ec1a57741ddd8a4beb11a Mon Sep 17 00:00:00 2001
From: Paolo Carinci <>
Date: Sat, 27 Jul 2024 14:22:20 +0200
Subject: [PATCH] Better fix for mismatching passwords on signup

---
 nativeauthenticator/handlers.py | 22 ++++++++++------------
 nativeauthenticator/nativeauthenticator.py | 7 ++-----
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/nativeauthenticator/handlers.py b/nativeauthenticator/handlers.py
index 7092cdc..7ee822f 100644
--- a/nativeauthenticator/handlers.py
+++ b/nativeauthenticator/handlers.py
@@ -164,13 +164,18 @@ async def post(self):
         else:
             self.authenticator.log.error("Failed reCaptcha")
 
+        # Collect various information for precise (error) messages.
+        password = self.get_body_argument("signup_password", strip=False)
+        confirmation = self.get_body_argument(
+            "signup_password_confirmation", strip=False
+        )
+        confirmation_matches = password == confirmation
+        user_is_admin = user_info["username"] in self.authenticator.admin_users
+
         if assume_user_is_human:
             user_info = {
                 "username": self.get_body_argument("username", strip=False),
                 "password": self.get_body_argument("signup_password", strip=False),
-                "password_confirmation": self.get_body_argument(
-                    "signup_password_confirmation", strip=False
-                ),
                 "email": self.get_body_argument("email", "", strip=False),
                 "has_2fa": bool(self.get_body_argument("2fa", "", strip=False)),
             }
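Review bot: The hoisted line `user_is_admin = user_info["username"] in self.authenticator.admin_users` now executes before `user_info = {...}` is built inside the `if assume_user_is_human:` branch a few lines below it, so unless `post()` binds `user_info` somewhere earlier (outside this hunk) every signup POST raises `UnboundLocalError` before the form is even looked at. The other three hoisted lines only read the request body and are safe to move up; this one is the exception because it depends on the dict assembled after the reCaptcha decision. Either read the field directly, `user_is_admin = self.get_body_argument("username", strip=False) in self.authenticator.admin_users`, or compute `user_is_admin` after the `if`/`else` at the spot the second hunk removes it from. `post()` starts before this hunk and continues past it.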
@@ -178,19 +183,12 @@ async def post(self):
                 user_info["username"]
             )
 
-            user = self.authenticator.create_user(**user_info)
+            if not username_already_taken and confirmation_matches:
+                user = self.authenticator.create_user(**user_info)
         else:
             username_already_taken = False
             user = None
 
-        # Collect various information for precise (error) messages.
-        password = self.get_body_argument("signup_password", strip=False)
-        confirmation = self.get_body_argument(
-            "signup_password_confirmation", strip=False
-        )
-        confirmation_matches = password == confirmation
-        user_is_admin = user_info["username"] in self.authenticator.admin_users
-
         # Call helper function from above for precise alert-level and message.
         alert, message = self.get_result_message(
             user,
diff --git a/nativeauthenticator/nativeauthenticator.py b/nativeauthenticator/nativeauthenticator.py
index d254e43..084f28f 100644
--- a/nativeauthenticator/nativeauthenticator.py
+++ b/nativeauthenticator/nativeauthenticator.py
@@ -291,15 +291,12 @@ def get_authed_users(self):
     def user_exists(self, username):
         return self.get_user(username) is not None
 
-    def create_user(self, username, password, password_confirmation, **kwargs):
+    def create_user(self, username, password, **kwargs):
         username = self.normalize_username(username)
 
         if self.user_exists(username) or not self.validate_username(username):
             return
 
-        if not password == password_confirmation:
-            return
-
         if not self.is_password_strong(password):
             return
 
@@ -432,7 +429,7 @@ def add_data_from_firstuse(self):
         with dbm.open(self.firstuse_db_path, "c", 0o600) as db:
             for user in db.keys():
                 password = db[user].decode()
-                new_user = self.create_user(user.decode(), password, password)
+                new_user = self.create_user(user.decode(), password)
                 if not new_user:
                     error = (
                         f"User {user} was not created. Check password "
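Review bot: `user` is never assigned on the human path when the new guard `if not username_already_taken and confirmation_matches:` is false — a taken username or a mismatched confirmation now skips the only assignment in that branch, and `self.get_result_message(user, ...)` a few lines down raises `UnboundLocalError` instead of rendering the precise error message this commit is meant to produce. Previously `create_user` returned `None` for the mismatch, so `user` was always bound. Initialise it before the guard: `user = None` on the line directly above the new `if`. `post()` starts before this hunk and continues past it.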
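Review bot: `create_user` no longer enforces `password == password_confirmation` itself, so the mismatch check now lives only in the signup handler, and the signature change is not documented; any remaining caller that still passes `password_confirmation=` as a keyword will have it silently absorbed by `**kwargs` (or rejected by whatever consumes `kwargs` further down, outside this hunk), and a positional third argument becomes a `TypeError`. A short docstring on the new signature makes the contract explicit, e.g. `"""Create *username* with *password*; confirming the password is the caller's responsibility."""`, and call sites outside this diff should be grepped — the firstuse import below is the only one the commit adapts. `create_user` continues past this hunk.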