Fixes in admin login for more secure login

paramecio2/modules/admin/app.py

@@ -239,6 +239,8 @@ def login():
                     
                         #user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update({'token_auth': token_auth})
                         
+                        user_admin.fields['token_auth'].protected=False
+                        
                         arr_update['token_auth']=token_auth
                         
                         # Send email
@@ -357,6 +359,8 @@ def auth_check():
     
     check_csrf()
     
+    you_cannot_login=0
+    
     if 'login_admin' in session:
         
         code=request.form.get('code', '')
@@ -365,23 +369,35 @@ def auth_check():
         
         user_admin.check_user=False
         
-        c=user_admin.set_conditions('WHERE id=%s AND token_auth=%s', [session['user_id'], code]).select_count()
+        arr_user=user_admin.set_conditions('WHERE id=%s', [session.get('user_id', 0)]).select_a_row_where()
         
-        if c==1:
+        if arr_user:
             
-            user_admin.safe_query()
+            if user_admin.fields['token_auth'].verify(code, arr_user['token_auth']):
             
-            user_admin.set_conditions('WHERE id=%s', [session['user_id']]).update({'token_auth': ''})
+                user_admin.safe_query()
+                
+                user_admin.set_conditions('WHERE id=%s', [session['user_id']]).update({'token_auth': ''})
+                
+                session['verify_auth']=True
+                error=0
+                
+            else:
             
-            session['verify_auth']=True
-            error=0
+                you_cannot_login=check_login_tries()
+                
+        else:
+            
+            you_cannot_login=check_login_tries()
     
-    return {'error': error}
+    return {'error': error, 'you_cannot_login': you_cannot_login}
 
+"""
 @admin_app.route('/admin/recovery_password/')
 def recovery_password():
     
     return ""
+"""
 
 def check_login_tries():
     

paramecio2/modules/admin/models/admin.py

@@ -84,7 +84,7 @@ class UserAdmin(UserModel):
 
         self.register(corefields.CharField('token_login'))
         
-        self.register(corefields.CharField('token_auth'))
+        self.register(PasswordField('token_auth'))
         
         self.register(PrivilegesField('privileges'))
         

paramecio2/modules/admin/templates/need_auth.phtml

@@ -50,7 +50,7 @@
                 }
                 else
                 {
-                    $('#code_submit').prop('disabled', true);
+                    $('#code_submit').prop('disabled', false);
                     
                     // Firefox have a horrible and stupid bug and you need attr for set de new csrf_token
                     
@@ -68,6 +68,12 @@
                         
                     }
                     
+                    if(data.you_cannot_login) {
+                        
+                        $('#code_error').html("${lang('common', 'error_tries_disabled', 'Error, excessive tries, wait some minutes for login again')}");
+                        
+                    }
+                    
                 }
             
             });