Fixes in admin login for more secure login

2023-07-22 23:31:00 +02:00 · 2023-07-22 23:31:00 +02:00 · de51f0356f
commit de51f0356f
parent a2bd05536f
3 changed files with 31 additions and 9 deletions
--- a/paramecio2/modules/admin/app.py
+++ b/paramecio2/modules/admin/app.py
@ -239,6 +239,8 @@ def login():
                        #user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update({'token_auth': token_auth})
                        user_admin.fields['token_auth'].protected=False
                        arr_update['token_auth']=token_auth
                        # Send email
@ -357,6 +359,8 @@ def auth_check():
    check_csrf()
    you_cannot_login=0
    if 'login_admin' in session:
        code=request.form.get('code', '')
@ -365,23 +369,35 @@ def auth_check():
        user_admin.check_user=False
-        c=user_admin.set_conditions('WHERE id=%s AND token_auth=%s', [session['user_id'], code]).select_count()
+        arr_user=user_admin.set_conditions('WHERE id=%s', [session.get('user_id', 0)]).select_a_row_where()
-        if c==1:
+        if arr_user:
-            user_admin.safe_query()
+            if user_admin.fields['token_auth'].verify(code, arr_user['token_auth']):
-            user_admin.set_conditions('WHERE id=%s', [session['user_id']]).update({'token_auth': ''})
+                user_admin.safe_query()
-            session['verify_auth']=True
+                user_admin.set_conditions('WHERE id=%s', [session['user_id']]).update({'token_auth': ''})
            error=0
-    return {'error': error}
+                session['verify_auth']=True
                error=0
            else:
                you_cannot_login=check_login_tries()
        else:
            you_cannot_login=check_login_tries()
    return {'error': error, 'you_cannot_login': you_cannot_login}
 """
@admin_app.route('/admin/recovery_password/')
 def recovery_password():
    return ""
 """
 def check_login_tries():
--- a/paramecio2/modules/admin/models/admin.py
+++ b/paramecio2/modules/admin/models/admin.py
@ -84,7 +84,7 @@ class UserAdmin(UserModel):
        self.register(corefields.CharField('token_login'))
-        self.register(corefields.CharField('token_auth'))
+        self.register(PasswordField('token_auth'))
        self.register(PrivilegesField('privileges'))
--- a/paramecio2/modules/admin/templates/need_auth.phtml
+++ b/paramecio2/modules/admin/templates/need_auth.phtml
@ -50,7 +50,7 @@
                }
                else
                {
-                    $('#code_submit').prop('disabled', true);
+                    $('#code_submit').prop('disabled', false);
                    // Firefox have a horrible and stupid bug and you need attr for set de new csrf_token
@ -68,6 +68,12 @@
                    }
                    if(data.you_cannot_login) {
                        $('#code_error').html("${lang('common', 'error_tries_disabled', 'Error, excessive tries, wait some minutes for login again')}");
                    }
                }
            });