We Keep Coding

How can I keep token from turning to None?

I am trying to follow along with a couple online tutorials for creating a reset password feature in my app. Both these tutorials use itsdangerous TimedJSONWebSignatureSerializer, which has since been deprecated, so I'm working with an older version of itsdangerous. Probably not best practice, I know.
The issue that I'm running into is that when I'm in the reset_token function and use verify_token(), its supposed to return the variable "email" to me, which I then save in "user". The reset_token function runs through the first time to bring up the html page and on this first run through, user = the email address, as it should. However, then when I hit "submit" on my reset password page, the code runs through a second time and then user = None, which therefore makes my query not work.
How do I make "email" not turn to None on the second run through of my code?
from flask import Flask, request, render_template, session, redirect, url_for
import mysql.connector
from flask_mail import Mail, Message
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
def get_token(user, expires_sec=600):
serial = Serializer(app.config['SECRET_KEY'], expires_in=expires_sec)
return serial.dumps({'user_id': user}).decode('utf-8')
def verify_token(token):
serial = Serializer(app.config['SECRET_KEY'])
try:
email = serial.loads(token)['user_id']
except:
return None
return email
def send_mail(email):
token = get_token(email)
msg = Message('Password Reset Request', recipients=[email], sender='censoring this :)')
msg.body = f'''
To reset your password, please follow the link below.
{url_for('reset_token', token=token, _external=True)}
If you did not request a password reset, please ignore this message.
'''
mail.send(msg)
#app.route('/password_reset', methods=['post', 'get'])
def password_reset():
error = None
success = None
def check(s):
email_format = r'\b[A-Za-z0-9._%+-]+#[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
if re.match(email_format, s):
return True
else:
return False
if request.method == 'POST':
email = request.form.get('email')
if not check(email):
error = "*Invalid email"
else:
query = "SELECT * FROM users WHERE email = %s"
cursor.execute(query, (email,))
cursor.fetchall()
count_rows = cursor.rowcount
if count_rows < 1:
error = "*We do not have that email address on file."
else:
send_mail(email)
success = "*Reset request sent. Please check your email."
return render_template('password_reset.html', error=error, msg=success)
#app.route('/password_reset/<token>', methods=['get', 'post'])
def reset_token(token):
error = None
success = None
user = verify_token(token)
print(user)
if user is None:
error = "That token is either invalid or expired. Please try again."
return redirect(url_for('password_reset'))
if request.method == 'POST':
password = request.form.get('password')
password_2 = request.form.get('password_2')
if len(password) < 6:
error = "*Your password must have at least 6 characters."
elif password != password_2:
error = "*Passwords do not match."
else:
query = "UPDATE users SET password=%s WHERE email=%s"
cursor.execute(query, (password, user))
mydb.commit()
success = "Your password has been created!"
return render_template('change_password.html')

Unexpected indentation when return in python

when I try to return but I got an error in 2nd return signup_result & return login_result
https://github.com/microsoft/pyright/blob/main/docs/configuration.md#reportUndefinedVariable
"return" can be used only within a functionPylance
here is utils.py
class CognitoResponse(object):
def __init__(self, access_token, refresh_token, cognito_user_id=None):
self.access_token = access_token
self.refresh_token = refresh_token
self.cognito_user_id = cognito_user_id
def cognito_signup(username: str, password: str):
return signup_result
# In order to get the ID and authenticate, use AWS Cognito
client = boto3.client('cognito-idp', region_name=os.environ.get('COGNITO_REGION_NAME'))
try:
response = client.sign_up(
ClientId=os.environ.get('COGNITO_USER_CLIENT_ID'),
Username=username,
Password=password
)
except Exception as e: # Generally, will trigger upon non-unique email
raise HTTPException(status_code=400, detail=f"{e}")
user_sub = response['UserSub']
# This will confirm user registration as an admin without a confirmation code
client.admin_confirm_sign_up(
UserPoolId=os.environ.get('USER_POOL_ID'),
Username=username,
)
# Now authenticate the user and return the tokens
auth_response = client.initiate_auth(
ClientId=os.environ.get('COGNITO_USER_CLIENT_ID'),
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': username,
'PASSWORD': password
}
)
access_token = auth_response['AuthenticationResult']['AccessToken']
refresh_token = auth_response['AuthenticationResult']['RefreshToken']
signup_result = utils.CognitoResponse(
access_token=access_token,
refresh_token=refresh_token,
cognito_user_id=user_sub
)
return signup_result
def cognito_login(username: str, password: str):
return login_result
client = boto3.client('cognito-idp', region_name=os.environ.get('COGNITO_REGION_NAME'))
# Authenticate the user and return the tokens
try:
auth_response = client.initiate_auth(
ClientId=os.environ.get('COGNITO_USER_CLIENT_ID'),
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': username,
'PASSWORD': password
}
)
except Exception as e: # Generally, will trigger upon wrong email/password
raise HTTPException(status_code=400, detail=f"{e}")
access_token = auth_response['AuthenticationResult']['AccessToken']
refresh_token = auth_response['AuthenticationResult']['RefreshToken']
login_result = utils.CognitoResponse(
access_token=access_token,
refresh_token=refresh_token
)
return login_result
I also try to tab 2 times to avoid indentation error in return signup_result & return login_result but still got the same error Unexpected indentationPylance

def cognito_login(username: str, password: str):
return login_result
client = boto3.client('cognito-idp', region_name=os.environ.get('COGNITO_REGION_NAME'))
# Authenticate the user and return the tokens
try:
auth_response = client.initiate_auth(
ClientId=os.environ.get('COGNITO_USER_CLIENT_ID'),
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': username,
'PASSWORD': password
}
)
# lots more code...
The cognito_login() function contains only one line of code return login_result because that is the only code that is indented underneath the function.
The rest of the following code is not indented underneath the function, therefore it is not part of the function.
Indentation is very important in Python.
Your code should likely be formatted as follows:
def cognito_login(username: str, password: str):
#return login_result remove this as the next lines of code need to run
client = boto3.client('cognito-idp', region_name=os.environ.get('COGNITO_REGION_NAME'))
# Authenticate the user and return the tokens
try:
auth_response = client.initiate_auth(
ClientId=os.environ.get('COGNITO_USER_CLIENT_ID'),
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': username,
'PASSWORD': password
}
)
# lots more code...

Why am I getting "Invalid salt" in django?

I have written a code for registration and login in django. While doing login, I am getting the error "Invalid salt"
Following is the code:
#api_view(['POST'])
def login(request):
email = request.data.get('email')
mobile_number = request.data.get('mobile_number')
pin = request.data.get('pin')
res = dict()
print(dict, "dictonaryyyyyy")
if email != None:
email_result = Users.objects.filter(email= email).first()
print(email_result.pin, "emaillll")
if email_result != None:
if bcrypt.checkpw(pin.encode("utf-8"), email_result.pin.encode('utf-8')):
# if bcrypt.checkpw(pin, )
print("........")
payload_data = dict()
payload_data['email'] = email_result.email
token = generate_token(payload_data)
print(token, "token.........")
res['messages'] = "Authentication Successful"
res['status'] = 200,
res['token'] = token
return Response(res, status = status.HTTP_200_OK)
...
...
How to get rid of this error?

It got solved, the hashed password was being saved as a binary instead of string at the time of registrattion.
To convert it into a string, the pin is required to be decoded at the time of creating the object.
pin = pin.decode('utf-8'),

Why do I get a Key error when calling flask session?

I have a problem with users trying to register on my application (which is a Flask app deployed on Pythonanywhere with MongoDB Atlas).
Basically when they register they receive an email with a token that they need to click on to confirm. When they click on that link they should enter the application, but instead they receive an error.
When I check the error log, this is what I see (under "/auth/register") when it calls:
existing_user = User.get_by_email(session["email"])
return super(SecureCookieSession, self).__getitem__(key)
Exception KeyError: 'email' was thrown out.
It seems that somehow the session["email"] does not work?
This is my code:
#app.route('/confirm/<token>')
def confirm_email(token):
try:
email = ts.loads(token, salt="email-confirm-key", max_age=7200)
except:
return render_template("token_expired.html")
user = Database.find_one(collection="users", query={"email": email})
return redirect(url_for("register_user"))
#app.route("/auth/register", methods=["GET", "POST"])
def register_user():
existing_user = User.get_by_email(session["email"])
if existing_user is None:
email = session["email"].lower() # our website is making a request to our app
username = session["username"]
companyname = session["companyname"].lower()
password = session["password"].encode("utf-8")
hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())
User.register(email, username, companyname, hashed_password)
session["companyname"] = companyname
excisting_company = Database.find_one(collection="companies", query={"email": session["email"]})
if excisting_company is None:
new_company = NewCompany(session["companyname"], session["email"])
new_company.company_save_to_mongo()
else:
return "A company has already been registered under your email address"
else:
return render_template("email_already_exists.html")
return redirect(url_for("user_results"))
#classmethod
def get_by_email(cls, email):
find_email = Database.find_one(collection="users", query={"email": email})
if find_email is not None:
return cls(email=find_email["email"], username=find_email["username"],
companyname=find_email["companyname"], hashed_password=find_email["password"],
date=find_email["date"], _id=find_email["_id"])
I cant seem to figure out why, as when I register myself it works just fine.
Your help would be greatly appreciated here, many thanks in advance.
UPDATE:
Here is where I set the session["email"]:
#app.route("/email_confirmation", methods=["GET", "POST"])
def confirmation():
email = request.form["email"].lower()
companyname = request.form["companyname"].lower()
password = request.form["password"]
username = request.form["username"]
session["password"] = password
session["email"] = email
session["companyname"] = companyname
session["username"] = username
existing_user = User.get_by_email(email)
if existing_user is None:
msg = Message("Confirm your email", sender=("hello#weliketalent.com"),
recipients=[email])
token = ts.dumps(email, salt="email-confirm-key")
confirm_url = url_for("confirm_email", token=token, _external=True)
msg.html = render_template("email/activate.html", confirm_url=confirm_url)
mail.send(msg)

The error is telling you that there is no "email" value in session object.
I don't see you setting this value anywhere in your code. How is it supposed to get there? Somebody needs to set it somewhere before this code runs.
In addition to that, you should design your code not to crash in such cases, as this could be a security vulnerability. You can use if "email" not in session for test.

Python bottle cookies issue on GAE

Am new to the bottle framework but we want to use it for a project which we are working on. This is the code causing the error. This is my full code in my file.
I can add the imported modules also if need arises
`
import model
import sessionDAO
import userDAO
import bottle
import re
import cgi
import logging
#bottle.route('/')
def index_page():
cookie = bottle.request.get_cookie('session',path='/')
username = sessions.get_username(cookie)
return bottle.template('blog_template', dict(username=username))
#bottle.get('/signup')
def signup():
return bottle.template('signup',dict(username="", password="",
password_error="",
email="", username_error="", email_error="",
verify_error =""))
#bottle.get('/login')
def login():
return bottle.template('login', dict(username='',password='', login_error=''))
#bottle.get('/welcome')
def welcome():
cookie = bottle.request.get_cookie('session',path='/')
username = sessions.get_username(cookie)
if username is None:
print "welcome cant verify/identify user, sending you to the signup page"
bottle.redirect('/signup')
return bottle.template('welcome',dict(username=username))
#bottle.get('/internal_error')
#bottle.view('error_template')
def internal_error():
return dict(error='System encountered a DB error ')
#bottle.get('/logout')
def logout():
cookie = bottle.request.get_cookie('session',path='/')
sessions.end_session(cookie)
bottle.response.set_cookie('session','', path='/')
bottle.redirect('/signup')
#bottle.post('/login')
def process_login():
username = bottle.request.forms.get('username')
password = bottle.request.forms.get('password')
print "user submitted ", username, "pass ", password
user_record = users.validate_login(username,password)
if user_record:
session_id = sessions.start_session(user_record.id)
if session_id is None:
print "internal error"
bottle.redirect('/internal_error')
cookie = session_id
bottle.response.set_cookie('session',cookie, path='/')
bottle.redirect('/welcome')
else:
return bottle.template('login', dict(username=cgi.escape(username),password="",login_error="Invalid Login"))
#bottle.post('/signup')
def register():
username = bottle.request.forms.get('username')
password = bottle.request.forms.get('password')
email = bottle.request.forms.get('email')
verify = bottle.request.forms.get('verify')
errors = {'username':username,'email':email}
if validate_signup(username,password,verify,email,errors):
if not users.add_user(username,password,email):
errors['username_error'] = "User already Exist"
return bottle.template('signup',errors)
session_id = sessions.start_session(username)
print session_id
bottle.response.set_cookie('session', session_id, path='/')
bottle.redirect('/welcome')
else:
print "User did not validate"
return bottle.template('signup',errors)
def validate_signup(username,password,verify,email,errors):
USER_RE = re.compile(r"^[a-zA-Z0-9_-]{3,20}$")
PASS_RE = re.compile(r"^.{6,20}$")
EMAIL_RE = re.compile(r"^[\S]+#[\S]+\.[\S]+$")
errors['username_error'] = ""
errors['password_error'] = ""
errors['verify_error'] = ""
errors['email_error'] = ""
if not USER_RE.match(str(username)):
errors['username_error'] = "Invalid username, try letters and numbers only"
return False
if not PASS_RE.match(str(password)):
errors['password_error'] = "Invalid password"
return False
if password != str(verify):
errors['verify_error'] = 'Password must match'
return False
if email != "":
if not EMAIL_RE.match(str(email)):
errors['email_error'] = 'Invalid email address'
return False
return True
#bottle.error(500)
def error500(error):
logging.debug(str(error))
print str(error)
bottle.redirect('/signup')
# return bottle.template('error_template',dict(error=str(error)))
user_data = model.User
session_data = model.Session
users = userDAO.UserDAO(user_data)
sessions = sessionDAO.SessionDAO(session_data)
app = bottle.app()
`
the set cookie is not working even if I remove the path args..