
Do not bother with passwords in the encrypted payload

Getty Ritter 4 years ago
parent
commit
224d60a801
3 changed files with 9 additions and 11 deletions
  1. 1 1
      lc/request.py
  2. 8 9
      lc/web.py
  3. 0 1
      tests/routes.py

+ 1 - 1
lc/request.py

@@ -35,7 +35,7 @@ class User(Request):
         return cls(name=form["username"], password=form["password"],)
 
     def to_token(self) -> str:
-        return c.serializer.dumps({"name": self.name, "password": self.password,})
+        return c.serializer.dumps({"name": self.name})
 
 
 @dataclass_json
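Review bot: With the password dropped from the payload on the new `to_token` line, nothing in the token ties it to the user's current credentials, so changing a password (or disabling the account) no longer invalidates tokens already issued — the removed web.py check re-ran `u.authenticate(...)` on every request and provided that implicitly. The payload's trustworthiness now rests entirely on `c.serializer` being a signing serializer with a secret that is not exposed, which this hunk does not show; worth confirming. Consider carrying something revocable in the payload — an issued-at timestamp or a per-user token version compared against the stored user on load — and documenting the contract on `to_token`: `# Signed, not secret: only as trustworthy as c.serializer's key. Carries no expiry or revocation claim.` The enclosing class `User` continues outside the hunk.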

+ 8 - 9
lc/web.py

@@ -34,17 +34,15 @@ class Endpoint:
         # if that exists and we can deserialize it, then make sure
         # it contains a valid user password, too
         if token and (payload := c.serializer.loads(token)):
-            if "name" not in payload or "password" not in payload:
+            if "name" not in payload:
                 return
 
             try:
                 u = m.User.by_slug(payload["name"])
+                self.user = u
             except e.LCException:
                 return
 
-            if u.authenticate(payload["password"]):
-                self.user = u
-
     def api_ok(self, redirect: str, data: dict = {"status": "ok"}) -> ApiOK:
         if flask.request.content_type == "application/x-www-form-urlencoded":
             raise e.LCRedirect(redirect)
@@ -122,11 +120,12 @@ class Endpoint:
         try:
             return self.html(*args, **kwargs)
         except e.LCException as exn:
-            page = render("main", v.Page(
-                title="error",
-                content=f"shit's fucked yo: {exn}",
-                user=self.user,
-            ))
+            page = render(
+                "main",
+                v.Page(
+                    title="error", content=f"shit's fucked yo: {exn}", user=self.user,
+                ),
+            )
             return (page, exn.http_code())
         except e.LCRedirect as exn:
             return flask.redirect(exn.to_path())
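Review bot: The comment at the top of the first hunk still says the payload must "contain a valid user password, too", but the new code only checks that `name` is present and assigns `self.user` without any authentication, so the comment now misdescribes what gates the login. Suggest replacing it with `# if that exists and the serializer accepts it, the name alone identifies the user; the serializer's signature (not a password) is what we trust here`, hedged on `c.serializer` actually verifying a signature, which is not visible in this hunk. Because that password check was the only per-request tie to the stored credentials, a user whose password was changed or who was disabled keeps a working token until the serializer's signing material changes — the same concern as the `to_token` change in lc/request.py. The enclosing method starts before the hunk.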

+ 0 - 1
tests/routes.py

@@ -30,7 +30,6 @@ class TestRoutes:
         assert result.status == "200 OK"
         decoded_token = c.serializer.loads(result.json["token"])
         assert decoded_token["name"] == username
-        assert decoded_token["password"] == password
 
     def test_failed_api_login(self):
         username = "gdritter"