delete state in session and cookies

velis74 · Oct 13, 2023 · d352f34 · d352f34
1 parent 1a15cab
commit d352f34
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/django_project_base/account/rest/profile.py b/django_project_base/account/rest/profile.py
@@ -1,4 +1,5 @@
 import datetime
+from random import randrange
 
 import django
 import swapper
@@ -10,7 +11,6 @@
 from django.db.models import ForeignKey, Model, QuerySet
 from django.template.loader import render_to_string
 from django.utils import timezone
-from django.utils.crypto import get_random_string
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, extend_schema_view, OpenApiParameter, OpenApiResponse
 from dynamicforms import fields
@@ -424,11 +424,10 @@ def update_current_profile(self, request: Request, **kwargs) -> Response:
         serializer.is_valid(raise_exception=True)
         serializer.save()
         email_changed = new_email and user.email != new_email
-        email_changed_cookie = "verify-email"
         response = Response(serializer.data)
         if email_changed:
-            code = get_random_string(length=6)
-            response.set_cookie(email_changed_cookie, user.pk, samesite="Lax")
+            code = randrange(100001, 999999)
+            response.set_cookie("verify-email", user.pk, samesite="Lax")
             request.session[f"email-changed-{code}-{user.pk}"] = new_email
             # TODO: Use system email
             # TODO: SEND THIS AS SYSTEM MSG WHEN PR IS MERGED
@@ -460,11 +459,15 @@ def confirm_new_email(self, request: Request, **kwargs) -> Response:
         user = request.user
         if not request.data.get("code"):
             raise ValidationError(dict(code=[_("Code required")]))
-        new_email = request.session.get(f"email-changed-{request.data['code']}-{user.pk}")
+        key = f"email-changed-{request.data['code']}-{user.pk}"
+        new_email = request.session.get(key)
         if email := new_email:
             user.email = email
             user.save(update_fields=["email"])
-            return Response()
+            request.session.pop(key, None)
+            response = Response()
+            response.delete_cookie("verify-email")
+            return response
         raise ValidationError(dict(code=[_("Invalid code")]))
 
     @extend_schema(

diff --git a/vue/components/user-session/user-profile.vue b/vue/components/user-session/user-profile.vue
@@ -36,9 +36,9 @@ const showProjectList = computed(() => (props.projectListComponent && userSessio
 const changePasswordErrors = reactive({} as { [key: string]: any[] });
 
 async function verifyEmailChanged(userData: UserDataJSON) {
-  if (userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME].toString() === cookies.get(
-    'verify-email',
-  ).toString() && userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME]) {
+  const verifyMailCookie = cookies.get('verify-email');
+  if (_.size(verifyMailCookie) && userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME] &&
+      userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME].toString() === verifyMailCookie.toString()) {
     const enterEmailConfirmationCode = await dfModal.message('Update email', () => [
       h(
         'h4',