From d352f341245311444103415eefc171b0800b84b1 Mon Sep 17 00:00:00 2001
From: KlemenSpruk
Date: Fri, 13 Oct 2023 07:53:59 +0200
Subject: [PATCH] delete state in session and cookies
---
 django_project_base/account/rest/profile.py | 15 +++++++++------
 vue/components/user-session/user-profile.vue | 6 +++---
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/django_project_base/account/rest/profile.py b/django_project_base/account/rest/profile.py
index a830622e..47696565 100644
--- a/django_project_base/account/rest/profile.py
+++ b/django_project_base/account/rest/profile.py
@@ -1,4 +1,5 @@ import datetime +from random import randrange import django import swapper
@@ -10,7 +11,6 @@ from django.db.models import ForeignKey, Model, QuerySet from django.template.loader import render_to_string from django.utils import timezone -from django.utils.crypto import get_random_string from django.utils.translation import gettext_lazy as _ from drf_spectacular.utils import extend_schema, extend_schema_view, OpenApiParameter, OpenApiResponse from dynamicforms import fields
@@ -424,11 +424,10 @@ def update_current_profile(self, request: Request, **kwargs) -> Response: serializer.is_valid(raise_exception=True) serializer.save() email_changed = new_email and user.email != new_email - email_changed_cookie = "verify-email" response = Response(serializer.data) if email_changed: - code = get_random_string(length=6) - response.set_cookie(email_changed_cookie, user.pk, samesite="Lax") + code = randrange(100001, 999999) + response.set_cookie("verify-email", user.pk, samesite="Lax") request.session[f"email-changed-{code}-{user.pk}"] = new_email # TODO: Use system email # TODO: SEND THIS AS SYSTEM MSG WHEN PR IS MERGED
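Review bot: The verification code on the added `code = randrange(100001, 999999)` line is drawn from the `random` module, a non-cryptographic PRNG, whereas the `get_random_string` it replaces is backed by the `secrets` module in current Django; a code that authorises an email change should keep a CSPRNG source. Prefer `from secrets import randbelow` with `code = 100000 + randbelow(900000)`, which also removes the range quirk that `randrange(100001, 999999)` can never yield 100000 or 999999. Each email change also stores a fresh `email-changed-{code}-{user.pk}` session key while leaving any earlier pending key valid; consider dropping the user's previous pending keys before storing the new one. The body of update_current_profile begins before this hunk.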
@@ -460,11 +459,15 @@ def confirm_new_email(self, request: Request, **kwargs) -> Response: user = request.user if not request.data.get("code"): raise ValidationError(dict(code=[_("Code required")])) - new_email = request.session.get(f"email-changed-{request.data['code']}-{user.pk}") + key = f"email-changed-{request.data['code']}-{user.pk}" + new_email = request.session.get(key) if email := new_email: user.email = email user.save(update_fields=["email"]) - return Response() + request.session.pop(key, None) + response = Response() + response.delete_cookie("verify-email") + return response raise ValidationError(dict(code=[_("Invalid code")])) @extend_schema(
diff --git a/vue/components/user-session/user-profile.vue b/vue/components/user-session/user-profile.vue
index c1564fec..74ae5363 100644
--- a/vue/components/user-session/user-profile.vue
+++ b/vue/components/user-session/user-profile.vue
@@ -36,9 +36,9 @@ const showProjectList = computed(() => (props.projectListComponent && userSessio const changePasswordErrors = reactive({} as { [key: string]: any[] }); async function verifyEmailChanged(userData: UserDataJSON) { - if (userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME].toString() === cookies.get( - 'verify-email', - ).toString() && userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME]) { + const verifyMailCookie = cookies.get('verify-email'); + if (_.size(verifyMailCookie) && userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME] && + userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME].toString() === verifyMailCookie.toString()) { const enterEmailConfirmationCode = await dfModal.message('Update email', () => [ h( 'h4',
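Review bot: The failure path `raise ValidationError(dict(code=[_("Invalid code")]))` still has no attempt limit, so the pending six-digit code can be guessed by repeated calls to this action; the commit adds cleanup on success but nothing bounds failures. Consider counting failed attempts in the session and popping the pending key once a small limit is reached, or attaching a DRF throttle to the action, and document the intent above the lookup with `# pending code is single-use: popped on success, attempts should be bounded on failure`. Minor style point: `if email := new_email:` rebinds a value already held in `new_email`, and `if new_email:` with `user.email = new_email` reads more plainly. The decorated function continues past the `@extend_schema(` line outside the hunk.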
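Review bot: In the new condition `_.size(verifyMailCookie)` serves only as an emptiness test on a cookie value, where a plain truthiness check is more direct and drops the lodash call: `if (verifyMailCookie && userData[PROFILE_TABLE_PRIMARY_KEY_PROPERTY_NAME] &&`. A short comment above the `const verifyMailCookie` line would also help readers, e.g. `// 'verify-email' holds the user pk and only gates the prompt; the server validates the entered code`. verifyEmailChanged continues beyond the end of the hunk.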