feat: Reset password email and 'Forgot password' solution #1566
Conversation
The f-string was wrong
…st where multiple processes/workers are available Problem: '2013. Lost connection to MySQL server during query' error when there are two processes (workers) available. The problem is automatically solved by SQLAlchemy, but when you visit a view which has the @has_access decorator flask_appbuilder.security.manager.load_user is used which uses flask_appbuilder.security.sqla.manager. def get_user_by_id and that transaction can not be rolled back. This raises the OperationalError 2013, 'Lost connection to MySQL server during query': Can be reproduced by: resetting the webserver... the 2nd or 3rd time you refresh the browser the error will raise
Problem: '2013. Lost connection to MySQL server during query' error when there are multiple processes (workers) available. The problem is automatically solved by SQLAlchemy, but when you visit a view which has the @has_access decorator flask_appbuilder.security.manager.load_user is used which uses flask_appbuilder.security.sqla.manager. def get_user_by_id and that transaction can not be rolled back. This raises the OperationalError 2013, 'Lost connection to MySQL server during query': Can be reproduced by: resetting the webserver... the 2nd or 3rd time you refresh the browser the error will raise
fix: [multiple workers] causing a fatal error
Extended with UserResetPassword for sending a unique hash to the Email of the user
Extended with ForgotMyPasswordForm for sending a unique hash to the Email of the user
Template for sending the Email with the reset_hash to the user
Left a couple of tips here: https://github.com/dpgaspar/Flask-AppBuilder/pull/1579/files see if it works for you. Also
Thanks I will try that later.
Can you share the settings of flake8? Thanks
Take a look at: So it should just work running
I had installed black and flake8 manually... Then I saw the requirements*.txt and installed those... but that didn't make a difference. I am sure it will work when I have flake8 configured with https://github.com/dpgaspar/Flask-AppBuilder/blob/master/.flake8 is what I needed... haha I would love to have a pre-commit option... I am going to search for it... If I need to change 3 files, it's going to start the tests 3 times and of course 3 lovely emails 😄
Hi, any updates on the progress?
Hello, I need to set up and find the right commands to collect py files and commit them to a certain pull request. I guess it will easily take a few months before I am able to start looking into this, sorry.
@runoutnow, are there any updates for this issue? :)
Unfortunately not as I haven’t looked into it anymore. The code is working, I am using it for a year already. Today I’ve looked into it again, but the standard tests which I didn’t write are failing already. For me it’s also annoying that I am stuck with this feature as I now am no longer able to update flask_appbuilder normally anymore. In order to keep the “forgot password” feature I have to manually replace the files in the flask_appbuilder directory. Perhaps someone can assist me with writing the tests?
Removed the db and started with Resulted in way less errors for What is the right order to make the tests successful? =]
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Feel free to reopen it if it's still relevant to you. Thank you
Description
The new function (at the moment only for MySQL!) can be turned on and off in config.py: EMAIL_PROT = True|False. Default is False so people who don't have an email protocol available can keep changing their passwords.
Reset password-button
When EMAIL_PROT is turned on the "reset password-button" won't forward to the "change-password-form", instead it will create a unique hash and send an email to the known email address with a unique URL. After confirmation of this email the user has 15 minutes to change the password. In those 15 minutes it is not possible to send another email with a link. After changing the password or when the 15 minutes have passed the user is unable to visit the "change password-form".
The process can be restarted by clicking the "reset password-button" again. :-)
This way the user must have access to the known email address in order to change a password. So if a password has been stolen it can not be changed by the attacker... unless the email address has also been hacked.
N.B.
If you have built the possibility to let a user change his/her email address, then the only way to make the new code effective is to send an email with an “ack-change”-link to the new email address AND the old email address. So the attacker is not able to change the email address (and indirectly is still able to change the password then).
Forgot password
When EMAIL_PROT = True there will also appear a "Forgot my password" url in the login_db.html.
The user can then fill in the email address which will receive a link to reset the password.
The "change password-form" can only be visited for 15 minutes and requires the unique hash in the url.
ADDITIONAL INFORMATION
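A minimal model of the reset-link flow the description lays out (a random token mailed to the known address, a 15-minute window, no second mail while a link is still valid, and the link unusable after use or expiry), written as an added example for this page and not taken from the PR or from Flask-AppBuilder. `ResetStore`, `request_reset`, `consume`, `T0` and `at_minute` are assumed names, and an in-memory dict stands in for the database table the PR adds.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

RESET_WINDOW = timedelta(minutes=15)  # the 15-minute validity the PR description gives


def _digest(token: str) -> str:
    # Only a hash of the token is stored server-side, so a leaked table
    # does not hand out working reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """Stand-in for the reset table (assumed name): token digest -> (user_id, expiry)."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, datetime]] = {}

    def request_reset(self, user_id: str, now: datetime) -> Optional[str]:
        """Issue a fresh token for the e-mailed URL, or None while an earlier link
        for this user is still inside its 15-minute window (no second mail is sent)."""
        for digest, (uid, expiry) in list(self._pending.items()):
            if uid == user_id:
                if now < expiry:
                    return None
                del self._pending[digest]  # expired leftover, drop it
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._pending[_digest(token)] = (user_id, now + RESET_WINDOW)
        return token

    def consume(self, token: str, now: datetime) -> Optional[str]:
        """Validate the token from the URL and return the user it belongs to.
        The entry is removed on any hit (single use), so the change-password form is
        unreachable once the password was changed or the 15 minutes have passed."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        uid, expiry = entry
        return uid if now < expiry else None


# Constructed timeline for exercising the flow offline.
T0 = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)


def at_minute(n: int) -> datetime:
    return T0 + timedelta(minutes=n)
```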