theLaborInVain / kdm-manager-api

The API used by https://kdm-manager.com and related Kingdom Death: Monster utilities.

Password reset failure #59

Open toconnell opened 2 years ago

toconnell commented 2 years ago

User OID: 666 Method: POST URL: http://api.kdm-manager.com/login JSON: {'username': 'XXXXXXXXXX@gmail.com', 'password': 'XXXXXXXXXXXX'}

Traceback (most recent call last):
File "/home/toconnell/kdm-manager-api/venv/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
 rv = self.dispatch_request()
File "/home/toconnell/kdm-manager-api/venv/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
 return self.view_functions[rule.endpoint](**req.view_args)
File "/home/toconnell/kdm-manager-api/app/utils/crossdomain.py", line 56, in wrapped_function
 resp = flask.make_response(func(*args, **kwargs))
File "/home/toconnell/kdm-manager-api/app/routes.py", line 318, in get_token
 flask.request.json.get("password", None)
File "/home/toconnell/kdm-manager-api/app/models/users.py", line 85, in authenticate
 U = User(_id=user["_id"])
File "/home/toconnell/kdm-manager-api/app/models/users.py", line 427, in __init__
 self.check_subscriber_expiration()
File "/home/toconnell/kdm-manager-api/app/models/users.py", line 1289, in check_subscriber_expiration
 self.set_subscriber_level(0)
File "/home/toconnell/kdm-manager-api/app/models/__init__.py", line 65, in wrapped
 if not flask.request.User.is_admin():
File "/home/toconnell/kdm-manager-api/venv/lib/python3.6/site-packages/werkzeug/local.py", line 347, in __getattr__
 return getattr(self._get_current_object(), name)
AttributeError: 'Request' object has no attribute 'User'

toconnell commented 2 years ago

Obviously, we're checking the user object on the request before we initialize it because we're trying to find out if the user is an API administrator. Gotta figure out why and see if we can do this differently.

toconnell commented 2 years ago

Interestingly, this actually works perfectly in the v4 webapp.

toconnell commented 2 years ago

Cleaned this up and made it a little less failure-prone:


toconnell@mona:~/kdm-manager-api$ git diff app/models/__init__.py
diff --git a/app/models/__init__.py b/app/models/__init__.py
index 470bdb6..c159aef 100644
--- a/app/models/__init__.py
+++ b/app/models/__init__.py
@@ -60,10 +60,13 @@ def admin_only(func):
         """ checks admin status. runs the func """
         logger = utils.get_logger()

-        if flask.request:
+        if flask.has_request_context():
             if API.config['ENVIRONMENT'].get('is_production', False):
-                if not flask.request.User.is_admin():
-                    err = 'Only API admins may export users!'
+                if (
+                    hasattr(flask.request, 'User') and not
+                    flask.request.User.is_admin()
+                ):
+                    err = 'Only API admins may access this endpoint!'
                     raise utils.InvalidUsage(err, 401)
             else:
                 warn = 'API is non-prod. Skipping admin check for %s()'
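Review bot: the rewritten guard fails open. With `hasattr(flask.request, 'User') and not flask.request.User.is_admin()`, a production request that reaches an admin_only function with no `User` attribute on the request (exactly the state in the traceback above) now skips the `raise utils.InvalidUsage(err, 401)` entirely and runs the function, so the decorator only blocks callers who are logged in as non-admins. If the intent is to let internal model code (set_subscriber_level called from User.__init__ before any request user exists) bypass the check, mark that path explicitly rather than inferring it from a missing attribute; for endpoint access, treat a missing user as unauthorized, e.g. `user = getattr(flask.request, 'User', None)` / `if user is None or not user.is_admin():` / `raise utils.InvalidUsage(err, 401)`. A log line on the skipped branch would also make the next recurrence visible.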

toconnell commented 1 year ago

As predicted, this hasn't really gone away. This one just came through:

User OID: 666 Method: POST URL: http://api.kdm-manager.com/reset_password/request_code JSON: {'username': 'xxxxxxxxxxxxxxx@gmail.com'}

Traceback (most recent call last):
File "/home/toconnell/kdm-manager-api/venv/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
 rv = self.dispatch_request()
File "/home/toconnell/kdm-manager-api/venv/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
 return self.view_functions[rule.endpoint](**req.view_args)
File "/home/toconnell/kdm-manager-api/app/utils/crossdomain.py", line 57, in wrapped_function
 resp = flask.make_response(func(*args, **kwargs))
File "/home/toconnell/kdm-manager-api/app/routes.py", line 346, in reset_password
 return users.initiate_password_reset()
File "/home/toconnell/kdm-manager-api/app/models/users.py", line 208, in initiate_password_reset
 U = User(_id=user["_id"])
File "/home/toconnell/kdm-manager-api/app/models/users.py", line 451, in __init__
 flask.request.User.user['login'] == self.user.get('login', None)
TypeError: 'NoneType' object is not subscriptable

toconnell commented 8 months ago

These are still showing up from time to time, even after the big October refactor:

User OID: 666 Method: POST URL: http://api.kdm-manager.com/login JSON: {'username': 'xxxxxx@gmail.com', 'password': 'xxxxxxxx'}

Traceback (most recent call last):
File "/home/toconnell/kdm-manager-api/venv/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
 rv = self.dispatch_request()
File "/home/toconnell/kdm-manager-api/venv/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
 return self.view_functions[rule.endpoint](**req.view_args)
File "/home/toconnell/kdm-manager-api/app/utils/crossdomain.py", line 57, in wrapped_function
 resp = flask.make_response(func(*args, **kwargs))
File "/home/toconnell/kdm-manager-api/app/routes.py", line 332, in get_token
 user_object = users.authenticate(
File "/home/toconnell/kdm-manager-api/app/models/users/__init__.py", line 88, in authenticate
 user_object = User(_id=user["_id"])
File "/home/toconnell/kdm-manager-api/app/models/users/_user.py", line 91, in __init__
 flask.request.User.user['login'] == self.user.get('login', None)
TypeError: 'NoneType' object is not subscriptable
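An added example, not the project's code, contrasting the patched `hasattr` guard from the diff above with a fail-closed version. A stand-in `Request` object plays the role of `flask.request`, and `InvalidUsage` and `User` are minimal assumed models, so it runs without Flask; the `loaded=False` user reproduces the state behind the later `'NoneType' object is not subscriptable` tracebacks, where `request.User` exists but its record is `None`.

```python
class InvalidUsage(Exception):
    """Stand-in for utils.InvalidUsage: carries the HTTP status to return."""
    def __init__(self, message, status_code=400):
        super().__init__(message)
        self.status_code = status_code

class User:
    """Minimal user model; .user is the stored record (None if never loaded)."""
    def __init__(self, login, admin=False, loaded=True):
        self.user = {'login': login, 'admin': admin} if loaded else None

    def is_admin(self):
        return bool(self.user) and bool(self.user.get('admin'))

class Request:
    """Stand-in for flask.request; 'User' may be unset, as in the traceback."""

request = Request()  # assumed global playing the role of flask.request

def fail_open_admin_only(func):
    """Mirrors the patched guard: a missing User skips the check entirely."""
    def wrapped(*args, **kwargs):
        if hasattr(request, 'User') and not request.User.is_admin():
            raise InvalidUsage('Only API admins may access this endpoint!', 401)
        return func(*args, **kwargs)
    return wrapped

def fail_closed_admin_only(func):
    """Requires an attached User whose record is loaded and flagged admin."""
    def wrapped(*args, **kwargs):
        user = getattr(request, 'User', None)
        # user.user is None is the state that produced the TypeError above
        if user is None or user.user is None or not user.is_admin():
            raise InvalidUsage('Only API admins may access this endpoint!', 401)
        return func(*args, **kwargs)
    return wrapped

def call_as(guard, user):
    """Guard an admin-only action, attach user (None = no User on the request)
    and call it; return the result or the HTTP status the guard raised."""
    export_users = guard(lambda: 'exported')  # the protected action
    request.__dict__.pop('User', None)
    if user is not None:
        request.User = user
    try:
        return export_users()
    except InvalidUsage as exc:
        return exc.status_code
```

With no user attached, the fail-open guard returns `'exported'` while the fail-closed guard returns 401; an internal call path such as `User.__init__` reaching `set_subscriber_level` should be allowed explicitly rather than by falling through the guard.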