Merge pull request #2715 from rommapp/invite-token-invalidation
Invalidate invite token before creating user
@@ -158,8 +158,6 @@ def create_user_from_invite(
|
||||
UserSchema: Newly created user
|
||||
"""
|
||||
|
||||
jti, role = auth_handler.verify_invite_link_token(token)
|
||||
|
||||
try:
|
||||
validate_username(username)
|
||||
validate_password(password)
|
||||
@@ -186,6 +184,7 @@ def create_user_from_invite(
|
||||
detail=msg,
|
||||
)
|
||||
|
||||
role = auth_handler.consume_invite_link_token(token)
|
||||
user = User(
|
||||
username=username.lower(),
|
||||
hashed_password=auth_handler.get_password_hash(password),
|
||||
@@ -195,8 +194,6 @@ def create_user_from_invite(
|
||||
|
||||
created_user = db_user_handler.add_user(user)
|
||||
|
||||
auth_handler.invalidate_invite_link_token(jti)
|
||||
|
||||
return UserSchema.model_validate(created_user)
|
||||
|
||||
|
||||
|
||||
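Review bot: The new `role = auth_handler.consume_invite_link_token(token)` spends the invite before `db_user_handler.add_user(user)` runs, so if the insert fails (duplicate username, DB error) the invitee is left holding a token that now reports "already used" and needs a fresh invite. Consuming first is the right trade-off against double use, but it is a visible behavior change worth stating at the call site, e.g. `# Consume the invite before persisting the user so a concurrent request cannot reuse it; if add_user fails below the invite stays spent and a new one must be issued.` If `validate_username` does not already reject an existing username (not visible here), checking that before the consume call would avoid burning tokens on the most likely failure. `create_user_from_invite` starts before the first hunk, and the move of the consume call is the only logic change across its three hunks.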
@@ -203,13 +203,15 @@ class AuthHandler:
|
||||
)
|
||||
return token
|
||||
|
||||
def verify_invite_link_token(self, token: str) -> tuple[str, str]:
|
||||
def consume_invite_link_token(self, token: str) -> str:
|
||||
"""
|
||||
Verify the invite link token.
|
||||
Verify and consume the invite link token, which invalidates the token to prevent reuse.
|
||||
|
||||
Args:
|
||||
token (str): The token to verify.
|
||||
|
||||
Returns:
|
||||
str: The JTI (JWT ID) of the token.
|
||||
str: The role associated with the token.
|
||||
"""
|
||||
try:
|
||||
payload = jwt.decode(
|
||||
@@ -231,16 +233,12 @@ class AuthHandler:
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="Invite token has already been used or is invalid.",
|
||||
)
|
||||
return jti, role
|
||||
|
||||
def invalidate_invite_link_token(self, jti: str) -> None:
|
||||
"""
|
||||
Invalidate the invite link token.
|
||||
Args:
|
||||
jti (str): The JTI (JWT ID) of the token to invalidate.
|
||||
"""
|
||||
# Invalidate the token as soon as it's read
|
||||
redis_client.delete(f"invite-jti:{jti}")
|
||||
|
||||
return role
|
||||
|
||||
|
||||
class OAuthHandler:
|
||||
def __init__(self) -> None:
|
||||
|
||||
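Review bot: The consume path is still check-then-delete: the lookup that feeds the 400 at `detail="Invite token has already been used or is invalid."` (its lines fall outside the hunk) and the later `redis_client.delete(f"invite-jti:{jti}")` are two separate Redis round-trips, so two requests presenting the same token concurrently can both pass the check and both receive `role`, which is the double use this PR sets out to close. `DEL` returns the number of keys removed, so the delete can be the check itself: `if not redis_client.delete(f"invite-jti:{jti}"):` raising the same HTTPException, after which the earlier existence lookup is redundant (or use `GETDEL` if the stored value is needed). If the `str: The JTI (JWT ID) of the token.` line survives in the new docstring's Returns block, drop it, since the function now returns only `role`. `consume_invite_link_token` begins in the previous hunk at `def consume_invite_link_token`, and its decode and lookup lines are not shown.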