From 8a68ac0d5b85f896dd59042c207bc63c3d026f7d Mon Sep 17 00:00:00 2001
From: 0livd
Date: Fri, 15 Dec 2017 17:10:28 +0100
Subject: Use token based auth in invitation e-mails (#280)
* Use token based auth in invitation e-mails Invitation e-mails no longer contain the clear text project password
* Skip invite page after project creation
- Replace ``The project identifier is demo, remember it!`` by ``Invite other people to join this project!`` (linking to the invite page)
- Encourage users to share the project password via other communication means in the reminder email
---
 ihatemoney/models.py | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
(limited to 'ihatemoney/models.py')
diff --git a/ihatemoney/models.py b/ihatemoney/models.py
index c801b74..9e11054 100644
--- a/ihatemoney/models.py
+++ b/ihatemoney/models.py
@@ -5,8 +5,8 @@ from flask_sqlalchemy import SQLAlchemy, BaseQuery
 from flask import g, current_app
 from sqlalchemy import orm
-from itsdangerous import (TimedJSONWebSignatureSerializer
- as Serializer, BadSignature, SignatureExpired)
+from itsdangerous import (TimedJSONWebSignatureSerializer, URLSafeSerializer,
+ BadSignature, SignatureExpired)
 db = SQLAlchemy()
@@ -201,22 +201,32 @@ class Project(db.Model):
 db.session.delete(self)
 db.session.commit()
- def generate_token(self, expiration):
+ def generate_token(self, expiration=0):
 """Generate a timed and serialized JsonWebToken
 :param expiration: Token expiration time (in seconds)
 """
- serializer = Serializer(current_app.config['SECRET_KEY'], expiration)
- return serializer.dumps({'project_id': self.id}).decode('utf-8')
+ if expiration:
+ serializer = TimedJSONWebSignatureSerializer(
+ current_app.config['SECRET_KEY'],
+ expiration)
+ token = serializer.dumps({'project_id': self.id}).decode('utf-8')
+ else:
+ serializer = URLSafeSerializer(current_app.config['SECRET_KEY'])
+ token = serializer.dumps({'project_id': self.id})
+ return token
 @staticmethod
- def verify_token(token):
+ def verify_token(token, token_type="timed_token"):
 """Return the project id associated to the provided token, None if the provided token is expired or not valid.
 :param token: Serialized TimedJsonWebToken
 """
- serializer = Serializer(current_app.config['SECRET_KEY'])
+ if token_type == "timed_token":
+ serializer = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
+ else:
+ serializer = URLSafeSerializer(current_app.config['SECRET_KEY'])
 try:
 data = serializer.loads(token)
 except SignatureExpired:
-- cgit v1.1
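Review bot: The `else` branch added to verify_token selects the never-expiring URLSafeSerializer for every token_type value other than "timed_token", so a typo or a wrong default at a call site silently accepts an untimed token where a timed one was intended; compare against the one untimed name explicitly and make the final `else` `return None` (or raise). Both serializers are built from the same SECRET_KEY with no `salt=`, so an untimed token is a permanent credential for the project that can only be revoked by rotating the application secret; a purpose-specific salt such as `URLSafeSerializer(current_app.config['SECRET_KEY'], salt='invite')` at least scopes it to invitations, and including in the payload a value that changes when the project password is reset would allow invalidation — confirm against the callers whether that is wanted. In generate_token the new default `expiration=0` means a caller that merely omits the argument now gets an unexpiring token, which the unchanged docstring does not say; extend it with `:param expiration: ... 0 (the default) yields an unexpiring URL-safe token` and add a `:param token_type:` entry to verify_token, whose docstring still names only the timed token. The body of verify_token continues outside the hunk.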