Se arreglado un peque;o Fallo que al usar el hash se podria usar de nuevoy eso daba un fallo seguridad

This commit is contained in:
adevopg
2024-11-18 09:44:02 +01:00
parent c3c424277b
commit 5e1937d245
6 changed files with 28 additions and 9 deletions
Binary file not shown.
Binary file not shown.
+13 -1
View File
@@ -103,21 +103,33 @@ class ClaimedReward(models.Model):
def __str__(self):
return f"{self.username} - {self.recruit_reward.reward_name} - {self.claimed_at}"
from django.db import models
from django.utils import timezone
from django.db import models
from django.utils import timezone
class AccountActivation(models.Model):
username = models.CharField(max_length=17)
email = models.EmailField()
old_email = models.EmailField(null=True, blank=True)
password = models.CharField(max_length=64) # Hash de la contraseña
password = models.CharField(max_length=64)
salt = models.BinaryField(max_length=32)
verifier = models.BinaryField(max_length=32)
recruiter_id = models.IntegerField(null=True, blank=True)
hash = models.CharField(max_length=32, unique=True)
old_email_hash = models.CharField(max_length=32, null=True, blank=True)
is_used = models.BooleanField(default=False) # Indica si el old_email_hash ha sido usado
is_new_email_used = models.BooleanField(default=False) # Indica si el hash del nuevo correo ha sido usado
created_at = models.DateTimeField(default=timezone.now)
def is_expired(self):
return timezone.now() > self.created_at + timezone.timedelta(hours=1)
def __str__(self):
return f"Activation for {self.username}"
class SecurityToken(models.Model):
user = models.ForeignKey(User, on_delete=models.CASCADE)
+12 -5
View File
@@ -1056,11 +1056,15 @@ def change_email_view(request):
def confirm_old_email_view(request):
hash = request.GET.get('hash')
activation = AccountActivation.objects.filter(old_email_hash=hash).first()
activation = AccountActivation.objects.filter(old_email_hash=hash, is_used=False).first()
if not activation:
if not activation or activation.is_expired():
return HttpResponse('Enlace no válido o expirado.', status=400)
# Marcar solo el old_email_hash como usado
activation.is_used = True
activation.save()
# Enviar correo al nuevo correo para confirmar el cambio
activation_link = f"{settings.URL_PRINCIPAL}/es/confirm-new-email?hash={activation.hash}"
context_new_email = {
@@ -1080,11 +1084,15 @@ def confirm_old_email_view(request):
def confirm_new_email_view(request):
hash = request.GET.get('hash')
activation = AccountActivation.objects.filter(hash=hash).first()
activation = AccountActivation.objects.filter(hash=hash, is_new_email_used=False).first()
if not activation:
if not activation or activation.is_expired():
return HttpResponse('Enlace no válido o expirado.', status=400)
# Marcar solo el new_email_hash como usado
activation.is_new_email_used = True
activation.save()
# Actualizar el correo en la base de datos
with connections['acore_auth'].cursor() as cursor:
cursor.execute("""
@@ -1109,7 +1117,6 @@ def confirm_new_email_view(request):
return HttpResponse('El cambio de correo ha sido confirmado y completado con éxito.')
def promo_code_view(request):
return render(request, 'account/promo_code.html')
Binary file not shown.
+2 -2
View File
@@ -43,7 +43,7 @@ INSTALLED_APPS = [
# Configuración para AC SOAP
AC_SOAP_URL = "http://127.0.0.1:2079"
AC_SOAP_USER = " "
AC_SOAP_USER = "AC_SOAP"
AC_SOAP_PASSWORD = "Ladyamy89"
AC_SOAP_URN = "urn:AC"
@@ -102,7 +102,7 @@ MIDDLEWARE = [
ROOT_URLCONF = 'novawow.urls'
URL_PRINCIPAL = ''
URL_PRINCIPAL = 'http://localhost:8009'
# Nombre del servidor
NOMBRE_SERVIDOR = "Nova WoW"