Add password recovery code for session

slapos/runner/__init__.py

@@ -5,7 +5,7 @@ import logging.handlers
 import os
 import sys
 import subprocess
-import hashlib
+from datetime import timedelta
 
 class Parser(OptionParser):
   """
@@ -118,7 +118,8 @@ def serve(config):
     workspace = workdir,
     instance_profile='instance.cfg',
     software_profile='software.cfg',
-    SECRET_KEY=os.urandom(24),
+    SECRET_KEY="123456",
+    PERMANENT_SESSION_LIFETIME=timedelta(days=31),
   )
   if not os.path.exists(workdir):
     os.mkdir(workdir)

slapos/runner/static/css/styles.css

@@ -43,7 +43,7 @@ textarea {
 }
 
 body {
-	background: #2281C1;/*url("../images/1307251316-background-stripes.gif") repeat #9C9C9C;*/
+	background: #1E73BD;/*#1862C4 url("../images/1307251316-background-stripes.gif") repeat #9C9C9C;*/
 	font-family: 'Helvetica Neue',Tahoma,Helvetica,Arial,sans-serif;
 	color: #000000;
 	font-size: 13px;
@@ -711,4 +711,6 @@ padding:10px; font-size:14px; color:#03406A}
 .login-button{width:140px; margin:0 auto;}
 .login-element{float:left; min-width:120px;}
 .login-label{padding:5px; font-size:16px;}
-.login-input{width:220px;}
\ No newline at end of file
+.login-input{width:220px;}
+.information{display:block; float:left; height:16px; margin-top:10px; margin-left:10px; font-weight:bold}
+.account{margin-left:60px;}
\ No newline at end of file

slapos/runner/static/js/scripts/account.js

@@ -6,6 +6,10 @@ $(document).ready( function() {
   		$("#error").Popup("Invalid user name. Please check it!", {type:'alert', duration:3000});
 			return false;
 		}
+    else if ($("input#username").val().length <6){
+      $("#error").Popup("Username must have at least 6 characters", {type:'alert', duration:3000});
+      return false;
+    }
 		if($("input#name").val() === ""){
 			$("#error").Popup("Please enter your name and surname!", {type:'alert', duration:3000});
   		return false;
@@ -18,6 +22,10 @@ $(document).ready( function() {
       $("#error").Popup("Please enter your new password!", {type:'alert', duration:3000});
       return false;
     }
+    if ($("input#password").val() !== "" && $("input#password").val().length <6){
+      $("#error").Popup("The password must have at least 6 characters", {type:'alert', duration:3000});
+      return false;
+    }
     if($("input#password").val() !== ""){
       if($("input#password").val() === "" || !$("input#password").val().match(/^[\w\d\._-]+$/)){
       	$("#error").Popup("Please enter your new password!", {type:'alert', duration:3000});
@@ -29,13 +37,17 @@ $(document).ready( function() {
       }
       haspwd = true;
     }
+    if(!$("input#rcode").val().match(/^[\w\d]+$/)){
+    	$("#error").Popup("Please enter your password recovery code.", {type:'alert', duration:3000});
+			return false;
+		}
     if(send) return false;
     send = true;
     $.ajax({
   		type: "POST",
 			url: $SCRIPT_ROOT + '/updateAccount',
 			data: {name: $("input#name").val(), username:$("input#username").val(), email:$("input#email").val(),
-				password:((haspwd) ? $("input#password").val():"")},
+				password:((haspwd) ? $("input#password").val():""), rcode:$("input#rcode").val()},
 			success: function(data){
         if(data.code ==1){
           location.href = $SCRIPT_ROOT+"/"

slapos/runner/templates/account.html

@@ -6,7 +6,7 @@
 {% endblock %}
 {% block body %}
 <h2 class='title'>Your personal informations</h2><br/>
-<form>
+<form class="account">
   <div class='form'>
     <label for="name">Your name: </label>
     <input type='text' name='name' id='name' value='{{name}}'/>
@@ -24,15 +24,23 @@
     <input type='password' name='cpassword' id='cpassword' value=''/>
     <div class='clear'></div>
     <br/>
+    <label for="rcode">Password Recover code:</label>
+    <input type='password' name='rcode' id='rcode' value=''/>
+    <span class="information"><a href="#" id="information" rel="tooltip">help?</a></span>
+    <div class='clear'></div>
+    <br/>
     <label></label>
-    <input type="submit" name="update" id ="update" value="Update" class="button"/>
+    <input type="submit" name="update" id ="update" value="Update Account" class="button"/>
     <div class='clear'></div>
     <br/><br/><br/>
   </div>
-  <div id="file_info" class="file_info">{% if username %}leave passwords blank to preserve your current password...{%else%}
-    Before starting, please fill your personal informations... {%endif%}
-  </div>
-  <br/>
   <input type="hidden" name="hasAccount" id="hasAccount" value="{{name}}"/>
 </form>
+{% if username %}<div id="file_info" class="file_info">leave passwords blank to preserve your current password...
+  </div><br/>{%endif%}
+<div id="tooltip-information" style="display:none; float:left">
+  <p style="font-size:12px;">
+  Please find this information in your slaprunner<br/> instance parameters.
+  </p>
+</div>
 {% endblock %}

slapos/runner/templates/cloneRepository.html

@@ -18,11 +18,11 @@
   <div class="tabDetails">
     <div id="tab1" class="tabContents">
       <div id="repository" style="margin-left:40px;">
-      <label for='name'>Project name*: </label>
+      <label for='name'>Project name: </label>
       <input type="text" name="name" id="name" size='20' value="Enter the project name..." />
-      <label for='repo'>&nbsp;url*: &nbsp;&nbsp;</label>
+      <label for='repo'>&nbsp;url: &nbsp;&nbsp;</label>
       <input type="text" name="repo" id="repo" size='25' value="Enter the url of your repository..." /><br/>
-      <label for='user'>Your name: &nbsp;&nbsp;&nbsp;&nbsp;</label>
+      <label for='user'>Your name: &nbsp;&nbsp;&nbsp;</label>
       <input type="text" name="user" id="user" size='20' value="{{name}}" />
       <label for='email'>Email: </label>
       <input type="text" name="email" id="email" size='25' value="{% if not email %}Enter your email adress...{% else %}{{email}}{%endif%}" />

slapos/runner/templates/layout.html

@@ -97,7 +97,7 @@
             </div>
             {% if request.path != '/login' %}
             <div id="footer">
-                SlapOs web runner &copy; Vifib SARL 2011 - All right reserved - Creative Commons Shared Alike Non Commercial
+                SlapOS web runner &copy; Vifib SARL 2011 - All right reserved - Creative Commons Shared Alike Non Commercial
             </div>
             {%endif%}
         </div>

slapos/runner/utils.py

@@ -54,8 +54,7 @@ def checkLogin(config, login, pwd):
     list=[username, password, email, complete_name]
   """
   user = getSession(config)
-  salt = "runner81" #to be changed
-  current_pwd = hashlib.md5( salt + pwd ).hexdigest()
+  current_pwd = hashlib.md5( pwd ).hexdigest()
   if user and current_pwd == user[1] and login == user[0]:
     return user
   return False
@@ -73,17 +72,12 @@ def getSession(config):
   Returns:
     a list of user informations or False if fail to read data.
   """
-  user_path = os.path.join(config['runner_workdir'], '.users')
+  user_path = os.path.join(config['etc_dir'], '.users')
   user = ""
   if os.path.exists(user_path):
     user = open(user_path, 'r').read().split(';')
   if type(user) == type(""):
-    #Error: try to restore data from backup
-    if os.path.exists(user_path+'.back'):
-      os.rename(user_path+'.back', user_path)
-      user = open(user_path, 'r').read().split(';')
-    else:
-      return False
+    return False
   return user
 
 def saveSession(config, session, account):
@@ -98,12 +92,11 @@ def saveSession(config, session, account):
   Returns:
     True if all goes well or str (error message) if fail
   """
-  user = os.path.join(config['runner_workdir'], '.users')
+  user = os.path.join(config['etc_dir'], '.users')
   backup = False
   try:
     if account[1]:
-      salt = "runner81" #to be changed
-      account[1] = hashlib.md5(salt + account[1]).hexdigest()
+      account[1] = hashlib.md5(account[1]).hexdigest()
     else:
       account[1] = session['account'][1]
     if 'account' in session:

slapos/runner/views.py

@@ -18,7 +18,7 @@ def before_request():
     account = getSession(app.config)
     if account:
       if request.path != '/login' and request.path != '/doLogin' and \
-          not checkSession(app.config, session, account):
+          not 'account' in session:
         return redirect(url_for('login'))
       session['title'] = getProjectTitle(app.config)
     else:
@@ -485,6 +485,10 @@ def updateAccount():
   account.append(request.form['password'].strip())
   account.append(request.form['email'].strip())
   account.append(request.form['name'].strip())
+  code = request.form['rcode'].strip()
+  recovery_code = open(os.path.join(app.config['etc_dir'], ".rcode"), "r").read()
+  if code != recovery_code:
+    return jsonify(code=0, result="Your password recovery code is not valid!")
   result = saveSession(app.config, session, account)
   if type(result) == type(""):
     return jsonify(code=0, result=result)