Development

2026-06-10 22:57:55 -04:00 · 2026-06-10 22:57:55 -04:00 · a886a56982
commit a886a56982
parent edeb05acf7
4 changed files with 142 additions and 108 deletions
--- a/docker/routlin-dash/app/pages/accountcreate/action.py
+++ b/docker/routlin-dash/app/pages/accountcreate/action.py
@ -88,9 +88,8 @@ def form_create():

    salt   = bcrypt.gensalt()
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt).decode('utf-8')
-    code   = f'{secrets.randbelow(1000000):06d}'
-    expires_ts = int(time.time()) + CODE_TTL_SECS
-    tz_offset  = _tz_to_offset_seconds(tz)
+    code      = f'{secrets.randbelow(1000000):06d}'
+    tz_offset = _tz_to_offset_seconds(tz)

    try:
        _send_verification_email(account['email_address'], code)
@ -101,10 +100,16 @@ def form_create():
    try:
        con = config_utils.open_accounts_db()
        con.execute(
-            '''INSERT OR REPLACE INTO pending_verifications
-               (email, hashed_password, tz_offset_seconds, code, expires_ts)
-               VALUES (?,?,?,?,?)''',
-            (account['email_address'].lower(), hashed, tz_offset, code, expires_ts)
+            '''INSERT INTO clients
+               (cookie_unique_token, email, hashed_password, tz_offset_seconds, verification_code, code_sent_ts)
+               VALUES (?,?,?,?,?,?)
+               ON CONFLICT(cookie_unique_token) DO UPDATE SET
+                   email=excluded.email,
+                   hashed_password=excluded.hashed_password,
+                   tz_offset_seconds=excluded.tz_offset_seconds,
+                   verification_code=excluded.verification_code,
+                   code_sent_ts=excluded.code_sent_ts''',
+            (session.sid, account['email_address'].lower(), hashed, tz_offset, code, int(time.time()))
        )
        con.commit()
        con.close()
@ -112,6 +117,4 @@ def form_create():
        flash(f'Could not store verification: {exc}', 'error')
        return redirect(f'/{_PAGE}')

-    session['pending_verify_email'] = account['email_address']
-
    return redirect('/accountverifyemail')
--- a/docker/routlin-dash/app/pages/accountverifyemail/action.py
+++ b/docker/routlin-dash/app/pages/accountverifyemail/action.py
@ -3,7 +3,6 @@ from flask import Blueprint, request, session, redirect, flash
 import time, secrets
 import auth
 import config_utils
-import settings

 _PAGE = Path(__file__).parent.name

@ -16,49 +15,50 @@ def email_verify():
    if session.get('access_level', 'nothing') != 'nothing':
        return redirect('/overview')

-    pending_email = session.get('pending_verify_email', '').lower()
-    if not pending_email:
-        flash('No pending account creation found. Please start over.', 'error')
-        return redirect('/accountcreate')
+    from pages.accountcreate.action import CODE_TTL_SECS

+    token = session.sid
    try:
-        con  = config_utils.open_accounts_db()
-        row  = con.execute(
-            'SELECT * FROM pending_verifications WHERE email=?', (pending_email,)
+        con    = config_utils.open_accounts_db()
+        client = con.execute(
+            'SELECT * FROM clients WHERE cookie_unique_token=?', (token,)
        ).fetchone()
        con.close()
    except Exception:
-        row = None
+        client = None

-    if not row:
+    if not client or not client['email']:
        flash('No pending account creation found. Please start over.', 'error')
        return redirect('/accountcreate')

-    if int(time.time()) > row['expires_ts']:
+    if int(time.time()) > client['code_sent_ts'] + CODE_TTL_SECS:
        try:
            con = config_utils.open_accounts_db()
-            con.execute('DELETE FROM pending_verifications WHERE email=?', (pending_email,))
+            con.execute(
+                '''UPDATE clients SET email=NULL, hashed_password=NULL,
+                   tz_offset_seconds=NULL, verification_code=NULL, code_sent_ts=NULL
+                   WHERE cookie_unique_token=?''',
+                (token,)
+            )
            con.commit()
            con.close()
        except Exception:
            pass
-        session.pop('pending_verify_email', None)
        flash('Verification code has expired. Please start over.', 'error')
        return redirect('/accountcreate')

    submitted = request.form.get('code', '').strip()
-    if submitted != row['code']:
+    if submitted != client['verification_code']:
        flash('Incorrect verification code.', 'error')
        return redirect(f'/{_PAGE}')

+    pending_email = client['email']
    account = config_utils.get_account_by_email(pending_email)
    if account is None:
-        session.pop('pending_verify_email', None)
        flash('Account no longer exists. Contact your manager.', 'error')
        return redirect('/accountcreate')

    if account.get('hashed_password'):
-        session.pop('pending_verify_email', None)
        flash('This account is already set up. Please log in.', 'error')
        return redirect('/accountlogin')

@ -67,18 +67,22 @@ def email_verify():
        con = config_utils.open_accounts_db()
        con.execute(
            'UPDATE accounts SET hashed_password=?, created_ts=?, created_by=? WHERE account_id=?',
-            (row['hashed_password'], now, 'self', account['account_id'])
+            (client['hashed_password'], now, 'self', account['account_id'])
+        )
+        con.execute(
+            '''UPDATE clients SET email=NULL, hashed_password=NULL,
+               tz_offset_seconds=NULL, verification_code=NULL, code_sent_ts=NULL
+               WHERE cookie_unique_token=?''',
+            (token,)
        )
-        con.execute('DELETE FROM pending_verifications WHERE email=?', (pending_email,))
        con.commit()
        con.close()
    except Exception as exc:
        flash(f'Could not complete account setup: {exc}', 'error')
        return redirect(f'/{_PAGE}')

-    session.pop('pending_verify_email', None)
    session['account_id']                = account['account_id']
-    session['tz_offset_seconds']         = int(row['tz_offset_seconds'])
+    session['tz_offset_seconds']         = int(client['tz_offset_seconds'])
    session['apply_changes_immediately'] = False
    session.permanent                    = True

@ -91,18 +95,27 @@ def email_resend():
    if session.get('access_level', 'nothing') != 'nothing':
        return redirect('/overview')

-    from pages.accountcreate.action import _send_verification_email, CODE_TTL_SECS
+    from pages.accountcreate.action import _send_verification_email

-    pending_email = session.get('pending_verify_email', '').lower()
-    if not pending_email:
+    token = session.sid
+    try:
+        con    = config_utils.open_accounts_db()
+        client = con.execute(
+            'SELECT * FROM clients WHERE cookie_unique_token=?', (token,)
+        ).fetchone()
+        con.close()
+    except Exception:
+        client = None
+
+    if not client or not client['email']:
        flash('No pending account creation found. Please start over.', 'error')
        return redirect('/accountcreate')

-    code       = f'{secrets.randbelow(1000000):06d}'
-    expires_ts = int(time.time()) + CODE_TTL_SECS
+    code         = f'{secrets.randbelow(1000000):06d}'
+    code_sent_ts = int(time.time())

    try:
-        _send_verification_email(pending_email, code)
+        _send_verification_email(client['email'], code)
    except Exception as exc:
        flash(f'Could not resend verification email: {exc}', 'error')
        return redirect(f'/{_PAGE}')
@ -110,8 +123,8 @@ def email_resend():
    try:
        con = config_utils.open_accounts_db()
        con.execute(
-            'UPDATE pending_verifications SET code=?, expires_ts=? WHERE email=?',
-            (code, expires_ts, pending_email)
+            'UPDATE clients SET verification_code=?, code_sent_ts=? WHERE cookie_unique_token=?',
+            (code, code_sent_ts, token)
        )
        con.commit()
        con.close()