diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 9804bb9c0..7dffebe94 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -280,8 +280,9 @@ JWT_AUTH = {
'JWT_EXPIRATION_DELTA': datetime.timedelta(days=7),
'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=30),
'JWT_AUTH_HEADER_PREFIX': 'JWT',
+ 'JWT_GET_USER_SECRET_KEY': lambda user: user.secret_key
}
-
+OLD_PASSWORD_FIELD_ENABLED = True
ACCOUNT_ADAPTER = 'funkwhale_api.users.adapters.FunkwhaleAccountAdapter'
CORS_ORIGIN_ALLOW_ALL = True
# CORS_ORIGIN_WHITELIST = (
diff --git a/api/funkwhale_api/users/migrations/0003_auto_20171226_1357.py b/api/funkwhale_api/users/migrations/0003_auto_20171226_1357.py
new file mode 100644
index 000000000..fd75795d3
--- /dev/null
+++ b/api/funkwhale_api/users/migrations/0003_auto_20171226_1357.py
@@ -0,0 +1,24 @@
+# Generated by Django 2.0 on 2017-12-26 13:57
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('users', '0002_auto_20171214_2205'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='user',
+ name='secret_key',
+ field=models.UUIDField(default=uuid.uuid4, null=True),
+ ),
+ migrations.AlterField(
+ model_name='user',
+ name='last_name',
+ field=models.CharField(blank=True, max_length=150, verbose_name='last name'),
+ ),
+ ]
diff --git a/api/funkwhale_api/users/models.py b/api/funkwhale_api/users/models.py
index c8d0b534c..3a0baf11a 100644
--- a/api/funkwhale_api/users/models.py
+++ b/api/funkwhale_api/users/models.py
@@ -1,6 +1,8 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals, absolute_import
+import uuid
+
from django.contrib.auth.models import AbstractUser
from django.urls import reverse
from django.db import models
@@ -15,6 +17,8 @@ class User(AbstractUser):
# around the globe.
name = models.CharField(_("Name of User"), blank=True, max_length=255)
+ # updated on logout or password change, to invalidate JWT
+ secret_key = models.UUIDField(default=uuid.uuid4, null=True)
# permissions that are used for API access and that worth serializing
relevant_permissions = {
# internal_codename : {external_codename}
@@ -31,3 +35,11 @@ class User(AbstractUser):
def get_absolute_url(self):
return reverse('users:detail', kwargs={'username': self.username})
+
+ def update_secret_key(self):
+ self.secret_key = uuid.uuid4()
+ return self.secret_key
+
+ def set_password(self, raw_password):
+ super().set_password(raw_password)
+ self.update_secret_key()
diff --git a/api/funkwhale_api/users/rest_auth_urls.py b/api/funkwhale_api/users/rest_auth_urls.py
index 9770e69e4..31f5384aa 100644
--- a/api/funkwhale_api/users/rest_auth_urls.py
+++ b/api/funkwhale_api/users/rest_auth_urls.py
@@ -2,11 +2,15 @@ from django.views.generic import TemplateView
from django.conf.urls import url
from rest_auth.registration.views import VerifyEmailView
+from rest_auth.views import PasswordChangeView
+
from .views import RegisterView
+
urlpatterns = [
url(r'^$', RegisterView.as_view(), name='rest_register'),
url(r'^verify-email/$', VerifyEmailView.as_view(), name='rest_verify_email'),
+ url(r'^change-password/$', PasswordChangeView.as_view(), name='change_password'),
# This url is used by django-allauth and empty TemplateView is
# defined just to allow reverse() call inside app, for example when email
diff --git a/api/tests/users/test_jwt.py b/api/tests/users/test_jwt.py
new file mode 100644
index 000000000..d264494e5
--- /dev/null
+++ b/api/tests/users/test_jwt.py
@@ -0,0 +1,27 @@
+import pytest
+import uuid
+
+from jwt.exceptions import DecodeError
+from rest_framework_jwt.settings import api_settings
+
+from funkwhale_api.users.models import User
+
+def test_can_invalidate_token_when_changing_user_secret_key(factories):
+ user = factories['users.User']()
+ u1 = user.secret_key
+ jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
+ jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
+ payload = jwt_payload_handler(user)
+ payload = jwt_encode_handler(payload)
+
+ # this should work
+ api_settings.JWT_DECODE_HANDLER(payload)
+
+ # now we update the secret key
+ user.update_secret_key()
+ user.save()
+ assert user.secret_key != u1
+
+ # token should be invalid
+ with pytest.raises(DecodeError):
+ api_settings.JWT_DECODE_HANDLER(payload)
diff --git a/api/tests/users/test_views.py b/api/tests/users/test_views.py
index 5dbb24ac6..1eb8ef222 100644
--- a/api/tests/users/test_views.py
+++ b/api/tests/users/test_views.py
@@ -97,3 +97,22 @@ def test_can_refresh_token_via_api(client, factories):
assert '"token":' in response.content.decode('utf-8')
# a different token should be returned
assert token in response.content.decode('utf-8')
+
+
+def test_changing_password_updates_secret_key(logged_in_client):
+ user = logged_in_client.user
+ password = user.password
+ secret_key = user.secret_key
+ payload = {
+ 'old_password': 'test',
+ 'new_password1': 'new',
+ 'new_password2': 'new',
+ }
+ url = reverse('change_password')
+
+ response = logged_in_client.post(url, payload)
+
+ user.refresh_from_db()
+
+ assert user.secret_key != secret_key
+ assert user.password != password
diff --git a/front/src/components/auth/Profile.vue b/front/src/components/auth/Profile.vue
index 607fa8ff2..54af5a11c 100644
--- a/front/src/components/auth/Profile.vue
+++ b/front/src/components/auth/Profile.vue
@@ -17,6 +17,10 @@
Staff member
+
+ Settings...
+
+
diff --git a/front/src/components/auth/Settings.vue b/front/src/components/auth/Settings.vue
new file mode 100644
index 000000000..d93373a14
--- /dev/null
+++ b/front/src/components/auth/Settings.vue
@@ -0,0 +1,84 @@
+
+
+
+
+
+
+
+
diff --git a/front/src/main.js b/front/src/main.js
index 0c9230e8e..f7a6b65f4 100644
--- a/front/src/main.js
+++ b/front/src/main.js
@@ -31,6 +31,7 @@ Vue.http.interceptors.push(function (request, next) {
next(function (response) {
// redirect to login form when we get unauthorized response from server
if (response.status === 401) {
+ store.commit('auth/authenticated', false)
logger.default.warn('Received 401 response from API, redirecting to login form')
router.push({name: 'login', query: {next: router.currentRoute.fullPath}})
}
diff --git a/front/src/router/index.js b/front/src/router/index.js
index c7c46a275..f4efc723f 100644
--- a/front/src/router/index.js
+++ b/front/src/router/index.js
@@ -4,6 +4,7 @@ import PageNotFound from '@/components/PageNotFound'
import Home from '@/components/Home'
import Login from '@/components/auth/Login'
import Profile from '@/components/auth/Profile'
+import Settings from '@/components/auth/Settings'
import Logout from '@/components/auth/Logout'
import Library from '@/components/library/Library'
import LibraryHome from '@/components/library/Home'
@@ -39,6 +40,11 @@ export default new Router({
name: 'logout',
component: Logout
},
+ {
+ path: '/settings',
+ name: 'settings',
+ component: Settings
+ },
{
path: '/@:username',
name: 'profile',
diff --git a/front/src/store/auth.js b/front/src/store/auth.js
index 815b0f708..d8bd197f3 100644
--- a/front/src/store/auth.js
+++ b/front/src/store/auth.js
@@ -29,13 +29,24 @@ export default {
},
authenticated: (state, value) => {
state.authenticated = value
+ if (value === false) {
+ state.username = null
+ state.token = null
+ state.tokenData = null
+ state.profile = null
+ state.availablePermissions = {}
+ }
},
username: (state, value) => {
state.username = value
},
token: (state, value) => {
state.token = value
- state.tokenData = jwtDecode(value)
+ if (value) {
+ state.tokenData = jwtDecode(value)
+ } else {
+ state.tokenData = {}
+ }
},
permission: (state, {key, status}) => {
state.availablePermissions[key] = status
@@ -60,7 +71,6 @@ export default {
},
logout ({commit}) {
commit('authenticated', false)
- commit('profile', null)
logger.default.info('Log out, goodbye!')
router.push({name: 'index'})
},