Allow more advanced, custom password logic

Author: 3noch

flask_user/__init__.py

@@ -236,7 +236,7 @@ def hash_password(self, password):
         return passwords.hash_password(self, password)
 
     def get_password(self, user):
-        use_auth_class = True if self.db_adapter.UserAuthClass and hasattr(user, 'user_auth') else False
+        use_auth_class = self.db_adapter.UserAuthClass and hasattr(user, 'user_auth')
         # Handle v0.5 backward compatibility
         if self.db_adapter.UserProfileClass:
             hashed_password = user.password
@@ -245,7 +245,7 @@ def get_password(self, user):
         return hashed_password
 
     def update_password(self, user, hashed_password):
-        use_auth_class = True if self.db_adapter.UserAuthClass and hasattr(user, 'user_auth') else False
+        use_auth_class = self.db_adapter.UserAuthClass and hasattr(user, 'user_auth')
 
         if use_auth_class:
             user.user_auth.password = hashed_password
@@ -261,6 +261,9 @@ def verify_password(self, password, user):
         verified = False
         hashed_password = self.get_password(user)
 
+        if not hashed_password:
+            return False
+
         try:
             verified = passwords.verify_password(self, password, hashed_password)
         except ValueError:

flask_user/forms.py

@@ -82,6 +82,17 @@ class ChangePasswordForm(Form):
     next = HiddenField()
     submit = SubmitField(_('Change password'))
 
+    def __init__(self, formdata=None, obj=None, prefix='', data=None, meta=None, user=None, **kw):
+        self.user = user
+        return super(ChangePasswordForm, self).__init__(
+            formdata=formdata,
+            obj=obj,
+            prefix=prefix,
+            data=data,
+            meta=meta,
+            **kw
+        )
+
     def validate(self):
         # Use feature config to remove unused form fields
         user_manager =  current_app.user_manager
@@ -210,7 +221,7 @@ def validate(self):
             user, user_email = user_manager.find_user_by_email(self.email.data)
 
         # Handle successful authentication
-        if user and user.password and user_manager.verify_password(self.password.data, user):
+        if user and user_manager.verify_password(self.password.data, user):
             return True                         # Successful authentication
 
         # Handle unsuccessful authentication
@@ -308,6 +319,17 @@ class ResetPasswordForm(Form):
     next = HiddenField()
     submit = SubmitField(_('Change password'))
 
+    def __init__(self, formdata=None, obj=None, prefix='', data=None, meta=None, user=None, **kw):
+        self.user = user
+        return super(ResetPasswordForm, self).__init__(
+            formdata=formdata,
+            obj=obj,
+            prefix=prefix,
+            data=data,
+            meta=meta,
+            **kw
+        )
+
     def validate(self):
         # Use feature config to remove unused form fields
         user_manager =  current_app.user_manager

flask_user/views.py

@@ -80,7 +80,8 @@ def change_password():
     db_adapter = user_manager.db_adapter
 
     # Initialize form
-    form = user_manager.change_password_form(request.form)
+    form = user_manager.change_password_form(request.form, user=current_user)
+
     form.next.data = request.args.get('next', _endpoint_url(user_manager.after_change_password_endpoint))  # Place ?next query param in next form field
 
     # Process valid POST
@@ -580,7 +581,7 @@ def reset_password(token):
     user_email.confirmed_at = datetime.utcnow()
 
     # Initialize form
-    form = user_manager.reset_password_form(request.form)
+    form = user_manager.reset_password_form(request.form, user=user)
 
     # Process valid POST
     if request.method=='POST' and form.validate():
@@ -590,9 +591,7 @@ def reset_password(token):
 
         # Change password
         hashed_password = user_manager.hash_password(form.new_password.data)
-        user_auth = user.user_auth if db_adapter.UserAuthClass and hasattr(user, 'user_auth') else user
-        db_adapter.update_object(user_auth, password=hashed_password)
-        db_adapter.commit()
+        user_manager.update_password(user, hashed_password)
 
         # Send 'password_changed' email
         if user_manager.enable_email and user_manager.send_password_changed_email:
@@ -733,5 +732,3 @@ def _endpoint_url(endpoint):
     if endpoint:
         url = url_for(endpoint)
     return url
-
-