o h1 @slddlmZmZddlmZddlmZddlmZm Z ddl m Z ddl m Z mZddlmZddlmZmZmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddl m!Z!ddl"m#Z#dedede$de%fddZ&dedeeeee ffddZ'dedede%fddZ(dede$fddZ)dee fddZ*  d?dede$d e%d!e%de%f d"d#Z+ d@de$d!e%de%fd$d%Z,dedeefd&d'Z-d(efd)d*Z.dedede%fd+d,Z/  - dAded.ed/e%d0e%de%f d1d2Z0ded(ede%fd3d4Z1ded(ede%fd5d6Z2ded(ede%fd7d8Z3dede$d/e%fd9d:Z4ded(ede%fd;d<Z5ded.edeefd=d>Z6d-S)B)OptionalTuple)messages)AbstractBaseUser) HttpRequest HttpResponse)reverse) app_settingssignals) get_adapter)emit_email_changedsync_email_addresssync_user_email_address)send_unknown_account_mail) EmailAddressLogin)ImmediateHttpResponse) ratelimit)get_frontend_url) respond_429)build_absolute_urirequestuseremailreturncCs>z tj||}Wn tjyYdSw|jst||SdS)NFT)robjects get_for_user DoesNotExistverified verify_email)rrr email_addressr!h/var/www/html/pos/venv/lib/python3.10/site-packages/allauth/account/internal/flows/email_verification.pyverify_email_indirectlys r#cCs$||}|s dSt||}||fS)N)NN)confirmlogin_on_verification)r verificationr responser!r!r"verify_email_and_resume%s  r(r cCs|j }tjj|jdj|jd}|jdds)t| |t j dd|j idS|j tj d||rBtjjt||j|dtjjt||d tjrhtjj|jdj|jdD]}|q[t|||t| |t jd d|j id S) z8 Marks the email address as confirmed on the db user_id)pkF)commitz.account/messages/email_confirmation_failed.txtr) conditional)senderrrr )r.rr z$account/messages/email_confirmed.txtT)r+rrfilterr*excludefirst set_verifiedr add_messagerERRORrset_as_primaryr CHANGE_EMAILsaver email_addedsendremail_confirmedremover SUCCESS)rr addedfrom_email_addressinstancer!r!r"r/sV   rcCs2t|d|jd}|std|jgd}t||}|S)zConstructs the email confirmation (activation) url. Note that if you have architected your system such that email confirmations are sent outside of the request context `request` can be `None` here. account_confirm_email)key)args)rrArr)remailconfirmationurlr!r!r"get_email_verification_url^s  rEcCsfddlm}m}|||j}tjstjr'|jj s'|r'|j jr'|j jj |j kr/|r-| dS|S)aSimply logging in the user may become a security issue. If you do not take proper care (e.g. don't purge used email confirmations), a malicious person that got hold of the link will be able to login over and over again and the user is unable to do anything about it. Even restoring their own mailbox security will not help, as the links will still work. For password reset this is different, this mechanism works only as long as the attacker has access to the mailbox. If they no longer has access they cannot issue a password request and intercept it. Furthermore, all places where the links are listed (log files, but even Google Analytics) all of a sudden need to be secured. Purging the email confirmation once confirmed changes the behavior -- users will not be able to repeatedly confirm (in case they forgot that they already clicked the mail). All in all, we only login on verification when the user that is in the process of signing up is present in the session to avoid all of the above. This may not 100% work in case the user closes the browser (and the session gets lost), but at least we're secure. r)EmailVerificationStageLoginStageControllerN)allauth.account.stagesrFrGenterrAr LOGIN_ON_EMAIL_CONFIRMATION"EMAIL_VERIFICATION_BY_CODE_ENABLEDris_authenticatedloginr+r*abortexit)rr rFrGstager!r!r"r%ls" r%Fdry_runraise_exceptionc Cs"ttj|tjd|||ddS)N confirm_emailT)configactionrArQrR limit_get)boolrconsumer RATE_LIMITSlower)rrrQrRr!r!r"%consume_email_verification_rate_limitsr[cCs(t|||d}|stjrtt||S)aL For email verification by link, it is not an issue if the user runs into rate limits. The reason is that the link is session independent. Therefore, if the user hits rate limits, we can just silently skip sending additional verification emails, as the previous emails that were already sent still contain valid links. This is different from email verification by code. Here, the session contains a specific code, meaning, silently skipping new verification emails is not an option, and we must hard fail (429) instead. The latter was missing, fixed. )rR)r[r rKrr)rrrRrl_okr!r!r"$handle_verification_email_rate_limits    r]cCs,tjj|jddd}|st|}|S)Nr)z-primaryz -verified)rrr/r+order_byr1r)raddressr!r!r"get_address_for_usersr`rMcCsR|jsJ|jr$z tj|j|jWStjy#t|j|jYSwt|jSN)rrrrrrr r`)rMr!r!r"get_address_for_logins  rbcCst|}|sdSt||S)z/ Used in the email-required-decorator. F)r`"send_verification_email_to_address)rrr_r!r!r" send_verification_email_for_users rdNr_signupskip_enumeration_mailscCstjr|sddlm}|j||jr|jnd|jd}|jSt ||j}|s'dS|js@|r-n|r7t |jnt ||jd}ntjrOt j |||d|}n|j||d}t||j|d|rktjj|j|||ddS) zB Resend email verification for an existing email address. r)EmailVerificationProcessN)rrrFre)r.r confirmationreT)r rK9allauth.account.internal.flows.email_verification_by_coderginitiater*rrdid_sendr]r send_account_already_exists_mailrsend_confirmation_mailsend_confirmation#add_email_verification_sent_messager email_confirmation_sentr9 __class__)rr_reprocessrfrgr9rir!r!r"rcsF   rccCs"|js t||}|St||}|S)a$ At this point, it has already been confirmed that email verification is needed. Email verification mails are sent: a) Explicitly: when a user signs up b) Implicitly: when a user attempts to log in using an unverified email while EMAIL_VERIFICATION is mandatory. )r%send_verification_email_at_fake_login%send_verification_email_at_real_login)rrMsentr!r!r" send_verification_email_at_logins   rwcCsN|jsJt|}|s dS|jrdSt|||j}|sdSt|||jdS)NFrh)rrbrr should_send_confirmation_mailrerc)rrMr_r9r!r!r"ru*s rucCs0|jrJ|js dStd|jd}t||ddS)z! Enumeration prevention. FN)rrTrh)rrrrc)rrMr_r!r!r"rt7s rtc Cs"t|tjd|| |ddS)Nz,account/messages/email_confirmation_sent.txt)rrMre)r r3rINFO)rrrer!r!r"rpDs  rpcCsp|jr tjr |jtjjkrdSztj|j |j}|j s't ||jdds*WdSWdSWdStj y7YdSw)z Returns whether or not the email verification is *hard* rate limited. Hard, meaning, it would be blocking login (verification by code, not link). FT)rQ) rr rKemail_verificationEmailVerificationMethod MANDATORYrrrrrr[r)rrMr r!r!r"is_verification_rate_limitedMs*r}cCs |jst||}|r|SdSra)rr rS)rr_ confirmedr!r!r"mark_email_address_as_verifiedds r)FF)F)FNF)7typingrrdjango.contribrdjango.contrib.auth.base_userr django.httprr django.urlsrallauth.accountr r allauth.account.adapterr +allauth.account.internal.flows.manage_emailr r r%allauth.account.internal.flows.signuprallauth.account.modelsrrallauth.core.exceptionsrallauth.core.internalrallauth.core.internal.httpkitrallauth.core.ratelimitr allauth.utilsrstrrWr#r(rrEr%r[r]r`rbrdrcrwrurtrpr}rr!r!r!r"s              /-     6