34 reduce auth restrictions (#474)

* Disallow email-address team names & allow login with team name or email address * Don't show password reset form if server isn't configured * Add a message to contact admins instead of submit password reset form * Add utils.check_email_format()
2025-12-20 07:14:24 +01:00 · 2017-11-21 22:20:31 -05:00
parent e10c8b103b
commit 7348515e6c
8 changed files with 100 additions and 10 deletions
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -86,7 +86,7 @@ def reset_password(data=None):
        except BadTimeSignature:
            return render_template('reset_password.html', errors=['Your link has expired'])
        except:
-            return render_template('reset_password.html', errors=['Your link appears broken, please try again.'])
+            return render_template('reset_password.html', errors=['Your link appears broken, please try again'])
        team = Teams.query.filter_by(name=name).first_or_404()
        team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
        db.session.commit()
@@ -101,8 +101,20 @@ def reset_password(data=None):
    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
+
+        errors = []
+
+        if utils.can_send_mail() is False:
+            return render_template(
+                'reset_password.html',
+                errors=['Email could not be sent due to server misconfiguration']
+            )
+
        if not team:
-            return render_template('reset_password.html', errors=['If that account exists you will receive an email, please check your inbox'])
+            return render_template(
+                'reset_password.html',
+                errors=['If that account exists you will receive an email, please check your inbox']
+            )
        s = TimedSerializer(app.config['SECRET_KEY'])
        token = s.dumps(team.name)
        text = """
@@ -114,7 +126,10 @@ Did you initiate a password reset?

        utils.sendmail(email, text)

-        return render_template('reset_password.html', errors=['If that account exists you will receive an email, please check your inbox'])
+        return render_template(
+            'reset_password.html',
+            errors=['If that account exists you will receive an email, please check your inbox']
+        )
    return render_template('reset_password.html')


@@ -134,12 +149,15 @@ def register():
        emails = Teams.query.add_columns('email', 'id').filter_by(email=email).first()
        pass_short = len(password) == 0
        pass_long = len(password) > 128
-        valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", request.form['email'])
+        valid_email = utils.check_email_format(request.form['email'])
+        team_name_email_check = utils.check_email_format(name)

        if not valid_email:
-            errors.append("That email doesn't look right")
+            errors.append("Please enter a valid email address")
        if names:
            errors.append('That team name is already taken')
+        if team_name_email_check is True:
+            errors.append('Your team name cannot be an email address')
        if emails:
            errors.append('That email has already been used')
        if pass_short:
@@ -196,7 +214,13 @@ def login():
    if request.method == 'POST':
        errors = []
        name = request.form['name']
-        team = Teams.query.filter_by(name=name).first()
+
+        # Check if the user submitted an email address or a team name
+        if utils.check_email_format(name) is True:
+            team = Teams.query.filter_by(email=name).first()
+        else:
+            team = Teams.query.filter_by(name=name).first()
+
        if team:
            if team and bcrypt_sha256.verify(request.form['password'], team.password):
                try: