Updates WebDAV auth hash in password validation

tracim/tracim/lib/auth/internal.py

@@ -1,12 +1,12 @@
 # -*- coding: utf-8 -*-
+from typing import Dict
+
 from sqlalchemy import and_
 from tg.configuration.auth import TGAuthMetadata
 
 from tracim.lib.auth.base import Auth
 from tracim.model import DBSession, User
 
-# TODO : temporary fix to update DB, to remove
-import transaction
 
 class InternalAuth(Auth):
 
@@ -29,24 +29,35 @@ class InternalApplicationAuthMetadata(TGAuthMetadata):
     def __init__(self, sa_auth):
         self.sa_auth = sa_auth
 
-    def authenticate(self, environ, identity, allow_auth_token: bool=False):
-        user = self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(
-            self.sa_auth.user_class.is_active == True,
-            self.sa_auth.user_class.email == identity['login']
-        )).first()
-
-        if user and user.validate_password(identity['password']):
-            if not user.webdav_left_digest_response_hash:
-                user.webdav_left_digest_response_hash = '%s:/:%s' % (identity['login'], identity['password'])
-                DBSession.flush()
-                # TODO : temporary fix to update DB, to remove
-                transaction.commit()
-            return identity['login']
-
-        if user and allow_auth_token:
-            user.ensure_auth_token()
-            if user.auth_token == identity['password']:
-                return identity['login']
+    def authenticate(
+            self,
+            environ: Dict[str, str],
+            identity: Dict[str, str],
+            allow_auth_token: bool = False,
+    ) -> str:
+        """
+        Authenticates using given credentials.
+
+        Checks password first then auth token if allowed.
+        :param environ:
+        :param identity: The given credentials to authenticate.
+        :param allow_auth_token: The indicator of auth token use.
+        :return: The given login or an empty string if auth failed.
+        """
+        result = ''
+        user = self.sa_auth.dbsession \
+            .query(self.sa_auth.user_class) \
+            .filter(self.sa_auth.user_class.is_active.is_(True)) \
+            .filter(self.sa_auth.user_class.email == identity['login']) \
+            .first()
+        if user:
+            if user.validate_password(identity['password']):
+                result = identity['login']
+            if allow_auth_token:
+                user.ensure_auth_token()
+                if user.auth_token == identity['password']:
+                    result = identity['login']
+        return result
 
     def get_user(self, identity, userid):
         return self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(

tracim/tracim/model/auth.py

@@ -238,11 +238,14 @@ class User(DeclarativeBase):
         :rtype: bool
 
         """
-        if not self.password:
-            return False
-        hash = sha256()
-        hash.update((password + self.password[:64]).encode('utf-8'))
-        return self.password[64:] == hash.hexdigest()
+        result = False
+        if self.password:
+            hash = sha256()
+            hash.update((password + self.password[:64]).encode('utf-8'))
+            result = self.password[64:] == hash.hexdigest()
+            if result and not self.webdav_left_digest_response_hash:
+                self.update_webdav_digest_auth(password)
+        return result
 
     def get_display_name(self, remove_email_part=False):
         """