Merge branch 'main' into cole-dev

Author: costowell

.dockerignore

@@ -0,0 +1 @@
+.docker

Dockerfile

@@ -1,12 +1,10 @@
 FROM docker.io/python:3.13-slim
 MAINTAINER Computer Science House <webmaster@csh.rit.edu>
 
-RUN mkdir /opt/selfservice
+WORKDIR /opt/selfservice
 
 COPY requirements.txt /opt/selfservice
 
-WORKDIR /opt/selfservice
-
 RUN apt-get -yq update && \
     apt-get -yq install libsasl2-dev libldap2-dev libldap-common libssl-dev git gcc g++ make && \
     pip install -r requirements.txt && \

README.md

@@ -33,7 +33,7 @@
 
 1. Run migrations:
    1. ```shell script
-      flask db migrate
+      flask db upgrade
       ```
 
 1. Run the application:

docker-compose.yaml

@@ -1,7 +1,21 @@
 version: '2'
 services:
+    self-service:
+      build:
+        context: .
+      develop:
+        watch:
+          - action: sync+restart
+            path: ./selfservice
+            target: /opt/selfservice/selfservice
+      env_file:
+        - .env
+      ports:
+        - "8080:8080"
+
+
     postgres:
-        image: docker.io/postgres:9.6
+        image: docker.io/postgres:17
         container_name: selfservice-postgres
         restart: always
         volumes:
@@ -10,16 +24,14 @@ services:
             POSTGRES_PASSWORD: supersecretpassword
             POSTGRES_USER: selfservice
         ports:
-            - 127.0.0.1:5433:5432
+            - "127.0.0.1:5433:5432"
     phppgadmin:
         image: docker.io/dockage/phppgadmin:latest
         container_name: selfservice-pgadmin
-        links:
-            - postgres
         environment:
             DATABASE_HOST: postgres
             DATABASE_PORT_NUMBER: 5432
         restart: always
         ports:
-            - 127.0.0.1:8081:8080
-            - 127.0.0.1:8444:8443
+            - "127.0.0.1:8081:8080"
+            - "127.0.0.1:8444:8443"

migrations/versions/92c9d8ea5b74_change_created_to_expires.py

@@ -0,0 +1,38 @@
+"""change created to expires
+
+Revision ID: 92c9d8ea5b74
+Revises: fdb69cd98e19
+Create Date: 2026-03-15 20:16:42.829689
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '92c9d8ea5b74'
+down_revision = 'fdb69cd98e19'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('session', schema=None) as batch_op:
+        batch_op.alter_column('created', new_column_name='expires')
+
+    with op.batch_alter_table('token', schema=None) as batch_op:
+        batch_op.alter_column('created', new_column_name='expires')
+
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('token', schema=None) as batch_op:
+        batch_op.alter_column('expires', new_column_name='created')
+
+    with op.batch_alter_table('session', schema=None) as batch_op:
+        batch_op.alter_column('expires', new_column_name='created')
+
+    # ### end Alembic commands ###

selfservice/__init__.py

@@ -72,12 +72,12 @@
 ipa = Client(ldap_uri, version="2.215")
 
 # Configure rate limiting
-if not app.config["DEBUG"]:
-    limiter = Limiter(
-        get_remote_address, app=app, default_limits=["50 per day", "10 per hour"]
-    )
-else:
-    limiter = Limiter(get_remote_address, app=app, default_limits=[])
+# if not app.config["DEBUG"]:
+#     limiter = Limiter(
+#         get_remote_address, app=app, default_limits=["50 per day", "10 per hour"]
+#     )
+# else:
+#    limiter = Limiter(get_remote_address, app=app, default_limits=[])
 
 # Initialize QR Code Generator
 qr = QRcode(app)
@@ -115,7 +115,7 @@ def index():
 
 
 @app.route("/health")
-@limiter.exempt
+# @limiter.exempt
 def health():
     """
     Shows an ok status if the application is up and running

selfservice/blueprints/recovery.py

@@ -3,13 +3,14 @@
 """
 
 import phonenumbers
+import datetime
 import uuid
 import logging
 
 from flask import Blueprint, render_template, request, redirect, flash
 from flask import session as flask_session
 
-from selfservice.utilities.general import is_expired, email_recovery, phone_recovery
+from selfservice.utilities.general import email_recovery, phone_recovery
 from selfservice.utilities.reset import (
     generate_token,
     passwd_reset,
@@ -91,7 +92,7 @@ def verify_identity(recovery_id):
     methods = verif_methods(session.username)
 
     # Make sure it isn't expired.
-    if is_expired(session.created, 10):
+    if session.is_expired():
         flash("Sorry, your session has expired.")
         return redirect("/recovery")
 
@@ -133,7 +134,7 @@ def method_selection(recovery_id, method):
     methods = verif_methods(session.username)
 
     # Make sure it isn't expired.
-    if is_expired(session.created, 10):
+    if session.is_expired():
         flash("Sorry, your session has expired.")
         return redirect("/recovery")
 
@@ -230,24 +231,23 @@ def reset_password():
 
     token_data = ResetToken.query.filter_by(token=token).first()
 
-    # Redirect if the token provided isn't valid.
-    if (
-        not token
-        or not token_data
-        or is_expired(token_data.created, 30)
-        or token_data.used
-    ):
-        flash(
-            "Oops! Invalid or expired reset token. Each token is only "
-            + "valid for 30 minutes after it is issued."
-        )
+    if not token or not token_data:
+        flash("Oops! No reset token provided. Please try again.")
+        return redirect("/recovery")
+
+    if token_data.used:
+        flash("This recovery token has already been used.")
+        return redirect("/recovery")
+
+    if token_data.is_expired():
+        flash("Oops! Your recovery token expired.")
         return redirect("/recovery")
 
         # Display the reset page.
     if request.method == "GET":
         return render_template("reset.html", token=token_data.token, version=version)
 
-        # Lets actually do the reset.
+        # Actually do the reset.
     if request.form["password"] == request.form["verify"]:
         if len(request.form["password"]) >= 12:
             passwd_reset(
@@ -287,39 +287,47 @@ def admin():
         session_id = str(uuid.uuid4())
 
         # Create the object in the database.
-        session_data = RecoverySession(id=session_id, username=request.form["username"])
+        session_data = RecoverySession(
+            id=session_id,
+            username=request.form["username"],
+            expires=datetime.datetime.now()
+            + datetime.timedelta(hours=int(request.form["expireTime"])),
+        )
         db.session.add(session_data)
         db.session.commit()
 
         token = generate_token(session_data)
 
     members = get_members()
     uid = str(flask_session["userinfo"].get("preferred_username", ""))
+
+    last_sessions_query = (
+        RecoverySession.query.join(ResetToken, RecoverySession.id == ResetToken.session)
+        .with_entities(
+            RecoverySession.username,
+            RecoverySession.expires.label("session_expires"),
+            ResetToken.id.label("token_id"),
+            ResetToken.expires.label("token_expires"),
+            ResetToken.used,
+        )
+        .order_by(ResetToken.expires.desc())
+        .limit(20)
+        .all()
+    )
+
     last_sessions = [
         {
             "username": s.username,
-            "session_created": s.session_created,
             "session_expired": (
-                (is_expired(s.session_created, 10) and not s.token_created)
-                or is_expired(s.token_created, 30)
+                s.session_expires < datetime.datetime.now()
+                or s.token_expires < datetime.datetime.now()
             ),
-            "token_created": s.token_created,
+            "token_exists": s.token_id is not None,
+            "token_expires": s.token_expires,
             "used": s.used,
         }
-        for s in RecoverySession.query.outerjoin(
-            ResetToken, RecoverySession.id == ResetToken.session
-        )
-        .with_entities(
-            RecoverySession.username,
-            RecoverySession.created.label("session_created"),
-            ResetToken.created.label("token_created"),
-            ResetToken.used,
-        )
-        .order_by(RecoverySession.created.desc())
-        .limit(20)
-        .all()
+        for s in last_sessions_query
     ]
-
     return render_template(
         "admin.html",
         version=version,

selfservice/models.py

@@ -2,6 +2,9 @@
 SQLAlchemy Database Models
 """
 
+import datetime
+from datetime import timedelta
+
 from sqlalchemy import (
     Column,
     Integer,
@@ -24,11 +27,19 @@ class ResetToken(db.Model):
     __tablename__ = "token"
     id = Column(Integer, primary_key=True)
     username = Column(String(64), nullable=False)
-    created = Column(DateTime, default=func.timezone("UTC", now()))
+    expires = Column(
+        DateTime,
+        default=func.timezone("UTC", now() + timedelta(minutes=10)),
+        nullable=False,
+    )
     token = Column(String(36))
     session = Column(String(36), ForeignKey("session.id"))
     used = Column(Boolean)
 
+    def is_expired(self) -> bool:
+        """Returns whether the Token is expired"""
+        return self.expires < datetime.datetime.now()
+
 
 class RecoverySession(db.Model):
     """
@@ -40,7 +51,15 @@ class RecoverySession(db.Model):
     __tablename__ = "session"
     id = Column(String(36), primary_key=True)
     username = Column(String(64), nullable=False)
-    created = Column(DateTime, default=func.timezone("UTC", now()))
+    expires = Column(
+        DateTime,
+        default=func.timezone("UTC", now() + timedelta(minutes=30)),
+        nullable=False,
+    )
+
+    def is_expired(self) -> bool:
+        """Returns whether the RecoverySession is expired"""
+        return self.expires < datetime.datetime.now()
 
 
 class PhoneVerification(db.Model):
@@ -56,7 +75,7 @@ class PhoneVerification(db.Model):
 
 class AppSpecificPassword(db.Model):
     """
-    Allows users to authenticate to applications that don't support two factor
+    Allows users to authenticate to applications that don't support two-factor
     auth. Currently: this is only mail
     """