dav_auth: small refactorings and improvements under the hood

dav_auth/views.py

@@ -8,6 +8,7 @@ from django.contrib.auth import views as auth_views, get_user_model
 from django.contrib.auth.password_validation import validate_password
 from django.http import HttpResponseRedirect
 from django.shortcuts import resolve_url
+from django.template.loader import render_to_string
 from django.urls import reverse_lazy, reverse
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext as _
@@ -23,6 +24,7 @@ logger = logging.getLogger(__name__)
 class LoginView(auth_views.LoginView):
     form_class = forms.LoginForm
     template_name = 'dav_auth/forms/login.html'
+    weak_password_warning_template_name = 'dav_auth/includes/weak_password_warning.html'
 
     def get_redirect_url(self):
         url = super().get_redirect_url()
@@ -36,14 +38,8 @@ class LoginView(auth_views.LoginView):
         try:
             validate_password(form.cleaned_data['password'])
         except ValidationError as e:
-            logger.warning('Weak password (%d): %s', self.request.user.pk, e)
-            message = '<br />\n<p>\n'
-            message += 'Dein Passwort entspricht nicht mehr den aktuellen Passwortrichtlinien.<br />\n'
-            message += 'Bitte hilf uns die Daten deiner Teilnehmer zu schützen und ändere dein Passwort.<br />\n'
-            message += '</p>\n'
-            message += '<p>\n'
-            message += '<a href="%(href)s">Passwort ändern</a>\n' % {'href': reverse('dav_auth:set_password')}
-            message += '</p>\n<br />\n'
+            logger.warning('Detected weak password for user id %d: %s', self.request.user.pk, e)
+            message = render_to_string(self.weak_password_warning_template_name)
             messages.warning(self.request, mark_safe(message))
         return r
 
@@ -72,7 +68,7 @@ class SetPasswordView(auth_views.PasswordChangeView):
     def form_valid(self, form):
         r = super().form_valid(form)
         messages.success(self.request, _('Passwort gespeichert.'))
-        logger.info('Changed Password for user \'%s\'', self.request.user)
+        logger.info('Changed password for user \'%s\'', self.request.user)
         if form.cleaned_data.get('send_password_mail', False):
             email = emails.PasswordSetEmail(self.request.user, form.cleaned_data['new_password'])
             email.send()
@@ -83,25 +79,35 @@ class CreateAndSendPasswordView(generic.FormView):
     form_class = forms.CreateAndSendPasswordForm
     template_name = 'dav_auth/forms/recreate_password.html'
     success_url = reverse_lazy('dav_auth:login')
-    password_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789#$%&@^~.,:;/_-*+!?'
-    password_length = 32
+    password_length = app_config.settings.auto_password_length
+    password_chars = app_config.settings.auto_password_characters
+
+    def _create_new_password(self, length=None, characters=None):
+        if length is None:
+            length = self.password_length
+        if characters is None:
+            characters = self.password_chars
+        return ''.join(secrets.choice(characters) for i in range(length))
 
     def form_valid(self, form):
         username = form.cleaned_data.get('username')
         user_model = get_user_model()
+
+        # Generate a new password (even if the user does not exist, to avoid revealing that fact).
+        random_password = self._create_new_password()
+
         try:
             user = user_model.objects.get(username=username)
-            random_password = ''.join(secrets.choice(self.password_chars) for i in range(self.password_length))
             user.set_password(random_password)
             user.save()
             email = emails.PasswordSetEmail(user, random_password)
             email.send()
-            messages.success(self.request, _('Neues Passwort versendet.'))
-            logger.info('Password recreated for user \'%s\'', username)
+            logger.info('Recreated password for user \'%s\'', username)
         except user_model.DoesNotExist:
-            logger.warning('Password recreated for unknown user \'%s\'', username)
-            # Pretend we sent an email, so we do not reveal that the user doesn't exist.
-            messages.success(self.request, _('Neues Passwort versendet.'))
+            logger.warning('Recreated password for unknown user \'%s\'', username)
+
+        # Show message, that we sent an email, even we did not, so we do not reveal that the user doesn't exist.
+        messages.success(self.request, _('Neues Passwort versendet.'))
 
         return super().form_valid(form)