feat(account): enhance user update and verification logic

- Updated UserProfileSerializer to handle password updates securely by hashing new passwords. - Modified UserVerifyView to improve user creation and account takeover logic, ensuring unusable passwords are set for new and converted guest accounts.
8 months ago · 904acf415f
2 changed files with 17 additions and 2 deletions
--- a/apps/account/serializers/user.py
+++ b/apps/account/serializers/user.py
@ -32,10 +32,18 @@ class UserProfileSerializer(serializers.ModelSerializer):
    #     return value

    def update(self, instance, validated_data):
+        # Pop the password from the data to handle it separately
+        password = validated_data.pop('password', None)
+
+        # Use the default update logic for all other fields
        for attr, value in validated_data.items():
            if value is not None:
                setattr(instance, attr, value)

+        # If a new password was provided, hash and set it correctly
+        if password:
+            instance.set_password(password)
+
        instance.save()
        return instance

--- a/apps/account/views/user.py
+++ b/apps/account/views/user.py
@ -202,7 +202,7 @@ class UserVerifyView(CreateAPIView):
        device_id = kwargs.get('device_id') 
        user = User.objects.filter(email=email).first()
        if user:                
-            if kwargs['password']:
+            if kwargs.get('password'):
                user.is_active = True
                user.deletion_date = None
                if device_id:
@ -217,10 +217,17 @@ class UserVerifyView(CreateAPIView):
                user = None
                
            if not user:
+                # Create the user from the verified data
                user = User.objects.create(**kwargs)
+                # Set a non-functional password to prevent authentication errors
+                user.set_unusable_password()
+                user.save()
            else:
+                # Taking over a guest account
                user.email = email
-                user.fullname = kwargs['fullname']    
+                user.fullname = kwargs.get('fullname')
+                # Also set unusable password for converted guest accounts
+                user.set_unusable_password()
            
            if device_id:
                user.device_id = device_id