fix: only the first password letter was used

canaille/core/admin.py

@@ -79,7 +79,7 @@ def password_init_html(user):
     reset_url = url_for(
         "core.auth.reset",
         user=user,
-        hash=build_hash(user.identifier, user.preferred_email, user.password[0]),
+        hash=build_hash(user.identifier, user.preferred_email, user.password),
         title=_("Password initialization on {website_name}").format(
             website_name=current_app.config.get("NAME", "Canaille")
         ),
@@ -105,7 +105,7 @@ def password_init_txt(user):
     reset_url = url_for(
         "core.auth.reset",
         user=user,
-        hash=build_hash(user.identifier, user.preferred_email, user.password[0]),
+        hash=build_hash(user.identifier, user.preferred_email, user.password),
         _external=True,
     )
 
@@ -124,7 +124,7 @@ def password_reset_html(user):
     reset_url = url_for(
         "core.auth.reset",
         user=user,
-        hash=build_hash(user.identifier, user.preferred_email, user.password[0]),
+        hash=build_hash(user.identifier, user.preferred_email, user.password),
         title=_("Password reset on {website_name}").format(
             website_name=current_app.config.get("NAME", "Canaille")
         ),
@@ -150,7 +150,7 @@ def password_reset_txt(user):
     reset_url = url_for(
         "core.auth.reset",
         user=user,
-        hash=build_hash(user.identifier, user.preferred_email, user.password[0]),
+        hash=build_hash(user.identifier, user.preferred_email, user.password),
         _external=True,
     )
 

canaille/core/auth.py

@@ -198,7 +198,7 @@ def reset(user, hash):
         build_hash(
             user.identifier,
             email,
-            user.password[0] if user.has_password() else "",
+            user.password if user.has_password() else "",
         )
         for email in user.emails
     }

canaille/core/mails.py

@@ -44,7 +44,7 @@ def send_password_reset_mail(user, mail):
         hash=build_hash(
             user.identifier,
             mail,
-            user.password[0] if user.has_password() else "",
+            user.password if user.has_password() else "",
         ),
         _external=True,
     )
@@ -85,7 +85,7 @@ def send_password_initialization_mail(user, email):
         hash=build_hash(
             user.identifier,
             email,
-            user.password[0] if user.has_password() else "",
+            user.password if user.has_password() else "",
         ),
         _external=True,
     )

tests/core/test_password_reset.py

@@ -3,7 +3,7 @@
 
 def test_password_reset(testclient, user):
     assert not user.check_password("foobarbaz")[0]
-    hash = build_hash("user", user.preferred_email, user.password[0])
+    hash = build_hash("user", user.preferred_email, user.password)
 
     res = testclient.get("/reset/user/" + hash, status=200)
 
@@ -27,7 +27,7 @@ def test_password_reset_multiple_emails(testclient, user):
     user.save()
 
     assert not user.check_password("foobarbaz")[0]
-    hash = build_hash("user", "[email protected]", user.password[0])
+    hash = build_hash("user", "[email protected]", user.password)
 
     res = testclient.get("/reset/user/" + hash, status=200)
 
@@ -55,7 +55,7 @@ def test_password_reset_bad_link(testclient, user):
 
 
 def test_password_reset_bad_password(testclient, user):
-    hash = build_hash("user", user.preferred_email, user.password[0])
+    hash = build_hash("user", user.preferred_email, user.password)
 
     res = testclient.get("/reset/user/" + hash, status=200)