fix(security): separate booking and check-in tokens

2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions
--- a/backend/bookings/services.py
+++ b/backend/bookings/services.py
@@ -113,16 +113,19 @@ def create_pending_reservation(
            expires_at=confirmation_expires_at,
        )

+        transaction.on_commit(
+            lambda reservation=reservation, raw_confirmation_token=raw_confirmation_token: send_confirmation_email(
+                reservation=reservation,
+                raw_confirmation_token=raw_confirmation_token,
+            )
+        )
+
    result = PendingReservationResult(
        reservation=reservation,
        confirmation_token=confirmation_token,
        raw_confirmation_token=raw_confirmation_token,
        available_seats=available_seats,
    )
-    send_confirmation_email(
-        reservation=result.reservation,
-        raw_confirmation_token=result.raw_confirmation_token,
-    )
    return result


@@ -195,22 +198,22 @@ def confirm_reservation_from_token(raw_token):
        available_seats=available_seats - reservation.party_size,
        qr_code_image=generate_check_in_qr_base64(
            reservation=reservation,
-            raw_check_in_token=raw_token,
+            raw_check_in_token=raw_check_in_token,
        ),
-        qr_code_url=build_check_in_preview_url(raw_token),
+        qr_code_url=build_check_in_preview_url(raw_check_in_token),
    )


 def retrieve_reservation_qr_from_token(raw_token):
    try:
-        confirmation_token = ReservationToken.objects.select_related("reservation").get(
-            token_hash=ReservationToken.hash_token(raw_token),
-            purpose=ReservationToken.Purpose.CONFIRMATION,
+        check_in_token = ReservationToken.objects.select_related("reservation").get_valid_token(
+            raw_token,
+            ReservationToken.Purpose.CHECK_IN,
        )
    except ReservationToken.DoesNotExist as exc:
-        raise InvalidToken("Confirmation token is invalid.") from exc
+        raise InvalidToken("Check-in token is invalid.") from exc

-    reservation = confirmation_token.reservation
+    reservation = check_in_token.reservation
    if reservation.status != Reservation.Status.CONFIRMED:
        raise ReservationNotConfirmed("Reservation must be confirmed before QR retrieval.")