fix(security): separate booking and check-in tokens

bisco
2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions


@@ -98,17 +98,12 @@ def _get_reservation_for_check_in_token(raw_token, *, lock_token=False):
try:
token = queryset.get(
token_hash=ReservationToken.hash_token(raw_token),
purpose=ReservationToken.Purpose.CHECK_IN,
)
except ReservationToken.DoesNotExist as exc:
raise InvalidToken("Check-in token is invalid.") from exc
if token.purpose == ReservationToken.Purpose.CHECK_IN:
if token.used_at is not None or token.is_expired:
raise InvalidToken("Check-in token is invalid.")
elif token.purpose == ReservationToken.Purpose.CONFIRMATION:
if token.reservation.status != Reservation.Status.CONFIRMED:
raise InvalidToken("Check-in token is invalid.")
else:
if token.used_at is not None or token.is_expired:
raise InvalidToken("Check-in token is invalid.")
return token.reservation
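Review bot: The check that survives after the lookup tests only `token.used_at` and `token.is_expired`, so as far as this hunk shows, an unused and unexpired check-in token still resolves to its reservation whatever the reservation's status is. The page has lost its +/- markers, but the `Reservation.Status.CONFIRMED` comparison sits only in the confirmation branch, which reads as the removed side now that the query filters on `purpose=ReservationToken.Purpose.CHECK_IN`. If no caller re-checks the status, add `if token.reservation.status != Reservation.Status.CONFIRMED: raise InvalidToken("Check-in token is invalid.")` before the return. The used/expired test is also a check-then-act, so it is only race-free when callers that consume the token pass `lock_token=True`; a one-line comment saying so would help. The function starts above the hunk, so the queryset construction and any locking are not visible here.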