JSON Token won't load the value after being verified-CodePudding

Once I get to the verify_token function it keeps executing the except statement instead of returning the value in 'id_user' and I'm not sure why. I am using these libraries. flask-login, sqlalchemy, itsdangerous for jsonwebserializer, and wtforms.

Functions

def get_reset_token(user):
    serial = Serializer(app.config['SECRET_KEY'], expires_in=900) # 15 mins in seconds
    return serial.dumps({'id_user':user.id}).decode('utf-8')

def verify_token(token):
    serial = Serializer(app.config['SECRET_KEY'])
    try:
        user_id = serial.load(token)['id_user']
    except:
        return None
    return Users.query.get('id_user')

def send_mail(user):
    token = get_reset_token(user)
    message = Message('Password Reset Request', recipients = [user.email], sender='[email protected]')
    message.body= f'''
To Reset your password, click the following link:

{url_for('reset_token', token = token, _external = True)}

If you did not send this email, please ignore this message.
'''
    mail.send(message)

ROUTES

@app.route('/password_reset', methods = ['GET', 'POST'])
def password_reset():
    form = Password_request()
    if request.method == "POST":
        if form.validate_on_submit:
            user = Users.query.filter_by(email = form.email.data).first()
            send_mail(user)
            flash('Check your email. Password change request has been sent')
            return redirect(url_for('login'))
        else:
            flash('Your email was not linked to an account')
    return render_template('password_reset.html', form = form)


@app.route('/password_reset/<token>', methods = ['GET', 'POST'])
def reset_token(token):
    user = verify_token(token)
    if user == None:
        flash('The token is invalid or expired')
        return redirect(url_for('password_reset'))

    form = Password_success()
    if form.validate_on_submit:
        hashed_password=generate_password_hash(form.password.data, method = 'sha256')
        user.password = hashed_password
        db.session.commit()
        flash('Your password has been updated!')
    return redirect(url_for('signup'))

CodePudding user response：

def verify_token(token):
    serial = Serializer(app.config['SECRET_KEY'])
    try:
        user_id = serial.load(token)['id_user']
    except:
        return None
    return Users.query.get('id_user') # this looks wrong

Shouldn't the last line of verify_token be return Users.query.get(user_id)? You're assigning the value of the token to that variable , then ignoring it and telling SQLAlchemy to find a record with the ID of the string value 'id_user' which I doubt is what you're intending to do.

def verify_token(token):
    serial = Serializer(app.config['SECRET_KEY'])
    try:
        user_id = serial.load(token)['id_user']
    except:
        return None
    return Users.query.get(user_id) # What happens when you change this?