MerginMaps
diff --git a/‎.prod.env‎
Lines changed: 6 additions & 0 deletions b/‎.prod.env‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎server/.test.env‎
Lines changed: 3 additions & 0 deletions b/‎server/.test.env‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎server/Pipfile‎
Lines changed: 1 addition & 1 deletion b/‎server/Pipfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/Pipfile.lock‎
Lines changed: 492 additions & 473 deletions b/‎server/Pipfile.lock‎
Lines changed: 492 additions & 473 deletions
diff --git a/‎server/application.py‎
Lines changed: 6 additions & 6 deletions b/‎server/application.py‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎server/mergin/.env‎
Lines changed: 2 additions & 0 deletions b/‎server/mergin/.env‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎server/mergin/app.py‎
Lines changed: 1 addition & 9 deletions b/‎server/mergin/app.py‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎server/mergin/auth/app.py‎
Lines changed: 10 additions & 7 deletions b/‎server/mergin/auth/app.py‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎server/mergin/auth/bearer.py‎
Lines changed: 2 additions & 4 deletions b/‎server/mergin/auth/bearer.py‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎server/mergin/auth/config.py‎
Lines changed: 2 additions & 0 deletions b/‎server/mergin/auth/config.py‎
Lines changed: 2 additions & 0 deletions
@@ -61,6 +61,12 @@ SECRET_KEY=fixme
 
 #BEARER_TOKEN_EXPIRATION=3600 * 12  # in seconds
 
+#SECURITY_BEARER_SALT=NODEFAULT
+SECURITY_BEARER_SALT=fixme
+
+#SECURITY_EMAIL_SALT=NODEFAULT
+SECURITY_EMAIL_SALT=fixme
+
 #SECURITY_PASSWORD_SALT=NODEFAULT
 SECURITY_PASSWORD_SALT=fixme
 
 
@@ -20,3 +20,6 @@ GLOBAL_WORKSPACE='mergin'
 GLOBAL_STORAGE=104857600
 COLLECT_STATISTICS=0
 GEODIFF_WORKING_DIR=/tmp/geodiff
+SECURITY_BEARER_SALT='bearer'
+SECURITY_EMAIL_SALT='email'
+SECURITY_PASSWORD_SALT='password'
@@ -39,7 +39,7 @@ urllib3 = "==2.2.2"
 shapely = "==2.0.6"
 psycogreen = "==1.0.2"
 importlib-metadata = "==8.4.0"  # https://github.com/pallets/flask/issues/4502
-typing_extensions= "==4.12.2"
+typing_extensions = "==4.12.2"
 # requirements for development on windows
 colorama = "==0.4.5"
 
 
@@ -26,7 +26,7 @@
 from mergin.sync.tasks import remove_temp_files, remove_projects_backups
 from mergin.celery import celery, configure_celery
 from mergin.stats.config import Configuration
-from mergin.stats.tasks import send_statistics
+from mergin.stats.tasks import save_statistics, send_statistics
 from mergin.stats.app import register as register_stats
 
 Configuration.SERVER_TYPE = "ce"
@@ -65,14 +65,14 @@ def setup_periodic_tasks(sender, **kwargs):
         remove_projects_backups,
         name="remove old project backups",
     )
+    sender.add_periodic_task(
+        crontab(hour="*/12", minute=0),
+        save_statistics,
+        name="Save usage statistics to database",
+    )
     if Configuration.COLLECT_STATISTICS:
         sender.add_periodic_task(
             crontab(hour=randint(0, 5), minute=randint(0, 60)),
             send_statistics,
             name="send usage statistics",
         )
-
-
-# send report after start
-if Configuration.COLLECT_STATISTICS:
-    send_statistics.delay()
@@ -1,6 +1,8 @@
 GEODIFF_LOGGER_LEVEL="2"
 # only for dev - should be overwritten in production
 SECRET_KEY='top-secret'
+SECURITY_BEARER_SALT='top-secret'
+SECURITY_EMAIL_SALT='top-secret'
 SECURITY_PASSWORD_SALT='top-secret'
 MAIL_DEFAULT_SENDER=''
 FLASK_DEBUG=0
@@ -139,15 +139,6 @@ def create_simple_app() -> Flask:
     if Configuration.GEVENT_WORKER:
         flask_app.wsgi_app = GeventTimeoutMiddleware(flask_app.wsgi_app)
 
-    @flask_app.cli.command()
-    def init_db():
-        """Re-creates application database"""
-        print("Database initialization ...")
-        db.drop_all(bind=None)
-        db.create_all(bind=None)
-        db.session.commit()
-        print("Done. Tables created.")
-
     add_commands(flask_app)
 
     return flask_app
@@ -211,6 +202,7 @@ def load_user_from_header(header_val):  # pylint: disable=W0613,W0612
             try:
                 data = decode_token(
                     app.app.config["SECRET_KEY"],
+                    app.app.config["SECURITY_BEARER_SALT"],
                     header_val,
                     app.app.config["BEARER_TOKEN_EXPIRATION"],
                 )
 
@@ -80,17 +80,15 @@ def authenticate(login, password):
         return user
 
 
-def generate_confirmation_token(app, email):
+def generate_confirmation_token(app, email, salt):
     serializer = URLSafeTimedSerializer(app.config["SECRET_KEY"])
-    return serializer.dumps(email, salt=app.config["SECURITY_PASSWORD_SALT"])
+    return serializer.dumps(email, salt=salt)
 
 
-def confirm_token(token, expiration=3600 * 24 * 3):
+def confirm_token(token, salt, expiration=3600):
     serializer = URLSafeTimedSerializer(current_app.config["SECRET_KEY"])
     try:
-        email = serializer.loads(
-            token, salt=current_app.config["SECURITY_PASSWORD_SALT"], max_age=expiration
-        )
+        email = serializer.loads(token, salt=salt, max_age=expiration)
     except:
         return
     return email
@@ -103,7 +101,12 @@ def send_confirmation_email(app, user, url, template, header, **kwargs):
     """
     from ..celery import send_email_async
 
-    token = generate_confirmation_token(app, user.email)
+    salt = (
+        app.config["SECURITY_EMAIL_SALT"]
+        if url == "confirm-email"
+        else app.config["SECURITY_PASSWORD_SALT"]
+    )
+    token = generate_confirmation_token(app, user.email, salt)
     confirm_url = f"{url}/{token}"
     html = render_template(
         template, subject=header, confirm_url=confirm_url, user=user, **kwargs
 
@@ -7,8 +7,7 @@
 from flask.sessions import TaggedJSONSerializer
 
 
-def decode_token(secret_key, token, max_age=None):
-    salt = "bearer-session"
+def decode_token(secret_key, salt, token, max_age=None):
     serializer = TaggedJSONSerializer()
     signer_kwargs = {"key_derivation": "hmac", "digest_method": hashlib.sha1}
     s = URLSafeTimedSerializer(
@@ -17,8 +16,7 @@ def decode_token(secret_key, token, max_age=None):
     return s.loads(token, max_age=max_age)
 
 
-def encode_token(secret_key, data):
-    salt = "bearer-session"
+def encode_token(secret_key, salt, data):
     serializer = TaggedJSONSerializer()
     signer_kwargs = {"key_derivation": "hmac", "digest_method": hashlib.sha1}
     s = URLSafeTimedSerializer(
 
@@ -6,6 +6,8 @@
 
 
 class Configuration(object):
+    SECURITY_BEARER_SALT = config("SECURITY_BEARER_SALT")
+    SECURITY_EMAIL_SALT = config("SECURITY_EMAIL_SALT")
     SECURITY_PASSWORD_SALT = config("SECURITY_PASSWORD_SALT")
     BEARER_TOKEN_EXPIRATION = config(
         "BEARER_TOKEN_EXPIRATION", default=3600 * 12, cast=int