Flask framework, ~20 mins

Password reset email pattern in Flask - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
What does this Flask route do when a password reset is requested?

Consider this Flask route for password reset requests. What is the main behavior when a user submits their email?

Flask
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route('/reset-password', methods=['GET', 'POST'])
def reset_password():
    if request.method == 'POST':
        email = request.form.get('email')
        if email and '@' in email:
            # Simulate sending reset email
            return 'Reset email sent to ' + email
        else:
            return 'Invalid email', 400
    return render_template_string('<form method="post"><input name="email" type="email"/><button>Send</button></form>')
A. It sends a reset email if the email contains '@', otherwise returns a 400 error.
B. It always sends a reset email regardless of the email format.
C. It only accepts GET requests and ignores POST.
D. It returns a 404 error if the method is GET.
💡 Hint

Look at the condition that checks the email format and the HTTP method.

📝 Syntax
intermediate
Which option correctly generates a secure token for password reset?

Which code snippet correctly generates a secure token for a password reset link in Flask?

Flask
import secrets

def generate_token():
    # Fill in the correct token generation
    pass
A. return secrets.choice(['a','b','c','d'])
B. return secrets.randbelow(1000000)
C. return secrets.token_hex(4)
D. return secrets.token_urlsafe(32)
💡 Hint

Look for a method that returns a URL-safe string with enough randomness.

🔧 Debug
advanced
Why does this password reset email sending code fail to send emails?

Review this Flask snippet for sending password reset emails. Why does it fail to send emails?

Flask
from flask import Flask
from flask_mail import Mail, Message

app = Flask(__name__)
app.config.update(
    MAIL_SERVER='smtp.example.com',
    MAIL_PORT=587,
    MAIL_USE_TLS=True,
    MAIL_USERNAME='user@example.com',
    MAIL_PASSWORD='password'
)
mail = Mail(app)

def send_reset_email(user_email, token):
    msg = Message('Reset Your Password', sender='noreply@example.com', recipients=[user_email])
    msg.body = f'Click to reset: http://example.com/reset/{token}'
    mail.send(msg)
A. The mail.send() method is missing app context, causing failure.
B. MAIL_USE_TLS should be False for port 587.
C. The sender email must match MAIL_USERNAME exactly.
D. The Mail object is created before app is fully initialized, causing failure.
💡 Hint

Flask-Mail requires app context when sending emails outside request handlers.

State output
advanced
What is the output of this Flask password reset token verification code?

Given this token verification function, what is the output when token='abc123' and stored_tokens={'abc123': 'user1'}?

Flask
stored_tokens = {'abc123': 'user1'}

def verify_token(token):
    user = stored_tokens.get(token)
    if user:
        return f'Token valid for {user}'
    else:
        return 'Invalid token'

result = verify_token('abc123')
A. None
B. "Invalid token"
C. "Token valid for user1"
D. KeyError
💡 Hint

Check what stored_tokens.get(token) returns when token exists.

🧠 Conceptual
expert
Which option best describes the security risk of using predictable tokens in password reset emails?

Why is it dangerous to use predictable tokens (like incremental numbers) in password reset links?

A. Predictable tokens improve performance but reduce email deliverability.
B. Attackers can guess tokens and reset passwords of other users easily.
C. They cause the reset link to expire too quickly, annoying users.
D. Using predictable tokens requires more server memory to store.
💡 Hint

Think about what happens if someone can guess the token in a reset link.