kinto 18.1.0__py3-none-any.whl → 20.4.0__py3-none-any.whl

kinto/core/permission/testing.py

@@ -344,6 +344,12 @@ class PermissionTest:
         )
         self.assertEqual(sorted(per_object_ids.keys()), ["/url/a", "/url/a/id/1", "/url/a/id/2"])
 
+    def test_accessible_objects_with_user_principle(self):
+        self.permission.add_user_principal("user1", "group")
+        self.permission.add_principal_to_ace("id1", "write", "user1")
+        per_object_ids = self.permission.get_accessible_objects(["user1"])
+        self.assertEqual(sorted(per_object_ids.keys()), ["id1"])
+
     #
     # get_object_permissions()
     #

kinto/core/resource/__init__.py

@@ -665,7 +665,7 @@ class Resource:
         obj = self._get_object_or_404(self.object_id)
         self._raise_412_if_modified(obj)
 
-        # Retreive the last_modified information from a querystring if present.
+        # Retrieve the last_modified information from a querystring if present.
         last_modified = self.request.validated["querystring"].get("last_modified")
 
         # If less or equal than current object. Ignore it.
@@ -1058,6 +1058,11 @@ class Resource:
 
     def _extract_filters(self):
         """Extracts filters from QueryString parameters."""
+
+        def is_valid_timestamp(value):
+            # Is either integer, or integer as string, or integer between 2 quotes.
+            return isinstance(value, int) or re.match(r'^(\d+)$|^("\d+")$', str(value))
+
         queryparams = self.request.validated["querystring"]
 
         filters = []
@@ -1081,7 +1086,7 @@ class Resource:
                     operator = COMPARISON.GT
                 else:
                     if param == "_to":
-                        message = "_to is now deprecated, " "you should use _before instead"
+                        message = "_to is now deprecated, you should use _before instead"
                         url = (
                             "https://kinto.readthedocs.io/en/2.4.0/api/"
                             "resource.html#list-of-available-url-"
@@ -1090,7 +1095,7 @@ class Resource:
                         send_alert(self.request, message, url)
                     operator = COMPARISON.LT
 
-                if value == "" or not isinstance(value, (int, str, type(None))):
+                if value is not None and not is_valid_timestamp(value):
                     raise_invalid(self.request, **error_details)
 
                 filters.append(Filter(self.model.modified_field, value, operator))
@@ -1127,7 +1132,7 @@ class Resource:
                 error_details["description"] = "Invalid character 0x00"
                 raise_invalid(self.request, **error_details)
 
-            if field == self.model.modified_field and value == "":
+            if field == self.model.modified_field and not is_valid_timestamp(value):
                 raise_invalid(self.request, **error_details)
 
             filters.append(Filter(field, value, operator))

kinto/core/resource/schema.py

@@ -37,8 +37,7 @@ class URL(URL):
 
     def __init__(self, *args, **kwargs):
         message = (
-            "`kinto.core.resource.schema.URL` is deprecated, "
-            "use `kinto.core.schema.URL` instead."
+            "`kinto.core.resource.schema.URL` is deprecated, use `kinto.core.schema.URL` instead."
         )
         warnings.warn(message, DeprecationWarning)
         super().__init__(*args, **kwargs)

kinto/core/resource/viewset.py

@@ -2,10 +2,10 @@ import functools
 import warnings
 
 import colander
-from cornice.validators import colander_validator
 from pyramid.settings import asbool
 
 from kinto.core import authorization
+from kinto.core.cornice.validators import colander_validator
 
 from .schema import (
     ObjectGetQuerySchema,

kinto/core/statsd.py

@@ -1,63 +1 @@
-import types
-from urllib.parse import urlparse
-
-from pyramid.exceptions import ConfigurationError
-
-from kinto.core import utils
-
-
-try:
-    import statsd as statsd_module
-except ImportError:  # pragma: no cover
-    statsd_module = None
-
-
-class Client:
-    def __init__(self, host, port, prefix):
-        self._client = statsd_module.StatsClient(host, port, prefix=prefix)
-
-    def watch_execution_time(self, obj, prefix="", classname=None):
-        classname = classname or utils.classname(obj)
-        members = dir(obj)
-        for name in members:
-            value = getattr(obj, name)
-            is_method = isinstance(value, types.MethodType)
-            if not name.startswith("_") and is_method:
-                statsd_key = f"{prefix}.{classname}.{name}"
-                decorated_method = self.timer(statsd_key)(value)
-                setattr(obj, name, decorated_method)
-
-    def timer(self, key):
-        return self._client.timer(key)
-
-    def count(self, key, count=1, unique=None):
-        if unique is None:
-            return self._client.incr(key, count=count)
-        else:
-            return self._client.set(key, unique)
-
-
-def statsd_count(request, count_key):
-    statsd = request.registry.statsd
-    if statsd:
-        statsd.count(count_key)
-
-
-def load_from_config(config):
-    # If this is called, it means that a ``statsd_url`` was specified in settings.
-    # (see ``kinto.core.initialization``)
-    # Raise a proper error if the ``statsd`` module is not installed.
-    if statsd_module is None:
-        error_msg = "Please install Kinto with monitoring dependencies (e.g. statsd package)"
-        raise ConfigurationError(error_msg)
-
-    settings = config.get_settings()
-    uri = settings["statsd_url"]
-    uri = urlparse(uri)
-
-    if settings["project_name"] != "":
-        prefix = settings["project_name"]
-    else:
-        prefix = settings["statsd_prefix"]
-
-    return Client(uri.hostname, uri.port, prefix)
+from kinto.plugins.statsd import load_from_config  # noqa: F401

kinto/core/storage/__init__.py

@@ -87,6 +87,21 @@ class StorageBase:
         """
         raise NotImplementedError
 
+    def all_resources_timestamps(self, resource_name):
+        """Get the highest timestamp of every objects in this `resource_name` for
+        each `parent_id`.
+
+        .. note::
+
+            This should take deleted objects into account.
+
+        :param str resource_name: the resource name.
+
+        :returns: the latest timestamp of the resource by `parent_id`.
+        :rtype: dict[str, int]
+        """
+        raise NotImplementedError
+
     def create(
         self,
         resource_name,

kinto/core/storage/memory.py

@@ -153,6 +153,10 @@ class Storage(MemoryBasedStorage):
             raise exceptions.ReadonlyError(message=error_msg)
         return self.bump_and_store_timestamp(resource_name, parent_id)
 
+    @synchronized
+    def all_resources_timestamps(self, resource_name):
+        return {k: v[resource_name] for k, v in self._timestamps.items() if resource_name in v}
+
     def bump_and_store_timestamp(
         self, resource_name, parent_id, obj=None, modified_field=None, last_modified=None
     ):
@@ -284,13 +288,26 @@ class Storage(MemoryBasedStorage):
         modified_field=DEFAULT_MODIFIED_FIELD,
     ):
         parent_id_match = re.compile(parent_id.replace("*", ".*"))
-        by_parent_id = {
+
+        timestamps_by_parent_id = {
             pid: resources
-            for pid, resources in self._cemetery.items()
+            for pid, resources in self._timestamps.items()
             if parent_id_match.match(pid)
         }
+        if resource_name is not None:
+            for pid, resources in timestamps_by_parent_id.items():
+                del self._timestamps[pid][resource_name]
+        else:
+            for pid, resources in timestamps_by_parent_id.items():
+                del self._timestamps[pid]
+
         num_deleted = 0
-        for pid, resources in by_parent_id.items():
+        tombstones_by_parent_id = {
+            pid: resources
+            for pid, resources in self._cemetery.items()
+            if parent_id_match.match(pid)
+        }
+        for pid, resources in tombstones_by_parent_id.items():
             if resource_name is not None:
                 resources = {resource_name: resources[resource_name]}
             for resource, resource_objects in resources.items():

kinto/core/storage/postgresql/__init__.py

@@ -79,7 +79,7 @@ class Storage(StorageBase, MigratorMixin):
 
     # MigratorMixin attributes.
     name = "storage"
-    schema_version = 22
+    schema_version = 23
     schema_file = os.path.join(HERE, "schema.sql")
     migrations_directory = os.path.join(HERE, "migrations")
 
@@ -247,6 +247,36 @@ class Storage(StorageBase, MigratorMixin):
 
         return obj.last_epoch
 
+    def all_resources_timestamps(self, resource_name):
+        query = """
+        WITH existing_timestamps AS (
+          -- Timestamp of latest object by parent_id.
+          (
+            SELECT parent_id, MAX(last_modified) AS last_modified
+            FROM objects
+            WHERE resource_name = :resource_name
+            GROUP BY parent_id
+          )
+          -- Timestamp of resources without sub-objects.
+          UNION
+          (
+            SELECT parent_id, last_modified
+            FROM timestamps
+            WHERE resource_name = :resource_name
+          )
+        )
+        SELECT parent_id, MAX(as_epoch(last_modified)) AS last_modified
+          FROM existing_timestamps
+          GROUP BY parent_id
+          ORDER BY last_modified DESC
+        """
+        with self.client.connect(readonly=True) as conn:
+            result = conn.execute(sa.text(query), dict(resource_name=resource_name))
+            rows = result.fetchmany(self._max_fetch_size + 1)
+
+        results = {r[0]: r[1] for r in rows}
+        return results
+
     @deprecate_kwargs({"collection_id": "resource_name", "record": "obj"})
     def create(
         self,

kinto/core/storage/postgresql/client.py

@@ -95,14 +95,14 @@ def create_from_config(config, prefix="", with_transaction=True):
     url = filtered_settings[prefix + "url"]
     existing_client = _CLIENTS[transaction_per_request].get(url)
     if existing_client:
-        msg = "Reuse existing PostgreSQL connection. " f"Parameters {prefix}* will be ignored."
+        msg = f"Reuse existing PostgreSQL connection. Parameters {prefix}* will be ignored."
         warnings.warn(msg)
         return existing_client
 
     # Initialize SQLAlchemy engine from filtered_settings.
     poolclass_key = prefix + "poolclass"
     filtered_settings.setdefault(
-        poolclass_key, ("kinto.core.storage.postgresql." "pool.QueuePoolWithMaxBacklog")
+        poolclass_key, ("kinto.core.storage.postgresql.pool.QueuePoolWithMaxBacklog")
     )
     filtered_settings[poolclass_key] = config.maybe_dotted(filtered_settings[poolclass_key])
     engine = sqlalchemy.engine_from_config(filtered_settings, prefix=prefix, url=url)

kinto/core/storage/postgresql/migrations/migration_022_023.sql

@@ -0,0 +1,5 @@
+CREATE INDEX IF NOT EXISTS idx_objects_resource_name_parent_id_deleted
+    ON objects(resource_name, parent_id, deleted);
+
+-- Bump storage schema version.
+INSERT INTO metadata (name, value) VALUES ('storage_schema_version', '23');

kinto/core/storage/postgresql/pool.py

@@ -21,7 +21,7 @@ class _QueueWithMaxBacklog(Queue):
         with self.mutex:
             self.cur_backlog += 1
             try:
-                if self.max_backlog >= 0:
+                if self.max_backlog >= 0:  # pragma: no branch
                     if self.cur_backlog > self.max_backlog:
                         block = False
                         timeout = None

kinto/core/storage/postgresql/schema.sql

@@ -47,7 +47,8 @@ CREATE UNIQUE INDEX IF NOT EXISTS idx_objects_parent_id_resource_name_last_modif
     ON objects(parent_id, resource_name, last_modified DESC);
 CREATE INDEX IF NOT EXISTS idx_objects_last_modified_epoch
     ON objects(as_epoch(last_modified));
-
+CREATE INDEX IF NOT EXISTS idx_objects_resource_name_parent_id_deleted
+    ON objects(resource_name, parent_id, deleted);
 
 CREATE TABLE IF NOT EXISTS timestamps (
   parent_id TEXT NOT NULL COLLATE "C",
@@ -131,4 +132,4 @@ INSERT INTO metadata (name, value) VALUES ('created_at', NOW()::TEXT);
 
 -- Set storage schema version.
 -- Should match ``kinto.core.storage.postgresql.PostgreSQL.schema_version``
-INSERT INTO metadata (name, value) VALUES ('storage_schema_version', '22');
+INSERT INTO metadata (name, value) VALUES ('storage_schema_version', '23');

kinto/core/storage/testing.py

@@ -783,6 +783,39 @@ class TimestampsTest:
         after = self.storage.resource_timestamp(**self.storage_kw)
         self.assertTrue(before < after)
 
+    def test_all_timestamps_by_parent_id(self):
+        self.storage.create(obj={"id": "main"}, resource_name="bucket", parent_id="")
+        self.storage.create(obj={"id": "cid1"}, resource_name="collection", parent_id="/main")
+        self.storage.create(obj={"id": "cid2"}, resource_name="collection", parent_id="/main")
+        self.storage.create(obj={}, resource_name="record", parent_id="/main/cid2")
+        self.storage.create(obj={}, resource_name="record", parent_id="/main/cid2")
+
+        self.assertEqual(
+            {
+                "": self.storage.resource_timestamp(resource_name="bucket", parent_id=""),
+            },
+            self.storage.all_resources_timestamps(resource_name="bucket"),
+        )
+        self.assertEqual(
+            {
+                "/main": self.storage.resource_timestamp(
+                    resource_name="collection", parent_id="/main"
+                ),
+            },
+            self.storage.all_resources_timestamps(resource_name="collection"),
+        )
+        self.assertEqual(
+            {
+                "/main/cid1": self.storage.resource_timestamp(
+                    resource_name="record", parent_id="/main/cid1"
+                ),
+                "/main/cid2": self.storage.resource_timestamp(
+                    resource_name="record", parent_id="/main/cid2"
+                ),
+            },
+            self.storage.all_resources_timestamps(resource_name="record"),
+        )
+
     @skip_if_ci
     def test_timestamps_are_unique(self):  # pragma: no cover
         obtained = []
@@ -1263,6 +1296,9 @@ class DeletedObjectsTest:
         self.create_object(parent_id="/abc/a", resource_name="c")
         self.create_object(parent_id="/efg", resource_name="c")
 
+        all_timestamps = self.storage.all_resources_timestamps(resource_name="c")
+        self.assertEqual(set(all_timestamps.keys()), {"/abc/a", "/efg"})
+
         before1 = self.storage.resource_timestamp(parent_id="/abc/a", resource_name="c")
         # Different parent_id with object.
         before2 = self.storage.resource_timestamp(parent_id="/efg", resource_name="c")
@@ -1272,11 +1308,15 @@ class DeletedObjectsTest:
         self.storage.delete_all(parent_id="/abc/*", resource_name=None, with_deleted=False)
         self.storage.purge_deleted(parent_id="/abc/*", resource_name=None)
 
+        all_timestamps = self.storage.all_resources_timestamps(resource_name="c")
+        self.assertEqual(set(all_timestamps.keys()), {"/efg", "/ijk"})
+
+        time.sleep(0.002)  # make sure we don't recreate timestamps at same msec.
         after1 = self.storage.resource_timestamp(parent_id="/abc/a", resource_name="c")
         after2 = self.storage.resource_timestamp(parent_id="/efg", resource_name="c")
         after3 = self.storage.resource_timestamp(parent_id="/ijk", resource_name="c")
 
-        self.assertNotEqual(before1, after1)
+        self.assertNotEqual(before1, after1)  # timestamp was removed, it will differ.
         self.assertEqual(before2, after2)
         self.assertEqual(before3, after3)
 

kinto/core/testing.py

@@ -5,18 +5,22 @@ from collections import defaultdict
 from unittest import mock
 
 import webtest
-from cornice import errors as cornice_errors
 from pyramid.url import parse_url_overrides
 
-from kinto.core import DEFAULT_SETTINGS, statsd
+from kinto.core import DEFAULT_SETTINGS
+from kinto.core.cornice import errors as cornice_errors
 from kinto.core.storage import generators
 from kinto.core.utils import encode64, follow_subrequest, memcache, sqlalchemy
+from kinto.plugins import prometheus, statsd
 
 
 skip_if_ci = unittest.skipIf("CI" in os.environ, "ci")
 skip_if_no_postgresql = unittest.skipIf(sqlalchemy is None, "postgresql is not installed.")
 skip_if_no_memcached = unittest.skipIf(memcache is None, "memcached is not installed.")
 skip_if_no_statsd = unittest.skipIf(not statsd.statsd_module, "statsd is not installed.")
+skip_if_no_prometheus = unittest.skipIf(
+    not prometheus.prometheus_module, "prometheus is not installed."
+)
 
 
 class DummyRequest(mock.MagicMock):

kinto/core/utils.py

@@ -1,4 +1,5 @@
 import collections.abc as collections_abc
+import functools
 import hashlib
 import hmac
 import os
@@ -12,7 +13,6 @@ from urllib.parse import unquote
 import jsonpatch
 import rapidjson
 from colander import null
-from cornice import cors
 from pyramid import httpexceptions
 from pyramid.authorization import Authenticated
 from pyramid.interfaces import IRoutesMapper
@@ -20,6 +20,8 @@ from pyramid.request import Request, apply_request_extensions
 from pyramid.settings import aslist
 from pyramid.view import render_view_to_response
 
+from kinto.core.cornice import cors
+
 
 try:
     import sqlalchemy
@@ -261,8 +263,9 @@ def reapply_cors(request, response):
             settings = request.registry.settings
             allowed_origins = set(aslist(settings["cors_origins"]))
             required_origins = {"*", origin}
-            if allowed_origins.intersection(required_origins):
-                response.headers["Access-Control-Allow-Origin"] = origin
+            matches = allowed_origins.intersection(required_origins)
+            if matches:
+                response.headers["Access-Control-Allow-Origin"] = matches.pop()
 
         # Import service here because kinto.core import utils
         from kinto.core import Service
@@ -287,7 +290,7 @@ def current_service(request):
     """Return the Cornice service matching the specified request.
 
     :returns: the service or None if unmatched.
-    :rtype: cornice.Service
+    :rtype: kinto.core.cornice.Service
     """
     if request.matched_route:
         services = request.registry.cornice_services
@@ -541,3 +544,10 @@ def apply_json_patch(obj, ops):
         raise ValueError(e)
 
     return result
+
+
+def safe_wraps(wrapper, *args, **kwargs):
+    """Safely wraps partial functions."""
+    while isinstance(wrapper, functools.partial):
+        wrapper = wrapper.func
+    return functools.wraps(wrapper, *args, **kwargs)

kinto/core/views/batch.py

@@ -1,11 +1,11 @@
 import logging
 
 import colander
-from cornice.validators import colander_validator
 from pyramid import httpexceptions
 from pyramid.security import NO_PERMISSION_REQUIRED
 
 from kinto.core import Service, errors
+from kinto.core.cornice.validators import colander_validator
 from kinto.core.errors import ErrorSchema
 from kinto.core.resource.viewset import CONTENT_TYPES
 from kinto.core.utils import build_request, build_response, merge_dicts

kinto/core/views/errors.py

@@ -22,6 +22,8 @@ def authorization_required(response, request):
     """
     if Authenticated not in request.effective_principals:
         if response.content_type != "application/json":
+            # This is always the case when `HTTPForbidden` is raised by Pyramid
+            # on protected views with unauthenticated requests.
             error_msg = "Please authenticate yourself to use this endpoint."
             response = http_error(
                 httpexceptions.HTTPUnauthorized(),
@@ -53,7 +55,7 @@ def page_not_found(response, request):
 
     if not request.path.startswith(f"/{request.registry.route_prefix}"):
         errno = ERRORS.VERSION_NOT_AVAILABLE
-        error_msg = "The requested API version is not available " "on this server."
+        error_msg = "The requested API version is not available on this server."
     elif trailing_slash_redirection_enabled:
         redirect = None
 
@@ -80,8 +82,7 @@ def page_not_found(response, request):
 def service_unavailable(response, request):
     if response.content_type != "application/json":
         error_msg = (
-            "Service temporary unavailable "
-            "due to overloading or maintenance, please retry later."
+            "Service temporary unavailable due to overloading or maintenance, please retry later."
         )
         response = http_error(response, errno=ERRORS.BACKEND, message=error_msg)
 

kinto/core/views/openapi.py

@@ -1,8 +1,8 @@
 import colander
-from cornice.service import get_services
 from pyramid.security import NO_PERMISSION_REQUIRED
 
 from kinto.core import Service
+from kinto.core.cornice.service import get_services
 from kinto.core.openapi import OpenAPI
 
 

kinto/plugins/accounts/__init__.py

@@ -6,19 +6,12 @@ from pyramid.exceptions import ConfigurationError
 from kinto.authorization import PERMISSIONS_INHERITANCE_TREE
 
 from .authentication import AccountsAuthenticationPolicy as AccountsPolicy
-from .utils import (
-    ACCOUNT_CACHE_KEY,
-    ACCOUNT_POLICY_NAME,
-    ACCOUNT_RESET_PASSWORD_CACHE_KEY,
-    ACCOUNT_VALIDATION_CACHE_KEY,
-)
+from .utils import ACCOUNT_CACHE_KEY, ACCOUNT_POLICY_NAME
 
 
 __all__ = [
     "ACCOUNT_CACHE_KEY",
     "ACCOUNT_POLICY_NAME",
-    "ACCOUNT_RESET_PASSWORD_CACHE_KEY",
-    "ACCOUNT_VALIDATION_CACHE_KEY",
     "AccountsPolicy",
 ]
 
@@ -27,16 +20,13 @@ DOCS_URL = "https://kinto.readthedocs.io/en/stable/api/1.x/accounts.html"
 
 def includeme(config):
     settings = config.get_settings()
-    validation_enabled = settings.get("account_validation", False)
     config.add_api_capability(
         "accounts",
         description="Manage user accounts.",
         url="https://kinto.readthedocs.io/en/latest/api/1.x/accounts.html",
-        validation_enabled=validation_enabled,
+        validation_enabled=False,
     )
     kwargs = {}
-    if not validation_enabled:
-        kwargs["ignore"] = "kinto.plugins.accounts.views.validation"
     config.scan("kinto.plugins.accounts.views", **kwargs)
 
     PERMISSIONS_INHERITANCE_TREE["root"].update({"account:create": {}})
@@ -45,13 +35,6 @@ def includeme(config):
         "read": {"account": ["write", "read"]},
     }
 
-    if validation_enabled:
-        # Valid mailers other than the default are `debug` and `testing`
-        # according to
-        # https://docs.pylonsproject.org/projects/pyramid_mailer/en/latest/#debugging
-        mailer = settings.get("mail.mailer", "")
-        config.include("pyramid_mailer" + (f".{mailer}" if mailer else ""))
-
     # Check that the account policy is mentioned in config if included.
     accountClass = "AccountsPolicy"
     policy = None
@@ -83,8 +66,7 @@ def includeme(config):
     if "basicauth" in auth_policies and policy in auth_policies:
         if auth_policies.index("basicauth") < auth_policies.index(policy):
             error_msg = (
-                "'basicauth' should not be mentioned before '%s' "
-                "in 'multiauth.policies' setting."
+                "'basicauth' should not be mentioned before '%s' in 'multiauth.policies' setting."
             ) % policy
             raise ConfigurationError(error_msg)
 

kinto/plugins/accounts/authentication.py

@@ -5,31 +5,27 @@ from kinto.core import utils
 from kinto.core.storage import exceptions as storage_exceptions
 
 from .utils import (
+    ACCOUNT_CACHE_KEY,
     ACCOUNT_POLICY_NAME,
-    cache_account,
-    delete_cached_reset_password,
-    get_account_cache_key,
-    get_cached_account,
-    get_cached_reset_password,
-    is_validated,
-    refresh_cached_account,
 )
 
 
 def account_check(username, password, request):
     settings = request.registry.settings
-    validation_enabled = settings.get("account_validation", False)
-    cache_key = get_account_cache_key(username, request.registry)
+    hmac_secret = settings["userid_hmac_secret"]
+    cache_key = utils.hmac_digest(hmac_secret, ACCOUNT_CACHE_KEY.format(username))
+    cache_ttl = int(settings.get("account_cache_ttl_seconds", 30))
     hashed_password = utils.hmac_digest(cache_key, password)
 
     # Check cache to see whether somebody has recently logged in with the same
     # username and password.
-    cache_result = get_cached_account(username, request.registry)
+    cache = request.registry.cache
+    cache_result = cache.get(cache_key)
 
     # Username and password have been verified previously. No need to compare hashes
     if cache_result == hashed_password:
         # Refresh the cache TTL.
-        refresh_cached_account(username, request.registry)
+        cache.expire(cache_key, cache_ttl)
         return True
 
     # Back to standard procedure
@@ -41,53 +37,11 @@ def account_check(username, password, request):
     except storage_exceptions.ObjectNotFoundError:
         return None
 
-    if validation_enabled and not is_validated(existing):
-        return None
-
     hashed = existing["password"].encode(encoding="utf-8")
     pwd_str = password.encode(encoding="utf-8")
     # Check if password is valid (it is a very expensive computation)
     if bcrypt.checkpw(pwd_str, hashed):
-        cache_account(hashed_password, username, request.registry)
-        return True
-
-    # Last chance, is this a "reset password" flow?
-    return reset_password_flow(username, password, request)
-
-
-def reset_password_flow(username, password, request):
-    cache_key = get_account_cache_key(username, request.registry)
-    hashed_password = utils.hmac_digest(cache_key, password)
-    pwd_str = password.encode(encoding="utf-8")
-
-    cached_password = get_cached_reset_password(username, request.registry)
-    if not cached_password:
-        return None
-
-    # The temporary reset password is only available for changing a user's password.
-    if request.method.lower() not in ["post", "put", "patch"]:
-        return None
-
-    # Only allow modifying a user account, no other resource.
-    uri = utils.strip_uri_prefix(request.path)
-    resource_name, _ = utils.view_lookup(request, uri)
-    if resource_name != "account":
-        return None
-
-    try:
-        data = request.json["data"]
-    except (ValueError, KeyError):
-        return None
-
-    # Request one and only one data field: the `password`.
-    if not data or "password" not in data or len(data.keys()) > 1:
-        return None
-
-    cached_password_str = cached_password.encode(encoding="utf-8")
-    if bcrypt.checkpw(pwd_str, cached_password_str):
-        # Remove the temporary reset password from the cache.
-        delete_cached_reset_password(username, request.registry)
-        cache_account(hashed_password, username, request.registry)
+        cache.set(cache_key, hashed_password, ttl=cache_ttl)
         return True