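def login():
    """Handle the team login form (GET renders it, POST authenticates).

    On POST the team is looked up by the ``name`` form field and the submitted
    password is checked against the stored ``bcrypt_sha256`` hash.  A
    successful login rotates the session id, fills ``session`` with the
    team's identity and a fresh nonce, logs the event and redirects to
    ``next`` (only when ``is_safe_url`` accepts it) or to the challenges view.
    Any failure re-renders the form with one generic error message.

    Returns:
        A Flask response: a rendered template or a redirect.
    """
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    logger = logging.getLogger('logins')
    team = Teams.query.filter_by(name=request.form['name']).first()

    # One message for both "unknown team" and "wrong password" so the form
    # does not confirm which names exist.  bcrypt only runs when the team
    # exists, so the two cases still differ in response time.
    if not (team and bcrypt_sha256.verify(request.form['password'], team.password)):
        db.session.close()
        return render_template('login.html', errors=["That account doesn't seem to exist"])

    try:
        session.regenerate()  # new session id on login: defeats session fixation
    except Exception:
        # Best effort: some session backends don't implement regenerate().
        # The former bare ``except:`` also swallowed BaseException and left no
        # trace; at least record that the id was not rotated.
        logger.warning("[{0}] session.regenerate() unavailable; session id not rotated".format(
            time.strftime("%m/%d/%Y %X")))
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = sha512(os.urandom(10))  # fresh per-login token; presumably checked elsewhere
    db.session.close()

    # ``Logger.warn`` is the deprecated alias of ``warning``.
    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))

    next_url = request.args.get('next')
    if next_url and is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('challenges.challenges_view'))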
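def loginAndroid():
    """Authenticate a student for the Android client and answer in JSON.

    Reads ``name`` and ``password`` from the form.  On success the session id
    is rotated, ``session`` is filled with the student's identity and a fresh
    nonce, the login is logged, and either a redirect to a safe ``next`` URL
    or ``{'status': '200', 'nonce': <nonce>}`` is returned.

    Both an unknown name and a wrong password answer with the same JSON
    ``{'status': '400', 'message': 'Invalid Login'}``.  The unknown-name case
    used to render the HTML login page instead, which the JSON client cannot
    use and which let a caller tell the two cases apart.

    Returns:
        A Flask JSON response, or a redirect when ``next`` is safe.
    """
    logger = logging.getLogger('logins')
    student = Students.query.filter_by(name=request.form['name']).first()

    # bcrypt only runs when the student exists, so the two failure cases
    # still differ in response time even though the body is identical.
    if not (student and bcrypt_sha256.verify(request.form['password'], student.password)):
        db.session.close()
        return jsonify({'status': '400', 'message': 'Invalid Login'})

    try:
        session.regenerate()  # new session id on login: defeats session fixation
    except Exception:
        # Best effort: some session backends don't implement regenerate().
        # Record it instead of silently skipping the rotation.
        logger.warning("[{0}] session.regenerate() unavailable; session id not rotated".format(
            time.strftime("%m/%d/%Y %X")))
    session['username'] = student.name
    session['id'] = student.id
    session['admin'] = student.admin
    session['nonce'] = sha512(os.urandom(10))
    session.modified = True  # make sure the session store persists the new values
    db.session.close()

    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))

    next_url = request.args.get('next')
    if next_url and is_safe_url(next_url):
        return redirect(next_url)
    return jsonify({'status': '200', 'nonce': session['nonce']})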
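def login():
    """Handle the team login form (GET renders it, POST authenticates).

    The submitted ``name`` may be an email address, a student number ("sno")
    or a team name; ``utils.check_email_format`` and
    ``utils.check_sno_format`` decide which column is searched.  The password
    is verified with ``bcrypt_sha256``.  On success the session id is
    rotated, ``session`` is populated, the login is logged with the client
    IP, and the user is sent to a safe ``next`` URL or the challenges view.
    Unknown accounts and wrong passwords are logged differently but receive
    the same error message.

    Returns:
        A Flask response: a rendered template or a redirect.
    """
    logger = logging.getLogger('logins')
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    name = request.form['name']
    generic_error = ["Your username or password is incorrect"]

    # Pick the lookup column from the shape of the identifier.
    if utils.check_email_format(name) is True:
        team = Teams.query.filter_by(email=name).first()
    elif utils.check_sno_format(name) is True:
        team = Teams.query.filter_by(sno=name).first()
    else:
        team = Teams.query.filter_by(name=name).first()

    if not team:
        # Unknown account: logged without echoing the submitted identifier.
        logger.warning(
            "[{date}] {ip} - submitted invalid account information".format(
                date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip()))
        db.session.close()
        return render_template('login.html', errors=generic_error)

    if not bcrypt_sha256.verify(request.form['password'], team.password):
        logger.warning(
            "[{date}] {ip} - submitted invalid password for {username}"
            .format(date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
        db.session.close()
        return render_template('login.html', errors=generic_error)

    try:
        session.regenerate()  # new session id on login: defeats session fixation
    except Exception:
        # Best effort: some session backends don't implement regenerate().
        # Record it instead of silently skipping the rotation.
        logger.warning(
            "[{date}] {ip} - session.regenerate() unavailable; session id not rotated".format(
                date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip()))
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    # ``Logger.warn`` is the deprecated alias of ``warning``.
    logger.warning("[{date}] {ip} - {username} logged in".format(
        date=time.strftime("%m/%d/%Y %X"),
        ip=utils.get_ip(),
        username=session['username'].encode('utf-8')))

    next_url = request.args.get('next')
    if next_url and utils.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('challenges.challenges_view'))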
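def login():
    """Handle the team login form (GET renders it, POST authenticates).

    On POST the team is looked up by ``name`` and the password is verified
    with ``bcrypt_sha256``.  A successful login rotates the session id, fills
    ``session`` with the team's identity (including the ``mentor`` flag) and a
    fresh nonce, logs the event and redirects to a safe ``next`` URL or to
    ``views.index`` with ``welcome=1``.  Unknown accounts and wrong passwords
    both get the same generic error.

    Returns:
        A Flask response: a rendered template or a redirect.
    """
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    logger = logging.getLogger('logins')
    team = Teams.query.filter_by(name=request.form['name']).first()

    # Same message for "unknown team" and "wrong password".  bcrypt only runs
    # when the team exists, so the two cases still differ in response time.
    if not (team and bcrypt_sha256.verify(request.form['password'], team.password)):
        db.session.close()
        return render_template('login.html', errors=["Your username or password is incorrect"])

    try:
        session.regenerate()  # new session id on login: defeats session fixation
    except Exception:
        # Best effort: some session backends don't implement regenerate().
        # Record it instead of silently skipping the rotation.
        logger.warning("[{0}] session.regenerate() unavailable; session id not rotated".format(
            time.strftime("%m/%d/%Y %X")))
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['mentor'] = team.mentor
    # A leftover ``print team.mentor`` debug statement used to write the flag
    # to stdout on every login; it has been removed.
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))

    next_url = request.args.get('next')
    if next_url and utils.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('views.index', welcome=1))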
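def register():
    """Handle the registration form (GET renders it, POST creates a user).

    Registration is refused with a redirect to the login page when
    ``can_register()`` is false.  On POST the ``name``, ``email`` and
    ``password`` fields are validated (format, uniqueness, length); any
    problem re-renders the form with the collected errors.  Otherwise a
    ``Users`` row is created with the lower-cased email, the session is
    populated, and depending on ``can_send_mail()`` / ``verify_emails``
    the user is either sent to the confirmation page or (optionally after a
    welcome mail) to a safe ``next`` URL or the challenges view.

    Returns:
        A Flask response: a rendered template or a redirect.
    """
    if not can_register():
        return redirect(url_for('auth.login'))
    if request.method != 'POST':
        return render_template('register.html')

    name = request.form['name']
    email = request.form['email']
    password = request.form['password']

    # Accounts are stored with the lower-cased email (see ``Users(...)``
    # below), so the duplicate check has to compare the lower-cased value
    # too; comparing the raw input let "A@x" register next to "a@x".
    normalized_email = email.lower()
    name_taken = Users.query.add_columns('name', 'id').filter_by(name=name).first()
    email_taken = Users.query.add_columns('email', 'id').filter_by(email=normalized_email).first()
    # ``\Z`` instead of ``$``: ``$`` also matches just before a trailing
    # newline, which would let "user@host.tld\n" through.
    valid_email = re.match(
        r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+\Z)", email)

    errors = []
    if not valid_email:
        errors.append("That email doesn't look right")
    if name_taken:
        errors.append('That username is already taken')
    if email_taken:
        errors.append('That email has already been used')
    if not password:
        errors.append('Pick a longer password')
    if len(password) > 128:
        errors.append('Pick a shorter password')
    if not name:
        errors.append('Pick a longer team name')

    if errors:
        # The template is handed the submitted password back; kept for
        # compatibility with the existing template, but note that it puts the
        # plaintext into the rendered page.
        return render_template('register.html',
                               errors=errors,
                               name=name,
                               email=email,
                               password=password)

    logger = logging.getLogger('regs')
    with app.app_context():
        team = Users(name, normalized_email, password)
        db.session.add(team)
        db.session.commit()  # commit already flushes; the extra flush() was a no-op

        session['username'] = team.name
        session['id'] = team.id
        session['admin'] = team.admin
        session['nonce'] = sha512(os.urandom(10))

        if can_send_mail() and get_config('verify_emails'):
            # Confirmation is enabled and mail works: record the unconfirmed
            # registration and send the user to the confirmation page.
            db.session.close()
            logger.warning(
                "[{0}] {1} registered (UNCONFIRMED) with {2}".format(
                    time.strftime("%m/%d/%Y %X"),
                    name.encode('utf-8'),
                    email.encode('utf-8')))
            return redirect(url_for('auth.confirm_user'))
        if can_send_mail():
            # No confirmation required, but mail works: send a welcome note.
            sendmail(
                email,
                "You've successfully registered for {}".format(
                    get_config('ctf_name')))

    db.session.close()

    logger.warning("[{0}] {1} registered with {2}".format(
        time.strftime("%m/%d/%Y %X"), name.encode('utf-8'),
        email.encode('utf-8')))
    next_url = request.args.get('next')
    if next_url and is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('challenges.challenges_view'))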
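def login():
    """Log a user in through the external NCL SIO authentication API.

    GET renders the login page.  POST takes ``name`` (an email address) and
    ``password``, sends them as HTTP Basic credentials to
    ``<sio_url>/authentications`` and maps the status code: 200 means
    authenticated, 404 unknown user, 500 is treated as a wrong password
    (that mapping follows the remote API as the original code read it), and
    anything else is an unknown error.  An authenticated user is then
    accepted only if ``<sio_url>/teams?name=<ncl team>`` lists their ``id``
    among ``members``.  A local ``Teams`` row is created on first login
    (with a placeholder password, since authentication is delegated), the
    session is populated and the user is redirected to a safe ``next`` URL
    or the challenges view.  Every failure path closes the DB session and
    re-renders the form with one error message.

    Returns:
        A Flask response: a rendered template or a redirect.
    """
    logger = logging.getLogger('logins')
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    name = request.form['name'].strip()
    password = request.form['password']

    def _fail(message):
        # Every rejection closes the DB session and shows a single message.
        db.session.close()
        return render_template('login.html', errors=[message])

    def _stamp():
        # Timestamp format shared by all log lines of this view.
        return time.strftime("%m/%d/%Y %X")

    if not name or not password:
        return _fail("Please enter your email and password")
    if utils.check_email_format(name) is False:
        return _fail("Your email is not in a valid format")

    # HTTP Basic credentials for the SIO API.  Encode to UTF-8 before
    # base64 so a non-ASCII password cannot raise on the Python 2 str/unicode
    # mix, and decode the result so the header value is text on 2 and 3.
    base64creds = base64.b64encode((name + ':' + password).encode('utf-8')).decode('ascii')
    headers = {'Authorization': 'Basic ' + base64creds}
    sio_url = utils.ncl_sio_url()

    try:
        r = requests.post(sio_url + '/authentications', headers=headers, timeout=30)
    except requests.exceptions.RequestException as e:
        logger.warning("[{date}] {ip} - error connecting to SIO authentication service: {exception}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            exception=e
        ))
        return _fail("There is a problem with your login request. Please contact the website administrator")

    if r.status_code == 404:  # This user does not exist
        logger.warning("[{date}] {ip} - submitted invalid user email".format(
            date=_stamp(),
            ip=utils.get_ip()
        ))
        return _fail("Your email or password is incorrect")

    if r.status_code == 500:  # Remote reports this as "exists, wrong password"
        logger.warning("[{date}] {ip} - submitted invalid password for {username}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            username=name.encode('utf-8')
        ))
        return _fail("Your email or password is incorrect")

    if r.status_code != 200:  # Unknown response status code
        logger.warning("[{date}] {ip} - unknown response status code: {status}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            status=str(r.status_code)
        ))
        return _fail("Unknown login error. Please contact the website administrator")

    # Authenticated.  The body is untrusted input from another service:
    # a non-JSON or differently shaped reply used to surface as a 500.
    try:
        user_id = r.json()['id']
    except (ValueError, KeyError, TypeError):
        logger.warning("[{date}] {ip} - malformed response from SIO authentication service".format(
            date=_stamp(),
            ip=utils.get_ip()
        ))
        return _fail("Unknown login error. Please contact the website administrator")

    # Authorization: the user must be a member of this CTF's NCL team.
    ncl_team_name = utils.ncl_team_name()
    try:
        # ``params=`` URL-encodes the team name; concatenating it into the
        # query string produced a broken request for names with spaces or
        # reserved characters.
        teams_r = requests.get(sio_url + '/teams', params={'name': ncl_team_name}, timeout=30)
    except requests.exceptions.RequestException as teams_re:
        logger.warning("[{date}] {ip} - error connecting to SIO teams service: {exception}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            exception=teams_re
        ))
        return _fail("There is a problem with connecting to login service. Please contact the website administrator")

    if teams_r.status_code != 200:  # teams GET failed
        logger.warning("[{date}] {ip} - invalid response status code: {status}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            status=str(teams_r.status_code)
        ))
        return _fail("Unknown response from login service. Please contact the website administrator")

    try:
        team_members = teams_r.json()['members']
        is_user_in_ncl_team = any(member['userId'] == user_id for member in team_members)
    except (ValueError, KeyError, TypeError):
        logger.warning("[{date}] {ip} - malformed response from SIO teams service".format(
            date=_stamp(),
            ip=utils.get_ip()
        ))
        return _fail("Unknown response from login service. Please contact the website administrator")

    if not is_user_in_ncl_team:
        # Authenticated with SIO but not part of this CTF's NCL team: deny.
        logger.warning("[{date}] {ip} - not in this CTF NCL team for {username}".format(
            date=_stamp(),
            ip=utils.get_ip(),
            username=name.encode('utf-8')
        ))
        return _fail("You do not have permissions to login to this site")

    # Local record.  Rows are created with the lower-cased email, so the
    # lookup must use the lower-cased value as well; looking up the raw
    # input missed the row for mixed-case emails and tried to insert again.
    team = Teams.query.filter_by(email=name.lower()).first()
    if not team:
        # First login: the password column is a placeholder because the
        # real check is delegated to SIO.
        team = Teams(name.lower(), name.lower(), "unused_password")
        db.session.add(team)
        db.session.commit()

    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    logger.warning("[{date}] {ip} - {username} logged in".format(
        date=_stamp(),
        ip=utils.get_ip(),
        username=session['username'].encode('utf-8')
    ))

    next_url = request.args.get('next')
    if next_url and utils.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('challenges.challenges_view'))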