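def grantPermission():
    """Grant a permission on behalf of the caller (Permission_Admin only).

    The caller must pass ``allowAccess`` for the ``Permission_Admin`` role and
    present a ``JWT`` header that ``checkJWT`` accepts; the username from that
    token is recorded as the grantor.  The grant itself is still unimplemented
    (see the TODO), so right now the endpoint only authenticates the caller and
    replies with success -- nothing is written.

    Returns a Flask JSON response: ``{"Success": True}`` when the caller is
    allowed, otherwise ``{"Success": False, "Error": ...}``.

    Fixes relative to the previous version: the denial log line had an unfilled
    ``{}`` placeholder and a typo, the JWT result was indexed before checking
    it was accepted, and the success reply parsed ``"{'Success':True}"`` which
    is not valid JSON and raised before a response was sent.
    """
    if allowAccess(['Permission_Admin'], request) == False:
        # The caller's identity has not been established here, so record the
        # remote address for the audit trail.
        apiLog.logWarn("{} attempted to grant permission".format(request.remote_addr))
        return flask.jsonify({"Success": False, "Error": "No Permission"})
    result = checkJWT(request.headers["JWT"])
    # checkJWT signals failure through "Success"/"Error" (see getData); only a
    # successful result carries "username".
    if not result.get("Success") or "username" not in result:
        apiLog.logWarn("grantPermission: JWT rejected ({})".format(result.get("Error")))
        return flask.jsonify({"Success": False, "Error": "JWT Incorrect"})
    username = result["username"]
    # Request body: expected to name the target user and role (see TODO); it
    # is decoded here so an invalid body fails before anything is logged.
    content = request.data.decode("UTF-8")
    #TODO check the username and the corresponding role in `content` against the dictionary, then grant permission
    apiLog.logInfo("Permission granted by {}".format(username))
    return flask.jsonify({"Success": True})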
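def grantPermission(currentusername):
    """Grant a permission; the caller must be a Permission_Admin acting as itself.

    ``currentusername`` (from the URL) must equal the username carried in the
    caller's ``JWT`` header; this ties the role check (``allowAccess``) to a
    specific identity.  The grant itself is still a TODO, so on success the
    endpoint only returns ``{"Success": True}`` -- nothing is persisted.

    Returns a Flask JSON response:
      * ``{"Success": False, "Error": "JWT Incorrect"}``, 400 -- token rejected;
      * ``{"Success": False, "Error": "Incorrect username"}``, 400 -- URL user
        does not match the token user;
      * ``{"Success": False, "Error": "No Permission"}`` -- role not allowed;
      * ``{"Success": True}`` otherwise.

    Fixes relative to the previous version: the token was indexed before its
    result was checked, the mismatch branch read ``response["Error"]`` (absent
    on an accepted token, so it raised KeyError), and the success reply parsed
    ``"{'Success':True}"`` which is not valid JSON.
    """
    #UPDATE: Added param for check both role and username
    response = checkJWT(request.headers["JWT"])
    if not response.get("Success") or "username" not in response:
        apiLog.logWarn("grantPermission: JWT rejected ({})".format(response.get("Error")))
        return flask.jsonify({"Success": False, "Error": "JWT Incorrect"}), 400
    username = response["username"]
    #TODO check the username and the corresponding role to the dictionary then grant permission
    if allowAccess(['Permission_Admin'], request) == True:
        if currentusername != username:
            apiLog.logWarn("{} unauthorized access".format(username))
            return flask.jsonify({"Success": False, "Error": "Incorrect username"}), 400
        # Body is decoded now so an invalid payload fails before the grant TODO runs.
        content = request.data.decode("UTF-8")
        return flask.jsonify({"Success": True})
    else:
        return flask.jsonify({"Success": False, "Error": "No Permission"})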
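def confirm_email(token, max_age=3600):
    """Confirm an e-mail address from the signed confirmation token.

    ``token`` is the URL-safe token that was mailed to the user; its payload is
    the username.  ``max_age`` (seconds, default one hour) bounds how long a
    token stays valid.  The previous version called ``loads`` without
    ``max_age``, so the timestamp the *timed* serializer embeds was never
    checked and a leaked token worked forever.

    Returns a redirect to the login page when the token verifies, otherwise the
    plain string ``'The token does not match'``.  The database update that
    actually flips ``emailVerify`` is still a TODO, so nothing is persisted yet
    even though the info log says "verified".
    """
    try:
        # SECURITY: the signing key is hard-coded in source and must match the
        # sender's key; it belongs in configuration / secret storage.  Left in
        # place here because the sender (not shown) uses the same literal.
        mailkey = URLSafeTimedSerializer( 'blowfish' ) #TODO move this to a secure position (encrypted perhaps)
        # Expired or tampered tokens raise (SignatureExpired / BadSignature),
        # which the handler below turns into a generic failure.
        username = mailkey.loads(token, salt='email-confirm', max_age=max_age)
        #TODO a request that changes emailVerify boolean to true and compare username to database
        apiLog.logInfo("Email verified for {}".format(username))
        return redirect('https://localhost:5000/login')
    except Exception:
        # Deliberately generic: do not tell the client *why* the token failed.
        apiLog.logWarn("Email verification failed")
        return 'The token does not match'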
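def login():
    """First login step: check username/password, then e-mail a one-time code.

    Expects a JSON body ``{"username": ..., "password": ...}``.  When
    ``apiDB.login`` accepts the credentials, a code is sent to the address on
    file (``apiDB.getEmail``) and the reply carries
    ``"Status": "One Time Password"``; the second factor is verified elsewhere.

    Returns a Flask JSON response whose payload is a JSON *string* (the shape
    existing clients already consume): status 200 on success, 400 for a
    malformed body, missing fields, rejected credentials or any internal
    error.  Error replies never expose exception details.

    Fixes relative to the previous version: the parsed body (including the
    clear-text password) was ``print``ed to stdout, exceptions were caught with
    bare ``except:`` clauses, and the internal error was printed rather than
    logged.
    """
    raw = request.data.decode("UTF-8")
    try:
        #LoginUser = decryption(raw, request.headers['id'])
        LoginUser = json.loads(raw)
    except ValueError:
        return flask.jsonify(json.dumps({"Success": False, "Error": "Error Content"})), 400
    # Never print or log LoginUser: it holds the clear-text password.
    try:
        username = LoginUser["username"]
        password = LoginUser["password"]
    except (KeyError, TypeError):
        # TypeError: the body parsed to something other than an object.
        return flask.jsonify({"Success": False, "Error": "Error Content Unfound"}), 400
    try:
        response = apiDB.login(username, password)
        if response["Success"] == False:
            return flask.jsonify(json.dumps(response)), 400
        emailaddr = apiDB.getEmail(username)
        # SECURITY: this "OTP" is a signed, timestamped token derived from the
        # username with a key that is hard-coded in source -- not a random
        # one-time code.  Anyone who knows the key can mint a valid code for any
        # user.  The key must come from secret storage, and the verifier (not
        # shown here) must enforce max_age and single use.  Generation is kept
        # unchanged so the existing verifier still accepts it.
        mailkey = URLSafeTimedSerializer( 'onetimeblow' ) #TODO move this to a secure position (encrypted perhaps)
        otp = mailkey.dumps(username, salt='oneblowfish')
        sendMail('One Time Passcode', emailaddr, "Please use this OTP: " + otp)
        apiLog.logInfo('Login {} {}'.format(username, True))
        return flask.jsonify(json.dumps({"Success": True, "Status": "One Time Password", "Username": username})), 200
    except Exception as e:
        # Server-side detail only (exception type, not its message, which could
        # echo request data); the client gets a generic error.
        apiLog.logWarn('Login {} {}'.format(username, False))
        apiLog.logError("login: unexpected {}".format(type(e).__name__))
        return flask.jsonify(json.dumps({"Success": False, "Error": "Error Unknown"})), 400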
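def login(username, password):
    """Check ``password`` against the bcrypt hash stored for ``username``.

    Users are read from the JSON dictionary at ``userPath`` (keyed by username;
    each record has a ``"password"`` field holding a bcrypt hash string).

    Returns ``{"Success": True}`` on a match, otherwise
    ``{"Success": False, "Error": "Username or Password Incorrect"}``.

    Security note: the previous version answered "Username does not exist" and
    "Password Incorrect" separately, which let an unauthenticated client
    enumerate valid accounts.  Both failures now return the same message; the
    distinction is kept in the server log only.  (A timing difference remains:
    unknown users skip the bcrypt check.)
    """
    users = readJsonDict(userPath)
    if username not in users:
        apiLog.logWarn("Login unknown user {} {}".format(username, False))
        return {"Success": False, "Error": "Username or Password Incorrect"}
    record = users[username]
    if bcrypt.checkpw(password.encode('UTF-8'), record["password"].encode('UTF-8')):
        apiLog.logInfo('Login {} {}'.format(username, True))
        return {"Success": True}
    apiLog.logWarn('Login {} {}'.format(username, False))
    return {"Success": False, "Error": "Username or Password Incorrect"}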
def getData(patientusername):
    """Return the stored record of ``patientusername`` to an authorised caller.

    The caller is identified by the ``JWT`` request header.  A caller whose
    role (``apiDB.getrole``) is ``"Client"`` may only read their own record;
    callers with any other role may read any user's record.

    Responses:
      * 400 with the ``checkJWT`` payload when the token is rejected;
      * 400 ``"unauthorized access"`` for a Client reading another user;
      * 400 ``"No Such user"`` when ``apiDB.getUser`` returns ``False``;
      * 200 with the record as JSON otherwise.
    Every successful read is written to the info log with both usernames.
    NOTE(review): denials use status 400 rather than 403; kept as-is here.
    """
    claims = checkJWT(request.headers["JWT"])
    if claims["Success"] == False:
        apiLog.logError(claims["Error"])
        return flask.jsonify(claims), 400
    caller = claims["username"]
    # Only the Client role is confined to its own record.
    confined_to_self = apiDB.getrole(caller) == "Client"
    if confined_to_self and patientusername != caller:
        apiLog.logWarn("{} unauthorized access".format(caller))
        return "unauthorized access", 400
    record = apiDB.getUser(patientusername)
    if record == False:
        return "No Such user", 400
    apiLog.logInfo("{} accessed {}'s data".format(caller, patientusername))
    return flask.jsonify(record), 200
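def updatePW():
    """Change the password of the account identified by the ``JWT`` header.

    Expects a JSON body ``{"password": "<new password>"}``.  The account that
    is updated is always the token subject, so a caller can never change
    another user's password through this endpoint.  Allowed roles: Staff,
    Permission_Admin, Client.

    Returns a Flask JSON response: the result of ``apiDB.update`` on success,
    otherwise a JSON-string payload ``{"Success": False, "Error": ...}`` with
    status 400 (rejected token, unreadable body, missing/empty password, or
    role not allowed).

    Fixes relative to the previous version: it parsed an undefined
    ``LoginUser`` (so every call failed with "Error Content-type"), compared
    against an undefined ``patientusername``, read ``response["Error"]`` on a
    valid token, and returned ``None`` when the role check failed.
    NOTE(review): the current password is not re-verified before the change;
    requiring it would need a new body field and is left for a follow-up.
    """
    response = checkJWT(request.headers["JWT"])
    if not response.get("Success") or "username" not in response:
        apiLog.logWarn("updatePW: JWT rejected ({})".format(response.get("Error")))
        return flask.jsonify(json.dumps({"Success": False, "Error": "JWT Incorrect"})), 400
    username = response["username"]
    try:
        LoginUser = json.loads(request.data.decode("UTF-8"))
    except ValueError:
        # Covers both invalid UTF-8 and invalid JSON.
        return flask.jsonify(json.dumps({"Success": False, "Error": "Error Content-type"})), 400
    try:
        password = LoginUser["password"]
    except (KeyError, TypeError):
        return flask.jsonify(json.dumps({"Success": False, "Error": "Error Content Unfound"})), 400
    # Reject non-string or empty passwords before touching the store; never
    # log or print the value.
    if not isinstance(password, str) or password == "":
        return flask.jsonify(json.dumps({"Success": False, "Error": "Error Content Unfound"})), 400
    if allowAccess(['Staff', 'Permission_Admin', 'Client'], request) == True:
        apiLog.logInfo("Password updated for {}".format(username))
        return flask.jsonify(apiDB.update(username, password))
    apiLog.logWarn("{} unauthorized access".format(username))
    return flask.jsonify(json.dumps({"Success": False, "Error": "No Permission"})), 400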
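def requestPermission(role, usernameT):
    """Record a request by the caller to be granted ``role``.

    ``usernameT`` (from the URL) must equal the username in the caller's
    ``JWT`` header; the request is then stored with
    ``apiDB.requestPermission(username, role)``.  Allowed roles: Staff,
    Permission_Admin, Client.

    Returns a Flask JSON response with the ``apiDB.requestPermission`` result
    on success, ``{"Success": False, "Error": "Incorrect username"}`` when the
    URL user does not match the token user, and the plain string
    ``'JWT Incorrect'`` when the token is rejected or the role is not allowed.

    Fixes relative to the previous version: the mismatch reply parsed a string
    that is not valid JSON (``Incorrect username`` unquoted), the token was
    indexed before checking it was accepted, and the final log line referenced
    ``username`` before it was assigned (UnboundLocalError).
    """
    if allowAccess(['Staff', 'Permission_Admin', 'Client'], request) == True:
        #DO ADMIN HAVE TO REQUEST PERMISSION?
        response = checkJWT(request.headers["JWT"])
        if not response.get("Success") or "username" not in response:
            apiLog.logWarn("requestPermission: JWT rejected ({})".format(response.get("Error")))
            return 'JWT Incorrect'
        username = response["username"]
        if username == usernameT:
            apiLog.logInfo(
                'Permission requested, username: {} role: {}'.format(
                    username, role))
            return flask.jsonify(apiDB.requestPermission(username, role))
        # A user may only request roles for their own account.
        apiLog.logWarn("{} requested permission on behalf of {}".format(username, usernameT))
        return flask.jsonify({"Success": False, "Error": "Incorrect username"})
    # No identity is established on this path; log the remote address instead.
    apiLog.logWarn("{} has Incorrect JWT".format(request.remote_addr))
    return 'JWT Incorrect'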
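def getData(patientusername):
    """Return ``patientusername``'s record, but only to that same user.

    Variant of ``getData`` in which every allowed role (Staff, Permission_Admin,
    Client) is confined to its own record: the URL username must equal the
    username in the caller's ``JWT`` header.

    Returns a Flask JSON response whose payload is a JSON *string* (the shape
    this variant already used):
      * 400 with the ``checkJWT`` payload when the token is rejected;
      * 400 ``{"Success": False, "Error": "unauthorized access"}`` on a
        username mismatch;
      * 400 ``{"Success": False, "Error": "No Permission"}`` when the role is
        not allowed;
      * 400 ``"No Such user"`` when ``apiDB.getUser`` returns ``False``;
      * 200 with the record otherwise.

    Fixes relative to the previous version: the token was indexed before
    checking it was accepted, both error branches read ``response["Error"]``
    which is absent on an accepted token (KeyError), the fetched record was
    ``print``ed to stdout (patient data in process output), an unknown user was
    returned as ``false`` with 200, and a stale commented-out copy of the
    role-based logic was removed.
    """
    response = checkJWT(request.headers["JWT"])
    if not response.get("Success") or "username" not in response:
        apiLog.logError(response.get("Error"))
        return flask.jsonify(json.dumps(response)), 400
    username = response["username"]
    #TODO check jwt check role
    if allowAccess(['Staff', 'Permission_Admin', 'Client'], request) == True:
        if patientusername != username:
            apiLog.logWarn("{} unauthorized access".format(username))
            return flask.jsonify(json.dumps({"Success": False, "Error": "unauthorized access"})), 400
        User = apiDB.getUser(patientusername)
        if User == False:
            return flask.jsonify(json.dumps("No Such user")), 400
        # Do not print the record: it is patient data and would land in logs.
        apiLog.logInfo("{} accessed {}'s data".format(username, patientusername))
        return flask.jsonify(json.dumps(User)), 200
    else:
        apiLog.logWarn("{} has no permitted role".format(username))
        return flask.jsonify(json.dumps({"Success": False, "Error": "No Permission"})), 400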
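def listPermission():
    """List all permissions (Permission_Admin only).

    Returns ``flask.jsonify(apiDB.listPermission())`` when ``allowAccess``
    accepts the caller for the ``Permission_Admin`` role; otherwise the plain
    string ``'Error'`` (status unchanged from the previous version).

    Fix relative to the previous version: the denial log line formatted an
    empty string into its ``{}`` placeholder, so the audit trail never said who
    was refused.  No identity is established on that path, so the remote
    address and whether a ``JWT`` header was supplied are logged instead.
    NOTE(review): a denial should carry 403 rather than 200; left as-is to
    keep the existing response shape.
    """
    if allowAccess(['Permission_Admin'], request) == True:
        apiLog.logInfo("Admin request to list all permissions")
        return flask.jsonify(apiDB.listPermission())
    has_token = "JWT" in request.headers
    apiLog.logWarn("{} attempted to list permissions (JWT header present: {})".format(
        request.remote_addr, has_token))
    return 'Error'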