def decode_token(token, email_verification):
s = TimedJSONWebSignatureSerializer('THISISVERYSECRET', expires_in=600)
try:
payload = s.loads(token)
username = payload['username']
try:
user = User.objects.get(username=username)
if email_verification:
if user.email_verified:
return False
if payload['email'] != user.email:
return False
user.email_verified = True
user.save()
return True
else:
if user.reset_pending:
return user
except User.DoesNotExist:
return False
except Exception:
return False
def forgot_password():
if current_user.is_authenticated:
return redirect('auth.account')
form = ForgotPasswordForm()
if request.method == 'POST':
if form.validate_on_submit():
user = StaffAccount.query.filter_by(email=form.email.data).first()
if not user:
flash(u'User not found. ไม่พบบัญชีในฐานข้อมูล', 'warning')
return render_template('auth/forgot_password.html',
form=form,
errors=form.errors)
serializer = TimedJSONWebSignatureSerializer(
app.config.get('SECRET_KEY'), expires_in=72000)
token = serializer.dumps({'email': form.email.data})
url = url_for('auth.reset_password',
token=token,
email=form.email.data,
_external=True)
message = u'Click the link below to reset the password.'\
u' กรุณาคลิกที่ลิงค์เพื่อทำการตั้งค่ารหัสผ่านใหม่\n\n{}'.format(url)
try:
send_mail(
['{}@mahidol.ac.th'.format(form.email.data)],
title=
'MUMT-MIS: Password Reset. ตั้งรหัสผ่านใหม่สำหรับระบบ MUMT-MIS',
message=message)
except:
flash(u'Failed to send an email to {}. ระบบไม่สามารถส่งอีเมลได้กรุณาตรวจสอบอีกครั้ง'\
.format(form.email.data), 'danger')
else:
flash(
u'Please check your mahidol.ac.th email for the link to reset the password within 20 minutes.'
u' โปรดตรวจสอบอีเมล mahidol.ac.th ของท่านเพื่อทำการแก้ไขรหัสผ่านภายใน 20 นาที',
'success')
return redirect(url_for('auth.login'))
return render_template('auth/forgot_password.html',
form=form,
errors=form.errors)
def init_app(self, app):
"""
Do setup that requires a Flask app.
"""
self.app = app
# Set some default configuration options
app.config.setdefault('OIDC_SCOPES', ['openid', 'email'])
app.config.setdefault('OIDC_GOOGLE_APPS_DOMAIN', None)
app.config.setdefault('OIDC_ID_TOKEN_COOKIE_NAME', 'oidc_id_token')
app.config.setdefault('OIDC_ID_TOKEN_COOKIE_TTL', 7 * 86400) # 7 days
# should ONLY be turned off for local debugging
app.config.setdefault('OIDC_ID_TOKEN_COOKIE_SECURE', True)
app.config.setdefault(
'OIDC_VALID_ISSUERS',
['accounts.google.com', 'https://accounts.google.com'])
app.config.setdefault('OIDC_CLOCK_SKEW', 60) # 1 minute
app.config.setdefault('OIDC_REQUIRE_VERIFIED_EMAIL', True)
# register callback route and cookie-setting decorator
app.route('/oidc_callback')(self.oidc_callback)
app.before_request(self.before_request)
app.after_request(self.after_request)
# load client_secrets.json
self.flow = flow_from_clientsecrets(app.config['OIDC_CLIENT_SECRETS'],
scope=app.config['OIDC_SCOPES'])
assert isinstance(self.flow, OAuth2WebServerFlow)
# create signers using the Flask secret key
self.destination_serializer = JSONWebSignatureSerializer(
app.config['SECRET_KEY'])
self.cookie_serializer = TimedJSONWebSignatureSerializer(
app.config['SECRET_KEY'])
try:
self.credentials_store = app.config['OIDC_CREDENTIALS_STORE']
except KeyError:
pass
def check_access_token(access_token):
"""
检验检验用户传入的 token
:param access_token:token
:return:
"""
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY,
expires_in=600)
try:
# 尝试使用对象的 loads 函数
# 对 access_token 进行反序列化( 类似于解密 )
# 查看是否能够获取到数据:
data = serializer.loads(access_token)
except BadData:
# 如果出错, 则说明 access_token 里面不是我们认可的.
# 返回 None
return None
else:
# 如果能够从中获取 data, 则把 data 中的 openid 返回
return data.get('openid')
def verify_token(token):
'''token认证'''
s = TimedJSONWebSignatureSerializer(
current_app.config['SECRET_KEY']
)
try:
data = s.loads(token)
except BadSignature:
raise AuthFailed(msg='token不正确')
except SignatureExpired:
raise AuthFailed(msg='token过期')
uid = data['uid']
scope = data['scope']
user = User(uid, scope)
allow = has_permission(scope, request.endpoint)
if not allow:
raise Forbidden()
if user:
g.current_user = user
return True
return False
def check_verify_email_token(token):
# 邮件验证链接有效期为1天
serializer = TimedJSONWebSignatureSerializer(dev.SECRET_KEY,
expires_in=60 * 60 * 24)
try:
# 解析传入的token值, 获取数据data
data = serializer.loads(token)
except BadData:
return None
else:
# 如果有值, 则获取
user_id = data.get('user_id')
email = data.get('email')
# 尝试从User表中获取对应的用户
try:
user = User.objects.get(id=user_id, email=email)
except Exception as e:
return None
else:
return user
def encrypt(self,
content: dict,
expiration=None,
nonce=False,
type_name=None):
expiration = self.expiration if expiration is None or expiration <= 0 else expiration
try:
s = TimedJSONWebSignatureSerializer(self.secret_key, expiration)
if nonce:
crypto_nonce = Crypto_Nonce()
token_in_db = crypto_nonce.get_content_type_name(
type_name, expiration)
if token_in_db is not None:
return token_in_db
content['nonce_id'] = str(uuid.uuid1())
token = s.dumps(content)
crypto_nonce.save(content['nonce_id'], token, type_name)
return token
else:
return s.dumps(content)
except Exception as e:
raise CryptoError(e)
def generate_verify_email_url(self):
"""
生成邮箱验证链接
:param user: 当前登录用户
:return: verify_url
"""
# 调用itsdangerous中的类,生成对象,有效期1天
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY,
expires_in=60 * 60 * 24)
# 拼接参数
data = {'user_id': self.id, 'email': self.email}
# 生成token值,这个值是bytes类型,所以解码为str类型
token = serializer.dumps(data).decode()
# 拼接url
verify_url = settings.EMAIL_VERIFY_URL + '?token=' + token
# 返回
return verify_url
def validate_token(user, token, operation, new_password=None):
s = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
print('验证token')
try:
data = s.loads(token)
except (BadSignature, SignatureExpired):
return False
if operation != data.get('operation') or user.id != data.get('id'):
return False
if operation == Operations.CONFIRM:
user.confirmed = True
elif operation == Operations.RESET_PASSWORD:
user.set_password(new_password)
elif operation == Operations.CHANGE_EMAIL:
pass
else:
return False
db.session.commit()
return True
def check_verify_email_token(token):
"""
校验token值
:param token: token值
:return: 用户对象 或 None
"""
serializer = TimedJSONWebSignatureSerializer(secret_key=dev.SECRET_KEY)
try:
user_info = serializer.loads(token)
except BadSignature as e:
print(e)
return None
user_id = user_info.get('user_id')
try:
user = User.objects.get(pk=user_id)
except User.DoesNotExist as e:
print(e)
return None
return user
def request_password_reset():
form = UserForgotPasswordForm()
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data).first()
if not user:
flash('Your email address doesnt exist', 'error')
return redirect(request.url)
else:
try:
msg = Message()
msg.subject = 'Rest Password'
msg.recipients = [user.email]
serialize = TimedJSONWebSignatureSerializer(
current_app.secret_key, expires_in=1000)
token = serialize.dumps({'user_id': user.id})
url = url_for('auth.reset_password',
token=token,
_external=True)
msg.body = f"""
Please Click On The Link TO Rest Your Rest Password
<a href='{url}'></a>
"""
msg.sender = 'ISERVICE'
mail.send(msg)
except Exception as e:
print(e)
flash('An error occurred (check connection to the internet)',
'error')
return redirect(request.url)
else:
flash(
'Message has been sent to your email to reset your password',
'error')
return redirect(request.url)
return render_template('auth/pages/request_password_reset.html',
form=form,
t='Forgot Password',
st='you can recover your password')
def emial_active(request, token):
try:
# uid = token_confirm.confirm_validte_token(token) # 方法一,解密token,将uid取出来
serializer = TimedJSONWebSignatureSerializer('SECRET_KEY', 3600) # 方法二
info = serializer.loads(token) # 解密,加密的时候是字典,解密的时候还是字典
uid = info.get('uid')
except SignatureExpired as e: # token过期的错误SignatureExpired
# uid = token_confirm.remove_validate_token(token) # 方法一,解密出错则删除token
user = User.objects.get(pk=uid) # 连账号也删除,让用户重新注册
user.delete()
return HttpResponse('激活链接过期,请重新注册')
try:
user = User.objects.get(pk=uid) # 在数据库里查找用户,找不到则表示用户不存在
except:
return HttpResponse('用户不存在,请重新注册')
# 激活
user.is_active = 1
user.save()
return redirect(reverse('user:login')) # 激活成功,重定向到登录页面
def view_token_verify(self, token):
s = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
try:
data = s.loads(token)
except:
return None
if data.get('view') is None or \
data.get('user') is None or \
data.get('linkpass') is None:
# token 信息不完整
return None
user = User.query.filter_by(uid=data.get('user')).first()
if user.uid != self.uid and \
not user.can(Permission.ADMINISTER):
# 当前用户不具有管理员权限且和 token 中用户不一致
return None
fileid = data.get('view')
password = data.get('linkpass')
file = File.query.get(fileid)
if file is None or \
(file.private==True and \
file.ownerid != self.uid and \
not self.can(Permission.ADMINISTER)) or \
file.linkpass != password:
# 文件不存在 或
# 文件私有且当前用户不具有管理员权限且当前用户不是文件所有人 或
# 文件提取码不正确
return None
# 返回 查看的类型、顺序、方向、关键词、根文件 id 以及当前路径
return {
'type': data.get('type') or 'all',
'order': data.get('order') or 'time',
'direction': data.get('direction') or 'front',
'key': data.get('key') or '',
'password': data.get('linkpass'),
'rootid': data.get('view'),
'path': data.get('path') or \
file.path + file.filename + '/'
}
def check_verify_email_token(token):
# 提取参数
# 调用itsdangerous类生成serializer对象
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY,
expires_in=3600*24)
try:
data = serializer.loads(token)
except BadData:
# 如果没有获取值,则报错
return None
else:
user_id = data.get('user_id')
email = data.get('email')
# 校验参数
try:
user = User.objects.get(id=user_id, email= email)
except Exception as e:
return None
else:
# 查询到对应用户数据则返回用户对象
return user
def validate_token(token):
if not token:
flash("連結載入失敗,請重新點擊邀請信中的連結", FlashCategory.ERROR)
return None
s = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
try:
invitation_info_dict = s.loads(token)
except SignatureExpired:
flash("該連結已經過期~請申請新的註冊連結", FlashCategory.ERROR)
return None
except BadSignature:
flash("該連結為無效連結~請重新申請", FlashCategory.ERROR)
return None
# 避免同一token被重複註冊的情況
if SttUser.objects(invitation_info__token=token):
flash("該連結已經被註冊過了喔~請申請新的註冊連結", FlashCategory.WARNING)
return None
invitation_info_dict.update({"token": token})
return invitation_info_dict
def post(self, request):
user_name = request.POST.get("user_name")
pwd = request.POST.get("pwd")
email = request.POST.get("email")
if not all([user_name, pwd, email]):
return render(request, "register.html", {"error": "数据不完整"})
if not re.match(r"^[a-z0-9][\w.\-]*@[a-z0-9\-]+(\.[a-z]{2,5}){1,2}$",
email):
render(request, "register.html", {"error": "邮箱不规范!"})
allow = request.POST.get("allow")
if allow != "on":
return render(request, "register.html", {"error": "请同意协议!"})
# 校验用户名是否存在
try:
user = User.objects.get(username=user_name)
except User.DoesNotExist:
# 用户名不存在
user = None
if user:
return render(request, "register.html", {"error": "用户已存在!"})
user = User.objects.create_user(username=user_name,
password=pwd,
email=email)
user.is_active = 0
user.save()
# 使用itsdangous进行生成token
Serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY, 3600)
info = {"confirm": user.id}
token = Serializer.dumps(info).decode()
# 发送
# email_title = '天天生鲜'
# email_body = '天天生鲜正文'
# msg = '<a href="http://192.168.58.130:8000/user/active/%s" target="_blank">http://192.168.58.130:8000/user/active/%s</a>' %(token,token)
# send_status = send_mail(email_title, email_body, settings.EMAIL_FROM,[email], html_message=msg)
send_email_active.delay(email, token)
return redirect(reverse("goods:index"))
def post(self, req):
username = req.POST.get('username')
password = req.POST.get('password')
email = req.POST.get('email')
user = MyUser.objects.create_user(username=username,
email=email,
password=password)
# 将用户设置为未激活状态
user.is_active = False
user.save()
# 向用户发送激活邮件
userid = user.id
from django.conf import settings
util = TimedJSONWebSignatureSerializer(
secret_key=settings.SECRET_KEY, )
userid = util.dumps({"userid": userid}).decode("utf-8")
info = "请点击激活 <a href='http://127.0.0.1:8000/active/%s/' > 点我激活 %s </a>" % (
userid,
username,
)
from django.conf import settings
mail = EmailMultiAlternatives("请激活", info, settings.DEFAULT_FROM_EMAIL,
[email])
mail.content_subtype = "html"
mail.send()
if user:
return redirect(reverse('pulls:login'))
else:
lf = MyUserLogin()
rf = MyUserRegist()
errormessage = '注册失败'
return render(req, 'pulls/login_regist.html', locals())
def change_email(self, token):
s = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
try:
data = s.loads(token)
except:
return False
if data.get('change_email') != self.uid:
return False
new_email = data.get('new_email')
if new_email is None:
return False
if self.query.filter_by(email=new_email).first() is not None:
return False
self.email = new_email
if self.avatar_hash is None or \
self.avatar_hash[0] != ':':
# 用户无自定义头像则重新生成 avatar hash
self.avatar_hash = hashlib.md5(
new_email.encode('utf-8')).\
hexdigest()
db.session.add(self)
db.session.commit()
return True
def test_csrf_not_signed_correctly(csrf_app, csrf):
"""Test CSRF malicious attempt with passing malicious cookie and header."""
from invenio_rest.errors import RESTCSRFError
from itsdangerous import TimedJSONWebSignatureSerializer
with csrf_app.test_client() as client:
# try to pass our own signed cookie and header in an attempt to bypass
# the CSRF check
csrf_serializer = TimedJSONWebSignatureSerializer('my_secret')
malicious_cookie = csrf_serializer.dumps({'user': '******'},
'my_secret')
CSRF_COOKIE_NAME = csrf_app.config['CSRF_COOKIE_NAME']
client.set_cookie('localhost', CSRF_COOKIE_NAME, malicious_cookie)
res = client.post(
'/csrf-protected',
data=json.dumps(dict(foo='bar')),
content_type='application/json',
headers={'X-CSRF-Token': malicious_cookie},
)
assert res.json['message'] == RESTCSRFError.description
assert res.status_code == 400
def check_verify_token(token):
'''
把token解密, 返回user
:return:
'''
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY,
expires_in=3600 * 24)
try:
data = serializer.loads(token)
except BadData:
return None
else:
user_id = data.get('user_id')
email = data.get('email')
try:
user = User.objects.get(id=user_id, email=email)
except Exception as e:
return http.HttpResponseForbidden('获取用户出错')
return user
def test_jwt():
foo.configure(force=True)
pirincipal = TimedJSONWebSignatureSerializer(
settings.jwt.secret, algorithm_name=settings.jwt.algorithm)
with Given(app, ['jwt', 'create']):
assert stderr == ''
token = f'{stdout}'[:-1]
assert pirincipal.loads(token) == {}
# Create a jwt token with a payload
payload = dict(a=1)
when(given + f'\'{json.dumps(payload)}\'')
assert stderr == ''
token = f'{stdout}'[:-1]
assert pirincipal.loads(token) == payload
# Create a expired token
when(given + '-e -1')
assert stderr == ''
token = f'{stdout}'[:-1]
with pytest.raises(SignatureExpired):
pirincipal.loads(token)
def move_token_verify(self, token):
s = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
try:
data = s.loads(token)
except:
return None
if data.get('move') is None or \
data.get('user') is None or \
data.get('path') is None:
return None
user = User.query.filter_by(uid=data.get('user')).first()
if user.uid != self.uid and \
not user.can(Permission.ADMINISTER):
return None
fileid = data.get('move')
file = File.query.filter_by(uid=fileid).first()
if file is None or \
(file.ownerid != self.uid and \
not user.can(Permission.ADMINISTER)):
# 文件不存在 或 用户不具有管理员权限且不是文件所有者
return None
# 返回要移动的文件 id,以及要移动到的路径
return [fileid, data.get('path')]
def decode_token(token, reason, return_header=None):
payload = None
if token:
t = TimedJSONWebSignatureSerializer(current_app.config['SECRET_KEY'])
try:
payload = t.loads(token, return_header)
except SignatureExpired:
raise APIException("Expired token.", 401)
except BadSignature:
raise APIException("Invalid token.", 401)
if payload["reason"] != reason:
raise APIException("Invalid token.", 401)
data = Token.get(token)
if data is None:
raise APIException("Invalid token.", 401)
if data.has_expired:
raise APIException("Expired token.", 401)
if reason in ("reset", "activation"):
data.expired = True
data.save()
return payload
def check_verify_email_token(token):
"""
校验验证邮箱的路径传递到视图中的token:包含user_id 和email
:return: 验证成功则返回user
"""
serializer = TimedJSONWebSignatureSerializer(
settings.SECRET_KEY, constants.BIND_USER_ACCESS_TOKEN_EXPIRES)
# 尝试将tokee进行解析
try:
data = serializer.loads(token)
except BadData:
return None
else:
# 解析成功则动data中获取user_id和email,查询用户数据
user_id = data["user_id"]
email = data["email"]
# 尝试获取用户信息
try:
user = User.objects.get(id=user_id, email=email)
except User.DoesNotExist:
return None
else:
return user
def process_request(self, request):
url_path = request.path
for each in exclued_path:
if re.match(each, url_path):
return None
auth_token = request.COOKIES.get("auth_token", None)
if not auth_token:
return HttpResponseRedirect('/auth/login')
s = TimedJSONWebSignatureSerializer(secret_key="hard to guess",
expires_in=60)
try:
data = s.loads(auth_token)
id = data.get("id", None)
except (BadSignature, SignatureExpired):
return HttpResponseRedirect('/auth/login')
print(id)
if id != 1:
return HttpResponseRedirect('/auth/login')
else:
return None
def post(self, request):
"""处理注册业务"""
# 1. 接收数据
username = request.POST.get('user_name')
password = request.POST.get('pwd')
email = request.POST.get('email')
# 2. 校验数据,数据完整性和格式交由前端register.js
## 校验用户名是否重复
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = None
if user:
return render(request, 'register.html', {'errmsg': '用户已存在'})
# 3. 业务处理
user = User.objects.create_user(username, email, password)
user.is_active = 0
user.save()
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY, 3600)
token = serializer.dumps({'confirm': user.id}).decode()
## 发送账户激活邮件
send_register_active_email.delay(email, username, token)
return redirect(reverse('goods:index'))
def get(self, request, token: str):
"""
用户激活
:param request:
:param token: 对字典 {'confirm':用户id} 进行加密后得到的字符串
:return:
"""
try:
# 解密token
s = TimedJSONWebSignatureSerializer(settings.SECRET_KEY)
# 字符串 -> bytes
# dict_data = s.loads(token.encode())
dict_data = s.loads(token)
except SignatureExpired:
# 判断是否失效
return HttpResponse('激活链接已经失效')
# 获取用户id
user_id = dict_data.get('confirm')
# 修改字段为已激活
User.objects.filter(id=user_id).update(is_active=True)
# 响应请求
return HttpResponse('激活成功,跳转到登录界面')
def register(request):
if request.method == "POST":
user_form = UserRegisterForm(request.POST)
if user_form.is_valid():
new_user = user_form.save(commit=False)
new_user.set_password(user_form.cleaned_data['password'])
new_user.is_active = False
new_user.save()
recvlist = ['*****@*****.**']
# 发送邮件 SMTP POP3
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY)
serializerstr = serializer.dumps({
'userid': new_user.id
}).decode('utf-8')
try:
send_mail('Django邮件', 'Django可以发送邮件',
settings.DEFAULT_FROM_EMAIL, recvlist)
mail = EmailMultiAlternatives(
"python发送激活验证邮件",
"<h2><a href='http://127.0.0.1:8000/active/%s/'>点我 激活</a></h2>"
% (serializerstr), settings.EMAIL_HOST_USER, recvlist)
mail.content_subtype = 'html'
mail.send()
print('发送成功')
except Exception as e:
print(e)
return render(request, 'blog/login.html')
else:
return HttpResponse('注册表单输入有错')
elif request.method == "GET":
user_form = UserRegisterForm()
context = {'user_form': user_form}
return render(request, 'blog/register.html', context)
else:
return HttpResponse('请用get或post请求数据')
def decode_single_use_JWS(cls, token, required_type):
try:
s = TimedJSONWebSignatureSerializer(
current_app.config['SECRET_KEY'])
data = s.loads(token.encode("utf-8"))
user_id = data.get('id')
token_type = data.get('type')
if token_type != required_type:
return {'success': False, 'message': 'Wrong token type (needed %s)' % required_type}
if not user_id:
return {'success': False, 'message': 'No User ID provided'}
user = cls.query.filter_by(
id=user_id).execution_options(show_all=True).first()
if not user:
return {'success': False, 'message': 'User not found'}
return {'success': True, 'user': user}
except BadSignature:
return {'success': False, 'message': 'Token signature not valid'}
except SignatureExpired:
return {'success': False, 'message': 'Token has expired'}
except Exception as e:
return {'success': False, 'message': e}
def get(self, request):
#获取token
token = request.query_params.get('token')
if not token:
return Response({'message': '缺少token'}, status=400)
#验证token
serializer = TimedJSONWebSignatureSerializer(settings.SECRET_KEY,
expires_in=60 * 60 *
24) # 有效期1天
try:
data = serializer.loads(token)
except BadData:
return Response({'message': '链接信息失效'}, status=400)
#查询要激活用户对象
email = data.get('email')
user_id = data.get('user_id')
try:
user = User.objects.get(id=user_id, email=email)
except User.DoesNotExist:
return Response({'message': '激活用户不存在'}, status=400)
#修改用户邮箱激活状态
user.email_active = True
user.save()
return Response({'message': 'OK'})
