def send_email(username):
if request.method == 'POST':
mailaddr = apiDB.getEmail(username)
print(username)
print(mailaddr)
mailkey = URLSafeTimedSerializer(
'blowfish'
) #TODO move this to a secure position (encrypted perhaps)
token = mailkey.dumps(username, salt='email-confirm')
sendMail(
'Verification Code', mailaddr,
"<a href=http://127.0.0.1:3864/confirm_email/" + token +
">Follow this link for account activation</a>")
apiLog.logInfo("Sent email verification to {}".format(mailaddr))
return flask.jsonify(
json.dumps({
"Success": True,
"Status": 'Sent verification code'
})), 200
else:
apiLog.logError("Failed to send email verification")
return flask.jsonify(
json.dumps({
"Success": False,
"Status": 'Failed to send verification code'
})), 400
def register(
username,
password,
email="",
role="Client"): #for testing can be used for searching as it's dict
Userjson = readJsonDict(userPath)
if username in Userjson:
return {"Success": False, "Error": "Username in use"}
if email == "":
return {"Success": False, "Error": "email missing"}
hashedpassword = bcrypt.hashpw(password.encode('UTF-8'), bcrypt.gensalt())
Userjson[username] = {
"password": hashedpassword.decode('UTF-8'),
"role": role,
"email": email,
"emailVerify": False
}
writeJson(userPath, Userjson)
apiLog.logInfo('Registered user, username: {} email: {} role: {}'.format(
username, email, role))
return {
"Success": True,
"username": username,
"password": hashedpassword.decode('UTF-8'),
"role": role,
"email": email,
"emailVerify": False
}
def requestPermission(username, role):
PermJson = readJsonDict(PermPath)
requestRole = {"username": username, "role": role}
PermJson[username] = role
writeJson(PermPath, PermJson)
apiLog.logInfo('Permission requested, username: {} role: {}'.format(
username, role))
return requestRole
def processData():
response = checkJWT(request.headers["JWT"])
username = response["username"]
#TODO check the jwt (DONE)
if allowAccess(['Staff','Permission_Admin'],request) == True:
Data = apiDB.MenuUser()
apiLog.logInfo("{} accessed database".format(username))
#TODO record log
return flask.jsonify(json.dumps(Data)),200
def grantPermission():
if allowAccess(['Permission_Admin'], request) == False:
apiLog.logWarn("{} attmepted to grant permission")
return flask.jsonify({"Success": False, "Error": "No Permission"})
result = checkJWT(request.headers["JWT"])
username = result["username"]
content = request.data.decode("UTF-8")
#TODO check the username and the corresponding role to the dictionary then grant permission
apiLog.logInfo("Permission granted by {}".format(username))
return flask.jsonify(json.loads("{'Success':True}"))
def confirm_email(token):
try:
mailkey = URLSafeTimedSerializer(
'blowfish'
) #TODO move this to a secure position (encrypted perhaps)
username = mailkey.loads(token, salt='email-confirm')
#TODO a request that changes emailVerify boolean to true and compare username to database
apiLog.logInfo("Email verified for {}".format(username))
return redirect('https://localhost:5000/login')
except Exception:
apiLog.logWarn("Email verification failed")
return 'The token does not match'
def login():
LoginUser = request.data.decode("UTF-8")
try:
#LoginUser = decryption(LoginUser,request.headers['id'])
LoginUser = json.loads(LoginUser)
except:
return flask.jsonify(
json.dumps({
"Success": False,
"Error": "Error Content"
})), 400
print(LoginUser)
username = ""
password = ""
try:
username = LoginUser["username"]
password = LoginUser["password"]
except:
return flask.jsonify({
"Success": False,
"Error": "Error Content Unfound"
}), 400
try:
#TODO check username and check password
response = apiDB.login(username, password)
if response["Success"] == False:
return flask.jsonify(json.dumps(response)), 400
#TODO if true to one time password(send email)
emailaddr = apiDB.getEmail(username)
#print({"Success":True, "Status":"One Time Password", "Username":username})
mailkey = URLSafeTimedSerializer(
'onetimeblow'
) #TODO move this to a secure position (encrypted perhaps)
otp = mailkey.dumps(username, salt='oneblowfish')
sendMail('One Time Passcode', emailaddr, "Please use this OTP: " + otp)
apiLog.logInfo('Login {} {}'.format(username, True))
return flask.jsonify(
json.dumps({
"Success": True,
"Status": "One Time Password",
"Username": username
})), 200
except Exception as e:
print(e)
apiLog.logWarn('Login {} {}'.format(username, False))
return flask.jsonify(
json.dumps({
"Success": False,
"Error": "Error Unknown"
})), 400
def login(username, password):
UserJson = readJsonDict(userPath)
if username in UserJson:
temp = UserJson[username]
if bcrypt.checkpw(password.encode('UTF-8'),
temp["password"].encode('UTF-8')):
apiLog.logInfo('Login {} {}'.format(username, True))
return {"Success": True}
else:
apiLog.logWarn('Login {} {}'.format(username, False))
return {"Success": False, "Error": "Password Incorrect"}
else:
apiLog.logWarn("Login unknown {}".format(False))
return {"Success": False, "Error": "Username does not exist"}
def processData():
response = checkJWT(request.headers["JWT"])
username = response["username"]
#TODO check the jwt (DONE)
if allowAccess(['Staff', 'Permission_Admin'], request) == True:
Data = apiDB.MenuUser()
apiLog.logInfo("{} accessed database".format(username))
#TODO record log
return flask.jsonify(Data), 200
elif allowAccess(['Client'], request) == True:
Data = {}
Data[username] = username
return flask.jsonify(Data), 200
else:
apiLog.logError("{} raised {}".format(username, response["Error"]))
return flask.jsonify(response), 400
def getData(patientusername):
#TODO check jwt check role
response = checkJWT(request.headers["JWT"])
if response["Success"] == False:
apiLog.logError(response["Error"])
return flask.jsonify(response), 400
username = response["username"]
role = apiDB.getrole(username)
if role == "Client" and patientusername != username:
apiLog.logWarn("{} unauthorized access".format(username))
return "unauthorized access", 400
User = apiDB.getUser(patientusername)
if User == False:
return "No Such user", 400
apiLog.logInfo("{} accessed {}'s data".format(username, patientusername))
return flask.jsonify(User), 200
def requestPermission(role, usernameT):
#TODO check jwt
if allowAccess(['Staff', 'Permission_Admin', 'Client'],
request) == True: #DO ADMIN HAVE TO REQUEST PERMISSION?
response = checkJWT(request.headers["JWT"])
username = response["username"]
#TODO compare to the username
#result = checkJWT(request.headers["JWT"])
#if result["Success"] == True and result["username"]==currentusername:
if username == usernameT:
apiLog.logInfo(
'Permission requested, username: {} role: {}'.format(
username, role))
return flask.jsonify(apiDB.requestPermission(username, role))
return flask.jsonify(
json.loads("{'Success':False,'Error':Incorrect username}"))
apiLog.logWarn("{} has Incorrect JWT".format(username))
return 'JWT Incorrect'
def register():
try:
NewUser = decryption(request.data.decode("UTF-8"),
request.headers["id"])
NewUser = json.loads(NewUser)
username = NewUser['username']
password = NewUser['password']
email = NewUser['email']
#TODO check username
#TODO check password
response = apiDB.register(username, password, email=email)
if response["Success"] == False:
return response["Error"], 400
apiLog.logInfo(
'Registered user, username: {} email: {} role: Client'.format(
username, email))
return flask.jsonify(json.dumps(response)), 200
except Exception as e:
print(e)
return 'Error', 400
def getData(patientusername):
response = checkJWT(request.headers["JWT"])
username = response["username"]
#TODO check jwt check role
if allowAccess(['Staff','Permission_Admin','Client'],request) == True:
if patientusername != username:
apiLog.logWarn("{} unauthorized access".format(username))
return flask.jsonify(json.dumps(response["Error"])),400
#response = checkJWT(request.headers["JWT"])
#if response["Success"] == False:
#apiLog.logError(response["Error"])
#return flask.jsonify(json.dumps(response)),400
#username = response["username"]
#role = apiDB.getrole(username)
#if role == "Client" and patientusername != username:
#apiLog.logWarn("{} unauthorized access".format(username))
#return flask.jsonify(json.dumps(response["Error"])),400
User = apiDB.getUser(patientusername)
print(User)
apiLog.logInfo("{} accessed {}'s data".format(username, patientusername))
return flask.jsonify(json.dumps(User)),200
else:
apiLog.logError(response["Error"])
return flask.jsonify(json.dumps(response)),400
def OneTimeCode(passcode):
try:
mailkey = URLSafeTimedSerializer(
'onetimeblow'
) #TODO move this to a secure position (encrypted perhaps)
username = mailkey.loads(passcode, salt='oneblowfish', max_age=180)
print(
username
) #TODO a request that changes emailVerify boolean to true and compare username to database
apiDB.emailVerify(username)
apiLog.logInfo("OTP verified for {}".format(username))
return flask.jsonify(
json.dumps({
"Success": True,
"Status": 'Passed OTP',
"JWT": str(issueJWT(username).decode("UTF-8"))
})), 200
except Exception as e:
print(e)
apiLog.logError("Failed to verify OTP")
return flask.jsonify(json.dumps({
"Success": False,
"Status": str(e)
})), 400
def listPermission():
if allowAccess(['Permission_Admin'], request) == True:
apiLog.logInfo("Admin request to list all permissions")
return flask.jsonify(apiDB.listPermission())
apiLog.logWarn("{} attempted to list permissions".format(""))
return 'Error'
