def do_post(request, *args, **kwargs): """ User logout :param Auth: authorization token in header, string, True :return: 200, OK :return: 400 """ log = request.log _db = get_md2db() dbc = _db.cursor() tk = request.auth_token q = "select username from users u join session_token t on u.id = t.id_user where t.id = '{}'".format(qu_esc(tk)) dbc.execute(q) if dbc.rowcount != 1: log.critical('Users {} found'.format(dbc.rowcount)) return base_common.msg.error(msgs.USER_NOT_FOUND) db_user = dbc.fetchone() user = {'username': db_user['username']} return base_common.msg.post_ok(user)
def sequencer(): global _sequencer if not _sequencer: _sequencer = SequencerFactory(dbacommon.get_md2db()) return _sequencer
def do_get(request, *args, **kwargs): """ Get user data :param Auth: authorization token in header, string, True :param username: requested user username, string, True :return: 200, OK :return: 400 """ log = request.log _db = get_md2db() dbc = _db.cursor() username = request.get_argument('username', default='') username = qu_esc(username) q = "select id, username from users where username = '******'".format(username) dbc.execute(q) if dbc.rowcount != 1: log.critical('Users {} found'.format(dbc.rowcount)) return base_common.msg.error(amsgs.USER_NOT_FOUND) db_user = dbc.fetchone() user = {'uid': db_user['id'], 'username': db_user['username']} return base_common.msg.post_ok(user)
def do_put(request, *args, **kwargs): """ Save hash for give parameters :param hash_data: data for storing, string, True :return: 202, Data hash :return: 404, Missing argument """ log = request.log _db = get_md2db() dbc = _db.cursor() import tornado.web try: hdata = request.get_argument("data") except tornado.web.MissingArgumentError: log.critical("Missing data argument for hash2param") return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) h_id = sequencer().new("h") h2p = prepare_hash2params_query(h_id, hdata) try: dbc.execute(h2p) except IntegrityError as e: log.critical("Insert hash for data: {}".format(e)) return base_common.msg.error("Save data hash") _db.commit() return base_common.msg.post_ok({"h": h_id})
def do_get(request, *args, **kwargs): """ Get data for given hash :param hash: data hash, string, True :return: 202, Data :return: 404, Missing argument """ log = request.log _db = get_md2db() dbc = _db.cursor() try: h = request.get_argument('hash') except tornado.web.MissingArgumentError as e: log.critical('Missing hash argument') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) get_data_q = prepare_get_query(h) try: dbc.execute(get_data_q) except IntegrityError as e: log.critical('Retrieve data for hash: {}'.format(e)) return base_common.msg.error('Retrieve hash data') if dbc.rowcount != 1: log.warning('Found {} hashes'.format(dbc.rowcount)) return base_common.msg.error('No data found for given hash') dbd = dbc.fetchone() d = dbd['data'] did = dbd['id'] d_last_accessed = dbd['last_access'] if d_last_accessed: log.warning('New access to {}'.format(h)) if not log_hash_access(_db, did, request.r_ip, log): log.warning("Error save hash access log") return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN) try: d = json.loads(d) except Exception as e: log.warning('Load hash data: {}'.format(e)) if not log_hash_access(_db, did, request.r_ip, log): log.warning("Error save hash access log") return base_common.msg.get_ok(d)
def do_post(request, *args, **kwargs): """ Register user account :param username: users username, string, True :param password: users password, string, True :return: 201, Created :return: 404 """ log = request.log try: username = request.get_argument('username') password = request.get_argument('password') except tornado.web.MissingArgumentError: return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) if len(password) < 3: return base_common.msg.error(msgs.PASSWORD_TO_SHORT) password = format_password(username, password) _db = get_md2db() dbc = _db.cursor() if _check_user_registered(dbc, username): return base_common.msg.error(msgs.USERNAME_ALREADY_TAKEN) u_id = sequencer().new('u') if not u_id: return base_common.msg.error(msgs.ERROR_SERIALIZE_USER) quser = _prepare_user_query(u_id, username, password) try: dbc.execute(quser) except IntegrityError as e: log.critical('User registration: {}'.format(e)) return base_common.msg.error(msgs.ERROR_REGISTER_USER) tk = get_token(u_id, dbc, log) if not tk: return base_common.msg.error('Cannot login user') _db.commit() return base_common.msg.put_ok({'token': tk}, http_status=200)
def do_post(request, *args, **kwargs): """ User login :param username: users username, string, True :param password: users password, string, True :return: 200, OK :return: 404 """ log = request.log _db = get_md2db() dbc = _db.cursor() try: username = request.get_argument('username') password = request.get_argument('password') except tornado.web.MissingArgumentError: log.critical('Missing argument') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) # password = format_password(username, password) q = "select id, password from users where username = '******'".format( qu_esc(username) ) dbc.execute(q) if dbc.rowcount != 1: log.critical('{} users found: {}'.format(username, dbc.rowcount)) return base_common.msg.error(msgs.USER_NOT_FOUND) us = dbc.fetchone() u_id = us['id'] u_pwd = us['password'] if not check_password(u_pwd, username, password): log.critical('Username {} wrong password: {}'.format(username, password)) return base_common.msg.error(msgs.USER_NOT_FOUND) # ASSIGN TOKEN tk = get_token(u_id, dbc, log) if not tk: return base_common.msg.error(msgs.ERROR_LOGIN_USER) _db.commit() return base_common.msg.post_ok({'token': tk})
def do_put(request, *args, **kwargs): """ Forgot password :param username: users username, string, True :return: 200, OK :return: 404, notice """ log = request.log _db = get_md2db() try: username = request.get_argument('username') except tornado.web.MissingArgumentError: log.critical('Missing argument username') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) if not check_user_exists(username, _db, log): log.critical('User check fail') return base_common.msg.error(msgs.USER_NOT_FOUND) # GET HASH FOR FORGOTTEN PASSWORD rh = BaseAPIRequestHandler(log) data = {'cmd': 'forgot_password', 'username': username} rh.set_argument('data', json.dumps(data)) res = base_api.hash2params.save_hash.do_put(rh) if 'http_status' not in res or res['http_status'] != 200: return base_common.msg.error('Cannot handle forgot password') tk = res['h'] message = get_email_message(request, username, tk) # SAVE EMAIL FOR SENDING rh1 = BaseAPIRequestHandler(log) rh1.set_argument('sender', support_mail) rh1.set_argument('receiver', username) rh1.set_argument('message', message) res = base_api.mail_api.save_mail.do_put(rh1) if 'http_status' not in res or res['http_status'] != 204: return base_common.msg.error('Error finishing change password request') return base_common.msg.post_ok(msgs.OK)
def do_post(request, *args, **kwargs): """ User logout :param Auth: authorization token in header, string, True :return: 200, OK :return: 400 """ log = request.log _db = get_md2db() dbc = _db.cursor() tk = request.auth_token if not authorized_by_token(dbc, tk, log): return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST) if not close_session_by_token(dbc, tk, log): log.warning("Clossing session with token {}".format(tk)) return base_common.msg.error(msgs.CLOSE_USER_SESSION) _db.commit() return base_common.msg.post_ok()
def do_post(request, *args, **kwargs): """ Change password :param username: users username, string, True :param password: users password, string, True :return: 200, OK :return: 404 """ log = request.log _db = get_md2db() dbc = _db.cursor() # TODO: check users token try: newpassword = request.get_argument('newpassword') except tornado.web.MissingArgumentError: log.critical('Missing argument password') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW h2p = get_url_token(request, log) if h2p and len(h2p) > 60: rh = BaseAPIRequestHandler(log) rh.set_argument('hash', h2p) rh.r_ip= request.r_ip res = base_api.hash2params.retrieve_hash.do_get(rh) if 'http_status' not in res or res['http_status'] != 200: return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED) username = res['username'] else: # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST tk = request.auth_token if not authorized_by_token(dbc, tk, log): return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST) username, oldpwdhashed, user_id = get_user_by_token(dbc, tk, log) if not username: log.critical('User not found by token') return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST) try: oldpassword = request.get_argument('oldpassword') except tornado.web.MissingArgumentError: log.critical('Missing argument oldpassword') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) if not check_password(oldpwdhashed, username, oldpassword): log.critical("Passwords don't match, entered : {}".format(oldpassword)) return base_common.msg.error(msgs.WRONG_PASSWORD) # UPDATE USERS PASSWORD password = format_password(username, newpassword) uq = "update users set password = '******' where username = '******'".format( password, username ) try: dbc.execute(uq) except Exception as e: log.critical('Change password: {}'.format(e)) return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR) _db.commit() return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)
def do_post(request, *args, **kwargs): """ Change password :param username: users new username, string, True :param password: users password, string, True :return: 200, OK :return: 404 """ log = request.log _db = get_md2db() dbc = _db.cursor() try: newusername = request.get_argument('username') password = request.get_argument('password') except tornado.web.MissingArgumentError: log.critical('Missing argument password') return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT) tk = request.auth_token u_n, u_p, u_i = get_user_by_token(dbc, tk, log) newusername = qu_esc(newusername) password = qu_esc(password) if not check_password(u_p, u_n, password): log.critical('Wrong users password: {}'.format(password)) return base_common.msg.error(msgs.WRONG_PASSWORD) # SAVE HASH FOR USERNAME CHANGE rh = BaseAPIRequestHandler(log) data = {'cmd': 'change_username', 'newusername': newusername, 'user_id': u_i, 'password': password} rh.set_argument('data', json.dumps(data)) res = base_api.hash2params.save_hash.do_put(rh) if 'http_status' not in res or res['http_status'] != 200: return base_common.msg.error('Cannot handle forgot password') h = res['h'] message = _get_email_message(request, h) # SAVE EMAILS FOR SENDING rh1 = BaseAPIRequestHandler(log) rh1.set_argument('sender', support_mail) rh1.set_argument('receiver', newusername) rh1.set_argument('message', message) res = base_api.mail_api.save_mail.do_put(rh1) if 'http_status' not in res or res['http_status'] != 204: return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE) message2 = _get_email_warning(u_n, newusername) rh2 = BaseAPIRequestHandler(log) rh2.set_argument('sender', support_mail) rh2.set_argument('receiver', u_n) rh2.set_argument('message', message2) res = base_api.mail_api.save_mail.do_put(rh2) if 'http_status' not in res or res['http_status'] != 204: return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE) return base_common.msg.post_ok(msgs.CHANGE_USERNAME_REQUEST)
def do_get(request, *args, **kwargs): """ Change password :param username: users new username, string, True :param password: users password, string, True :return: 200, OK :return: 404 """ log = request.log _db = get_md2db() dbc = _db.cursor() h2p = get_url_token(request, log) if not h2p or len(h2p) < 64: log.critical('Wrong or expired token {}'.format(h2p)) return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN) rh = BaseAPIRequestHandler(log) rh.set_argument('hash', h2p) rh.r_ip = request.r_ip res = base_api.hash2params.retrieve_hash.do_get(rh) if 'http_status' not in res or res['http_status'] != 200: return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED) try: user_id = res['user_id'] newusername = res['newusername'] password = res['password'] except KeyError as e: log.critical('Missing hash parameter: {}'.format(e)) return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT) q = '''select username from users where id = '{}' '''.format(user_id) try: dbc.execute(q) except IntegrityError as e: log.critical('Error fetching user: {}'.format(e)) return base_common.msg.error(msgs.USER_NOT_FOUND) if dbc.rowcount != 1: log.critical('Users found {}'.format(dbc.rowcount)) return base_common.msg.error(msgs.USER_NOT_FOUND) dbu = dbc.fetchone() passwd = format_password(newusername, password); q1 = '''update users set username = '******', password = '******' where id = '{}' '''.format(newusername, passwd, user_id) try: dbc.execute(q1) except IntegrityError as e: log.critical('Error updating user: {}'.format(e)) return base_common.msg.error(msgs.USER_UPDATE_ERROR) _db.commit() message = _get_email_message() # SAVE EMAILS FOR SENDING rh1 = BaseAPIRequestHandler(log) rh1.set_argument('sender', support_mail) rh1.set_argument('receiver', newusername) rh1.set_argument('message', message) res = base_api.mail_api.save_mail.do_put(rh1) if 'http_status' not in res or res['http_status'] != 204: return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE) return base_common.msg.post_ok(msgs.USER_NAME_CHANGED)