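def search():
    """Handle the site-wide search form.

    On a valid form submission the query is forwarded to the
    ``search_result`` view through a redirect. A query containing a
    banned character, or a request whose body is not form-urlencoded,
    is rejected with 404. When the form does not validate the function
    falls through and returns ``None`` (Flask reports that as a server
    error) — NOTE(review): consider rendering the form or redirecting
    in that case.
    """
    searchForm = SearchForm()
    if searchForm.validate_on_submit():
        query = searchForm.search.data
        if utils.banned_characters(query):
            log.logger.critical('Malicious character detected in search')
            abort(404)
        # Only plain form posts are accepted; anything else is treated as
        # a malformed request. Logged instead of the former debug print.
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect request content format at /search route')
            abort(404)
        return redirect(url_for('search_result', query=escape(query)))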
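def reset_password_link(token):
    """Render and process the password-reset form behind a signed token.

    Args:
        token: the token e-mailed to the user; ``utils.confirmation_token``
            turns it back into an e-mail address or a falsy value when it
            is invalid/expired.

    Returns:
        A redirect to ``login`` when the token is unusable, the customer
        cannot be found or the password was reset; otherwise the rendered
        ``reset_password.html`` form.
    """
    searchForm = SearchForm()
    email = utils.confirmation_token(token)
    if not email:
        message = 'Link is expired please request again'
        return redirect(url_for('login', errors=message))
    form = PasswordResetForm()
    if form.validate_on_submit():
        try:
            user = Models.Customer.query.filter_by(email=email).first()
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt/SystemExit
            # are not swallowed; the failure itself is kept in the log.
            log.logger.exception('Customer lookup failed during password reset')
            flash('Invalid email')
            return redirect(url_for('login'))
        # first() returns None for an unknown address rather than raising,
        # which previously surfaced as an AttributeError below.
        if user is None:
            flash('Invalid email')
            return redirect(url_for('login'))

        # Fresh salt on every reset so the new hash shares nothing with the old one.
        salt = user.generate_salt()
        user.password_salt = salt
        user.password_hash = user.generate_hash(form.password.data, salt)
        Models.database.session.commit()
        log.logger.info('{0} has succesfully reset his password'.format(
            user.username))
        return redirect(url_for('login'))
    return render_template('reset_password.html',
                           form=form,
                           token=token,
                           searchForm=searchForm)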
def catalog():
    """Render the shop page with every product in the catalog."""
    all_products = Models.database.session.query(Models.Product).all()
    context = {
        'products': all_products,
        'itemCount': len(all_products),
        'searchForm': SearchForm(),
    }
    return render_template('shop.html', **context)
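def support():
    """Render the support form and e-mail its contents when submitted.

    A valid submission must be a form-urlencoded post whose fields pass
    ``utils.banned_characters``; otherwise the request is rejected with
    404. In production (``IS_PROD`` set) the message goes out through
    ``utils.mailgun_send_messageV2``, otherwise through Flask-Mail.
    Delivery failures are logged and the form is re-rendered.

    Returns:
        A redirect back to ``request.url`` after a successful send whose
        Location is ``/support``; otherwise the rendered ``support.html``.
    """
    searchForm = SearchForm()
    form = SupportForm()
    if form.validate_on_submit():
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect request content format at /support route')
            abort(404)
        # The message body gets a wider character blacklist than the other fields.
        suspicious = (
            utils.banned_characters(form.subject.data)
            or utils.banned_characters(form.message.data, matches='[/\\<>%=]')
            or utils.banned_characters(form.name.data)
            or utils.banned_characters(form.email.data)
        )
        if suspicious:
            log.logger.critical('Malicious character detected in support route')
            abort(404)
        try:
            if os.environ.get('IS_PROD', None):
                utils.mailgun_send_messageV2('*****@*****.**', form.subject.data, form.message.data, form.email.data)
            else:
                mail = Mail(current_app)
                msg = Message(
                    subject=form.subject.data,
                    recipients=['*****@*****.**'],
                    body=form.message.data,
                    sender=form.name.data,
                    reply_to=form.email.data
                )
                mail.send(msg)
            flash('Email has sent to u')
            resp = make_response(redirect(request.url))
            # Only follow the redirect when it stays on this route.
            if resp.headers['Location'] == '/support':
                return resp
        except Exception:
            # Keep the traceback in the application log rather than stdout.
            log.logger.exception('Failed to send support e-mail')

    return render_template('support.html', searchForm=searchForm, form=form)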
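def transfer(username):
    """Render the transfer form for the logged-in user's own profile.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        The rendered ``Transfer.html``; aborts with 404 when the visitor
        is anonymous or the username is not their own (the anonymous
        case previously raised instead of returning 404).
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    # Local renamed so it no longer shadows the view function itself.
    transfer_form = TransferForm()
    return render_template('Transfer.html', searchForm=searchForm, form=transfer_form)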
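def deposit(username):
    """Render the deposit form for the logged-in user's own profile.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        ``(rendered Deposit.html, 200)``. Any other visitor gets 404 —
        the previous ``pass`` returned ``None`` and produced a server error.
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and username == current_user.username):
        log.logger.warning('An attempt to access to this page without authentication was denied')
        abort(404)
    deposit_form = DepositForm()
    return render_template('Deposit.html', searchForm=searchForm, form=deposit_form), 200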
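def account(username):
    """Render the account page for the logged-in user's own profile.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        The rendered ``account.html``; 404 for anyone else. The former
        ``print`` of the account id ran before the authentication check
        and was removed (it failed for anonymous visitors and wrote an
        identifier to stdout).
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    return render_template('account.html', searchForm=searchForm)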
def current_password():
    """Show the change-password form to a logged-in user; 404 otherwise."""
    if not current_user.is_authenticated:
        abort(404)
    return render_template('current_password.html',
                           form=ChangePasswordForm(),
                           searchForm=SearchForm())
def reset_link():
    """Show the password-reset request form; logged-in users get 404."""
    if current_user.is_authenticated:
        abort(404)
    context = {
        'form': EmailForm(),
        'errors': '',
        'searchForm': SearchForm(),
    }
    return render_template('reset.html', **context)
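def accountUpdate(username):
    """Update payment method, credit card and address for the user's own account.

    The credit card is encrypted with a per-user key held in ``vault.Vault``
    before it is stored; the key is created on first use.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        A redirect to ``account`` after a successful update, otherwise the
        rendered ``accountUpdate.html``; 404 for other visitors or when the
        customer row is missing.
    """
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    form = AccountForm()
    searchForm = SearchForm()
    if form.validate_on_submit():
        key_vault = vault.Vault()
        try:
            try:
                key_vault.key_client.get_key(username)
            except Exception:
                # No key for this user yet; create one.
                key_vault.set_key(username, 4096, key_vault.key_ops)
            user = Models.Customer.query.filter_by(username=username).first()
            if user is None:
                abort(404)
            user.account.payment_method = form.payment_method.data
            user.account.credit_card = key_vault.encrypt(
                username, form.credit_card.data)
            user.account.address = form.address.data
            Models.database.session.commit()
        finally:
            # Close the vault clients even when the update raises.
            key_vault.key_client.close()
            key_vault.secret_client.close()
        log.logger.info('{0} successfuly updated his/her account'.format(
            user.username))
        return redirect(url_for('account', username=username))
    elif form.errors:
        # Validation failures are not exceptions; warning is the right level.
        log.logger.warning(form.errors)
    return render_template('accountUpdate.html',
                           form=form,
                           searchForm=searchForm)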
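def reset_password_link(token):
    """Render and process the password-reset form behind a signed token.

    Logged-in users are refused with 404. The token is decoded by
    ``utils.confirmation_token``; an unusable token redirects to ``login``
    with a flash message. A valid, form-urlencoded submission re-salts
    and re-hashes the customer's password.

    Args:
        token: the token from the reset e-mail.

    Returns:
        A redirect to ``login`` (only when its Location is ``/login``,
        otherwise 404), or the rendered ``reset_password.html``.
    """
    if current_user.is_authenticated:
        abort(404)
    searchForm = SearchForm()
    email = utils.confirmation_token(token)
    # The decoded address is no longer printed to stdout.
    if not email:
        flash('This link has expired!')
        resp = make_response(redirect(url_for('login')))
        if resp.headers['Location'] == '/login':
            return resp
        else:
            abort(404)
    form = PasswordResetForm()
    if form.validate_on_submit():
        if request.content_type != 'application/x-www-form-urlencoded':
            log.logger.error('Incorrect content format found!')
            abort(404)
        try:
            user = Models.Customer.query.filter_by(email=email).first()
        except Exception:
            log.logger.exception('Customer lookup failed during password reset')
            flash('Invalid email')
            return redirect(url_for('login'))
        # first() returns None for an unknown address rather than raising.
        if user is None:
            flash('Invalid email')
            return redirect(url_for('login'))

        salt = user.generate_salt()
        user.password_salt = salt
        user.password_hash = user.generate_hash(form.password.data, salt)
        Models.database.session.commit()
        log.logger.info('{0} has succesfully reset his password'.format(user.username))
        resp = make_response(redirect(url_for('login')))
        if resp.headers['Location'] == '/login':
            return resp
        else:
            abort(404)
    return render_template('reset_password.html', form=form, token=token, searchForm=searchForm)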
def reset_link():
    """Request a password-reset e-mail for a registered address.

    A valid, form-urlencoded submission for a known e-mail address
    generates a token, renders ``reset_email.html`` around the reset URL
    and sends it (Mailgun when ``IS_PROD`` is set, otherwise
    ``utils.send_email``). Unknown addresses re-render the form with an
    error message.
    """
    searchForm = SearchForm()
    form = EmailForm()
    error = ''
    if form.validate_on_submit():
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect content format sent detected in /reset route')
            abort(404)
        address = form.email.data
        known = Models.Customer.query.filter_by(email=str(escape(address))).first()
        if not known:
            error = 'This email is not registered with us!'
        else:
            reset_url = url_for('users.reset_password_link',
                                token=utils.generate_token(address),
                                _external=True)
            body = render_template('reset_email.html', password_reset_url=reset_url)
            if os.environ.get('IS_PROD', None):
                deliver = utils.mailgun_send_message
            else:
                deliver = utils.send_email
            deliver(address, 'Password Recovery', body)
            flash('WE have emailed you the password link to reset!')
            resp = make_response(redirect(url_for('reset_link')))
            if resp.headers['Location'] != '/reset':
                abort(404)
            return resp

    return render_template('reset.html', form=form, errors=error, searchForm=searchForm)
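def search_result():
    """Render products whose name, description or model contain ``query``.

    ``query`` comes from the query string. LIKE metacharacters in it are
    escaped so the user's text is matched literally — previously a
    ``%`` or ``_`` in the input acted as a wildcard. A missing parameter
    now searches for the empty string instead of the text ``None``.

    Returns:
        ``(rendered search.html, 201)``. NOTE(review): 201 (Created) is an
        odd status for a read-only search; kept as callers may rely on it.
    """
    searchForm = SearchForm()
    query = request.args.get('query', '')
    # Escape backslash first so the escapes added below are not re-escaped.
    literal = query.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')
    pattern = "%{}%".format(literal)
    product = Models.Product
    result = Models.database.session.query(product).filter(or_(
        product.Name.ilike(pattern, escape='\\'),
        product.Description.ilike(pattern, escape='\\'),
        product.model.ilike(pattern, escape='\\'),
    )).all()

    return render_template('search.html', product=result, itemCount=len(result), query=query, searchForm=searchForm), 201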
def account_update_page(username):
    """Show the account-update form to the owner of ``username``; 404 otherwise."""
    searchForm = SearchForm()
    is_owner = current_user.is_authenticated and current_user.username == username
    if not is_owner:
        log.logger.warning('An attempt to access to this page without authenticcation  was deny')
        abort(404)
    return render_template('accountUpdate.html', form=AccountForm(), searchForm=searchForm)
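def profile(username):
    """Render the profile page for the logged-in user's own profile.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        The rendered ``profile.html``; 404 for anyone else. The warning is
        now logged before ``abort`` (it was unreachable after it), and the
        debug print of ``is_active`` is gone.
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        log.logger.warning('An attempt to access to this page without authenticcation  was deny')
        abort(404)
    return render_template('profile.html', active='profile', searchForm=searchForm)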
def reset_link():
    """Show the password-reset request form with no error text."""
    context = {
        'form': EmailForm(),
        'errors': '',
        'searchForm': SearchForm(),
    }
    return render_template('reset.html', **context)
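def profile(username):
    """Render the profile page for the logged-in user's own profile.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        The rendered ``profile.html``; 404 for anyone else. The debug
        print of ``current_user.is_active`` was removed.
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    return render_template('profile.html',
                           active='profile',
                           searchForm=searchForm)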
def account_update_page(username):
    """Show the account-update form to the owner of ``username``; 404 otherwise."""
    searchForm = SearchForm()
    if not current_user.is_authenticated or current_user.username != username:
        abort(404)
    return render_template('accountUpdate.html',
                           form=AccountForm(),
                           searchForm=searchForm)
def unconfirmed():
    """Show the 'account not confirmed' page to a logged-in, unverified user.

    Anonymous visitors and already-verified users get 404.
    """
    unverified = current_user.is_authenticated and current_user.verified == 0
    if not unverified:
        abort(404)
    return render_template('unconfirm.html', searchForm=SearchForm())
def verify_token():
    """Render the 2FA token form for a session that has a pending username.

    The page is sent with no-store cache headers so the form is never
    served from a cache; sessions without ``username`` get 404.
    """
    if not session.get('username'):
        abort(404)
    searchForm = SearchForm()
    confirm_form = Confirm2faForm()
    no_store = {
        'Cache-Control': 'no-cache, no-store, must-revalidate',
        'Pragma': 'no-cache',
        'Expires': '0',
    }
    page = render_template('VerifyToken.html', searchForm=searchForm, form=confirm_form)
    return page, 200, no_store
def login():
    """Show the login form, or send an already-authenticated user home."""
    if current_user.is_authenticated:
        return redirect(url_for('home_page'))
    context = {
        'form': LoginForm(),
        'errors': '',
        'searchForm': SearchForm(),
    }
    return render_template('login.html', **context)
def current():
    """Change the logged-in user's password after verifying the current one.

    Flow: the submission must be form-urlencoded and the current password
    must pass ``utils.banned_characters``; it is then hashed with the stored
    salt and compared to the stored hash. A matching password is rejected if
    the new one contains the username, is a common password, or contains
    PASSWORD/ADMIN; otherwise the user is re-salted, re-hashed, logged out
    and redirected to ``login``. Anonymous visitors get 404.

    NOTE(review): several branches fall through and return ``None`` (no
    submission, or a redirect whose Location check fails), which Flask
    reports as a server error. The Location checks below compare against
    both '/current' and '/current_password', so at least one of them can
    never return its response.
    """
    searchForm = SearchForm()
    if current_user.is_authenticated:
        form = ChangePasswordForm()
        if form.validate_on_submit():
            if request.content_type != r'application/x-www-form-urlencoded':
                log.logger.error('Incorrect request content format at /current route')
                abort(404)
            if utils.banned_characters(form.currentPassword.data):
                 log.logger.critical('Malicious character detected in support route. An attempt to inject is possible')
                 abort(404)
            # NOTE(review): first() may return None if the row is gone; the
            # attribute access below would then raise.
            user = Models.Customer.query.filter_by(username=current_user.username).first()
            saved_hash= user.password_hash
            password_hashed = utils.generate_hash(form.currentPassword.data,user.password_salt)
            # NOTE(review): plain == is not a constant-time comparison;
            # hmac.compare_digest is preferable once the hash types are known.
            if saved_hash == password_hashed:

                # The username is interpolated into a regex group; NOTE(review):
                # regex metacharacters in a username would alter the pattern —
                # verify what banned_characters does with `matches`.
                if utils.banned_characters(form.confirm.data.upper(),matches='({0})'.format(str(escape(current_user.username.upper())))):
                    flash('Password should not contain anything related to your username. Please try again!')
                    resp = make_response(redirect(url_for('current_password')))
                    if resp.headers['Location'] == '/current':
                        return resp
                # The '(PASSWORD)' check is repeated; the duplicate is redundant.
                elif utils.read_common_password(form.confirm.data) or utils.banned_characters(form.confirm.data.upper(),matches='(PASSWORD)') or utils.banned_characters(form.confirm.data.upper(), matches='(PASSWORD)') or utils.banned_characters(form.confirm.data.upper(), matches='(ADMIN)'):
                    flash('This password is either too common and subsceptiple to hackers or password contain words like \"username\" or \"password\" or \"admin\"')
                    resp = make_response(redirect(url_for('current_password')))
                    if resp.headers['Location'] == '/current_password':
                        return resp
                else:
                    try:
                        user = Models.Customer.query.filter_by(username=current_user.username).first()
                        # Fresh salt per change so the new hash shares nothing with the old.
                        new_salt = utils.generate_salt()
                        new_hash = utils.generate_hash(form.confirm.data,new_salt)
                        user.password_salt = new_salt
                        user.password_hash = new_hash
                        Models.database.session.commit()
                        # Invalidate the current login so the new credential must be used.
                        logout_user()
                        session.destroy()
                        flash('Password has changed,please try to login with new credential')
                        resp = make_response(redirect(url_for('login')))
                        if resp.headers['Location'] == '/login':
                            return resp
                    # NOTE(review): bare except hides the failure entirely; at
                    # minimum narrow to Exception and log it before rolling back.
                    except:
                        Models.database.session.rollback()


            else:
                flash('Invalid current password')
                resp = make_response(redirect(url_for('current_password')))
                if resp.headers['Location'] == '/current':
                    return resp


    else:
        abort(404)
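def login():
    """Authenticate a customer from the login form.

    Already-authenticated users get 404. Credentials containing banned
    characters are logged and redirected back to ``login``. The submitted
    password is hashed with the stored salt and compared with the stored
    hash; verified users are logged in and sent to ``home_page``,
    unverified ones are logged in and sent to ``users.unconfirmed``.
    Unknown users and wrong passwords share one error message so the
    response does not reveal which usernames exist.

    Returns:
        A redirect on success (or on a banned-character hit), otherwise
        the rendered ``login.html`` with ``errors`` set.
    """
    searchForm = SearchForm()

    if current_user.is_authenticated:
        abort(404)
    errors = ''
    form = LoginForm()
    if form.validate_on_submit():
        if (utils.banned_characters(form.username.data)
                or utils.banned_characters(form.password.data)):
            log.logger.critical(
                'Malicious characters such as \'\"<>#/ detected')
            # ``errors`` was assigned here before but never reached the
            # template because of the redirect; dropped.
            return redirect(url_for('login'))
        user = Models.Customer.query.filter_by(
            username=str(escape(form.username.data))).first()
        if user is not None:
            # NOTE(review): the password is HTML-escaped before hashing;
            # this only works if registration hashes it the same way.
            password_hash = utils.generate_hash(
                str(escape(form.password.data)), user.password_salt)
            # NOTE(review): == is not constant-time; hmac.compare_digest is
            # preferable once the hash types (str/bytes) are known.
            if password_hash == user.password_hash:
                u = Models.Customer.query.get(user.userid)
                login_user(u)
                if user.verified == 1:
                    log.logger.info(
                        '{0} successfully logs into his account'.format(
                            u.username))
                    return redirect(url_for('home_page'))
                log.logger.warning(
                    '{0} successfully logs into his account without activating it'
                    .format(u.username))
                return redirect(url_for('users.unconfirmed'))
        errors = 'Invalid username or password'
    elif form.errors:
        # Validation errors used to go to stdout via print.
        log.logger.warning(form.errors)

    return render_template('login.html',
                           form=form,
                           errors=errors,
                           searchForm=searchForm)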
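def home_page():
    """Render the index page for loopback clients only.

    Any other ``request.remote_addr`` now gets 404; previously the view
    returned ``None`` and Flask raised a server error. NOTE(review):
    behind a reverse proxy ``remote_addr`` is the proxy's address, so this
    check may need ProxyFix or an equivalent to see the real client.
    """
    searchForm = SearchForm()
    if request.remote_addr not in ('127.0.0.1',):
        abort(404)
    return render_template('index.html', searchForm=searchForm)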
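def support():
    """Render the support form and e-mail its contents when submitted.

    A valid submission is sent through Flask-Mail; the user is then
    redirected back to ``request.url``. The redirect used to be built but
    never returned, so the form was re-rendered instead.

    Returns:
        A redirect after a successful send, otherwise the rendered
        ``support.html``.
    """
    searchForm = SearchForm()
    form = SupportForm()
    if form.validate_on_submit():
        mail = Mail(current_app)
        msg = Message(subject=form.subject.data,
                      recipients=['*****@*****.**'],
                      body=form.message.data,
                      sender=form.name.data,
                      reply_to=form.email.data)
        mail.send(msg)
        flash('Email has sent to u')
        return redirect(request.url)

    return render_template('support.html', searchForm=searchForm, form=form)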
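def login():
    """Show the login form, routing already-progressed sessions onward.

    Authenticated users are redirected to ``home_page``; sessions with a
    pending ``username`` (awaiting 2FA) to ``verify_token``. Each redirect
    is only returned when its Location matches the expected path,
    otherwise the form is rendered. The former ``print(session)`` dumped
    session contents to stdout and was removed.
    """
    searchForm = SearchForm()
    errors = ''
    if current_user.is_authenticated:
        resp = make_response(redirect(url_for('home_page')))
        if resp.headers['Location'] == '/':
            return resp
    elif session.get('username'):
        resp = make_response(redirect(url_for('verify_token')))
        if resp.headers['Location'] == '/VerifyToken':
            return resp
    form = LoginForm()
    if_prod = os.environ.get('IS_PROD')
    return render_template('login.html', form=form, errors=errors, searchForm=searchForm, if_prod=if_prod)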
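def account(username):
    """Render the account page, including the stored card, for its owner.

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        The rendered ``account.html`` with ``credit_card`` (decoded text,
        or ``None`` when nothing is stored); 404 for anyone else. The
        former ``print`` of the card value to stdout was removed.
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        log.logger.warning('An attempt to access to this page without authenticcation  was deny')
        abort(404)
    credit_card = current_user.account.credit_card
    if credit_card is not None:
        # NOTE(review): the vault decrypt call is commented out, so the stored
        # bytes are decoded as-is — the card appears to be stored unencrypted.
        key_vault = vault.Vault()
        try:
            credit_card = credit_card.decode('utf-8')  # key_vault.decrypt(current_user.account.credit_card, username)
        finally:
            key_vault.close_all_connections()
    return render_template('account.html', searchForm=searchForm, credit_card=credit_card)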
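def home_page():
    """Render the index page, recording when the session was first seen.

    Stores a ``created`` timestamp in the session on first visit and passes
    the client address to the template. The debug prints of the session,
    auth state and addresses were removed. NOTE(review): X-Forwarded-For is
    client-supplied; only trust it when a proxy is configured to set it.
    """
    if 'created' not in session:
        session['created'] = datetime.datetime.now()
    searchForm = SearchForm()
    client_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
    return make_response(render_template('index.html', searchForm=searchForm, ip=client_ip))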
def reset_link():
    """Request a password-reset e-mail for a registered address.

    A valid submission for a known e-mail generates a token, renders
    ``reset_email.html`` around the reset URL, sends it with
    ``utils.send_email`` and redirects back here with a confirmation
    message. Unknown addresses re-render the form with an error.
    """
    searchForm = SearchForm()
    form = EmailForm()
    error = ''
    if form.validate_on_submit():
        address = form.email.data
        known = Models.Customer.query.filter_by(
            email=str(escape(address))).first()
        if known:
            reset_url = url_for('users.reset_password_link',
                                token=utils.generate_token(address),
                                _external=True)
            body = render_template('reset_email.html',
                                   password_reset_url=reset_url)
            utils.send_email(address, 'Password Recovery', body)
            notice = 'We have emailed youthe password link to reset!'
            return redirect(url_for('reset_link', errors=notice))
        error = 'This email is not registered with us!'

    return render_template('reset.html',
                           form=form,
                           errors=error,
                           searchForm=searchForm)
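def accountUpdate(username):
    """Update payment method, credit card and address for the user's own account.

    A valid submission must be form-urlencoded and the card field must pass
    ``utils.banned_characters`` (a hit logs out the user and returns 404).

    Args:
        username: the profile name in the URL; must match ``current_user``.

    Returns:
        A redirect to ``account`` after a successful update (only when its
        Location is the user's own account path), otherwise the rendered
        ``accountUpdate.html``; 404 for other visitors or a missing row.
    """
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    form = AccountForm()
    searchForm = SearchForm()
    if form.validate_on_submit():
        if utils.banned_characters(form.credit_card.data):
            log.logger.critical('Malicious Character detected in /profile/{0}/account/update'.format(username))
            logout_user()
            abort(404)
        if request.content_type != 'application/x-www-form-urlencoded':
            log.logger.error('Incorrect content type format found in /profile/{0}/account/update'.format(username))
            abort(404)
        key_vault = vault.Vault()
        try:
            user = Models.Customer.query.filter_by(username=username).first()
            if user is None:
                abort(404)
            user.account.payment_method = form.payment_method.data
            # NOTE(review): the key_vault.encrypt call is commented out, so the
            # card number is stored as raw bytes; restore encryption before
            # this handles real card data.
            user.account.credit_card = bytes(form.credit_card.data, 'utf-8')  # key_vault.encrypt(username, form.credit_card.data)
            user.account.address = form.address.data
            Models.database.session.commit()
        finally:
            # Close the vault clients even when the update raises.
            key_vault.key_client.close()
            key_vault.secret_client.close()
        log.logger.info('{0} successfuly updated his/her account'.format(user.username))
        resp = make_response(redirect(url_for('account', username=username)))
        if resp.headers['Location'] == '/profile/' + current_user.username + '/account':
            return resp
    elif form.errors:
        # Validation failures are not exceptions; warning is the right level.
        log.logger.warning(form.errors)
    return render_template('accountUpdate.html', form=form, searchForm=searchForm)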