def test_base64decode():
    """The base64decode wrapper works properly"""
    # Shared fixtures: a signed-payload token with and without '%3D'
    # URL-encoding of its '=' padding, and a 4-byte UTF-8 emoji whose
    # encoding uses the '-' of the URL-safe alphabet.
    face = '😆'
    signed = '"*****@*****.**".DGxeoA.lCssU3M2QuBfohO-FtdgDQLKbU4'
    signed_b64 = 'InRlc3RAbWFpbGluYXRvci5jb20iLkRHeGVvQS5sQ3NzVTNNMlF1QmZvaE8tRnRkZ0RRTEtiVTQ%3D'
    if six.PY2:
        # On py2 both str and unicode inputs must be accepted.
        cases = [
            ('YWJjMTIz', {}, 'abc123'),
            (unicode('YWJjMTIz'), {}, 'abc123'),
            (unicode(signed_b64), {'urldecode': True}, signed),
            ('8J-Yhg==', {}, face),
            ('8J-Yhg%3D%3D', {'urldecode': True}, face),
        ]
    else:
        cases = [
            ('YWJjMTIz', {}, 'abc123'),
            (signed_b64, {'urldecode': True}, signed),
            ('8J-Yhg==', {}, face),
            ('8J-Yhg%3D%3D', {'urldecode': True}, face),
        ]
    for encoded, kwargs, expected in cases:
        assert base64decode(encoded, **kwargs) == expected
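def reset_password(data=None):
    """Request a password-reset e-mail, or consume a reset token.

    With ``data`` (the URL-safe base64 token from the e-mailed link):
      GET  -> verify the token and render the "set new password" form.
      POST -> verify the token and store the new bcrypt_sha256 hash.
    Without ``data``:
      POST -> look up the team by e-mail and hand off to
              ``utils.forgot_password``.
      GET  -> render the "request a reset" form.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name, signed with ``SECRET_KEY`` and accepted for at most 30
    minutes (``max_age=1800``). The "request" half answers with the same
    message whether or not the e-mail is registered, so the response body
    does not reveal which addresses exist.

    NOTE(review): nothing here invalidates a token once it has been used;
    it stays valid until it expires. Making it single-use needs state that
    lives outside this block (e.g. a per-team value mixed into the
    serializer salt that changes on password update).
    """
    if utils.get_config('no_emails'):
        # 'no_emails' is set: the e-mail based flow is disabled.
        return redirect(url_for('auth.login'))
    logger = logging.getLogger('logins')

    if data is not None:
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            name = s.loads(utils.base64decode(data, urldecode=True),
                           max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('reset_password.html',
                                   errors=['Your link has expired'])
        except (BadSignature, TypeError, base64.binascii.Error):
            # Tampered signature, undecodable base64 or a non-text payload:
            # none of these is a usable token.
            return render_template('reset_password.html',
                                   errors=['Your reset token is invalid'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            password = request.form['password'].strip()
            if not password:
                # Without this an empty submission would be hashed and
                # stored as the account's password.
                return render_template('reset_password.html', mode='set',
                                       errors=['Password cannot be empty'])
            team = Teams.query.filter_by(name=name).first_or_404()
            team.password = bcrypt_sha256.encrypt(password)
            db.session.commit()
            # .encode('utf-8') keeps py2 str formatting happy with
            # non-ASCII names; on py3 it logs a bytes repr instead.
            logger.warning(
                "[{date}] {ip} -  successful password reset for {username}".
                format(date=time.strftime("%m/%d/%Y %X"),
                       ip=utils.get_ip(),
                       username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()

        if utils.can_send_mail() is False:
            return render_template(
                'reset_password.html',
                errors=[
                    'Email could not be sent due to server misconfiguration'
                ])

        if not team:
            # Same wording as the success path below: no account
            # enumeration through the response body.
            return render_template(
                'reset_password.html',
                errors=[
                    'If that account exists you will receive an email, please check your inbox'
                ])

        utils.forgot_password(email, team.name)

        return render_template(
            'reset_password.html',
            errors=[
                'If that account exists you will receive an email, please check your inbox'
            ])
    return render_template('reset_password.html')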
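def confirm_user(data=None):
    """Confirm a team's e-mail address, or (re)start the confirmation flow.

    ``data`` is the URL-safe base64 token from the confirmation e-mail: an
    itsdangerous ``TimedSerializer`` payload holding the e-mail address,
    signed with ``SECRET_KEY`` and accepted for at most 30 minutes.

    GET with ``data``    -> verify the token and mark the team with that
                            e-mail as verified (no login required: the
                            signed link is the proof).
    POST without ``data`` -> resend the confirmation e-mail (login required).
    GET without ``data``  -> show the confirmation page (login required).

    Any other shape (e.g. POST to a tokenised URL) falls through to the
    confirmation page; previously it returned ``None``, which Flask turns
    into a 500.
    """
    if not utils.get_config('verify_emails'):
        # The CTF does not verify e-mail addresses: nothing to confirm.
        return redirect(url_for('challenges.challenges_view'))

    logger = logging.getLogger('regs')

    # Consume a confirmation link.
    if data and request.method == "GET":
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            email = s.loads(utils.base64decode(data, urldecode=True),
                            max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('confirm.html',
                                   errors=[get_tip('LINK_EXPIRED')])
        except (BadSignature, TypeError, base64.binascii.Error):
            # Tampered signature, undecodable base64 or a non-text payload.
            return render_template('confirm.html',
                                   errors=[get_tip('INVIDE_RESET_TOKEN')])
        team = Teams.query.filter_by(email=email).first_or_404()
        team.verified = True
        db.session.commit()
        # .encode('utf-8') keeps py2 str formatting happy with non-ASCII
        # values; on py3 it logs a bytes repr instead.
        logger.warning(
            get_tip('USER_HAVE_CM').format(date=time.strftime("%m/%d/%Y %X"),
                                           ip=utils.get_ip(),
                                           username=team.name.encode('utf-8'),
                                           email=team.email.encode('utf-8')))
        db.session.close()
        if utils.authed():
            return redirect(url_for('challenges.challenges_view'))
        return redirect(url_for('auth.login'))

    # Everything below acts on the logged-in team.
    if not utils.authed():
        return redirect(url_for('auth.login'))

    team = Teams.query.filter_by(id=session['id']).first_or_404()

    if data is None and request.method == "POST":
        # Resend the confirmation e-mail, unless already verified.
        if team.verified:
            return redirect(url_for('views.profile'))
        utils.verify_email(team.email)
        logger.warning(
            get_tip('EMAIL_CF_RESENT').format(
                date=time.strftime("%m/%d/%Y %X"),
                ip=utils.get_ip(),
                username=team.name.encode('utf-8'),
                email=team.email.encode('utf-8')))
        return render_template('confirm.html',
                               team=team,
                               infos=[get_tip('EMAIL_CF_SENT')])

    # GET without a token (and the fall-through case): an already verified
    # team goes to its profile, otherwise show the confirmation page.
    if team.verified:
        return redirect(url_for('views.profile'))
    return render_template('confirm.html', team=team)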
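def confirm_user(data=None):
    """Confirm a team's e-mail address, or (re)start the confirmation flow.

    ``data`` is the URL-safe base64 token from the confirmation e-mail: an
    itsdangerous ``TimedSerializer`` payload holding the e-mail address,
    signed with ``SECRET_KEY`` and accepted for at most 30 minutes.

    GET with ``data``    -> verify the token and mark the team with that
                            e-mail as verified (no login required: the
                            signed link is the proof).
    POST without ``data`` -> resend the confirmation e-mail (login required).
    GET without ``data``  -> show the confirmation page (login required).

    Any other shape (e.g. POST to a tokenised URL) falls through to the
    confirmation page; previously it returned ``None``, which Flask turns
    into a 500.
    """
    if not utils.get_config('verify_emails'):
        # The CTF does not verify e-mail addresses: nothing to confirm.
        return redirect(url_for('challenges.challenges_view'))

    logger = logging.getLogger('regs')

    # Consume a confirmation link.
    if data and request.method == "GET":
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            email = s.loads(utils.base64decode(data, urldecode=True), max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('confirm.html', errors=['Your confirmation link has expired'])
        except (BadSignature, TypeError, ValueError):
            # Previously only BadSignature was caught, so a link whose base64
            # would not decode (binascii.Error is a ValueError) or whose
            # payload was not text raised straight through to a 500.
            return render_template('confirm.html', errors=['Your confirmation link seems wrong'])
        team = Teams.query.filter_by(email=email).first_or_404()
        team.verified = True
        db.session.commit()
        # .encode('utf-8') keeps py2 str formatting happy with non-ASCII
        # values; on py3 it logs a bytes repr instead.
        logger.warning("[{date}] {ip} - {username} confirmed their account".format(
            date=time.strftime("%m/%d/%Y %X"),
            ip=utils.get_ip(),
            username=team.name.encode('utf-8'),
            email=team.email.encode('utf-8')
        ))
        db.session.close()
        if utils.authed():
            return redirect(url_for('challenges.challenges_view'))
        return redirect(url_for('auth.login'))

    # Everything below acts on the logged-in team.
    if not utils.authed():
        return redirect(url_for('auth.login'))

    team = Teams.query.filter_by(id=session['id']).first_or_404()

    if data is None and request.method == "POST":
        # Resend the confirmation e-mail, unless already verified.
        if team.verified:
            return redirect(url_for('views.profile'))
        utils.verify_email(team.email)
        logger.warning("[{date}] {ip} - {username} initiated a confirmation email resend".format(
            date=time.strftime("%m/%d/%Y %X"),
            ip=utils.get_ip(),
            username=team.name.encode('utf-8'),
            email=team.email.encode('utf-8')
        ))
        return render_template('confirm.html', team=team, infos=['Your confirmation email has been resent!'])

    # GET without a token (and the fall-through case): an already verified
    # team goes to its profile, otherwise show the confirmation page.
    if team.verified:
        return redirect(url_for('views.profile'))
    return render_template('confirm.html', team=team)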
def test_base64decode():
    """The base64decode wrapper works properly"""
    # None of these inputs carries '=' padding, and '8J-Yhg' uses the '-'
    # of the URL-safe alphabet.
    signed_b64 = 'InRlc3RAbWFpbGluYXRvci5jb20iLkRHeGVvQS5sQ3NzVTNNMlF1QmZvaE8tRnRkZ0RRTEtiVTQ'
    signed = '"*****@*****.**".DGxeoA.lCssU3M2QuBfohO-FtdgDQLKbU4'
    if six.PY2:
        # On py2 both str and unicode inputs must be accepted.
        cases = [
            ('YWJjMTIz', 'abc123'),
            (unicode('YWJjMTIz'), 'abc123'),
            (unicode(signed_b64), signed),
            ('8J-Yhg', '😆'),
        ]
    else:
        cases = [
            ('YWJjMTIz', 'abc123'),
            (signed_b64, signed),
            ('dXNlcit1c2VyQGN0ZmQuaW8', '*****@*****.**'),
            ('8J-Yhg', '😆'),
        ]
    for encoded, expected in cases:
        assert base64decode(encoded) == expected
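def reset_password(data=None):
    """Request a password-reset e-mail, or consume a reset token.

    With ``data`` (the URL-safe base64 token from the e-mailed link):
      GET  -> verify the token and render the "set new password" form.
      POST -> verify the token and store the new bcrypt_sha256 hash.
    Without ``data``:
      POST -> look up the team by e-mail and mail a signed reset link.
      GET  -> render the "request a reset" form.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name, signed with ``SECRET_KEY`` and accepted for at most 30
    minutes (``max_age=1800``). The "request" half answers with the same
    message whether or not the e-mail is registered, so the response body
    does not reveal which addresses exist.

    NOTE(review): nothing here invalidates a token once it has been used;
    it stays valid until it expires. Making it single-use needs state that
    lives outside this block.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        # Verify the token for GET as well, so a stale or forged link fails
        # before the form is shown rather than after the user submits it.
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            name = s.loads(utils.base64decode(data, urldecode=True),
                           max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('reset_password.html',
                                   errors=['Your link has expired'])
        except Exception:
            # Was a bare ``except:`` (which also swallowed SystemExit and
            # KeyboardInterrupt). Bad signature, undecodable base64 or a
            # non-text payload all mean "not a usable token"; log it so
            # repeated probing of this endpoint is visible.
            logger.warning(
                "[{date}] {ip} -  invalid password reset token".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip()))
            return render_template(
                'reset_password.html',
                errors=['Your link appears broken, please try again.'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            password = request.form['password'].strip()
            if not password:
                # Without this an empty submission would be hashed and
                # stored as the account's password.
                return render_template('reset_password.html', mode='set',
                                       errors=['Password cannot be empty'])
            team = Teams.query.filter_by(name=name).first_or_404()
            team.password = bcrypt_sha256.encrypt(password)
            db.session.commit()
            # .encode('utf-8') keeps py2 str formatting happy with
            # non-ASCII names; on py3 it logs a bytes repr instead.
            logger.warning(
                "[{date}] {ip} -  successful password reset for {username}".format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()
        if not team:
            # Same wording as the success path below: no account
            # enumeration through the response body.
            return render_template(
                'reset_password.html',
                errors=[
                    'If that account exists you will receive an email, please check your inbox'
                ])
        s = TimedSerializer(app.config['SECRET_KEY'])
        token = s.dumps(team.name)
        # NOTE(review): url_for(..., _external=True) builds the link from
        # the incoming request's scheme/host unless SERVER_NAME is set, so
        # the reset link follows whatever Host header the server accepted.
        # Confirm SERVER_NAME (or a Host allow-list in front) is configured.
        text = """
Did you initiate a password reset?

{0}/{1}

""".format(url_for('auth.reset_password', _external=True),
           utils.base64encode(token, urlencode=True))

        utils.sendmail(email, text)

        return render_template(
            'reset_password.html',
            errors=[
                'If that account exists you will receive an email, please check your inbox'
            ])
    return render_template('reset_password.html')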
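def reset_password(data=None):
    """Request a password-reset e-mail, or consume a reset token.

    With ``data`` (the URL-safe base64 token from the e-mailed link):
      GET  -> verify the token and render the "set new password" form.
      POST -> verify the token and store the new bcrypt_sha256 hash.
    Without ``data``:
      POST -> look up the team by e-mail and hand off to
              ``utils.forgot_password``.
      GET  -> render the "request a reset" form.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name, signed with ``SECRET_KEY`` and accepted for at most 30
    minutes (``max_age=1800``). The "request" half answers with the same
    message whether or not the e-mail is registered, so the response body
    does not reveal which addresses exist.

    NOTE(review): nothing here invalidates a token once it has been used;
    it stays valid until it expires. Making it single-use needs state that
    lives outside this block.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            name = s.loads(utils.base64decode(data, urldecode=True),
                           max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('reset_password.html',
                                   errors=['您的密码重置链接已经过期'])
        except (BadSignature, TypeError, base64.binascii.Error):
            # Tampered signature, undecodable base64 or a non-text payload:
            # none of these is a usable token.
            return render_template('reset_password.html',
                                   errors=['您的密码重置令牌已经失效'])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            password = request.form['password'].strip()
            if not password:
                # Without this an empty submission would be hashed and
                # stored as the account's password.
                return render_template('reset_password.html', mode='set',
                                       errors=['密码不能为空'])
            team = Teams.query.filter_by(name=name).first_or_404()
            team.password = bcrypt_sha256.encrypt(password)
            db.session.commit()
            # .encode('utf-8') keeps py2 str formatting happy with
            # non-ASCII names; on py3 it logs a bytes repr instead.
            logger.warning(
                "[{date}] {ip} -  successful password reset for {username}".
                format(date=time.strftime("%m/%d/%Y %X"),
                       ip=utils.get_ip(),
                       username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()

        if utils.can_send_mail() is False:
            return render_template('reset_password.html',
                                   errors=['邮件信息配置异常,无法发送邮件,请联系管理员'])

        if not team:
            # Same wording as the success path below: no account
            # enumeration through the response body.
            return render_template('reset_password.html',
                                   errors=['如果邮箱有效,将会收到一封密码重置邮件,请注意查收'])

        utils.forgot_password(email, team.name)

        return render_template('reset_password.html',
                               errors=['如果邮箱有效,将会收到一封密码重置邮件,请注意查收'])
    return render_template('reset_password.html')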
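def reset_password(data=None):
    """Request a password-reset e-mail, or consume a reset token.

    With ``data`` (the URL-safe base64 token from the e-mailed link):
      GET  -> verify the token and render the "set new password" form.
      POST -> verify the token and store the new bcrypt_sha256 hash.
    Without ``data``:
      POST -> look up the team by e-mail and hand off to
              ``utils.forgot_password``.
      GET  -> render the "request a reset" form.

    The token is an itsdangerous ``TimedSerializer`` payload holding the
    team name, signed with ``SECRET_KEY`` and accepted for at most 30
    minutes (``max_age=1800``). The "request" half answers with the same
    message whether or not the e-mail is registered, so the response body
    does not reveal which addresses exist.

    NOTE(review): nothing here invalidates a token once it has been used;
    it stays valid until it expires. Making it single-use needs state that
    lives outside this block.
    """
    logger = logging.getLogger('logins')

    if data is not None:
        try:
            s = TimedSerializer(app.config['SECRET_KEY'])
            name = s.loads(utils.base64decode(data, urldecode=True),
                           max_age=1800)
        except BadTimeSignature:
            # Subclass of BadSignature, so it must be caught first.
            return render_template('reset_password.html',
                                   errors=[get_tip('LINK_EXPIRED')])
        except (BadSignature, TypeError, base64.binascii.Error):
            # Tampered signature, undecodable base64 or a non-text payload:
            # none of these is a usable token.
            return render_template('reset_password.html',
                                   errors=[get_tip('INVIDE_RESET_TOKEN')])

        if request.method == "GET":
            return render_template('reset_password.html', mode='set')
        if request.method == "POST":
            password = request.form['password'].strip()
            if not password:
                # Without this an empty submission would be hashed and
                # stored as the account's password. Plain literal here
                # because no matching key exists in the tip table visible
                # from this function; move it there when one is added.
                return render_template('reset_password.html', mode='set',
                                       errors=['Password cannot be empty'])
            team = Teams.query.filter_by(name=name).first_or_404()
            team.password = bcrypt_sha256.encrypt(password)
            db.session.commit()
            # .encode('utf-8') keeps py2 str formatting happy with
            # non-ASCII names; on py3 it logs a bytes repr instead.
            logger.warning(
                get_tip('PASS_HAVE_RESET').format(
                    date=time.strftime("%m/%d/%Y %X"),
                    ip=utils.get_ip(),
                    username=team.name.encode('utf-8')))
            db.session.close()
            return redirect(url_for('auth.login'))

    if request.method == 'POST':
        email = request.form['email'].strip()
        team = Teams.query.filter_by(email=email).first()

        if utils.can_send_mail() is False:
            return render_template('reset_password.html',
                                   errors=[get_tip('EMAIL_NOT_CONFIG')])

        if not team:
            # Same tip as the success path below: no account enumeration
            # through the response body.
            return render_template('reset_password.html',
                                   errors=[get_tip('FORGOT_PASS_NOTICE')])

        utils.forgot_password(email, team.name)

        return render_template('reset_password.html',
                               errors=[get_tip('FORGOT_PASS_NOTICE')])
    return render_template('reset_password.html')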