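def login():
    """Render the login form (GET) or authenticate a ``Teams`` row (POST).

    On POST the team is looked up by the submitted ``name`` and the submitted
    ``password`` is verified against the stored bcrypt-sha256 hash.  Success
    regenerates the session where the backend supports it, stores the team's
    identity and a fresh random nonce in it, logs the login and redirects to a
    safe ``next`` URL or the challenges view.  Failure re-renders the form
    with one error; the same wording is used for an unknown team and for a
    wrong password, so the form does not confirm which names exist.

    Returns:
        A Flask response (rendered template or redirect).
    """
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    name = request.form['name']
    team = Teams.query.filter_by(name=name).first()
    if not (team and bcrypt_sha256.verify(request.form['password'], team.password)):
        # Single generic message for both "no such team" and "wrong password".
        # NOTE(review): the wording only mentions a missing account even when
        # the password was the problem; the template copy may want adjusting.
        db.session.close()
        return render_template('login.html', errors=["That account doesn't seem to exist"])

    try:
        session.regenerate()  # NO SESSION FIXATION FOR YOU
    except Exception:
        pass  # TODO: Some session objects don't implement regenerate :(
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = sha512(os.urandom(10))
    db.session.close()

    logger = logging.getLogger('logins')
    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
    # Only follow ``next`` when it points back into this site.
    if request.args.get('next') and is_safe_url(request.args.get('next')):
        return redirect(request.args.get('next'))
    return redirect(url_for('challenges.challenges_view'))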
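def loginAndroid():
    """Authenticate a ``Students`` row for the Android client and answer in JSON.

    Reads ``name`` and ``password`` from the POSTed form and verifies the
    password against the stored bcrypt-sha256 hash.  On success the session
    is regenerated where supported, populated with the student's identity and
    a fresh random nonce, the login is logged and ``{'status': '200',
    'nonce': ...}`` is returned (or a redirect, when a safe ``next`` URL was
    supplied).  Every failure returns the same ``{'status': '400',
    'message': 'Invalid Login'}`` body whether the account is missing or the
    password is wrong, so a JSON client never gets an HTML page and the
    endpoint does not reveal which usernames exist.

    Returns:
        A Flask JSON response, or a redirect when ``next`` is given and safe.
    """
    name = request.form['name']
    student = Students.query.filter_by(name=name).first()
    # Short-circuit keeps the hash check off the "no such student" path, as before.
    if not student or not bcrypt_sha256.verify(request.form['password'], student.password):
        db.session.close()
        return jsonify({'status': '400', 'message': 'Invalid Login'})

    try:
        session.regenerate()  # NO SESSION FIXATION FOR YOU
    except Exception:
        pass  # TODO: Some session objects don't implement regenerate :(
    session['username'] = student.name
    session['id'] = student.id
    session['admin'] = student.admin
    session['nonce'] = sha512(os.urandom(10))
    session.modified = True
    db.session.close()

    logger = logging.getLogger('logins')
    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
    if request.args.get('next') and is_safe_url(request.args.get('next')):
        return redirect(request.args.get('next'))
    return jsonify({'status': '200', 'nonce': session['nonce']})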
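def login():
    """Render the login form (GET) or authenticate a ``Teams`` row (POST).

    The ``name`` field may hold an e-mail address, a student number (``sno``)
    or a team name; ``utils.check_email_format`` and ``utils.check_sno_format``
    decide which column is queried.  The submitted ``password`` is verified
    against the stored bcrypt-sha256 hash.  Success regenerates the session
    where the backend supports it, stores the team's identity and a fresh
    random nonce, logs the login with the client IP and redirects to a safe
    ``next`` URL or the challenges view.  Failures record in the log whether
    the account or the password was wrong but show the user one generic
    message.

    Returns:
        A Flask response (rendered template or redirect).
    """
    logger = logging.getLogger('logins')
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    name = request.form['name']
    # Choose the lookup column from the shape of what was typed.
    if utils.check_email_format(name) is True:
        team = Teams.query.filter_by(email=name).first()
    elif utils.check_sno_format(name) is True:
        team = Teams.query.filter_by(sno=name).first()
    else:
        team = Teams.query.filter_by(name=name).first()

    if not team:
        # Unknown account: detail goes to the log, not to the user.
        logger.warning("[{date}] {ip} - submitted invalid account information".format(
            date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip()))
        db.session.close()
        return render_template('login.html', errors=["Your username or password is incorrect"])
    if not bcrypt_sha256.verify(request.form['password'], team.password):
        logger.warning("[{date}] {ip} - submitted invalid password for {username}".format(
            date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip(),
            username=team.name.encode('utf-8')))
        db.session.close()
        return render_template('login.html', errors=["Your username or password is incorrect"])

    try:
        session.regenerate()  # NO SESSION FIXATION FOR YOU
    except Exception:
        pass  # TODO: Some session objects don't implement regenerate :(
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    logger.warning("[{date}] {ip} - {username} logged in".format(
        date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip(),
        username=session['username'].encode('utf-8')))
    if request.args.get('next') and utils.is_safe_url(request.args.get('next')):
        return redirect(request.args.get('next'))
    return redirect(url_for('challenges.challenges_view'))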
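def login():
    """Render the login form (GET) or authenticate a ``Teams`` row (POST).

    On POST the team is looked up by the submitted ``name`` and the submitted
    ``password`` is verified against the stored bcrypt-sha256 hash.  Success
    regenerates the session where the backend supports it, stores the team's
    identity (including its ``mentor`` flag) and a fresh random nonce, logs
    the login and redirects to a safe ``next`` URL or the index view with
    ``welcome=1``.  Failures show one generic message for both an unknown
    team and a wrong password.

    The stray ``print team.mentor`` debug statement that wrote the mentor
    attribute to stdout on every successful login has been removed.

    Returns:
        A Flask response (rendered template or redirect).
    """
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    name = request.form['name']
    team = Teams.query.filter_by(name=name).first()
    # Generic wording for both failure cases; the hash check only runs when
    # a team was found.
    if not team or not bcrypt_sha256.verify(request.form['password'], team.password):
        db.session.close()
        return render_template('login.html', errors=["Your username or password is incorrect"])

    try:
        session.regenerate()  # NO SESSION FIXATION FOR YOU
    except Exception:
        pass  # TODO: Some session objects don't implement regenerate :(
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['mentor'] = team.mentor
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    logger = logging.getLogger('logins')
    logger.warning("[{0}] {1} logged in".format(
        time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8')))
    if request.args.get('next') and utils.is_safe_url(request.args.get('next')):
        return redirect(request.args.get('next'))
    return redirect(url_for('views.index', welcome=1))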
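def register():
    """Render the registration form (GET) or create a new ``Users`` row (POST).

    Registration is refused (redirect to the login page) when
    ``can_register()`` is false.  On POST the ``name``, ``email`` and
    ``password`` fields are validated; any problem re-renders the form with
    the collected messages.  Otherwise the user is created with the e-mail
    stored lower-cased, a logged-in session is started for it, and the user
    is sent either to the e-mail confirmation page (when mail can be sent and
    ``verify_emails`` is configured) or to a safe ``next`` URL / the
    challenges view.

    The duplicate-e-mail check compares the lower-cased address, matching how
    it is stored, so ``Foo@x`` and ``foo@x`` cannot both register.  The
    session is regenerated (best effort, like the login view) before the new
    identity is written into it.

    Returns:
        A Flask response (rendered template or redirect).
    """
    if not can_register():
        return redirect(url_for('auth.login'))
    if request.method != 'POST':
        return render_template('register.html')

    errors = []
    name = request.form['name']
    # Compare and store the same normalised form of the address.
    email = request.form['email'].lower()
    password = request.form['password']

    name_taken = Users.query.add_columns('name', 'id').filter_by(name=name).first()
    email_taken = Users.query.add_columns('email', 'id').filter_by(email=email).first()
    # Character classes are case-insensitive, so matching the lower-cased
    # address gives the same verdict as matching the raw input.
    valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email)

    if not valid_email:
        errors.append("That email doesn't look right")
    if name_taken:
        errors.append('That username is already taken')
    if email_taken:
        errors.append('That email has already been used')
    if not password:
        errors.append('Pick a longer password')
    if len(password) > 128:
        errors.append('Pick a shorter password')
    if not name:
        errors.append('Pick a longer team name')
    if errors:
        # NOTE(review): the submitted password is echoed back into the form
        # here; confirm the template really needs it pre-filled.
        return render_template('register.html', errors=errors,
                               name=request.form['name'],
                               email=request.form['email'],
                               password=request.form['password'])

    with app.app_context():
        team = Users(name, email, password)
        db.session.add(team)
        db.session.commit()
        # Fresh session id before the new identity goes in, where the
        # session backend supports it (same best-effort guard as login()).
        try:
            session.regenerate()
        except Exception:
            pass
        session['username'] = team.name
        session['id'] = team.id
        session['admin'] = team.admin
        session['nonce'] = sha512(os.urandom(10))
        logger = logging.getLogger('regs')

        if can_send_mail() and get_config('verify_emails'):
            # Confirmation is enabled and mail can go out: record the
            # unconfirmed registration and send the user to confirm.
            db.session.close()
            logger.warning("[{0}] {1} registered (UNCONFIRMED) with {2}".format(
                time.strftime("%m/%d/%Y %X"),
                request.form['name'].encode('utf-8'),
                request.form['email'].encode('utf-8')))
            return redirect(url_for('auth.confirm_user'))

        if can_send_mail():
            # No confirmation required, but tell the user they registered.
            sendmail(request.form['email'],
                     "You've successfully registered for {}".format(get_config('ctf_name')))
        db.session.close()
        logger.warning("[{0}] {1} registered with {2}".format(
            time.strftime("%m/%d/%Y %X"),
            request.form['name'].encode('utf-8'),
            request.form['email'].encode('utf-8')))
        if request.args.get('next') and is_safe_url(request.args.get('next')):
            return redirect(request.args.get('next'))
        return redirect(url_for('challenges.challenges_view'))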
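def login():
    """Render the login form (GET) or authenticate via the NCL SIO service (POST).

    On POST the submitted e-mail (``name``) and ``password`` are sent with
    HTTP Basic auth to ``<sio_url>/authentications``.  A 200 reply is only
    accepted when the returned user id appears among the members of the team
    named by ``utils.ncl_team_name()`` (fetched from ``<sio_url>/teams``).
    An accepted user is mapped to a local ``Teams`` row keyed by the
    lower-cased e-mail (created on first login), the session is regenerated
    where supported and populated, the login is logged with the client IP,
    and the browser is redirected to a safe ``next`` URL or the challenges
    view.  Every failure re-renders the form with one message; an unknown
    e-mail and a wrong password get the same wording, the log records which.

    Returns:
        A Flask response (rendered template or redirect).
    """
    logger = logging.getLogger('logins')
    if request.method != 'POST':
        db.session.close()
        return render_template('login.html')

    errors = []

    def fail(message):
        # Every failure path ends the same way: one error, DB session released.
        errors.append(message)
        db.session.close()
        return render_template('login.html', errors=errors)

    def log(event, **fields):
        # Shared audit-log prefix: timestamp and client address.
        logger.warning(("[{date}] {ip} - " + event).format(
            date=time.strftime("%m/%d/%Y %X"), ip=utils.get_ip(), **fields))

    name = request.form['name'].strip()
    password = request.form['password']
    if not name or not password:
        return fail("Please enter your email and password")
    if utils.check_email_format(name) is False:
        return fail("Your email is not in a valid format")

    sio_url = utils.ncl_sio_url()
    try:
        # auth= lets requests build the Basic Authorization header itself.
        r = requests.post(sio_url + '/authentications', auth=(name, password), timeout=30)
    except requests.exceptions.RequestException as e:
        log("error connecting to SIO authentication service: {exception}", exception=e)
        return fail("There is a problem with your login request. Please contact the website administrator")

    if r.status_code == 404:
        log("submitted invalid user email")
        return fail("Your email or password is incorrect")
    if r.status_code == 500:
        # NOTE(review): the service is treated as answering 500 for a wrong
        # password (as the original comment stated); a genuine server-side
        # error is indistinguishable from that here.
        log("submitted invalid password for {username}", username=name.encode('utf-8'))
        return fail("Your email or password is incorrect")
    if r.status_code != 200:
        log("unknown response status code: {status}", status=str(r.status_code))
        return fail("Unknown login error. Please contact the website administrator")

    # Authenticated against SIO; only members of this CTF's NCL team may log in.
    user_id = r.json()['id']
    ncl_team_name = utils.ncl_team_name()
    try:
        # params= URL-encodes the team name instead of splicing it into the query string.
        teams_r = requests.get(sio_url + '/teams', params={'name': ncl_team_name}, timeout=30)
    except requests.exceptions.RequestException as teams_re:
        log("error connecting to SIO teams service: {exception}", exception=teams_re)
        return fail("There is a problem with connecting to login service. Please contact the website administrator")
    if teams_r.status_code != 200:
        log("invalid response status code: {status}", status=str(teams_r.status_code))
        return fail("Unknown response from login service. Please contact the website administrator")

    # assumes the teams reply is one object with a 'members' list of
    # {'userId': ...} entries — that is how the lookup reads it; confirm
    # against the SIO API.
    members = teams_r.json()['members']
    if not any(member['userId'] == user_id for member in members):
        log("not in this CTF NCL team for {username}", username=name.encode('utf-8'))
        return fail("You do not have permissions to login to this site")

    # Map the SIO identity to a local Teams row, creating it on first login.
    # The e-mail is stored lower-cased, so it must be looked up lower-cased
    # too; otherwise "User@x" and "user@x" would each try to create a row.
    email = name.lower()
    team = Teams.query.filter_by(email=email).first()
    if not team:
        # No local password is ever checked for SIO users, so store an
        # unguessable random value rather than a fixed placeholder.
        # Assumes Teams(name, email, password) hashes its third argument and
        # that utils.sha512 returns a string (it is used for the nonce below).
        team = Teams(email, email, utils.sha512(os.urandom(32)))
        db.session.add(team)
        db.session.commit()

    try:
        session.regenerate()  # fresh session id on login, where the backend supports it
    except Exception:
        pass  # not every session backend implements regenerate()
    session['username'] = team.name
    session['id'] = team.id
    session['admin'] = team.admin
    session['nonce'] = utils.sha512(os.urandom(10))
    db.session.close()

    log("{username} logged in", username=session['username'].encode('utf-8'))
    if request.args.get('next') and utils.is_safe_url(request.args.get('next')):
        return redirect(request.args.get('next'))
    return redirect(url_for('challenges.challenges_view'))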