def test_generate_token(self):
self.assertEqual(len(generate_token()), 32)
self.assertEqual(len(generate_token(False)), 32)
self.assertEqual(len(generate_token(True)), config.TOKEN_SHORT_LENGTH)
tokens = []
for i in range(1000):
token = generate_token(True)
self.assertNotIn(token, tokens)
tokens.append(token)
def authenticate(request):
v = validate_request(request)
if v==0:
body = request.POST
if 'api_key' not in body: return jsonResponse({'error':True,'data':{'msg':'API key not found.'}},403)
api_key = body['api_key']
if api_key not in API_TOKENS: return jsonResponse({'error':True,'data':{'msg':'Invalid API key.'}},403)
if 'timestamp' not in body: return jsonResponse({'error':True,'data':{'msg':'Timestamp not found.'}},403)
timestamp = body['timestamp']
if int(time.time()) - int(timestamp) > 3600: return jsonResponse({'error':True,'data':{'msg':'Invalid timestamp.'}},403)
if 'username' not in body: return jsonResponse({'error':True,'data':{'msg':'Username not found.'}},403)
username = body['username']
try: user = Author.objects.filter(username=username)[0]
except: return jsonResponse({'error':True,'data':{'msg':'User does not exist.'}},404)
signature = body['signature']
print "%s&%s&%s&%s"%(user.username,user.password,timestamp,API_TOKENS[api_key])
server_signature = hashlib.md5("%s&%s&%s&%s"%(user.username,user.password,timestamp,API_TOKENS[api_key])).hexdigest()
if signature != server_signature:
return jsonResponse({'error':True,'data':{'msg':'Cannot verify the signature.'}},404)
access_token = helpers.generate_token()
user.access_token = access_token
user.save()
return jsonResponse({'error':False,'data':{'msg':'Successfully authenticated','access_token':access_token}},200)
elif v==-1:
return jsonResponse({'error':True,'data':{'msg':'All requests must be POST.'}},403)
else:
return jsonResponse({'error':True,'data':{'msg':'Invalid signature.'}},403)
def revoke(sqlsession, device):
error = False
errors = []
device = sqlsession.query(Device).filter_by(id=device).first()
if device:
if device.is_online:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((config.api_host, config.api_port))
temporary_token = helpers.generate_token()
q = Query()
q.create_register_webui(config.webui_token, temporary_token)
s.send(q.to_command())
q.create_kick(temporary_token, device.pubkey)
s.send(q.to_command())
q.create_unregister(temporary_token)
s.send(q.to_command())
s.close()
except Exception:
error = True
errors.append(('flash', 'Connection to device failed.'))
else:
error = True
errors.append(('device', 'Device does not exist.'))
return error, errors
def login():
email = request.json['email']
password = request.json['password']
cursor = mysql.connection.cursor()
cursor.execute('''select id, email, salt, password from users''')
idx = -1
users = []
for user in cursor.fetchall():
users.append(user)
mysql.connection.commit()
cursor.close()
for i, user in enumerate(users):
if user['email'] == email:
idx = i
break
if idx == -1:
return json.dumps({'message': 'User Does not Exist', 'error': True})
else:
salt = users[idx]['salt']
newHash = generate_hash(password, salt)
if (newHash == users[idx]['password']):
token = generate_token({'id': users[idx]['id']})
return json.dumps({'token': token, 'error': False})
else:
return json.dumps({
'message': 'Invalid Credentials',
'error': True
})
def invited(token):
try:
enemy_token, game_type, game_limit = get_cache(
'invite_{}'.format(token))
except:
return send_error('game not found')
enemy_user = None
user_id = get_cache('user_{}'.format(enemy_token))
if user_id:
try:
enemy_user = User.get(pk=user_id)
except User.DoesNotExist:
# TODO: if user not found game will be created with None as white player
pass
user_token = generate_token(True)
game = Game.new_game(enemy_token,
user_token,
game_type,
game_limit,
white_user=enemy_user,
black_user=request.user)
delete_cache('wait_{}'.format(enemy_token))
result = {'game': user_token}
result.update(game.get_info(consts.BLACK))
return send_data(result)
def login():
try:
email = request.json['email']
password = request.json['password']
cursor = mysql.connection.cursor()
cursor.execute('''select * from users where email = %s''', (email, ))
results = cursor.fetchall()
items = []
for item in results:
items.append(item)
if items:
items = items[0]
mysql.connection.commit()
cursor.close()
if not items:
return json.dumps({
'message':
'Account does not exists. Please Signup before logging in.',
'error': True
})
else:
newPasswordHash = generate_hash(password, items['salt'])
if items['password'] != newPasswordHash:
return json.dumps({
'message':
'Invalid Password. Please Enter Correct Password.',
'error': True
})
else:
return json.dumps({
'token': generate_token({'id': items['id']}),
'error': False
})
except:
return json.dumps({'message': 'Some Error Occured', 'error': True})
def flash(sqlsession, token, device):
error = False
errors = []
token = None
device = None
if type(token) == int:
token = sqlsession.query(models.Token).filter_by(id=token).first()
if type(device) == int:
device = sqlsession.query(models.Device).filter_by(id=device).first()
if device:
if token:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((config.api_host, config.api_port))
temporary_token = helpers.generate_token()
q = Query()
q.create_register_webui(config.webui_token, temporary_token)
s.send(q.to_command())
q.create_flash(temporary_token, token.value, device.pubkey)
s.send(q.to_command())
q.create_unregister(temporary_token)
s.send(q.to_command())
s.close()
except Exception:
error = True
errors.append(('flash', 'Connection to device failed.'))
else:
error = True
errors.append(('token', 'Token does not exist.'))
else:
error = True
errors.append(('device', 'Device does not exist.'))
return error, errors
def invite(data):
game_type = data['type']
game_limit = data['limit']
if game_type != consts.TYPE_NOLIMIT and not game_limit:
return send_error('game limit must be set for no limit game')
token_game = generate_token(True)
token_invite = generate_token(True)
set_cache('invite_{}'.format(token_invite),
(token_game, game_type, game_limit))
if request.user:
set_cache('user_{}'.format(token_game), request.user.pk, 3600)
set_cache('wait_{}'.format(token_game),
(game_type, game_limit, token_invite))
return send_data({
'game': token_game,
'invite': token_invite,
})
def checkCredentials(cursor, email, password):
cursor.execute('''select * from users where email = %s''', (email, ))
result = cursor.fetchone()
password_hash = generate_hash(password, result['salt'])
token = None
if password_hash == result['password']:
token = generate_token({'id': result['id']})
return token
def add(sqlsession, **kwargs):
error = False
errors = []
name = None
description = None
expiry_date = None
owner = None
for attribute in kwargs:
if attribute == 'owner':
if type(kwargs[attribute]) == int:
owner = sqlsession.query(
models.User).filter_by(id=owner).first()
if not owner:
if 'owner_name' in kwargs:
owner_query = sqlsession.query(
models.User).filter_by(name=kwargs['owner_name'])
if owner_query.count() == 1:
owner = owner_query.first()
else:
errors.append(('owner', 'User was not found.'))
else:
errors.append(('owner', 'User was not found.'))
elif attribute == 'expiry_date':
try:
expiry_date = helpers.str_to_date(kwargs[attribute])
except BaseException:
error = True
errors.append((
'expiry_date',
'Expiry date has a bad format. It should be YYYY-mm-dd.'
))
elif attribute == 'name':
name = kwargs[attribute]
elif attribute == 'description':
description = kwargs[attribute]
else:
pass
if not error:
token = models.Token(name=name,
value=helpers.generate_token(),
description=description,
owner=owner,
flashed=False,
expiry_date=expiry_date,
creation_date=helpers.today())
sqlsession.add(token)
sqlsession.commit()
return token.id, None
else:
return False, errors
def post(self):
game_type = self.data['type']
game_limit = self.data['limit']
if game_type != consts.TYPE_NOLIMIT and not game_limit:
raise errors.APIException(
'game limit must be set for no limit game')
token_game = generate_token(True)
token_invite = generate_token(True)
set_cache('invite_{}'.format(token_invite),
(token_game, game_type, game_limit))
if request.user:
set_cache('user_{}'.format(token_game), request.user.pk, 3600)
set_cache('wait_{}'.format(token_game),
(game_type, game_limit, token_invite))
return {
'game': token_game,
'invite': token_invite,
}
def authenticate(cls, username, password):
try:
user = cls.get(username=username,
password=encrypt_password(password))
except cls.DoesNotExist:
return False
token = generate_token()
set_cache(token, user.pk, config.SESSION_TIME)
return token
def add(sqlsession, **kwargs):
error = False
errors = []
name = None
description = None
expiry_date = None
owner = None
for attribute in kwargs:
if attribute == 'owner':
if type(kwargs[attribute]) == int:
owner = sqlsession.query(models.User).filter_by(id=owner).first()
if not owner:
if 'owner_name' in kwargs:
owner_query = sqlsession.query(models.User).filter_by(name=kwargs['owner_name'])
if owner_query.count() == 1:
owner = owner_query.first()
else:
errors.append(('owner', 'User was not found.'))
else:
errors.append(('owner', 'User was not found.'))
elif attribute == 'expiry_date':
try:
expiry_date = helpers.str_to_date(kwargs[attribute])
except BaseException:
error = True
errors.append(('expiry_date', 'Expiry date has a bad format. It should be YYYY-mm-dd.'))
elif attribute == 'name':
name = kwargs[attribute]
elif attribute == 'description':
description = kwargs[attribute]
else:
pass
if not error:
token = models.Token(
name=name,
value=helpers.generate_token(),
description=description,
owner=owner,
flashed=False,
expiry_date=expiry_date,
creation_date=helpers.today()
)
sqlsession.add(token)
sqlsession.commit()
return token.id, None
else:
return False, errors
def _post(data):
game_type = data['type']
game_limit = data['limit']
token = generate_token(True)
pool = GamePool.create(
player1=token,
user1=request.user,
type_game=game_type,
time_limit=game_limit,
)
set_cache('wait_{}'.format(token), (game_type, game_limit))
return send_data({'game': token})
def get_reset(self):
if not self.email:
raise AttributeError('your email is not defined')
if self.date_last_reset:
seconds = (datetime.now() - self.date_last_reset).total_seconds()
if seconds < config.RESET_PERIOD:
raise errors.ResetRequestError(config.RESET_PERIOD -
int(seconds))
token = generate_token()
set_cache(token, self.pk, config.RESET_TIME)
self.date_last_reset = datetime.now()
self.save()
return token
def get_verification(self):
if self.verified:
raise errors.VerifiedError
if not self.email:
raise AttributeError('your email is not defined')
if self.date_verification_token:
seconds = (datetime.now() -
self.date_verification_token).total_seconds()
if seconds < config.VERIFICATION_PERIOD:
raise errors.VerificationRequestError(
config.VERIFICATION_PERIOD - int(seconds))
token = generate_token()
set_cache(token, self.pk, config.VERIFICATION_TIME)
self.date_verification_token = datetime.now()
self.save()
return token
def open(sqlsession, id):
id = int(id)
user = sqlsession.query(
models.User).filter_by(username=session['username']).first()
device = None
if id == 0:
if user.default_device:
device = user.default_device
else:
id = int(config('default_door_device'))
if id > 0 and not device:
device = sqlsession.query(models.Device).filter_by(id=id).first()
if device:
access_granted = False
if user.level > 9000:
access_granted = True
else:
for token in user.tokens:
if token in device.tokens:
access_granted = True
if not access_granted:
flash('No access on device with id %s' % id, 'danger')
else:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((config.api_host, config.api_port))
temporary_token = helpers.generate_token()
q = Query()
q.create_register_webui(config.webui_token, temporary_token)
s.send(q.to_command())
q.create_open(temporary_token, device.pubkey)
s.send(q.to_command())
q.create_unregister(temporary_token)
s.send(q.to_command())
s.close()
flash('%s has been opened.' % device.name, 'success')
except Exception as e:
flash('Failed to access device %s' % device.name, 'danger')
else:
flash('Could not find device with id %s' % id, 'danger')
return redirect(request.referrer)
def open(sqlsession, id):
id = int(id)
user = sqlsession.query(models.User).filter_by(username=session['username']).first()
device = None
if id == 0:
if user.default_device:
device = user.default_device
else:
id = int(config('default_door_device'))
if id > 0 and not device:
device = sqlsession.query(models.Device).filter_by(id=id).first()
if device:
access_granted = False
if user.level > 9000:
access_granted = True
else:
for token in user.tokens:
if token in device.tokens:
access_granted = True
if not access_granted:
flash('No access on device with id %s' % id, 'danger')
else:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((config.api_host, config.api_port))
temporary_token = helpers.generate_token()
q = Query()
q.create_register_webui(config.webui_token, temporary_token)
s.send(q.to_command())
q.create_open(temporary_token, device.pubkey)
s.send(q.to_command())
q.create_unregister(temporary_token)
s.send(q.to_command())
s.close()
flash('%s has been opened.' % device.name, 'success')
except Exception as e:
flash('Failed to access device %s' % device.name, 'danger')
else:
flash('Could not find device with id %s' % id, 'danger')
return redirect(request.referrer)
def post(self, game_id):
try:
pool = GamePool.get(GamePool.pk == game_id)
except GamePool.DoesNotExist:
raise errors.APINotFound('game')
except Exception as e:
raise errors.APIException('wrong format')
if pool.user1 and pool.user1 == request.user:
raise errors.APIException('you cannot start game with yourself')
pool.player2 = generate_token(True)
pool.user2 = request.user
pool.is_started = True
pool.save()
game = Game.new_game(pool.player1,
pool.player2,
pool.type_game,
pool.time_limit,
white_user=pool.user1,
black_user=pool.user2)
delete_cache('wait_{}'.format(pool.player1))
result = {'game': pool.player2}
result.update(game.get_info(consts.BLACK))
return result
def flash(sqlsession, token, device):
error = False
errors = []
token = None
device = None
if type(token) == int:
token = sqlsession.query(models.Token).filter_by(id=token).first()
if type(device) == int:
device = sqlsession.query(
models.Device).filter_by(id=device).first()
if device:
if token:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((config.api_host, config.api_port))
temporary_token = helpers.generate_token()
q = Query()
q.create_register_webui(config.webui_token,
temporary_token)
s.send(q.to_command())
q.create_flash(temporary_token, token.value, device.pubkey)
s.send(q.to_command())
q.create_unregister(temporary_token)
s.send(q.to_command())
s.close()
except Exception:
error = True
errors.append(('flash', 'Connection to device failed.'))
else:
error = True
errors.append(('token', 'Token does not exist.'))
else:
error = True
errors.append(('device', 'Device does not exist.'))
return error, errors
def accept(game_id):
try:
pool = GamePool.get(GamePool.pk == game_id)
except GamePool.DoesNotExist:
return send_error('Game not found')
except Exception as e:
return send_error('Wrong format')
if pool.user1 and pool.user1 == request.user:
return send_error('You cannot start game with yourself')
with config.DB.atomic():
pool.player2 = generate_token(True)
pool.user2 = request.user
pool.is_started = True
pool.save()
game = Game.new_game(pool.player1,
pool.player2,
pool.type_game,
pool.time_limit,
white_user=pool.user1,
black_user=pool.user2)
delete_cache('wait_{}'.format(pool.player1))
result = {'game': pool.player2}
result.update(game.get_info(consts.BLACK))
return send_data(result)
def register():
"""
Create a new user account using the supplied user info and send a confirmation email to the user.
Integrated recaptcha prevents excessive calls to register user accounts
:return: JWT with the user credentials enclosed
"""
req = loads(request.data)
firstName = req.get('first_name')
lastName = req.get('last_name')
email = req.get('email')
username = req.get('username')
password = req.get('password')
recaptchaResponse = req.get('g-recaptcha-response')
# the data to be returned to the client
data = {
"jwt_token": None
}
# todo uncomment when no longer testing
# let's verify the user passed the recaptcha
# r = requests.post('https://www.google.com/recaptcha/api/siteverify',
# data=dict(secret=os.environ.get('RECAPTCHA_SECRET'), response=recaptchaResponse))
# resp = r.json()
#
# if not resp['success']: # they must be a robot or something
# return create_response({}, status=403)
if email is None or username is None:
return create_response({}, status=400)
# check if the user already exists
user = User.query.filter_by(username_lower=lower(username)).first()
if user is not None: # todo maybe I should return error messages?
return create_response({}, status=409)
try:
user = User(
first_name=firstName,
last_name=lastName,
email=email,
username=username,
password=password
)
db.session.add(user)
db.session.commit()
payload = {
"username": user.username,
"confirmed": user.confirmed
}
jwt_token = create_jwt(payload)
data['jwt_token'] = jwt_token
# creates a confirmation email for the user based on their email and secret
token = generate_token(user.email, user.confirm_secret)
if send_confirmation_email(to=user.email, token=token):
# the email was sent, let the user know
return create_response(data)
return create_response({}, status=500)
except Exception as e:
db.session.rollback()
return create_response({}, status=500)