def virtual_machines_view(): # Check if authed if not utils.authed() or not 'id' in session: return redirect(url_for('auth.login', next='vm')) # Look for all vms that the team has access too (has solved the chal) vmso = VMs.query.join(Solves, Solves.teamid == int( session['id'])).filter(Solves.chalid == VMs.chalid).all() vms = [] # Set up the json data for v in vmso: signer = Signer(utils.get_config('VM_KEY'), salt=v.name, digest_method=sha256) vms.append({ 'name': v.name, 'desc': v.desc, 'key': signer.sign(json.dumps({ 'team': session['id'], 'vm': v.name })).encode('base64').replace('\n', '') }) # Run the template return render_template(PLUGIN_NAME + '/vms.html', vms=vms)
def createreportdict(lat, lng, accuracy, form): dct = {} dct["latitude"] = lat dct["longitude"] = lng dct["latitude_rand"] = lat + 0.01 * random.random() dct["longitude_rand"] = lng + 0.01 * random.random() dct["accuracy"] = accuracy dct["test"] = form.test.data dct["datetest"] = None if form.datetest.data is None else form.datetest.data.strftime("%d.%m.%Y") dct["notherstest"] = form.notherstest.data dct["symptoms"] = ', '.join(form.symptoms.data) dct["dayssymptoms"] = form.dayssymptoms.data dct["notherssymptoms"] = form.notherssymptoms.data dct["age"] = form.age.data dct["sex"] = form.sex.data dct["email_addr"] = form.email_addr.data s = Signer(form.password.data) dct["signature"] = str(s.sign(form.email_addr.data)) dct["timestamp"] = firestore.SERVER_TIMESTAMP dct["email_confirmed"] = False dct["overwritten"] = False dct["source"] = "report" dct["token"] = str(generate_confirmation_token(dct["signature"])) return dct
def signup(): data = request.get_json() app_root = os.getcwd() s = Signer('superpowerfullkey') token = s.sign(data['email'].encode()).decode() token = token[::-1].split('.')[0][::-1] if 'type' not in data: data['type'] = False image_path = None else: import base64 byte_image = base64.b64decode(data['image']) if not os.path.isdir(os.path.join(app_root, "images/")): os.mkdir(os.path.join(app_root, "images/")) image_path = os.path.join( os.path.join(app_root, "images/"), data['first_name'] + ' ' + data['last_name'] + '.jpg') with open(image_path, 'wb') as f: f.write(byte_image) newuser = User(data['first_name'], data['last_name'], data['email'], data['password'], token, data['type'], filepath_=image_path if image_path is not None else None) db.session.add(newuser) db.session.commit() return jsonify(status='success', token=token)
def sign(): s = Signer( bytes(input("Enter a secret(!!) key: "), encoding="UTF-8")) print(s.sign( bytes(input("Enter data\n"), encoding="UTF-8")).decode('UTF-8'))
def gen_signed_code(self, identifier=None): """Generates a signed code in the format discount_code_base.randint.signature""" if not identifier: identifier = buid() signer = Signer(self.secret) key = "{base}.{identifier}".format(base=self.discount_code_base, identifier=identifier) return signer.sign(key)
def test_auth_mfa_success(flask_client): user = User.create( email="[email protected]", password="******", name="Test User", activated=True, enable_otp=True, otp_secret="base32secret3232", ) db.session.commit() totp = pyotp.TOTP(user.otp_secret) s = Signer(FLASK_SECRET) mfa_key = s.sign(str(user.id)) r = flask_client.post( url_for("api.auth_mfa"), json={ "mfa_token": totp.now(), "mfa_key": mfa_key, "device": "Test Device" }, ) assert r.status_code == 200 assert r.json["api_key"] assert r.json["name"] == "Test User"
def verify_mailbox_change(user, mailbox, new_email): s = Signer(MAILBOX_SECRET) mailbox_id_signed = s.sign(str(mailbox.id)).decode() verification_url = ( URL + "/dashboard/mailbox/confirm_change" + f"?mailbox_id={mailbox_id_signed}" ) send_email( new_email, f"Confirm mailbox change on SimpleLogin", render( "transactional/verify-mailbox-change.txt", user=user, link=verification_url, mailbox_email=mailbox.email, mailbox_new_email=new_email, ), render( "transactional/verify-mailbox-change.html", user=user, link=verification_url, mailbox_email=mailbox.email, mailbox_new_email=new_email, ), )
def captcha(publicID): publicID = publicID.lower() session_info = session_db.find_one({"publicID": publicID}, {"_id": 0}) hancock = Signer(str(secret_key), salt=str(session_info["privateID"])) if (publicID + "-guest") in request.cookies and hancock.validate( request.cookies.get(publicID + "-guest")): return redirect("https://www.crowdsourcejukebox.com/vote/" + publicID + "/") if request.method == "POST": captcha_response = request.form["g-recaptcha-response"] if is_human(captcha_response): resp = make_response( redirect("https://www.crowdsourcejukebox.com/vote/" + publicID + "/")) guestID = bytes(str(uuid.uuid4()), "utf-8") session_db.update_one({"publicID": publicID}, {"$inc": { "guests": 1 }}) resp.set_cookie( publicID + "-guest", value=hancock.sign(guestID), expires=datetime.datetime.now() + datetime.timedelta(hours=1), ) return resp else: return redirect("http://www.crowdsourcejukebox.com/") else: return render_template("captcha.html", sitekey=os.environ["RC_SITE_KEY"])
def cookie_serialize(secure_key, session_id, expire): """Serialize the cookie. Set the expire_time timestamp into the cookie""" signer = Signer(secure_key) session_data = session_id.encode('utf-8') + '&' + str(expire) session_data = signer.sign(session_data).decode('utf-8') return session_data
def gen_signed_code(self, identifier=None): """Generates a signed code in the format discount_code_base.randint.signature""" if not identifier: identifier = buid() signer = Signer(self.secret) key = "{base}.{identifier}".format(base=self.discount_code_base, identifier=identifier) return signer.sign(key)
def auth_payload(user, device) -> dict: ret = { "name": user.name or "", "email": user.email, "mfa_enabled": user.enable_otp } # do not give api_key, user can only obtain api_key after OTP verification if user.enable_otp: s = Signer(FLASK_SECRET) ret["mfa_key"] = s.sign(str(user.id)) ret["api_key"] = None else: api_key = ApiKey.get_by(user_id=user.id, name=device) if not api_key: LOG.d("create new api key for %s and %s", user, device) api_key = ApiKey.create(user.id, device) db.session.commit() ret["mfa_key"] = None ret["api_key"] = api_key.code # so user is automatically logged in on the web login_user(user) return ret
def sign(): # if request.method == 'GET': # # return render_template('user_signup.html') # elif request.method == 'POST': # name = request.form.get('name') # email=request.form.get('email') # password=request.form.get('password') # phone = request.form.get('phone') # address = request.form.get('address') # newUser = p.PeopleProfile(name,email,password, phone, address) # db.session.add(newUser) # db.session.commit() # flash('Record were added successfully') # return render_template('user_signup.html' ) if request.method == 'POST': email = request.form.get("email") print email userS = p.PeopleProfile.query.filter_by(email=email).first() if userS: if userS.email == email: session['email'] = userS.email flash('email already registered') return render_template('user_signup.html') else: name = request.form.get('name') email = request.form.get('email') password = request.form.get('password') # hashpw = hash_password(password) phone = request.form.get('phone') address = request.form.get('address') bloodCategoryId = request.form.get('bloodCategory') # newUser = p.PeopleProfile(email = email) newUser = p.PeopleProfile(name, email, password, phone, address, bloodCategoryId) newUser.hash_password(password) db.session.add(newUser) db.session.commit() signer = Signer(app.secret_key) token = signer.sign(email) url = url_for('confirmation', token=token, _external=True) msg = Message( "E-mail confirmation for Sahayog - A Blood Donation Portal", sender="*****@*****.**", recipients=[email]) msg.body = url # flash(msg.body) mail.send(msg) flash('Record were added successfully') return render_template('user_signup.html') elif request.method == 'GET': bloodCategoryL = b.BloodCategory.query.all() return render_template('user_signup.html', bloodCategoryList=bloodCategoryL)
def token(self) -> str: signer = Signer(current_app.config['JWT_TOKEN_SECRET']) jwt = JSONWebToken(secret_key=current_app.config['JWT_TOKEN_SECRET'], expires_in=15 * 60) string = ''.join((self.factor, self.code)) signature = signer.sign( string.encode('utf-8')).decode('utf-8').split('.')[1] return jwt.dumps({'signature': signature}).decode('utf-8')
def test_timestamp_missing(self, signer): other = Signer("secret-key") signed = other.sign("value") with pytest.raises(BadTimeSignature) as exc_info: signer.unsign(signed) assert "missing" in str(exc_info.value)
def test_malformed_timestamp(self, signer): other = Signer("secret-key") signed = other.sign(b"value.____________") with pytest.raises(BadTimeSignature) as exc_info: signer.unsign(signed) assert "Malformed" in str(exc_info.value)
def verify_email(addr): s = Signer(app.config['SECRET_KEY']) token = s.sign(addr) text = """Please click the following link to confirm your email address for {}: {}""".format( get_config('ctf_name'), url_for('auth.confirm_user', _external=True) + '/' + urllib.quote_plus(token.encode('base64')) ) sendmail(addr, text)
def test_malformed_timestamp(self, signer): other = Signer("secret-key") signed = other.sign(b"value.____________") with pytest.raises(BadTimeSignature) as exc_info: signer.unsign(signed) assert "Malformed" in str(exc_info.value)
def test_timestamp_missing(self, signer): other = Signer("secret-key") signed = other.sign("value") with pytest.raises(BadTimeSignature) as exc_info: signer.unsign(signed) assert "missing" in str(exc_info.value)
def verify_email(addr): s = Signer(app.config['SECRET_KEY']) token = s.sign(addr) text = """Please click the following link to confirm your email address for {}: {}""".format( get_config('ctf_name'), url_for('auth.confirm_user', _external=True) + '/' + token.encode('base64') ) sendmail(addr, text)
def test_frame_positive(self): signer = Signer(globals.SECRET_KEY) file = signer.sign(FILE_URL_POSITIVE) result = self.app.get(FRAME_PATH, query_string=dict(file_url=file), follow_redirects=True) self.assertEqual(result.status_code, 200) assert 'Frame Integration' in result.data
def createreportdict(form): dct = {} dct["plz"] = form.plz.data crd = json.loads(form.geolocation.data) dct["latitude"] = crd["latitude"] dct["longitude"] = crd["longitude"] dct["accuracy"] = crd["accuracy"] if dct["latitude"] == 0: dct["longitude"], dct["latitude"] = plz2longlat(dct["plz"]) dct["latitude_rand"] = dct["latitude"] + 0.01 * random.random() dct["longitude_rand"] = dct["longitude"] + 0.01 * random.random() dct["username"] = form.username.data s = Signer(form.password.data) dct["signature"] = str(s.sign(form.username.data)) dct["age"] = form.age.data dct["sex"] = form.sex.data dct["plz"] = form.plz.data dct["headache"] = form.headache.data dct["cough"] = form.cough.data dct["shortnessbreath"] = form.shortnessbreath.data dct["musclepain"] = form.musclepain.data dct["sorethroat"] = form.sorethroat.data dct["nausea"] = form.nausea.data dct["diarrhea"] = form.diarrhea.data dct["rhinorrhea"] = form.rhinorrhea.data dct["travelhistory"] = form.travelhistory.data dct["contacthistory"] = form.contacthistory.data dct["notherstest"] = form.notherstest.data dct["dayssymptoms"] = form.dayssymptoms.data dct["arzt"] = form.arzt.data dct["test"] = form.test.data dct["datetest"] = None if form.datetest.data is None else form.datetest.data.strftime("%d.%m.%Y") dct["quarantine"] = form.quarantine.data dct["datequarantine"] = None if form.datetest.data is None else form.datequarantine.data.strftime("%d.%m.%Y") #dct["notherssymptoms"] = form.notherssymptoms.data try: dct["kreis"] = plz2kreis[dct["plz"]] except: dct["kreis"] = "" print(f"error converting PLZ {dct['plz']} to Kreisebene") dct["timestamp"] = firestore.SERVER_TIMESTAMP dct["email_confirmed"] = False dct["overwritten"] = False dct["source"] = "report" dct["token"] = str(generate_confirmation_token(dct["signature"])) return dct
def create_url(text): """ Method that create signed link that should be send it to Slack. :param text: Url of the file that should be opened. :return: Signed link for opening file within embedded Frame terminal. """ signer = Signer(globals.SECRET_KEY) url = BASE_PATH + FRAME_PATH + '?file_url=' + signer.sign(text) return url
def generate_csrf_token(user): """产生token""" secret_key = current_app.config.get("WTF_CSRF_SECRET_KEY", current_app.secret_key) nonce = os.urandom(24) user_id = user.id signer = Signer(secret_key) csrf_token = signer.sign(str(user_id)) print csrf_token return csrf_token
def get(user, instance): if 'name' in request.json: if type(request.json['name']) != str and type( request.json['name']) != unicode: abort(400) name = request.json['name'].replace('.', '_') s = Signer(instance.key) signed = s.sign('GET.json.' + name) return jsonify(action=signed) abort(400)
def share(user, instance): if 'name' in request.json: if type(request.json['name']) != str and type( request.json['name']) != unicode: abort(400) s = Signer(instance.key) signed = s.sign(request.json['name'] + '.' + user.name.replace('.', '_')) return jsonify(sig=signed) abort(400)
def sign_view(): if "token" in session: bc = user_handle.uid_for_token(session["token"]) if (bc != -1): s = Signer(apis[request.args.get('api')], salt=request.args.get('rand')) return s.sign(str(bc)) abort(403) return ""
def test_submit_reset_form_invalid_user(self): s = Signer(app.config['SECRET_KEY']) token = s.sign('*****@*****.**') response = self.client.post("/reset_password", data=dict( token=token, password='******', password_confirmation='blahblah')) self.assertTemplateUsed("reset_invalid_token.html")
def send_user_confirmation_mail(app, user): signer = Signer(app.config['SECRET_KEY'], salt='confirmation') confirmation_token = signer.sign(user.username) response = send_mail(app, user, subject='Confirm your account.', html= "Hi %s \n <br>" % user.username+ "A user has been created for your mailbox.<br> " "Please confirm your account.<br>" "<a href='http://%s%s'>Confirm account</a>" % (app.config['SERVER_NAME'], url_for('confirm', confirmation_token=confirmation_token))) return response.status_code == 200
def main(): k = 'bt6n4k2m' signer = Signer(k) s = '11878121-b36d-4c38-9f87-682e8986d1f9' ss = signer.sign(s) print('signed str: {}'.format(ss)) us = signer.unsign(ss) print('unsigned str: {}'.format(us)) # 做点改动 try: print(signer.unsign('{}a'.format(ss))) except BadSignature as e: print e print('------') cid = 110000000000000262 uid = 105697106 for i in xrange(10): print(signer.sign("{}_{}".format(cid, uid + i)))
def forgot(): form = ForgotPasswordForm(request.form) if request.method == "POST" and form.validate(): s = Signer(app.config['SECRET_KEY']) token = s.sign(request.form['email']) send_password_reset(form.get_user(), token) return redirect('/forgot_confirmation') return render_template("forgot.html", form=form)
def forgot(): form = ForgotPasswordForm(request.form) if request.method == "POST" and form.validate(): s = Signer(app.config['SECRET_KEY']) token = s.sign(request.form['email']) send_password_reset(form.get_user(), token) return redirect('/forgot_confirmation') return render_template("forgot.html", form=form)
def serialize(user, instance): if 'name' in request.json and 'object' in request.json: if type(request.json['name']) != str and type( request.json['name']) != unicode: abort(400) name = str(request.json['name'].replace('.', '_')) data = pickle.dumps(byteify(request.json['object'])) s = Signer(instance.key) signed = s.sign('STORE.' + name + '.' + data) return jsonify(action=signed) abort(400)
def tokenizar(dni): # #print(type(dni)) # Punto de revision Input if isinstance(dni, float): dni = str(int(dni)) elif isinstance(dni, str): dni = str(dni) elif isinstance(dni, int): dni = str(dni) s = Signer('crosland_360') #sing solo acepta cadena str token_dni = str(s.sign(dni)).split('.')[1] return token_dni
def gen_signed_code(self, identifier=None): """ Generate a signed code. Format: ``discount_code_base.randint.signature`` """ if not identifier: identifier = buid() signer = Signer(self.secret) key = "{base}.{identifier}".format(base=self.discount_code_base, identifier=identifier) return signer.sign(key).decode('utf-8')
def auth_login(): """ Authenticate user Input: email password device: to create an ApiKey associated with this device Output: 200 and user info containing: { name: "John Wick", mfa_enabled: true, mfa_key: "a long string", api_key: "a long string" } """ data = request.get_json() if not data: return jsonify(error="request body cannot be empty"), 400 email = data.get("email") password = data.get("password") device = data.get("device") user = User.filter_by(email=email).first() if not user or not user.check_password(password): return jsonify(error="Email or password incorrect"), 400 elif not user.activated: return jsonify(error="Account not activated"), 400 ret = { "name": user.name, "mfa_enabled": user.enable_otp, } # do not give api_key, user can only obtain api_key after OTP verification if user.enable_otp: s = Signer(FLASK_SECRET) ret["mfa_key"] = s.sign(str(user.id)) ret["api_key"] = None else: api_key = ApiKey.get_by(user_id=user.id, name=device) if not api_key: LOG.d("create new api key for %s and %s", user, device) api_key = ApiKey.create(user.id, device) db.session.commit() ret["mfa_key"] = None ret["api_key"] = api_key.code return jsonify(**ret), 200
def login_user(current_user): """ Creates and assigns a session_id we can look for if the user is logged in :param current_user: :type current_user: User Object :return result: if session_id exists in the current user session cookie :type result: boolean """ s = Signer('secret_key') login_session['_session_id'] = s.sign(str(current_user.id)) return login_session.get('_session_id') is not None
def get_new_uid(user): s = Signer(SECRET_SIGN_KEY) with get_db() as cur: cur.execute("insert into mfc.schedules (username, festival) values (%s, %s) returning id", [user['email'] if user else None, festival]) uid = cur.fetchall()[0]['id'] # cookie is uid hashed with our private key cookie = cherrypy.response.cookie cookie_name = 'mfc_sch'+str(uid) cookie[cookie_name] = s.sign(str(uid)) cookie[cookie_name]['path'] = '/' cookie[cookie_name]['max-age'] = 3600 cookie[cookie_name]['version'] = 1 return uid
def test_submit_reset_form(self): s = Signer(app.config['SECRET_KEY']) token = s.sign('*****@*****.**') user = User(email='*****@*****.**') db.session.add(user) db.session.commit() response = self.client.post("/reset_password", data=dict( token=token, password='******', password_confirmation='blahblah')) self.assertRedirects(response, "/")
def verify_code(token: str, factor: str, code: str) -> bool: signer = Signer(current_app.config['JWT_TOKEN_SECRET']) jwt = JSONWebToken(secret_key=current_app.config['JWT_TOKEN_SECRET'], expires_in=15 * 60) try: data = jwt.loads(token) except (BadSignature, SignatureExpired) as e: return False string = ''.join((factor, code)) signature = signer.sign( string.encode('utf-8')).decode('utf-8').split('.')[1] if signature == data.get('signature', ''): return True return False
def render(self, template, **kwargs): attach_obj = self.model.client.model('ir.attachment') model = kwargs.get('model') if model: search_params = [ ('res_id', '=', model.id), ('res_model', '=', self.model._name) ] attach_ids = attach_obj.search(search_params) fields_to_read = ['datas_fname', 'name'] if attach_ids: attachments = attach_obj.read(attach_ids, fields_to_read) else: attachments = [] s = Signer(current_app.config.get('SECRET_KEY'), sep='$') for att in attachments: att['id'] = s.sign(str(att['id'])) kwargs['attachments'] = attachments return super(OpenERPModelView, self).render(template, **kwargs)
def _defer(f, *a, **kw): signer = Signer(current_app.secret_key) env = [ ] data = json.dumps({ "args": a, "kwargs": kw, "env": env, "call": "%s.%s" % (f.__module__,f.__name__), }) task = { "url": request.url_root+'_ah/task', "method": "POST", "body": { "_": signer.sign(data) }, } mc.set('task:url', json.dumps(task))
def create_new_app(self, app_name, app_type=None): if not app_name: return False user = self.become(session_token=self.session_token) app = Application() query = Query(Application) query.equal_to('user', user) query.equal_to('app_name', app_name) if not query.count(): app.set('app_name', app_name) app.set('type', app_type) app.set('user', user) app.save() app_id = app.id signer = Signer('this is senz dashboard') app_key = (signer.sign(app_id).split(app_id + '.'))[1] app.set('app_id', app_id) app.set('app_key', app_key) app.save() return app_name, app_key, app_id return None
class Pastie: SECRET_KEY = '\x85\xe1Pc\x11n\xe0\xc76\xa1\xd9\x93$\x1ei\x06' HTTBL_KEY = 'THIS IS NOT A VALID HTTPBL KEY' def __init__(self, data_dir='pastes/', host='http://localhost/'): self.httpbl = HttpBL(self.HTTBL_KEY) self.signer = Signer(self.SECRET_KEY) self.jinja_env = Environment(loader=FileSystemLoader( join(dirname(__file__), 'layouts')) ) self.host = host self.data_dir = data_dir if not isdir(data_dir): makedirs(data_dir) def render_template(self, template_name, **kwargs): return self.jinja_env.get_template(template_name).render(**kwargs) def sign(self, value): return self.signer.sign(value) def unsign(self, value): return self.signer.unsign(value) def dispatch(self, request, start_response): adapter = urlmap.bind_to_environ(request.environ) request.adapter = adapter try: endpoint, values = adapter.match() return endpoint(self, request, **values) except NotFound, e: return Response('Not Found', 404) except HTTPException, e: return e
def init_flask(flask_app, config): """ Initialize Flask configuration and hooks. """ config_dict = dict(config.items('flask')) # Try to convert numeric arguments to integers. for k, v in config_dict.items(): try: config_dict[k] = int(v) except: pass flask_app.config.update(**config_dict) # Disable caching for static assets in debug mode, otherwise # many Angular templates will be stale when refreshing pages. if flask_app.debug: flask_app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0 db_engine = app.database.get_engine(dict(config.items('database'))) redis = app.database.get_redis(dict(config.items('redis'))) solr = app.database.get_solr(dict(config.items('solr'))) signer = Signer(config.get('flask', 'SECRET_KEY')) sign_fn = lambda s: signer.sign(str(s).encode('utf8')).decode('utf-8') unsign_fn = signer.unsign @flask_app.after_request def after_request(response): ''' Clean up request context. ''' g.db.close() return response if flask_app.latency is not None: @flask_app.before_request def api_latency(): if request.path[:5] == '/api/': time.sleep(flask_app.latency) @flask_app.before_request def before_request(): ''' Initialize request context. ''' g.config = config g.debug = flask_app.debug g.db = app.database.get_session(db_engine) g.redis = redis g.solr = solr g.sign = sign_fn g.unsign = unsign_fn @flask_app.url_defaults def static_asset_cache_busting(endpoint, values): if endpoint == 'static' and 'filename' in values: filename = values['filename'] if filename.startswith('img') or \ filename.startswith('fonts'): values['version'] = flask_app.config['VERSION'] if flask_app.debug: flask_app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 0
def generate_machine_token(self): s = Signer(self.secret) machine_token = s.sign('haxxorbb') return machine_token
def sign(value, secret_key, *, salt=''): signer = Signer(secret_key, salt=salt) return signer.sign(value)
def get_token(self): signer = Signer(flask.current_app.config["SECRET_KEY"]) return signer.sign("{0}".format(self.id).encode("ascii")) \ .decode("ascii")
def set_sign_safe(sign_file): s = Signer(Config.login_sign) return s.sign(sign_file)
class cook(): def __init__(self): self.s = {} self.s['ip'] = '127.0.0.1' self.s['first_reg'] = 1442955065 self.s['kolvo_visits'] = 1 self.s['user_id'] = 'yap1442955065' self.s['last_visit'] = '16702' self.minus_days = 0 self.sig = Signer('andrii') def create(self): stat = json.dumps(self.s) c = self.sig.sign(str(stat)) last_elem = len(c.split('.')) signature = c.split('.')[last_elem-1] cookie = 'stat="'+stat+'";stat_signature='+signature return cookie def create_wrong(self): stat = json.dumps(self.s) c = self.sig.sign(str(stat)) last_elem = len(c.split('.')) signature = c.split('.')[last_elem-1] signature = signature[0:len(signature)-5] cookie = 'stat="'+stat+'";stat_signature='+signature return cookie def create_with_login(self,roles=None): stat = json.dumps(self.s) c = self.sig.sign(str(stat)) last_elem = len(c.split('.')) signature = c.split('.')[last_elem-1] if roles==None: roles = ['admin'] log_token = self.gen_token('andrii',roles,86400) cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token+'"' return cookie def gen_token(self,user_id,user_roles,token_live_time): self.session = {} self.session['user_id'] = user_id self.session['ts'] = int(time.time())-self.minus_days self.session['roles'] = user_roles self.session['live_time'] = token_live_time self.session['ip'] = self.s['ip'] #create JSON from dict and compress j = json.dumps(self.session) j64 = base64.b64encode(j) #create signature j64_sign = self.sig.sign(j64) return j64_sign def create_with_wrong_token_login(self): stat = json.dumps(self.s) c = self.sig.sign(str(stat)) last_elem = len(c.split('.')) signature = c.split('.')[last_elem-1] log_token = self.gen_token('andrii',['admin'],86400) cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token[0:len(log_token)-3]+'"' return cookie def create_with_wrong_ip_login(self): stat = json.dumps(self.s) c = self.sig.sign(str(stat)) last_elem = len(c.split('.')) signature = c.split('.')[last_elem-1] log_token = self.gen_token('andrii',['admin'],86400) cookie = 'stat="'+stat+'";stat_signature='+signature+';log_token="'+log_token+'"' return cookie
def _generate_session_id(self): signer = Signer(self.secure_key) tmp = sha1("%s%s" % (time.time(), uuid.uuid4())).hexdigest() return signer.sign(tmp)
#!/usr/bin/env python3 # imports go here from itsdangerous import Signer, BadSignature, TimestampSigner, SignatureExpired, JSONWebSignatureSerializer import time # # Free Coding session for 2015-03-09 # Written by Matt Warren # if __name__ == '__main__': s = Signer('secret-password') signed_string = s.sign(b'data to sign') print(signed_string) # HMAC SHA1 signed string # tamper with string signed_string = b'my ' + signed_string try: s.unsign(signed_string) except BadSignature as e: print("failed to unsign the modified data") s = TimestampSigner('secret-password', salt='signup') # adds current time to data signed_string = s.sign(b'data to sign') print(signed_string) s.unsign(signed_string, max_age=5) # would only unsign if signed less than 5 seconds ago time.sleep(2) try: s.unsign(signed_string, max_age=1) # would only unsign if signed less than 1 seconds ago except SignatureExpired as e:
def sign(s, config): signer = Signer(config['SIGNING_KEY']) try: return signer.sign(s) except BadSignature: raise BadRequestError()
def get_auth_token(self): s = Signer(current_app.config['SECRET_KEY']) return s.sign(self.auth_token)
class User(): def __init__(self,secret_key): #initialize signer self.s = Signer(secret_key) def deserialize(self,request): #it runs in framework BEFORE_REQUEST function self.cookies = request.cookies #check stat in cookie and verify it stat_str = str(self.cookies.get('stat')) stat_signature = str(self.cookies.get('stat_signature')) stat_token = stat_str+'.'+stat_signature if stat_str=='None' or self.s.validate(stat_token)==False: self._create_new_stat(request) #if validation success else: self.stat = json.loads(stat_str) #increase kolvo_visits self._increase_kolvo_visits() #add actual IP for checking log_token self.stat['ip'] = request.environ['REMOTE_ADDR'] self.log_token = str(self.cookies.get('log_token')) #initialize DB self._db_init() def serialize(self,response): #it runs in framework AFTER_REQUEST function stat_str = json.dumps(self.stat) sign_str = self.s.sign(stat_str) last_elem = len(sign_str.split('.')) #because dots in IP self.stat_signature = sign_str.split('.')[last_elem-1] response.set_cookie('stat',value=stat_str) response.set_cookie('stat_signature',value=self.stat_signature) if self.log_token!='None': response.set_cookie('log_token',value=self.log_token) else: response.set_cookie('log_token','',expires=0) #increase visits return response def _create_new_stat(self,request): self.stat = {} self.stat['ip'] = request.environ['REMOTE_ADDR'] self.stat['first_reg'] = int(time.time()) self.stat['kolvo_visits'] = 1 self.stat['_id'] = 'yap'+str(int(time.time())) self.stat['last_visit'] = int(time.time()/86400) def _increase_kolvo_visits(self): new_day = int(time.time()/86400) if self.stat.get('last_visit')==None: self.stat['last_visit'] = int(time.time()/86400) if int(self.stat.get('last_visit'))<new_day: self.stat['kolvo_visits'] = self.stat['kolvo_visits']+1 self.stat['last_visit'] = new_day def check_auth(self,roles): if self.log_token=='None': return 'Error User:Not Login, Please Log IN' if self.s.validate(self.log_token)!=True: return 'Error User:Not Valid Login Token. Please, Log IN' self.session = self._get_json(self.log_token) if self.session['ip']!=self.stat['ip']: return 'Error User:Not valid IP. Please, log IN' if (int(time.time()) - int(self.session['ts']))>int(self.session['live_time']): return 'Error User:Session nor fresh, please Log IN' #check permission for each in self.session['roles']: if each in roles: return True return 'Error User:Not enough permission' def _gen_token(self,user_id,u_doc): self.session = {} self.session['_id'] = user_id self.session['name'] = u_doc['name'] self.session['ts'] = int(time.time()) self.session['roles'] = u_doc['roles'] self.session['live_time'] = u_doc.get('token_live_time') self.session['ip'] = self.stat['ip'] #create JSON from dict and compress j = json.dumps(self.session) j64 = base64.b64encode(j) #create signature j64_sign = self.s.sign(j64) return j64_sign def _get_json(self,token): if self.s.validate(token)!=True: return 'Error User: not valid Log Token' jb64 = self.s.unsign(token) j = base64.b64decode(jb64) j = json.loads(j) return j def login(self,user_name,user_pass): #if user id in db and pass is equal md5 with secret #check user name and get user doc u_doc,u_id = self._db_check_in(user_name) if u_doc==False: return 'Error User:No such User' #check pass if self._md5_trans(user_pass)!=u_doc['pass']: return 'Error User:Wrong Pass' self.log_token = self._gen_token(u_id, u_doc) return True def registr(self,u_doc): user_id = 'yap'+str(int(time.time())) if self._db_check_in(u_doc['name'])!=[False,False]: return 'Error User:There is user with the name '+u_doc['name'] u_doc['pass'] = self._md5_trans(u_doc['pass']) self._db_add(user_id,u_doc) return True def drop_log_token(self): self.log_token = 'None' return True def _md5_trans(self,rec): m = md5.new() m.update(rec) return m.hexdigest() ########## DB ################# def _db_init(self): cl = MongoClient('localhost',27017) _db = cl['users'] self.db = _db['users'] def _db_check_in(self,u_name): u_doc = self.db.find_one({'name':u_name}) if u_doc==None: return [False,False] return u_doc,u_doc['_id'] def _db_add(self,u_id,user_d): user_d['_id'] = u_id self.db.insert_one(user_d)