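def login():
    """Authenticate a user from the POST form and hand back a session key.

    Reads ``user`` and ``passw`` from ``request.form``. On success returns a
    JSON string with ``session`` (the key the client presents later),
    ``userID`` and the non-sensitive remainder of the user document under
    ``details``. Every other outcome (non-POST request, unknown user, wrong
    password) returns the literal string ``"False"``.

    Note: the stored credential is ``util.sha512(user + passw)`` (see
    ``register``), so the username is the only salt and no slow KDF is
    involved. That scheme is shared with the data already in the database
    and is not changed here.
    """
    import hmac  # local import: the file's import block is outside this view

    if request.method != "POST":
        return "False"
    user = request.form['user']
    passw = request.form['passw']

    users = util.get_collection('users')
    user_data = users.find_one({"user": user})
    if not user_data:
        return "False"

    expected = util.sha512(user + passw)
    stored = user_data['passw']
    try:
        # constant-time comparison so response timing does not reveal how
        # many leading characters of the stored digest matched
        matched = hmac.compare_digest(stored, expected)
    except TypeError:
        # compare_digest rejects mixed text/bytes operands (e.g. a unicode
        # value read back from the database vs a str digest); fall back to ==
        matched = stored == expected
    if not matched:
        return "False"

    # fresh random salt per login so a given session key is only valid once
    session_salt = util.sha512(os.urandom(512))
    # persist the salt so the session key can be verified later
    util.update_user(user_data['_id'], {"session_salt": session_salt})
    session_key = util.sha512(session_salt + user_data['passw'])

    user_id = str(user_data['_id'])
    # strip everything the client must never see before echoing the document;
    # pop() tolerates documents that lack one of these keys
    for sensitive in ('_id', 'passw', 'session_salt'):
        user_data.pop(sensitive, None)

    # User logged in. Hand out the (session) cookies.
    return json.dumps({
        "session": session_key,
        "userID": user_id,
        "details": user_data,
    })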
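def register():
    """Create a user from the POST form and log the new account in.

    Returns ``"userTaken"`` when the username already exists, ``"error"``
    when the username/password fail validation or ``details`` is not valid
    JSON, and otherwise the result of ``login()`` for the new account.
    """
    user = request.form['user']
    passw = request.form['passw']
    details = False
    if "details" in request.form:
        try:
            details = json.loads(request.form['details'])
        except ValueError:
            # malformed JSON used to surface as an unhandled exception;
            # treat it as a client error like the other validation failures
            return "error"

    users = util.get_collection('users')
    user_record = {
        "user": user,
        # the username acts as a fixed salt; no slow KDF is used here
        "passw": util.sha512(user + passw),
        "details": details,
        "session_salt": False,
    }

    # find_one instead of find().count(): fetches a single document and
    # avoids cursor.count(), which newer pymongo releases deprecate
    if users.find_one({"user": user}) is not None:
        return "userTaken"
    # validate the username and password; an empty username is rejected
    if 0 < len(user) < 140 and 6 <= len(passw) < 140:
        # insert the user into the database, then log them in
        users.insert(user_record)
        return login()
    # Only broken clients will receive this error
    return "error"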
def store(self, data, collection, visible=False):
    """Insert ``data`` into the named collection, tagging its visibility.

    ``visible`` is written into the document as the ``visible`` field and
    overrides any value the caller placed under that key: documents with
    ``visible=True`` can be read back by the front end (that is, by the
    user), so no password hashes or other sensitive information belongs
    there unless it is the user's own.
    """
    target = util.get_collection(collection)
    # a caller-supplied 'visible' is deliberately clobbered, never trusted
    data['visible'] = visible
    target.insert(data)