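def login():
    """Authenticate a user from POST form fields and issue a session key.

    Reads ``user`` and ``passw`` from ``request.form``, looks the user up in
    the ``users`` collection and, when the stored hash matches, writes a fresh
    ``session_salt`` to the user document and returns a JSON string holding
    the derived ``session`` key, the ``userID`` and the remaining ``details``.
    Returns the string ``"False"`` for non-POST requests and for any failed
    login; the body is the same for an unknown user and a wrong password.
    """
    import hmac  # function-scope: the file's import block is not in view here

    if request.method != "POST":
        return "False"
    user = request.form['user']
    passw = request.form['passw']

    users = util.get_collection('users')
    user_data = users.find_one({"user": user})

    # NOTE(review): the stored value is a single SHA-512 of user+password
    # (see register()), i.e. a fast hash with the username as a fixed salt,
    # not a password KDF (bcrypt/argon2/PBKDF2). Changing the scheme needs a
    # migration of every stored hash, so it is only flagged here.
    expected = util.sha512(user + passw)
    stored = user_data.get('passw') if user_data else None
    # compare_digest runs in constant time, so response timing does not leak
    # how much of the hash matched. Assumes util.sha512 returns the same type
    # (str hex digest or bytes) it stored at registration -- confirm.
    if stored is None or not hmac.compare_digest(stored, expected):
        return "False"

    # Fresh random salt per login; the old salt is overwritten, which is
    # intended to leave only the newest session key verifiable (util.auth's
    # check is not in view -- confirm it recomputes from "session_salt").
    session_salt = util.sha512(os.urandom(512))
    util.update_user(user_data['_id'], {"session_salt": session_salt})
    # Session key is bound to both the per-login salt and the password hash.
    session_key = util.sha512(session_salt + stored)
    userID = str(user_data['_id'])

    # Strip the secrets and the raw id before echoing the document back.
    for secret in ('_id', 'passw', 'session_salt'):
        user_data.pop(secret, None)
    return json.dumps({
        "session": session_key,
        "userID": userID,
        "details": user_data
    })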
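def register():
    """Create a user from POST form fields and log them straight in.

    Expects ``user`` and ``passw`` in ``request.form``; an optional
    ``details`` field is parsed as JSON and stored as-is on the user
    document. Returns ``"userTaken"`` if the username already exists,
    ``"error"`` if the fields fail validation or ``details`` is not valid
    JSON, otherwise whatever ``login()`` returns for this same request.
    """
    user = request.form['user']
    passw = request.form['passw']

    details = False
    if "details" in request.form:
        try:
            details = json.loads(request.form['details'])
        except ValueError:  # JSONDecodeError is a ValueError
            # Malformed JSON used to escape as an unhandled exception; it is
            # a client error, so answer like the other validation failures.
            return "error"
    # NOTE(review): "details" is stored verbatim with no schema or size
    # limit, so a client controls an arbitrary nested document -- consider
    # whitelisting keys and bounding its length.

    users = util.get_collection('users')
    userData = {
        "user": user,
        # Username acts as a fixed per-user salt. NOTE(review): plain SHA-512
        # is not a password KDF; moving to bcrypt/argon2 needs a migration.
        "passw": util.sha512(user + passw),
        "details": details,
        "session_salt": False,
    }

    # find_one replaces cursor.count(), which newer pymongo removed; the
    # result is the same "does any document match" test.
    # NOTE(review): this check-then-insert is racy -- two concurrent requests
    # for the same name can both pass. A unique index on "user" is the real
    # guard; confirm one exists.
    if users.find_one({"user": user}) is not None:
        return "userTaken"

    # Username must be non-empty (previously "" was accepted) and under 140
    # chars; password 6..139 chars. These are the bounds a password change
    # should enforce as well.
    if 0 < len(user) < 140 and 6 <= len(passw) < 140:
        users.insert(userData)
        return login()

    # Only broken clients will receive this error.
    return "error"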
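def change_password():
    """Change the password of the authenticated user.

    Reads ``userID``, ``session``, ``passw`` (current) and ``new_passw`` from
    ``request.form``. The session is verified with ``util.auth`` and the
    current password is re-checked so that a stolen session key alone is not
    enough to take over the account. Returns the result of
    ``util.update_user`` on success, ``"invalid user"`` if the session does
    not verify, ``"incorrect password"`` if the current password is wrong,
    ``"error"`` if the new password breaks the length rule used at
    registration, and ``"False"`` for non-POST requests.
    """
    import hmac  # function-scope: the file's import block is not in view here

    if request.method != "POST":
        # Was a bare ``False``, which the other handlers never return and
        # which a Flask-style view cannot turn into a response.
        return "False"
    userID = request.form['userID']
    session = request.form['session']
    passw = request.form['passw']
    new_passw = request.form['new_passw']

    user = util.auth(userID, session)
    if not user:
        return "invalid user"

    # Constant-time compare so timing does not reveal how much of the hash
    # matched. Assumes the stored hash and util.sha512's result share a type
    # (both str or both bytes) -- confirm.
    expected = util.sha512(user['user'] + passw)
    if not hmac.compare_digest(user['passw'], expected):
        return "incorrect password"

    # Same bounds as registration; previously any new password, including
    # an empty one, was accepted here.
    if not 6 <= len(new_passw) < 140:
        return "error"

    # NOTE(review): whether existing session keys survive a password change
    # depends on util.auth (login derives the key from the stored hash, which
    # changes below); rotating "session_salt" here would force re-login
    # explicitly -- confirm the desired behaviour.
    return util.update_user(
        userID,
        {"passw": util.sha512(user['user'] + new_passw)}
    )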