def PasswordResetPost(): if Authorization.isLoggedIn(session.get('user')): return redirect(url_for('Campus.List')) email = request.form.get('email') staff = StaffModel.findby('email', email) if len(staff) != 0: resetToken = str(uuid.uuid4()).replace('-', '') expires = time.time() + 30 * 60 # 30 minutes prm = PasswordResetModel() prm.setToken(resetToken) \ .setUserId(staff.getId()) \ .setUserType('staff') \ .setExpires(expires) \ .save() Email.sendEmail( email, 'password_reset', { 'password_reset_url': Config.getValue('APP_URL') + '/auth/password-reset/' + resetToken }) return render_template('auth/password_reset_sent.html')
def isValid(request): """ Checks if the session is valid (wrapper for isValidToken) """ if 'X-App-Token' not in request.headers: return False ip_address = request.remote_addr if Config.getValue('DEPLOYMENT') == 'heroku': ip_address = request.headers['X-Forwarded-For'] return isValidToken(request.headers['X-App-Token'], ip_address, request.headers['User-Agent'])
def route(): """ Example route, show information about system and current session. """ userId = -1 if 'X-App-Token' in request.headers: userId = ApiSession.getUserId(request.headers['X-App-Token']) return JsonResponse.ok({ 'application': 'A4Scheduler', 'environment': Config.getValue('ENVIRONMENT'), 'userId': userId })
def connect(): """ Connects to the database """ global connection global mode if Config.getValue('SQLITE') == 'yes': mode = 'sqlite' if mode == 'mysql': db = MySQLdb.connect(host=Config.getValue('DB_HOST'), user=Config.getValue('DB_USER'), password=Config.getValue('DB_PASS'), database=Config.getValue('DB_NAME'), cursorclass=MySQLdb.cursors.DictCursor, use_unicode=True, charset="utf8mb4") db.autocommit(True) else: db = sqlite3.connect('system.db') db.row_factory = sqlite3.Row db.isolation_level = None connection = db
def sendEmail(recipient, template, vars={}): # Get template, render it then send it using the Mailgun API # See: http://docs.python-requests.org/en/master/ # See: https://documentation.mailgun.com/en/latest/api-sending.html#sending (ignore mime example) email = renderTemplate(getTemplate(template), vars) apiResponse = requests.post( 'https://api.mailgun.net/v3/mg.a4scheduler.xyz/messages', auth=('api', Config.getValue('MAILGUN_API_KEY')), data={ 'from': 'A4 Scheduler <*****@*****.**>', 'to': recipient, 'subject': email[2], 'text': email[1], 'html': email[0] }) return
def SessionLogin(): if 'X-App-Token' in request.headers and ApiSession.isValid(request): return JsonResponse.ok({'token': request.headers['X-App-Token']}) userEmail = request.form.get('email') userPassword = request.form.get('password') userType = request.form.get('user_type') # Step 1: Verify presence of values and validate them if not userEmail or not userPassword or not userType: return JsonResponse.badRequest({ 'message': 'post_property_missing', 'nice_message': 'Missing POST property.' }) if userType not in ('student', 'teacher'): return JsonResponse.badRequest({ 'message': 'invalid_user_type', 'nice_message': 'Given user type is invalid! Allowable types are: student/teacher.' }) # Step 2: Verify password if userType == 'student': user = StudentModel.findBy('email', userEmail) elif userType == 'teacher': user = TeacherModel.findBy('email', userEmail) else: return JsonResponse.internalServerError({ 'message': 'unexpected_user_type', 'nice_message': 'Unexpected user type. Contact system administrator.' }) if len(user) != 1: return JsonResponse.unauthorized({ 'message': 'invalid_credentials', 'nice_message': 'Supplied credentials (email/password) are invalid.' }) user = user[0] salt = user.getSalt() hashedPassword = Security.hashPassword(userPassword, salt) if hashedPassword != user.getPassword(): return JsonResponse.unauthorized({ 'message': 'invalid_credentials', 'nice_message': 'Supplied credentials (email/password) are invalid.' }) userId = user.getId() # Step 3: Create session ipAddress = request.remote_addr if Config.getValue('DEPLOYMENT') == 'heroku': ipAddress = request.headers['X-Forwarded-For'] token = ApiSession.create(userId, userType, ipAddress, request.headers['User-Agent']) if token: return JsonResponse.ok({'token': token}) return JsonResponse.internalServerError({ 'message': 'session_generation_failed', 'nice_message': 'Session generation failed. Contact system administrator.' })
from dotenv import load_dotenv from core import Config from core import Authorization from core import Database import os # Setup the .env file env_file = os.path.join(os.path.dirname(__file__), '.env') if os.path.isfile( env_file ) == True: #TODO: ONLY try to load the .env file if the environment is dev and NOT production load_dotenv(env_file) # Setup the raven client for Sentry client = Client(dsn=Config.getValue('SENTRY_DSN'), environment=Config.getValue('ENVIRONMENT')) db_file = os.path.join(os.path.dirname(__file__), 'system.db') # Setup database if not exists if Config.getValue('SQLITE') == 'yes': if os.path.isfile(db_file) == False: Database.createSQLite() app = Flask(__name__) app.debug = True if Config.getValue('ENVIRONMENT') == 'local': @app.after_request