def register_by_password_status():
    """AJAX poll for the status of a password-based (educational-system) verification request.

    The request id is read from the ``request`` query parameter, looked up in
    IdentityVerification and accepted only if it was created with the
    ``password`` verification method.  The current result is then fetched from
    the auth service over RPC:

    * success  -> the request is marked ID_STATUS_PWD_SUCCESS, the student is
                  looked up, the user is created (duplicates tolerated), the
                  login state is written to the caller's session and
                  ``{"message": "SUCCESS"}`` is returned;
    * a terminal failure (PASSWORD_WRONG / INTERNAL_ERROR / INVALID_REQUEST_ID)
               -> that message is echoed back;
    * anything else -> ``{"message": "NEXT_TIME"}`` so the client polls again.

    Plain-string ``"Invalid request"`` is returned for a missing / unknown /
    non-password request id.

    Security notes, as the code stands:
    - The request id is the only thing gating this endpoint: it is not compared
      with SESSION_PWD_VER_REQ_ID in the caller's session (that key is merely
      removed if present), and on success the login is written into *this*
      caller's session.  NOTE(review): confirm request ids are unguessable and
      single-use, or bind the poll to the session that started the request.
    - The verification record carries the candidate password
      (``password_encrypted=True`` is passed on to User.add_user); what that
      flag means is not visible here.
    - The whole RPC result object is written to the info log.
      NOTE(review): check it carries nothing sensitive.
    """
    req_id = request.args.get("request", None)
    # request.args values are strings under Flask, so the isinstance check is
    # belt-and-braces; kept for parity with the caller's expectations.
    if not req_id or not isinstance(request.args["request"], str):
        return "Invalid request"

    req = IdentityVerification.get_request_by_id(req_id)
    if not req:
        return "Invalid request"
    if req["verification_method"] != "password":
        # An e-mail flow request must not be advanced through this interface.
        logger.warn("Non-password verification request is trying get status from password interface")
        return "Invalid request"

    # Ask everyclass-auth for the current verification result.
    with tracer.trace('get_result'):
        try:
            rpc_result = Auth.get_result(str(req_id))
        except Exception as e:
            return handle_exception_with_error_page(e)

    logger.info(f"RPC result: {rpc_result}")

    if not rpc_result.success:
        # Only these three outcomes are final; everything else tells the
        # client to keep polling.
        terminal = ("PASSWORD_WRONG", "INTERNAL_ERROR", "INVALID_REQUEST_ID")
        message = rpc_result.message if rpc_result.message in terminal else "NEXT_TIME"
        return jsonify({"message": message})

    # Password verified: advance the request and create the account.
    IdentityVerification.set_request_status(str(req_id), ID_STATUS_PWD_SUCCESS)
    verification_req = IdentityVerification.get_request_by_id(str(req_id))

    # Basic student record from api-server (also needed for the session below).
    try:
        student = Entity.get_student(verification_req["sid_orig"])
    except Exception as e:
        return handle_exception_with_error_page(e)

    try:
        User.add_user(sid_orig=verification_req["sid_orig"],
                      password=verification_req["password"],
                      password_encrypted=True)
    except ValueError:
        # Registration already succeeded earlier but the request somehow stayed
        # in an intermediate state, the session clean-up below never ran and
        # the user refreshed the page: treat as success.
        pass

    # Write the login state to the session.
    flash(MSG_REGISTER_SUCCESS)
    if SESSION_PWD_VER_REQ_ID in session:
        del session[SESSION_PWD_VER_REQ_ID]
    session[SESSION_CURRENT_USER] = StudentSession(sid_orig=student.student_id,
                                                   sid=student.student_id_encoded,
                                                   name=student.name)
    return jsonify({"message": "SUCCESS"})
def email_verification():
    """Registration: e-mail verification (token check, then password set-up).

    GET, no verification request in the session:
        the ``token`` query parameter is sent to the auth service.  On success
        the returned request id is bound to the session, the request status is
        advanced to ID_STATUS_TKN_PASSED and the set-password page is shown,
        unless the student already has an account, in which case they are
        redirected to ``main.main``.
    GET, verification request already in the session:
        the set-password page.
    POST:
        validates the password pair (non-empty, equal, zxcvbn score >= 2),
        creates the user, drops the request id from the session, marks the
        request ID_STATUS_PASSWORD_SET, writes the login state and redirects
        to ``user.main``.

    Security notes, as the code stands:
    - The POST side is authorised by the request id held in the session plus
      that request's status being ID_STATUS_TKN_PASSED; the status check is
      what stops a session primed by some other flow from setting a password.
    - Weak candidates are handed in plaintext to SimplePassword.new.
      NOTE(review): confirm they are not persisted in clear.
    - On the GET "already registered" path the request id stays in the
      session; a subsequent POST is only rejected because User.add_user
      raises ValueError for a duplicate.
    """
    if request.method != 'POST':
        # Set-password page.  A request id already in the session means the
        # token step was completed earlier; just render the form.
        if session.get(SESSION_EMAIL_VER_REQ_ID, None):
            return render_template('user/emailVerificationProceed.html')

        token = request.args.get("token", None)
        if not token:
            return render_template("common/error.html", message=MSG_400)

        # The token is validated solely by the auth service.
        with tracer.trace('verify_email_token'):
            try:
                rpc_result = Auth.verify_email_token(token=token)
            except Exception as e:
                return handle_exception_with_error_page(e)

        if not rpc_result.success:
            return render_template("common/error.html", message=MSG_TOKEN_INVALID)

        request_id = rpc_result.request_id
        session[SESSION_EMAIL_VER_REQ_ID] = request_id
        IdentityVerification.set_request_status(request_id, ID_STATUS_TKN_PASSED)
        student_id = IdentityVerification.get_request_by_id(request_id)["sid_orig"]
        if User.exist(student_id):
            flash(MSG_ALREADY_REGISTERED)
            logger.info(f"User {student_id} try to register again by email token. Request filtered.")
            return redirect(url_for("main.main"))
        return render_template('user/emailVerificationProceed.html')

    # Set-password form submission.
    request_id = session.get(SESSION_EMAIL_VER_REQ_ID, None)
    if not request_id:
        return render_template("common/error.html", message=MSG_400)
    req = IdentityVerification.get_request_by_id(request_id)
    if not req:
        return render_template("common/error.html", message=MSG_TOKEN_INVALID)
    # Not strictly required, but re-checking the status is the safe choice:
    # only a request that passed the token step may set a password.
    if req["status"] != ID_STATUS_TKN_PASSED:
        return render_template("common/error.html", message=MSG_TOKEN_INVALID)

    # Both fields must be present and non-empty.
    if any(not request.form.get(field, None) for field in ("password", "password2")):
        flash(MSG_EMPTY_PASSWORD)
        return redirect(url_for("user.email_verification"))
    password = request.form["password"]
    if password != request.form["password2"]:
        flash(MSG_PWD_DIFFERENT)
        return redirect(url_for("user.email_verification"))

    sid_orig = req['sid_orig']

    # Password strength gate (zxcvbn score 0..4; below 2 is rejected).
    if zxcvbn(password=password)['score'] < 2:
        SimplePassword.new(password=password, sid_orig=sid_orig)
        flash(MSG_WEAK_PASSWORD)
        return redirect(url_for("user.email_verification"))

    try:
        User.add_user(sid_orig=sid_orig, password=password)
    except ValueError:
        # Duplicate account: the request id deliberately stays in the session.
        flash(MSG_ALREADY_REGISTERED)
        logger.info(f"User {sid_orig} try to register again by email token. Filtered when posting.")
        return redirect(url_for("user.email_verification"))

    del session[SESSION_EMAIL_VER_REQ_ID]
    IdentityVerification.set_request_status(str(req["request_id"]), ID_STATUS_PASSWORD_SET)
    flash(MSG_REGISTER_SUCCESS)

    # Basic student record from api-server, needed for the session entry.
    try:
        student = Entity.get_student(sid_orig)
    except Exception as e:
        return handle_exception_with_error_page(e)

    # Write the login state to the session.
    session[SESSION_CURRENT_USER] = StudentSession(sid_orig=student.student_id,
                                                   sid=student.student_id_encoded,
                                                   name=student.name)
    return redirect(url_for("user.main"))
def email_verification():
    """Registration: e-mail verification (token check, then password set-up).

    GET, no verification request in the session:
        the ``token`` query parameter is sent to the auth service.  On success
        the returned request id is bound to the session, the request status is
        advanced to ID_STATUS_TKN_PASSED and the set-password page is shown.
    GET, verification request already in the session:
        the set-password page.
    POST:
        validates the password pair (non-empty, equal, zxcvbn score >= 2),
        creates the user, drops the request id from the session, marks the
        request ID_STATUS_PASSWORD_SET, writes the login state and redirects
        to ``user.main``.

    Security notes, as the code stands:
    - SESSION_VER_REQ_ID is shared by the password and the e-mail verification
      flows.  A session primed by the password flow could POST here straight
      away; the ID_STATUS_TKN_PASSED check is what prevents it from setting a
      password without completing verification.
    - Weak candidates are handed in plaintext to SimplePassword.new.
      NOTE(review): confirm they are not persisted in clear.
    - User.add_user is called unguarded here; NOTE(review): if it raises
      ValueError for a duplicate account (as the callers elsewhere on this
      page assume), that surfaces as an unhandled error on a repeated POST.
    """
    if request.method != 'POST':
        # Set-password page.  A request id already in the session means the
        # token step was completed earlier; just render the form.
        if session.get(SESSION_VER_REQ_ID, None):
            return render_template('user/emailVerificationProceed.html')

        token = request.args.get("token", None)
        if not token:
            return render_template("common/error.html", message=MSG_400)

        # The token is validated solely by the auth service.
        with elasticapm.capture_span('verify_email_token'):
            try:
                rpc_result = Auth.verify_email_token(token=token)
            except Exception as e:
                return handle_exception_with_error_page(e)

        if not rpc_result['success']:
            return render_template("common/error.html", message=MSG_TOKEN_INVALID)

        request_id = rpc_result['request_id']
        session[SESSION_VER_REQ_ID] = request_id
        IdentityVerification.set_request_status(request_id, ID_STATUS_TKN_PASSED)
        return render_template('user/emailVerificationProceed.html')

    # Set-password form submission.
    request_id = session.get(SESSION_VER_REQ_ID, None)
    if not request_id:
        return render_template("common/error.html", message=MSG_400)
    req = IdentityVerification.get_request_by_id(request_id)
    if not req:
        return render_template("common/error.html", message=MSG_TOKEN_INVALID)
    # Status gate: see the docstring on why this matters with a shared
    # session key.
    if req["status"] != ID_STATUS_TKN_PASSED:
        return render_template("common/error.html", message=MSG_TOKEN_INVALID)

    # Both fields must be present and non-empty.
    if any(not request.form.get(field, None) for field in ("password", "password2")):
        flash(MSG_EMPTY_PASSWORD)
        return redirect(url_for("user.email_verification"))
    password = request.form["password"]
    if password != request.form["password2"]:
        flash(MSG_PWD_DIFFERENT)
        return redirect(url_for("user.email_verification"))

    sid_orig = req['sid_orig']

    # Password strength gate (zxcvbn score 0..4; below 2 is rejected).
    if zxcvbn(password=password)['score'] < 2:
        SimplePassword.new(password=password, sid_orig=sid_orig)
        flash(MSG_WEAK_PASSWORD)
        return redirect(url_for("user.email_verification"))

    User.add_user(sid_orig=sid_orig, password=password)
    del session[SESSION_VER_REQ_ID]
    IdentityVerification.set_request_status(str(req["request_id"]), ID_STATUS_PASSWORD_SET)
    flash(MSG_REGISTER_SUCCESS)

    # Basic student record from api-server, needed for the session entry.
    try:
        student = APIServer.get_student(sid_orig)
    except Exception as e:
        return handle_exception_with_error_page(e)

    # Write the login state to the session.
    session[SESSION_CURRENT_USER] = StudentSession(sid_orig=student.student_id,
                                                   sid=student.student_id_encoded,
                                                   name=student.name)
    return redirect(url_for("user.main"))