def register():
if not Config.get().register_open:
return error("Registration is closed")
username = request.json.get("username", "").strip()
if not username:
return error("Username is required")
user = User.query.filter(User.name == username).first()
if user:
return error("The user `{}` already exists".format(username))
email = request.json.get("email", "").strip()
if not email:
return error("Email address is required")
user = User.query.filter(User.email == email).first()
if user:
return error("The email address is already used")
# TODO: check email format
# TODO check the number of teammates
password = request.json.get("password", "").strip()
if not password:
return error("Password is required")
if request.json.get("teamtoken"):
token = request.json.get("teamtoken").strip()
team = Team.query.filter(Team.token == token, Team.valid == True).first()
if not team:
return error("Team token is invalid")
elif request.json.get("teamname"):
teamname = request.json.get("teamname").strip()
team = Team.query.filter(Team.name == teamname).first()
if team and team.valid:
return error("The team `{}` already exists".format(teamname))
team = Team(name=teamname)
team.valid = True
team.renewToken()
db.session.add(team)
db.session.commit()
else:
return error("Either team token or team name is required")
user = User()
user.name = username
user.password = password
user.email = email
user.team_id = team.id
user.verified = False
user.issueResetToken()
db.session.add(user)
db.session.commit()
logger.log(":heavy_plus_sign: `{}@{}` registered".format(user.name, user.team.name))
send_verification_mail(user)
return jsonify({"id": user.id, "name": user.name})
def upload_icon(user):
icon = request.json.get("icon", "").strip()
if not icon:
return error("Icon required")
path = current_app.uploader.upload_icon(icon)
if not path:
return error("Failed to upload the icon")
user.icon = path
db.session.add(user)
db.session.commit()
return "", 204
def password_update(user):
cur = request.json.get("current_password", "").strip()
if not cur:
return error("Current password required")
new = request.json.get("new_password", "").strip()
if not new:
return error("New password required")
if not user.check_password(cur):
return error("Current password is invalid")
user.password = new
db.session.add(user)
db.session.commit()
return "", 204
def login():
username = request.json.get("username", "").strip()
if not username:
return error("Username is required")
password = request.json.get("password", "").strip()
if not password:
return error("Password is required")
user = User.query.filter(User.name == username).first()
if not user:
return error("The user `{}` doesn't exist".format(username))
if not user.check_password(password):
return error("Invalid password")
session["user_id"] = user.id
return "", 204
def resend(user):
email = request.json.get("email", "").strip()
if not email:
return error("Email address is required")
if user.verified:
return error("You're already verified")
u2 = User.query.filter(User.email == email).first()
if u2 and u2.id != user.id:
return error("The email address is already used")
user.email = email
user.issueResetToken()
db.session.add(user)
db.session.commit()
send_verification_mail(user)
return "", 204
def register():
teamname = request.json.get("teamname", None)
if not teamname:
return error("Team name is required")
if not Config.get().register_open:
return error("Registration is closed")
team = Team.query.filter(Team.name == teamname).first()
if team and team.valid:
return error("The team `{}` already exists".format(teamname))
if not team:
team = Team()
team.name = teamname
team.renewToken()
db.session.add(team)
db.session.commit()
return jsonify({"id": team.id, "name": teamname, "token": team.token})
def reset():
token = request.json.get("token", "").strip()
if not token:
return error("Reset token is required")
password = request.json.get("password", "").strip()
if not password:
return error("Password is required")
user = User.query.filter(User.reset_token == token).first()
if not user:
return error("Team token is invalid")
if not user.checkToken(token):
return error("Team token is invalid or outdated")
user.revokeToken()
user.password = password
db.session.add(user)
db.session.commit()
return "", 204
def resetRequest():
username = request.json.get("username", "").strip()
if not username:
return error("Username is required")
email = request.json.get("email", "").strip()
if not email:
return error("Email address is required")
user = User.query.filter(User.name == username, User.email == email).first()
if not user:
return error("Username and/or email address is mismatching")
if not user.verified:
return error("Your email address is not verified")
user.issueResetToken()
db.session.add(user)
db.session.commit()
send_passwordreset_mail(user)
return "", 204
def confirm():
token = request.json.get("token", "").strip()
if not token:
return error("Team token is required")
user = User.query.filter(User.reset_token == token).first()
if not user:
return error("Team token is invalid")
if not user.checkToken(token):
return error("Team token is invalid or outdated")
user.verified = True
if not user.team.valid:
user.team.valid = True
user.team.renewToken()
user.revokeToken()
db.session.add(user)
db.session.add(user.team)
db.session.commit()
return "", 204
def submit(user):
challenge_id = request.json.get("id", None)
if not challenge_id:
return error("challenge id required")
flag = request.json.get("flag", "").strip()
if not challenge_id:
return error("flag required")
c = Challenge.query.filter(Challenge.id == challenge_id,
Challenge.is_open == True).first()
if c is None:
return error("invalid challenge id")
if user.team:
solves = user.team.getSolves(valid_only=False)
team = user.team
else:
solves = user.getSolves(valid_only=False)
team = Team()
team.name = ""
ids = [solved.id for solved in solves]
already_solved = bool(c.id in ids)
s = Submission()
s.flag = flag
s.challenge_id = c.id
s.user_id = user.id
if user.team:
s.team_id = user.team.id
if "survey" in c.tags:
s.created_at = Config.get().start_at
if c.flag == flag and already_solved:
logger.log(
":heavy_check_mark: `{}@{}` has submitted flag `{}` to `{}`. It has already solved."
.format(user.name, team.name, c.name, flag))
return jsonify({
"message":
"Correct, and you or your team already has solved `{}`".format(
c.name)
})
elif c.flag == flag and not already_solved:
config = Config.get()
if not config.ctf_frozen:
s.is_valid = True
s.is_correct = True
db.session.add(s)
db.session.commit()
c.recalc_score(config.score_expr)
db.session.add(c)
db.session.commit()
else:
s.is_valid = False
s.is_correct = True
db.session.add(s)
db.session.commit()
logger.log(
":heavy_check_mark: `{}@{}` has submitted flag `{}` to `{}`. :100:"
.format(user.name, team.name, c.name, flag))
return jsonify({"message": "Correct! You solved `{}`.".format(c.name)})
elif c.flag != flag and already_solved:
logger.log(
":x: `{}@{}` has submitted flag `{}` to `{}`. The correct flag is `{}`. This team already solved this challenges."
.format(user.name, team.name, c.name, flag, c.flag))
return error(
"Wrong flag, but you or your team already has solved `{}`".format(
c.name))
else:
s.is_valid = False
s.is_correct = False
db.session.add(s)
db.session.commit()
logger.log(
":x: `{}@{}` has submitted flag `{}` to `{}`. The correct flag is `{}`"
.format(user.name, team.name, c.name, flag, c.flag))
return error("Wrong flag")