def login(self,payload):
email = payload['userName']
pword = payload['password']
type = payload['account-type']
if type == 'admin':
admin = self.Admin.query.filter_by(email=email).first()
if admin is None:
return {'status':404,'account':admin,'message':'The provided email is not linked to an existing account.'}
else:
password = argon2.verify(pword,admin.account.pword)
if password == True:
return {'status':200,'account':admin.account,'message':'Login successful.'}
else:
return {'status':404,'account':admin.account,'message':'An incorrect password was provided.'}
if type == 'user':
user = self.Manager.query.filter_by(email=email).first()
if user is None:
return {'status':404,'account':user,'message':'The provided email is not linked to an existing account.'}
else:
password = argon2.verify(pword,user.account.pword)
if password == True:
return {'status':200,'account':user.account,'message':'Login successful.'}
else:
return {'status':404,'account':user.account,'message':'An incorrect password was provided.'}
return {'status':400,'account':None,'message':'An invalid account type was given.'}
def generate_delete_token(sql_cursor, email, comment_id, thread_id):
"""
Generates a delete token and stores it within the database.
ASSUMES comment_id, and thread_id ARE VALID
get this through your dumb skull
"""
# TODO: check if email hashes for that comment and thread_id (and do the sleepy stuff)
email_hash = db.get_delete_email_hash(sql_cursor, email, comment_id, thread_id)
if email_hash is None:
# hash anyway to obscure whether the email exists anyway
res = argon2.verify("dingdong", settings.DUMMY_HASH)
return None, None
# well, looks like they provided the wrong email for the EXISTING hash
if not argon2.verify(email, email_hash):
return None, None
# generate deltoken ID and deltoken secret, SHA256 the secret, and store the two in the DB
del_token_id = secrets.token_urlsafe(settings.ID_BYTES)
del_token_secret = secrets.token_urlsafe(settings.TOKEN_BYTES)
# SHA256 the secret (we'll be storing this)
del_token_secret_hash = hmac.new(settings.HMAC_SECRET,
del_token_secret.encode('utf-8'), 'sha256').digest()
db.store_delete_token(sql_cursor, del_token_id, del_token_secret_hash, comment_id, thread_id)
return del_token_id, del_token_secret
def post(cls):
"""
Getting POST requests on the '/api/users/login' endpoint, and
returning 200 http status code if username and password were correct.
And 400 http status if user was not found or password didn't match.
"""
try:
incoming_user = user_signin_schema.load(request.get_json())
except ValidationError as err:
return err.messages, 400
###
db_session = g.flask_backend_session
db_user = db_session.query(UserModel).filter_by(
username=incoming_user["username"]).first()
db_email_address = db_session.query(UserModel).filter_by(
email_address=incoming_user["email_address"]).first()
###
if db_user:
if argon2.verify(incoming_user["password"], db_user.password):
return make_response(
jsonify({
"message": f"Login succesfull {db_user.username}",
"user_uuid": db_user.user_uuid,
"username": db_user.username,
"origin": db_user.origin,
}),
200,
)
return make_response(
jsonify({"message": "Username or password Incorect!"}), 400)
elif db_email_address:
if argon2.verify(incoming_user["password"],
db_email_address.password):
return make_response(
jsonify({
"message": (f"Login succesfull "
f"{db_email_address.email_address}"),
"user_uuid":
db_email_address.user_uuid,
"username":
db_email_address.username,
"origin":
db_email_address.origin,
}),
200,
)
return make_response(
jsonify({"message": "Email address or password Incorect!"}),
400)
else:
return make_response(
jsonify({"message": "Username or Email address not found."}),
400)
def configure(c, confdir=""):
"Set the configuration"
base_name = os.path.basename(sys.argv[0])
appname = str(base_name).replace(".py", "")
c.config["appname"] = appname
c.config["version"] = VERSION
version = VERSION
if confdir == "":
dirs = AppDirs(appname, AUTHOR)
confdir = dirs.user_data_dir
#print(confdir)
if not os.path.isdir(confdir):
logging.warning("Creating config dir %s" % (confdir))
os.makedirs(confdir)
conffile = os.path.join(confdir, "conf.db")
c.config["confdir"] = confdir
c.config["conffile"] = conffile
with shelve.open(conffile) as app:
vp = ""
app["appname"] = c.config["appname"]
app["version"] = c.config["version"]
if not "app_hash" in app:
logging.warning("Creating config file %s" % (conffile))
logging.warning("Vault Password not set, please set now")
np = getpass.getpass(prompt='Set a vault password: '******'Re-enter vault password: '******'Enter vault password: ')
# verify password
if not argon2.verify(vp, phash):
logging.error("Password verification failed. Try Again")
exit()
c.config["conffile"] = conffile
c.config["passwd"] = vp
def verify_hash2(password, hvalue):
"""
Verify the hashed value
:param val:
:return:
"""
return argon2.verify(password, hvalue)
def home():
if request.method == "POST":
#If no input, redirect back
if ((request.form["user_name"] == "")
or (request.form["password"] == "")):
flash("Enter Credentials!")
return redirect(url_for("home"))
user_name = request.form["user_name"]
password = request.form["password"]
#Checking with database for username and password
cur = mysql.connection.cursor()
cur.execute(
"SELECT user_id,password,role FROM users where user_name = %s ",
[user_name])
row = cur.fetchone()
#If username is found on database,
if row:
#Checking password is correct or not
if (argon2.verify(password, row[1])):
session["user_id"] = row[0]
session["role"] = row[2]
flash("Login Succesful")
return redirect(url_for("driver"))
else:
flash("Login Failed")
return redirect(url_for("home"))
else:
flash("Could not find user")
return redirect(url_for("home"))
else:
return render_template("index.html")
def login():
if session.get('user'):
user = session['user']
return redirect(url_for('index'))
username = str(request.form.get('username'))
password = str(request.form.get('password'))
db = get_db()
cur = db.cursor()
# [0] id, [1] username, [2] password, [3] token, [4] is_admin
cur.execute('SELECT * FROM user WHERE username = %(username)s',
{'username': username})
users = cur.fetchall()
valid_user = False
for user in users:
if argon2.verify(password, user[2]):
valid_user = user
if valid_user:
session['user'] = valid_user
return redirect(url_for('index'))
if request.method == 'POST':
flash("Mauvais identifiants")
return render_template('login.html.j2')
def account():
user_ID = session.get('user_ID')
username = get_username(user_ID)
if request.method == 'POST':
current_password = request.form['current_password']
new_password = request.form['new_password']
repeated_password = request.form['repeated_password']
if not (username and new_password and repeated_password):
flash("Fill in all the fields!", 'error')
elif not (new_password == repeated_password):
flash('Passwords do not match', 'error')
elif new_password == current_password:
flash('Pick a new password', 'error')
else:
record = get_data('SELECT password FROM tbl_users WHERE username = %s', username)
password_correct = argon2.verify(current_password, record[0][0])
if password_correct:
argon_hash = argon2.hash(new_password)
update_password(argon_hash, user_ID)
flash('Password changed', 'success')
else:
flash('Old password is wrong', 'error')
return render_template('account.html', username=username)
def dash_login():
if request.method == 'GET':
return render_template('login.html')
elif request.method == 'POST':
if not request.form.get("username") or not request.form.get(
"password"):
flash("You forgot to enter your username and/or password!")
return redirect(url_for('dash_login'))
user = User.query.filter(
User.username == request.form.get('username')).first()
if not user:
flash("Incorrect username! and/or password!")
return redirect(url_for('dash_login'))
# Check Credentials
if argon2.verify(request.form.get('password'), user.password):
# login success
session['id'] = user.id
session['username'] = user.username
session['access_level'] = user.access_level
return redirect(url_for('portal'))
else:
flash("Incorrect username and/or password!")
return redirect(url_for('dash_login'))
else:
return abort(400)
def login_user(self, data: "LoginData") -> bool:
"""
Logs in the user (through the application's login manager) described by
the given login data if the user exists.
Arguments:
data (LoginData): The login data of the user to log in.
Returns:
`True` if the login data corresponds to an existing user and the
entered password is correct, `False` otherwise.
"""
user = self.get_user(data.username)
if user is None:
return False
from passlib.hash import argon2
try:
if argon2.verify(data.password, self._password_getter(user)) and\
(self._verification_checker is None or self._verification_checker(user)):
from flask_login import login_user
login_user(user, remember=data.remember)
return True
except Exception:
# Catch everything the verify method can raise.
pass
return False
def auth_username():
print('User Authentication.\nPlease type the user name:')
username = input()
assert username, 'Please type the user name.'
try:
cc.execute(select_username, (username,))
data_returned = cc.fetchone()
assert data_returned is not None, 'User not found.'
for _ in data_returned:
print(f'Please type the password for {username}:')
password = input()
assert password, 'Please type a password'
hashed_db_password = data_returned[1]
checkpwd = argon2.verify(password, hashed_db_password)
if checkpwd:
print(f'The user "{username}" has been authenticated.')
conn.close()
callexit()
else:
print(f'Invalid password for "{username}".')
conn.close()
callexit()
except conn.Error as error:
print(f'Error: {error}')
def test_01_write_update_delete_cache(self):
teststart = datetime.datetime.utcnow()
r = add_to_cache(self.username, self.realm, self.resolver,
self.password)
self.assertTrue(r > 0)
auth = AuthCache.query.filter(AuthCache.id == r).first()
self.assertEqual(auth.username, self.username)
self.assertTrue(argon2.verify(self.password, auth.authentication))
self.assertTrue(auth.first_auth > teststart)
self.assertEqual(auth.last_auth, auth.first_auth)
update_cache(r)
auth = AuthCache.query.filter(AuthCache.id == r).first()
self.assertTrue(auth.last_auth > teststart)
r_delete = delete_from_cache(self.username, self.realm, self.resolver,
self.password)
self.assertEqual(r, r_delete)
auth = AuthCache.query.filter(
AuthCache.username == self.username).first()
self.assertEqual(auth, None)
def altera_senha_de_usuario():
global senha
print('--- Alteração das credencias de usuário ---\n')
if checa_se_usuario_existe():
for alt in resultado['hits']['hits']:
alteracoes = alt['_source']['alteracoes_senha'] + 1
senha_antiga = alt['_source']['senha']
senha = getpass(f'Digite a nova senha para o usuário {usuario}: ')
if argon2.verify(senha, alt['_source']['senha']):
callexit('Mesma senha anterior. Digite uma nova senha')
else:
pass
if checa_qualidade_da_senha(senha) is True:
hashedpwd = argon2.using(salt_size=64).hash(senha)
data = datetime.now().strftime("%m/%d/%Y %H:%M:%S UTC−03:00")
credenciais = {'doc':
{'senha': hashedpwd,
'historico_de_senhas': {alteracoes: senha_antiga},
'datas_alteracao_senha': {alteracoes: data},
'alteracoes_senha': alteracoes}}
ESEARCH.update(index="userdb", id=usuario, body=credenciais)
print('Senha alterada com sucesso.')
else:
print(POLITICA_SENHA_VALIDA)
else:
callexit('Usuário inexistente.')
def login_process():
"""Process login."""
# Get form variables
email = request.form["email"]
passwd = request.form["password"]
if not email:
flash("Missing email. Please try again.")
return redirect("/login")
if not passwd:
flash("Missing password. Please try again.")
return redirect("/login")
user = User.query.filter_by(email=email).first()
if not user:
flash("No user found with that email. Please try again.")
return redirect("/login")
else:
# hashed = argon2.hash(passwd)
# del passwd
if (argon2.verify(passwd, user.password)):
session["user_id"] = user.user_id
# TODO: add username or email to flash message.
flash("Logged in successfully.")
return redirect("/profile/%s" % user.user_id)
else:
flash("Password does not match.")
return redirect("/login")
def login():
if session.get("user_id", False):
flash("You're already logged in!", "info")
return redirect(url_for("front.index"))
if request.method == "POST":
username = request.form["user"]
password = request.form["password"]
db_pass = db.query_db(
"SELECT id, password FROM users WHERE username = ?", (username, ),
True)
if db_pass is None:
flash("No such username: {}".format(username), "warn")
return redirect(url_for("front.login"))
if argon2.verify(password, db_pass["password"]):
session.clear()
session["user_id"] = db_pass["id"]
flash("You're logged in as {}.".format(username), "info")
return redirect(url_for("front.index"))
else:
flash("Incorrect password for {}.".format(username), "error")
return redirect(url_for("front.login"))
return render_template("front/login.html")
def login_(totp=False):
req_fields = ['nickname', 'password']
if totp:
req_fields.append('totp')
valid, data, msg = form_data(req_fields)
if valid:
# busca un usuario con ese id (nickname)
r = c.find_one({'_id': data['nickname']})
# Si lo encuentra continua con las comprobaciones
valid = False
if r:
# Verifica la contraseña pasada
if argon2.verify(data['password'], r['password']):
# Si ha entrado por /login y en la BD no tiene el campo totp (login normal)
try:
if not totp and not ('totp' in r.keys()):
valid = True
# Si ha entrado por /login_totp y en la BD existe el campo totp y este es válido (login con totp)
elif totp and ('totp' in r.keys()) and otp.valid_totp(token=data['totp'], secret=r['totp']):
valid = True
except KeyError:
pass
if valid:
msg = "Bienvenido " + r['name']
print(msg)
return msg
else:
msg = "Usuario o contraseña incorrectos"
print(msg)
return msg
else:
msg = "Datos inválidos: " + msg
print(msg)
return msg
def login () :
if session.get('user'):
user = session['user']
else :
user = False
email = str(request.form.get('email'))
password = str(request.form.get('password'))
db = get_db()
cur = db.cursor()
cur.execute('SELECT email, password, is_admin FROM user WHERE email = %(email)s', {'email' : email})
users = cur.fetchall()
valid_user = False
for user in users :
if argon2.verify(password, user[1]) :
valid_user = user
if valid_user :
session['user'] = valid_user
return redirect(url_for('admin'))
return render_template('login.html', user = user)
def login():
session.clear()
error = None
if request.method == "POST":
if not request.form.get("username"):
error = "Username Required"
return render_template("login.html", error=error)
elif not request.form.get("password"):
error = "Password Required"
return render_template("login.html", error=error)
userinfo = User.query.filter_by(
username=request.form.get("username")).first()
if userinfo == None or not argon2.verify(request.form.get("password"),
userinfo.hashword):
error = "Invalid username and/or password"
return render_template("login.html", error=error)
session["user_id"] = userinfo.id
return redirect(url_for("index"))
else:
return render_template("login.html")
def run(self):
while True:
passwordHash = None
try:
passwordHash = self.queue.get(block=True, timeout=1)
if (passwordHash.count(':') != 1):
print("[x]ERROR! Invalid hash format: " + passwordHash)
return
username = passwordHash.split(':')[0]
encryptedPassword = passwordHash.split(':')[1]
except:
return
try:
cracked = 0
for password in passwordList:
passwordCheck = argon2.verify(password, encryptedPassword)
if (passwordCheck == True):
print("[+] Successful Login! Username: "******" Password: "******"(" + passwordHash +
")")
cracked = 1
break
if (cracked == 0):
print("[!] Unable to crack: " + username + " Password: " +
encryptedPassword)
except:
raise
self.queue.task_done()
def login():
'''用户登录
POST /api/login
* 添加Token(建议)和session(不推荐,服务重启出现数据不一致)
* 获取当前用户ID:get_jwt_identity()
* 获取当前用户详情:get_jwt_claims()
* session方式获取用户信息(不推荐):session['user_id']
'''
if not request.is_json:
return jsonify({"msg": "Missing JSON in request"}), 400
schema = UserLoginSchema()
data, errors = schema.load(request.json)
if errors:
return jsonify({"msg": errors}), 400
account = user.findOneByName(data['username'])
if not account:
return jsonify({"msg": {'username': '******'}}), 400
elif argon2.verify(data['password'], account.password):
access_token = create_access_token(identity={
'id': account.id,
'username': account.username,
'email': account.email
},
fresh=True)
resp = jsonify({'access_token': access_token})
set_access_cookies(resp, access_token)
session['user_id'] = account.id
# print(session['user_id'])
return resp
else:
return jsonify({"msg": "用户名或密码错误"}), 403
def login():
if not ('logged_in' in session):
if request.method == 'GET':
return render_template('login.html')
else:
phone = request.form['phone']
password = request.form['password']
conn = sqlconnection()
cursor = conn.execute(
"SELECT PHONENUMBER ,PASSWORD FROM USERS WHERE PHONENUMBER=? ",
(phone, )).fetchone()
conn.close()
if cursor is None:
flash('Invalid Credentials', 'error')
return redirect(url_for('login'))
else:
if argon2.verify(password, cursor[1]):
if phone == "8197056461":
session['admin'] = "admin"
session['phone'] = phone
flash('Welcome Admin')
else:
flash('Logged in successfully')
session['logged_in'] = True
session['phone'] = phone
return redirect(url_for('teamInfo'))
else:
flash('Invalid Credentials', 'error')
return redirect(url_for('login'))
else:
return "already logged in"
def login():
if request.method == 'GET':
if not 'user_id' in session:
return render_template('login.html')
else:
return redirect(url_for('index'))
elif request.method == 'POST':
db = mysqlDB()
username = request.form['username'].strip()
password = request.form['password'].strip()
remember = request.form['remember']
parameters = [username, 0, '']
result = db.callproc('getUser', parameters)
user_id = result[1]
password_db = result[2]
if user_id != None:
if argon2.verify(password, password_db):
if remember == 'on':
session.permanent = True
app.logger.info('session permanent')
else:
session.permanent = False
session['user_id'] = user_id
return redirect(url_for('index'))
else:
return render_template('login.html')
return redirect(url_for('signup'))
def auth_user(self, user: str, password: str) -> Union[UserAccessMeta, None]:
try:
auth = self._auth_collection.find_one({"user": user})
return self._from_db(auth) if argon2.verify(password, auth.get("password", None)) else None
except:
logging.error("Auth Error: %s", sys.exc_info()[1])
return None
def authenticate(username, password):
user = Users.query.filter_by(username=username).first()
if user is None:
return False
username = user.username
password_hash = user.password_hash
return argon2.verify(password, password_hash)
def valid_password(self, passphrase: 'Optional[str]') -> bool:
if not passphrase:
return False
# Avoid hashing passwords that are over the maximum length
if len(passphrase) > self.MAX_PASSWORD_LEN:
raise InvalidPasswordLength(passphrase)
# No check on minimum password length here because some passwords
# may have been set prior to setting the mininum password length.
if self.passphrase_hash:
# default case
is_valid = argon2.verify(passphrase, self.passphrase_hash)
else:
# legacy support
is_valid = pyotp.utils.compare_digest(
self._scrypt_hash(passphrase, self.pw_salt), self.pw_hash)
# migrate new passwords
if is_valid and not self.passphrase_hash:
self.passphrase_hash = \
argon2.using(**ARGON2_PARAMS).hash(passphrase)
# passlib creates one merged field that embeds randomly generated
# salt in the output like $alg$salt$hash
self.pw_salt = None
self.pw_hash = None
db.session.add(self)
db.session.commit()
return is_valid
def is_password_matched(self, raw_password: str) -> bool:
if self.password is None or len(self.password) == 0:
return False
try:
return argon2.verify(raw_password, self.password)
except exc.MalformedHashError:
return False
def login_user(self, body):
'''
User login to retrieve jwt tokens
:param body:
:return:
'''
email, password = body['email'], body['password']
try:
user = Users.objects.get(email=email) # "meta.is_deleted"
if argon2.verify(password, user['password']):
if user['is_active'] is True:
user_id = str(user['_id'])
access_token = create_access_token(identity=user_id)
refresh_token = create_refresh_token(identity=user_id)
access_jti = get_jti(encoded_token=access_token)
refresh_jti = get_jti(encoded_token=refresh_token)
redis_db.set(access_jti, 'false',
app.config['JWT_ACCESS_TOKEN_EXPIRES'])
redis_db.set(refresh_jti, 'false',
app.config['JWT_REFRESH_TOKEN_EXPIRES'])
return {
"status": 202,
"access_token": access_token,
"refresh_token": refresh_token
}, 202
else:
message = "You are missing one step on your activation process, Please check your email for instruction to activate your user"
error_handler(code=401, message=message, ui_status=True)
else:
message = "Your Credentials don't match with our registries"
error_handler(code=401, message=message, ui_status=True)
except DoesNotExist as e:
message = "Your Credentials don't match with our registries"
error_handler(code=401, message=message, ui_status=True)
def login():
if request.method == "GET":
if 'username' in session:
return redirect(url_for("index"))
else:
return render_template("login.html")
if request.method == "POST":
name = request.form['name']
passwd = request.form['pwd']
conn = getconn(dbname[0])
cur = conn.cursor()
cur.execute("""select * from users where emorph='%s'""" % (name))
row = cur.fetchone()
if row == None:
return render_template("login.html",
name=name,
error="Email or Phone does not exist")
if row[2] == name:
if argon2.verify(passwd, row[3]):
session['username'] = row[0]
return redirect(url_for("index"))
else:
return render_template("login.html",
name=name,
error="Incorrect password")
else:
return render_template("login.html",
name=name,
error="Email or Phone does not exist")
conn.close()
def login_process():
"""Process login."""
#Get form variables
email = request.form["email"]
attempt_password = request.form["password"]
user = User.query.filter_by(email=email).first()
if not user:
flash("No such user.")
return redirect("/login")
#Verify if the password matches the hashed password in the db
hashed_password = user.password
if not argon2.verify(attempt_password, hashed_password):
flash("Incorrect password.")
return redirect("/login")
session["user_id"] = user.user_id
session["user_name"] = user.name
flash("Welcome Back!")
return redirect("/dashboard/{}".format(user.user_id))
def check_hashed_password(incoming_password, hashed_password):
"""Checks if password matches encrypted hash"""
if argon2.verify(incoming_password, hashed_password):
return True
else:
return False
def is_password_valid(self, password):
"""
Checks if the password is correct.
:param password: User profile password
:return: (bool) True if valid
:since: v0.2.00
"""
_return = False
with self:
if (self.local.db_instance.type != AbstractProfile.TYPE_EXTERNAL_VERIFIED_MEMBER):
password_type = self.local.db_instance.password_type
if (password_type == PasswordGeneratorsMixin.PASSWORD_TYPE_MCF
and PasswordGeneratorsMixin.PASSWORD_TYPE_MCF in self.password_generators_available
): _return = argon2.verify(password, self.local.db_instance.password)
if (password_type == PasswordGeneratorsMixin.PASSWORD_TYPE_BLAKE2B
and PasswordGeneratorsMixin.PASSWORD_TYPE_BLAKE2B in self.password_generators_available
):
hashed_password = self._get_blake2b_password(password, self.local.db_instance.name)
_return = (hashed_password == self.local.db_instance.password)
#
if (password_type == PasswordGeneratorsMixin.PASSWORD_TYPE_BLAKE2S
and PasswordGeneratorsMixin.PASSWORD_TYPE_BLAKE2S in self.password_generators_available
):
hashed_password = self._get_blake2s_password(password, self.local.db_instance.name)
_return = (hashed_password == self.local.db_instance.password)
#
if (password_type == PasswordGeneratorsMixin.PASSWORD_TYPE_TMD5
and PasswordGeneratorsMixin.PASSWORD_TYPE_TMD5 in self.password_generators_available
):
hashed_password = self._get_tmd5_password(password, self.local.db_instance.name)
_return = (hashed_password == self.local.db_instance.password)
#
#
#
return _return
def pass_matches(self, postPass):
return argon2.verify(postPass, self.password)
