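def search():
    """Handle the site-wide search form and redirect to the results page.

    Only a valid form post produces the redirect. Every other path now ends
    in an explicit 404 (the original returned None, which Flask turns into
    a 500), matching how the other handlers in this file answer bad input.
    """
    searchForm = SearchForm()
    if searchForm.validate_on_submit():
        # Reject input holding any project-blacklisted character before the
        # value is used anywhere.
        if utils.banned_characters(searchForm.search.data):
            log.logger.critical('Malicious character detected in search')
            abort(404)
        # Expect a plain form post. This compares the full header value, so a
        # Content-Type carrying a charset parameter is rejected as well.
        if request.content_type != r'application/x-www-form-urlencoded':
            # Was a stray debug print('dd'); record it like the other routes.
            log.logger.error('Incorrect request content format at /search route')
            abort(404)
        query = searchForm.search.data
        resp = make_response(
            redirect(url_for('search_result', query=escape(query))))
        return resp
    abort(404)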
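def reset_password_link(token):
    """Consume an e-mailed reset token and, on a valid form post, set a new password.

    Args:
        token: signed reset token from the link; utils.confirmation_token
            turns it back into an e-mail address, or a falsy value when the
            token is invalid or expired.

    Returns:
        A redirect to the login page, or the rendered reset form.
    """
    searchForm = SearchForm()
    email = utils.confirmation_token(token)
    if not email:
        message = 'Link is expired please request again'
        return redirect(url_for('login', errors=message))
    form = PasswordResetForm()
    if form.validate_on_submit():
        try:
            user = Models.Customer.query.filter_by(email=email).first()
        except Exception:
            # Database failure: keep the traceback instead of hiding it.
            log.logger.exception('Customer lookup failed during password reset')
            flash('Invalid email')
            return redirect(url_for('login'))
        if user is None:
            # Valid token but the account is gone; the original code raised
            # AttributeError (a 500) on the next line.
            flash('Invalid email')
            return redirect(url_for('login'))
        salt = user.generate_salt()
        user.password_salt = salt
        user.password_hash = user.generate_hash(form.password.data, salt)
        Models.database.session.commit()
        log.logger.info('{0} has succesfully reset his password'.format(
            user.username))
        # NOTE(review): the token is not invalidated here, so it stays usable
        # until it expires, and the new password skips the username/common-
        # password checks that the change-password handler applies.
        return redirect(url_for('login'))
    return render_template('reset_password.html', form=form, token=token,
                           searchForm=searchForm)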
def catalog():
    """Render the shop page listing every product in the database."""
    search_form = SearchForm()
    all_products = Models.database.session.query(Models.Product).all()
    page_context = {
        'products': all_products,
        'itemCount': len(all_products),
        'searchForm': search_form,
    }
    return render_template('shop.html', **page_context)
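def support():
    """Serve the support/contact form and forward its contents by e-mail.

    In production (IS_PROD set) the message goes out through Mailgun,
    otherwise through Flask-Mail. On success the client is redirected back
    to the form (post/redirect/get); on failure the form is re-rendered.
    """
    searchForm = SearchForm()
    form = SupportForm()
    if form.validate_on_submit():
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect request content format at /support route')
            abort(404)
        # The message body gets a narrower blacklist than the other fields.
        if (utils.banned_characters(form.subject.data)
                or utils.banned_characters(form.message.data, matches='[/\\<>%=]')
                or utils.banned_characters(form.name.data)
                or utils.banned_characters(form.email.data)):
            log.logger.critical('Malicious character detected in support route')
            abort(404)
        try:
            if os.environ.get('IS_PROD', None):
                utils.mailgun_send_messageV2('*****@*****.**', form.subject.data,
                                             form.message.data, form.email.data)
            else:
                # NOTE(review): sender and reply_to come straight from the
                # form, so the mail can be made to appear from any address.
                mail = Mail(current_app)
                msg = Message(
                    subject=form.subject.data,
                    recipients=['*****@*****.**'],
                    body=form.message.data,
                    sender=form.name.data,
                    reply_to=form.email.data
                )
                mail.send(msg)
            flash('Email has sent to u')
            resp = make_response(redirect(request.url))
            # Only follow the redirect when it points back at this page.
            if resp.headers['Location'] == '/support':
                return resp
        except Exception:
            # Was print(message): keep the traceback in the application log.
            log.logger.exception('Sending the support e-mail failed')
    return render_template('support.html', searchForm=searchForm, form=form)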
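def transfer(username):
    """Render the transfer form for the logged-in user's own account.

    Args:
        username: account name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    # Test authentication first: an anonymous user object has no `username`
    # attribute, so the bare comparison raised AttributeError (a 500).
    if current_user.is_authenticated and current_user.username == username:
        transfer = TransferForm()
        return render_template('Transfer.html', searchForm=searchForm, form=transfer)
    # %r keeps a path-supplied value on one log line (newlines stay escaped).
    log.logger.warning('Unauthorised access attempt to transfer page for %r', username)
    abort(404)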
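def deposit(username):
    """Render the deposit form for the logged-in user's own account.

    Args:
        username: account name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    # Check authentication before touching current_user.username (anonymous
    # users have no such attribute), and answer 404 like the sibling views
    # instead of returning None (which was a 500).
    if current_user.is_authenticated and username == current_user.username:
        deposit = DepositForm()
        return render_template('Deposit.html', searchForm=searchForm, form=deposit), 200
    log.logger.warning('Unauthorised access attempt to deposit page for %r', username)
    abort(404)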
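def account(username):
    """Render the account page for its authenticated owner.

    Args:
        username: account name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    # The original printed current_user.account.accountid before the
    # authentication check: it crashed for anonymous users and wrote an
    # account identifier to stdout.
    if current_user.is_authenticated and current_user.username == username:
        return render_template('account.html', searchForm=searchForm)
    log.logger.warning('Unauthorised access attempt to account page for %r', username)
    abort(404)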
def current_password():
    """Show the change-password page; anonymous visitors get a 404."""
    search_form = SearchForm()
    if not current_user.is_authenticated:
        abort(404)
    change_form = ChangePasswordForm()
    return render_template('current_password.html', form=change_form,
                           searchForm=search_form)
def reset_link():
    """Render the password-reset request page for anonymous visitors only."""
    if current_user.is_authenticated:
        abort(404)
    page_context = dict(
        searchForm=SearchForm(),
        errors='',
        form=EmailForm(),
    )
    return render_template('reset.html', **page_context)
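def accountUpdate(username):
    """Persist the account form (payment method, card number, address).

    The card number is encrypted under a per-user vault key, which is
    created on first use. Both vault clients are closed even if the update
    raises (the original leaked them on any exception).

    Args:
        username: account to update; must be the authenticated user.
    """
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    form = AccountForm()
    searchForm = SearchForm()
    if not form.validate_on_submit():
        # Validation failures are not exceptions; logger.exception() outside
        # an except block only produced a bogus "NoneType: None" traceback.
        log.logger.warning('Account update form errors: %r', form.errors)
        return render_template('accountUpdate.html', form=form,
                               searchForm=searchForm)
    key_vault = vault.Vault()
    try:
        try:
            key_vault.key_client.get_key(username)
        except Exception:
            # NOTE(review): any failure here, including a transient vault
            # error, is treated as "no key yet" and creates a new one.
            key_vault.set_key(username, 4096, key_vault.key_ops)
        user = Models.Customer.query.filter_by(username=username).first()
        user.account.payment_method = form.payment_method.data
        user.account.credit_card = key_vault.encrypt(
            username, form.credit_card.data)
        user.account.address = form.address.data
        Models.database.session.commit()
    finally:
        key_vault.key_client.close()
        key_vault.secret_client.close()
    log.logger.info('{0} successfuly updated his/her account'.format(
        user.username))
    return redirect(url_for('account', username=username))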
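def reset_password_link(token):
    """Consume an e-mailed reset token and set a new password for its account.

    Anonymous users only. The token is decoded by utils.confirmation_token,
    which yields the e-mail address or a falsy value when expired/invalid.

    Args:
        token: signed reset token from the e-mailed link.
    """
    if current_user.is_authenticated:
        abort(404)
    searchForm = SearchForm()
    email = utils.confirmation_token(token)
    # The original printed the decoded address to stdout; dropped.
    if not email:
        flash('This link has expired!')
        resp = make_response(redirect(url_for('login')))
        if resp.headers['Location'] == '/login':
            return resp
        abort(404)
    form = PasswordResetForm()
    if form.validate_on_submit():
        if request.content_type != 'application/x-www-form-urlencoded':
            log.logger.error('Incorrect content format found!')
            abort(404)
        try:
            user = Models.Customer.query.filter_by(email=email).first()
        except Exception:
            log.logger.exception('Customer lookup failed during password reset')
            flash('Invalid email')
            return redirect(url_for('login'))
        if user is None:
            # Valid token, account gone: previously an AttributeError (500).
            flash('Invalid email')
            return redirect(url_for('login'))
        salt = user.generate_salt()
        user.password_salt = salt
        user.password_hash = user.generate_hash(form.password.data, salt)
        Models.database.session.commit()
        log.logger.info('{0} has succesfully reset his password'.format(user.username))
        # NOTE(review): the token is not invalidated after use.
        resp = make_response(redirect(url_for('login')))
        if resp.headers['Location'] == '/login':
            return resp
        abort(404)
    return render_template('reset_password.html', form=form, token=token, searchForm=searchForm)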
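def reset_link():
    """Serve the "forgot password" form and e-mail a reset link.

    The visible response is the same whether or not the address is
    registered, so the form can no longer be used to enumerate accounts
    (the original answered "This email is not registered with us!").
    """
    searchForm = SearchForm()
    error = ''
    form = EmailForm()
    if form.validate_on_submit():
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect content format sent detected in /reset route')
            abort(404)
        # The ORM parameterises this lookup; the escape() is not a SQL defence
        # and is kept only because the stored addresses may have been escaped.
        customer = Models.Customer.query.filter_by(email=str(escape(form.email.data))).first()
        if customer:
            token = utils.generate_token(form.email.data)
            password_reset_url = url_for('users.reset_password_link', token=token, _external=True)
            html = render_template('reset_email.html', password_reset_url=password_reset_url)
            if os.environ.get('IS_PROD', None):
                utils.mailgun_send_message(form.email.data, 'Password Recovery', html)
            else:
                utils.send_email(form.email.data, 'Password Recovery', html)
        else:
            # Record it for detection, but tell the requester nothing.
            log.logger.warning('Password reset requested for an unregistered address')
        flash('WE have emailed you the password link to reset!')
        resp = make_response(redirect(url_for('reset_link')))
        if resp.headers['Location'] == '/reset':
            return resp
        abort(404)
    return render_template('reset.html', form=form, errors=error, searchForm=searchForm)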
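def search_result():
    """Render the products whose name, description or model contains `query`.

    Reads the `query` GET parameter. A missing parameter used to become the
    literal text "None" in the LIKE pattern; it now searches for "" (every
    product). Returns 200 instead of the original 201, which denotes creation.
    """
    searchForm = SearchForm()
    query = request.args.get('query', '')
    # NOTE(review): '%' and '_' in the query act as LIKE wildcards. The ORM
    # binds the value as a parameter, so this is not an injection vector.
    pattern = "%{}%".format(query)
    result = Models.database.session.query(Models.Product).filter(
        or_(Models.Product.Name.ilike(pattern),
            Models.Product.Description.ilike(pattern),
            Models.Product.model.ilike(pattern))).all()
    # The original also printed every matching row to stdout.
    return render_template('search.html', product=result, itemCount=len(result),
                           query=query, searchForm=searchForm), 200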
def account_update_page(username):
    """Show the account-update form to the authenticated owner of `username`."""
    search_form = SearchForm()
    is_owner = current_user.is_authenticated and current_user.username == username
    if not is_owner:
        log.logger.warning('An attempt to access to this page without authenticcation was deny')
        abort(404)
    return render_template('accountUpdate.html', form=AccountForm(), searchForm=search_form)
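def profile(username):
    """Render the profile page for its authenticated owner.

    Args:
        username: profile name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    # Dropped: print(current_user.is_active) wrote session state to stdout.
    if current_user.is_authenticated and current_user.username == username:
        return render_template('profile.html', active='profile', searchForm=searchForm)
    # The warning was placed after abort() and therefore never ran.
    log.logger.warning('An attempt to access to this page without authenticcation was deny')
    abort(404)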
def reset_link():
    """Render the password-reset request page with an empty error slot."""
    page_context = dict(
        searchForm=SearchForm(),
        errors='',
        form=EmailForm(),
    )
    return render_template('reset.html', **page_context)
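def profile(username):
    """Render the profile page for its authenticated owner.

    Args:
        username: profile name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    # Dropped: print(current_user.is_active) wrote session state to stdout.
    if current_user.is_authenticated and current_user.username == username:
        return render_template('profile.html', active='profile', searchForm=searchForm)
    abort(404)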
def account_update_page(username):
    """Show the account-update form to the authenticated owner of `username`."""
    search_form = SearchForm()
    is_owner = current_user.is_authenticated and current_user.username == username
    if not is_owner:
        abort(404)
    return render_template('accountUpdate.html', form=AccountForm(), searchForm=search_form)
def unconfirmed():
    """Render the "confirm your e-mail" page for a logged-in, unverified user."""
    # `and` short-circuits, so `verified` is only read for authenticated users.
    allowed = current_user.is_authenticated and current_user.verified == 0
    if not allowed:
        abort(404)
    return render_template('unconfirm.html', searchForm=SearchForm())
def verify_token():
    """Render the 2FA token page for a session that passed the first login factor.

    The response carries no-store cache headers so the page is not cached.
    """
    search_form = SearchForm()
    if not session.get('username'):
        abort(404)
    no_store_headers = {
        'Cache-Control': 'no-cache, no-store, must-revalidate',
        'Pragma': 'no-cache',
        'Expires': '0',
    }
    body = render_template('VerifyToken.html', searchForm=search_form, form=Confirm2faForm())
    return body, 200, no_store_headers
def login():
    """Show the login form, or send an already-authenticated user to the home page."""
    search_form = SearchForm()
    if current_user.is_authenticated:
        return redirect(url_for('home_page'))
    return render_template('login.html', form=LoginForm(), errors='',
                           searchForm=search_form)
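def current():
    """Handle the change-password form post for the logged-in user.

    Flow: verify the current password, apply the password policy to the new
    one (must not contain the username, a common password, "password" or
    "admin"), store a fresh salt and hash, then log the user out so they
    re-authenticate. Every path now ends in a response; the original fell
    off the end (HTTP 500) when validation failed or a redirect guard did
    not match.
    """
    import re  # local: the module's import block is not visible here

    searchForm = SearchForm()
    if not current_user.is_authenticated:
        abort(404)
    form = ChangePasswordForm()
    if form.validate_on_submit():
        if request.content_type != r'application/x-www-form-urlencoded':
            log.logger.error('Incorrect request content format at /current route')
            abort(404)
        # NOTE(review): the current password is only hashed, never rendered
        # or queried, so this blacklist locks out users whose existing
        # password happens to contain a blacklisted character.
        if utils.banned_characters(form.currentPassword.data):
            log.logger.critical('Malicious character detected in /current route. An attempt to inject is possible')
            abort(404)
        user = Models.Customer.query.filter_by(username=current_user.username).first()
        saved_hash = user.password_hash
        password_hashed = utils.generate_hash(form.currentPassword.data, user.password_salt)
        # NOTE(review): switch to hmac.compare_digest once both values are
        # known to be the same type (str or bytes).
        if saved_hash != password_hashed:
            flash('Invalid current password')
            resp = make_response(redirect(url_for('current_password')))
            if resp.headers['Location'] == '/current':
                return resp
            abort(404)
        new_password = form.confirm.data
        # The username is interpolated into a regex: re.escape keeps any
        # metacharacter in it from altering or breaking the pattern.
        username_pattern = '({0})'.format(re.escape(str(escape(current_user.username.upper()))))
        if utils.banned_characters(new_password.upper(), matches=username_pattern):
            flash('Password should not contain anything related to your username. Please try again!')
            resp = make_response(redirect(url_for('current_password')))
            if resp.headers['Location'] == '/current':
                return resp
            abort(404)
        # The original tested '(PASSWORD)' twice; one test is enough.
        if (utils.read_common_password(new_password)
                or utils.banned_characters(new_password.upper(), matches='(PASSWORD)')
                or utils.banned_characters(new_password.upper(), matches='(ADMIN)')):
            flash('This password is either too common and subsceptiple to hackers or password contain words like \"username\" or \"password\" or \"admin\"')
            resp = make_response(redirect(url_for('current_password')))
            # NOTE(review): this guard expects '/current_password' while the
            # others expect '/current'; at most one literal can be right.
            if resp.headers['Location'] == '/current_password':
                return resp
            abort(404)
        try:
            new_salt = utils.generate_salt()
            user.password_salt = new_salt
            user.password_hash = utils.generate_hash(new_password, new_salt)
            Models.database.session.commit()
        except Exception:
            Models.database.session.rollback()
            log.logger.exception('Password change failed for %r', current_user.username)
            abort(500)
        logout_user()
        session.destroy()
        flash('Password has changed,please try to login with new credential')
        resp = make_response(redirect(url_for('login')))
        if resp.headers['Location'] == '/login':
            return resp
        abort(404)
    abort(404)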
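def login():
    """Authenticate a user from the login form.

    Verified users are sent to the home page; unverified ones are logged in
    but sent to the "unconfirmed" page. Every failure shows the same generic
    message so the form does not reveal whether a username exists.
    """
    searchForm = SearchForm()
    if current_user.is_authenticated:
        abort(404)
    errors = ''
    form = LoginForm()
    if form.validate_on_submit():
        if utils.banned_characters(form.username.data) or utils.banned_characters(form.password.data):
            log.logger.critical('Malicious characters such as \'\"<>#/ detected')
            # The original assigned an error message here that the redirect
            # immediately discarded; the fresh form is shown instead.
            return redirect(url_for('login'))
        user = Models.Customer.query.filter_by(username=str(escape(form.username.data))).first()
        if user is not None:
            # NOTE(review): the password is HTML-escaped before hashing; this
            # must mirror registration exactly or a '&' in a password breaks login.
            password_hash = utils.generate_hash(str(escape(form.password.data)), user.password_salt)
            # NOTE(review): consider hmac.compare_digest once both hashes are
            # guaranteed to be the same type.
            if password_hash == user.password_hash:
                u = Models.Customer.query.get(user.userid)
                login_user(u)
                if user.verified == 1:
                    log.logger.info('{0} successfully logs into his account'.format(u.username))
                    return redirect(url_for('home_page'))
                log.logger.warning('{0} successfully logs into his account without activating it'.format(u.username))
                return redirect(url_for('users.unconfirmed'))
        # Unknown user and wrong password get the same message; %r keeps the
        # attacker-supplied name on a single log line.
        log.logger.warning('Failed login attempt for %r', form.username.data)
        errors = 'Invalid username or password'
    else:
        # False on a plain GET as well; form.errors is then empty.
        log.logger.debug('Login form errors: %r', form.errors)
    return render_template('login.html', form=form, errors=errors, searchForm=searchForm)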
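def home_page():
    """Render the landing page, but only for requests from the local host.

    Any other client now gets a 404; the original returned None, which
    Flask reports as a 500.
    """
    searchForm = SearchForm()
    # remote_addr is the peer address seen by the WSGI server. It does not
    # consult X-Forwarded-For, so behind a proxy it is the proxy's address.
    if request.remote_addr in ['127.0.0.1']:
        return render_template('index.html', searchForm=searchForm)
    abort(404)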
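def support():
    """Send the support form by e-mail via Flask-Mail, then redirect back to it."""
    searchForm = SearchForm()
    form = SupportForm()
    if form.validate_on_submit():
        mail = Mail(current_app)
        # NOTE(review): sender and reply_to are user-supplied, so the mail
        # can be made to appear to originate from any address.
        msg = Message(subject=form.subject.data,
                      recipients=['*****@*****.**'],
                      body=form.message.data,
                      sender=form.name.data,
                      reply_to=form.email.data)
        mail.send(msg)
        flash('Email has sent to u')
        # The redirect was built but never returned, so the form re-rendered
        # and a browser refresh would resubmit it. NOTE(review): request.url
        # is built from the Host header; keep trusted hosts configured.
        return redirect(request.url)
    return render_template('support.html', searchForm=searchForm, form=form)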
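def login():
    """Show the login page, moving users already past a login stage onward.

    Fully authenticated users go home; a session that has passed the first
    factor (`username` set) goes to the 2FA page. A redirect whose Location
    does not match the expected path falls through to the login form.
    """
    # Dropped: print(session) dumped the whole session (possibly secrets)
    # to stdout on every request.
    searchForm = SearchForm()
    errors = ''
    if current_user.is_authenticated:
        resp = make_response(redirect(url_for('home_page')))
        if resp.headers['Location'] == '/':
            return resp
    elif session.get('username'):
        resp = make_response(redirect(url_for('verify_token')))
        if resp.headers['Location'] == '/VerifyToken':
            return resp
    form = LoginForm()
    if_prod = os.environ.get('IS_PROD')
    return render_template('login.html', form=form, errors=errors,
                           searchForm=searchForm, if_prod=if_prod)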
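def account(username):
    """Render the account page, including the stored card number, for its owner.

    Args:
        username: account name from the URL; must be the session user's.
    """
    searchForm = SearchForm()
    if not (current_user.is_authenticated and current_user.username == username):
        log.logger.warning('An attempt to access to this page without authenticcation was deny')
        abort(404)
    # Dropped: print(current_user.account.credit_card) wrote the card
    # number to stdout (and hence to whatever collects the process logs).
    credit_card = current_user.account.credit_card
    if credit_card is not None:
        key_vault = vault.Vault()
        try:
            # NOTE(review): the vault decrypt call is commented out upstream,
            # so the card is stored and displayed as plain UTF-8 bytes.
            credit_card = credit_card.decode('utf-8')
        finally:
            key_vault.close_all_connections()
    return render_template('account.html', searchForm=searchForm, credit_card=credit_card)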
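def home_page():
    """Render the landing page and stamp the session with its creation time.

    The template receives the client address taken from X-Forwarded-For
    (falling back to the socket peer address).
    """
    # Dropped the debug prints: they dumped the session and the
    # authentication state to stdout on every request.
    if 'created' not in session:
        session['created'] = datetime.datetime.now()
    searchForm = SearchForm()
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy rewrites it; do not use this value for any access decision.
    client_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
    response = make_response(render_template('index.html', searchForm=searchForm, ip=client_ip))
    return response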
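def reset_link():
    """Serve the "forgot password" form and e-mail a reset link.

    The visible response is the same whether or not the address is
    registered, so the form can no longer be used to enumerate accounts
    (the original answered "This email is not registered with us!").
    """
    searchForm = SearchForm()
    error = ''
    form = EmailForm()
    if form.validate_on_submit():
        # The ORM parameterises this lookup; the escape() is not a SQL defence
        # and is kept only because the stored addresses may have been escaped.
        customer = Models.Customer.query.filter_by(
            email=str(escape(form.email.data))).first()
        if customer:
            token = utils.generate_token(form.email.data)
            password_reset_url = url_for('users.reset_password_link',
                                         token=token, _external=True)
            html = render_template('reset_email.html',
                                   password_reset_url=password_reset_url)
            utils.send_email(form.email.data, 'Password Recovery', html)
        else:
            log.logger.warning('Password reset requested for an unregistered address')
        errors = 'We have emailed youthe password link to reset!'
        return redirect(url_for('reset_link', errors=errors))
    return render_template('reset.html', form=form, errors=error,
                           searchForm=searchForm)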
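def accountUpdate(username):
    """Persist the account form (payment method, card number, address).

    Every path now ends in a response: the original returned None (a 500)
    when the redirect guard did not match, and leaked both vault clients if
    the update raised.

    Args:
        username: account to update; must be the authenticated user.
    """
    if not (current_user.is_authenticated and current_user.username == username):
        abort(404)
    form = AccountForm()
    searchForm = SearchForm()
    if not form.validate_on_submit():
        # Validation failures are not exceptions; logger.exception() outside
        # an except block only produced a bogus "NoneType: None" traceback.
        log.logger.warning('Account update form errors: %r', form.errors)
        return render_template('accountUpdate.html', form=form, searchForm=searchForm)
    if utils.banned_characters(form.credit_card.data):
        log.logger.critical('Malicious Character detected in /profile/{0}/account/update'.format(username))
        logout_user()
        abort(404)
    if request.content_type != 'application/x-www-form-urlencoded':
        log.logger.error('Incorrect content type format found in /profile/{0}/account/update'.format(username))
        abort(404)
    key_vault = vault.Vault()
    try:
        user = Models.Customer.query.filter_by(username=username).first()
        user.account.payment_method = form.payment_method.data
        # NOTE(review): the vault encrypt call is commented out upstream, so
        # the card number is persisted as plain UTF-8 bytes.
        user.account.credit_card = bytes(form.credit_card.data, 'utf-8')
        user.account.address = form.address.data
        log.logger.info(f'{user.username} has changed his account information.')
        Models.database.session.commit()
    finally:
        key_vault.key_client.close()
        key_vault.secret_client.close()
    log.logger.info('{0} successfuly updated his/her account'.format(user.username))
    resp = make_response(redirect(url_for('account', username=username)))
    if resp.headers['Location'] == '/profile/' + current_user.username + '/account':
        return resp
    abort(404)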