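def authenticate():
    """Authenticate a user from a JSON body ``{"username": ..., "password": ...}``.

    On success the response carries ``{"status": "success"}`` (HTTP 200) and a
    ``token`` cookie produced by ``Token.encode`` (per the original comment,
    an encrypted cookie keyed by the server secret). Every failure is a
    ``{"status": "failure", "reason": ...}`` body: 400 when the payload is not
    a decodable JSON object, 403 when a credential is malformed or the
    username/password pair is unknown.

    Reads ``request.stream``, ``g.cur`` and ``config``; never raises for
    malformed client input (bad JSON, non-object JSON, non-string fields).
    """
    try:
        data = json.loads(request.stream.read())
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return Utils.make_response(
            {"status": "failure", "reason": "Unable to decode the JSON payload"}, 400)
    # A valid JSON document need not be an object; calling .get on a list or
    # string would raise and surface as a 500 instead of a client error.
    if not isinstance(data, dict):
        return Utils.make_response(
            {"status": "failure", "reason": "Unable to decode the JSON payload"}, 400)

    username = data.get("username") or ""
    password = data.get("password") or ""

    # fullmatch instead of "^...$": "$" also matches before a trailing newline,
    # which would let "alice\n" through to the database lookup. Non-string
    # values (numbers, lists) are rejected instead of making re raise.
    if not isinstance(username, str) or not re.fullmatch(r"[a-z0-9]{5,100}", username):
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid username"}, 403)
    # Policy: 10-100 ASCII alphanumerics containing at least one upper-case
    # letter, one lower-case letter and one digit.
    if (not isinstance(password, str)
            or not re.match(r"^(?=.*[A-Z]+)(?=.*[a-z]+)(?=.*[0-9]+)", password)
            or not re.fullmatch(r"[a-zA-Z0-9]{10,100}", password)):
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid password"}, 403)

    # NOTE(review): the stored hash is SHA2-256 over password + one static
    # salt shared by every account: a fast, unsalted-per-user scheme that is
    # cheap to brute-force offline. Moving to bcrypt/scrypt/argon2 requires a
    # schema change and is out of scope for this handler. Parameters are bound
    # by the driver, so no string-built SQL here.
    query = ("SELECT u.id AS user_id FROM users u "
             "WHERE u.username = %s AND u.password = SHA2((%s), 256);")
    g.cur.execute(query, [username, password + config["PASSWORD_SALT"]])
    row = g.cur.fetchone()
    if not row:
        # Deliberately the same reason for unknown user and wrong password.
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid username or password"}, 403)

    user_id = row["user_id"]
    max_age = config["MAX_SESSION_DURATION_IN_SECONDS"]
    expire_date = datetime.datetime.utcnow() + datetime.timedelta(seconds=max_age)
    # Fresh random component per login so two sessions never share a token.
    random_token = Utils.token_hex()

    response = Utils.make_response({"status": "success"}, 200)
    response.set_cookie(
        "token",
        Token.encode(user_id, random_token, config["SERVER_NONCE"], max_age),
        # The session cookie must not travel over plain HTTP. The original
        # hard-coded secure=False; deployments that really are HTTP-only must
        # now opt out explicitly with COOKIE_SECURE=False in config.
        secure=bool(config.get("COOKIE_SECURE", True)),
        httponly=True,
        expires=expire_date,
        samesite="Strict")
    return response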
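def change_password():
    """Change the password of the account that owns the ``token`` cookie.

    Expects a JSON body with ``username``, ``old_password`` and
    ``new_password``. The old password is verified against the account the
    token belongs to (``Token.get_user_id``) - never against an arbitrary
    username - so an authenticated user cannot use this endpoint as a
    password oracle for other accounts. On success the stored hash is
    replaced, the transaction is committed, a fresh ``token`` cookie is issued
    and ``{"status": "success"}`` (HTTP 200) is returned.

    Failures return ``{"status": "failure", "reason": ...}``: 403 when the
    cookie is missing/invalid, a field is malformed, or the old password does
    not match; 400 when the payload is not a decodable JSON object.
    """
    cookie = request.cookies.get("token", None)
    token = Utils.get_token(cookie)
    if not token:
        return Utils.make_response(
            {'status': 'failure', 'reason': 'unauthorized'}, 403)
    # Resolve the caller's identity first; every later check is scoped to it.
    user_id = Token.get_user_id(token)

    try:
        data = json.loads(request.stream.read())
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return Utils.make_response(
            {"status": "failure", "reason": "Unable to decode the JSON payload"}, 400)
    # A valid JSON document need not be an object; .get on a list or string
    # would raise and surface as a 500 instead of a client error.
    if not isinstance(data, dict):
        return Utils.make_response(
            {"status": "failure", "reason": "Unable to decode the JSON payload"}, 400)

    def _password_ok(candidate):
        """Same policy as login: 10-100 ASCII alphanumerics with an upper-case
        letter, a lower-case letter and a digit. fullmatch avoids the "$"
        trailing-newline loophole; non-strings are rejected, not raised on."""
        return (isinstance(candidate, str)
                and re.match(r"^(?=.*[A-Z]+)(?=.*[a-z]+)(?=.*[0-9]+)", candidate) is not None
                and re.fullmatch(r"[a-zA-Z0-9]{10,100}", candidate) is not None)

    username = data.get("username") or ""
    old_password = data.get("old_password") or ""
    new_password = data.get("new_password") or ""

    if not _password_ok(old_password):
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid old password"}, 403)
    if not _password_ok(new_password):
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid new password"}, 403)
    # The original accepted any username value here; apply the same format
    # rule as the login handler (this only reveals that the *format* is bad,
    # nothing about which accounts exist).
    if not isinstance(username, str) or not re.fullmatch(r"[a-z0-9]{5,100}", username):
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid username"}, 403)

    # Verify the old password against the token owner's own row. The original
    # looked the row up by username + password first and compared ids only
    # afterwards, answering "Invalid username" on an id mismatch and
    # "Invalid old password" otherwise - which let any logged-in user test
    # other users' passwords and read the result off the differing reasons.
    # Scoping the query to u.id = token user and returning one reason for
    # every mismatch closes that oracle. Parameters are driver-bound.
    # NOTE(review): hash scheme is SHA2-256 over password + a single static
    # salt; see authenticate() - a schema-level migration to a slow, per-user
    # salted hash is the real fix.
    query = ("SELECT u.id AS user_id FROM users u "
             "WHERE u.id = %s AND u.username = %s AND u.password = SHA2((%s), 256);")
    g.cur.execute(query, [user_id, username, old_password + config["PASSWORD_SALT"]])
    if not g.cur.fetchone():
        return Utils.make_response(
            {"status": "failure", "reason": "Invalid old password"}, 403)

    query = "UPDATE users SET password = SHA2((%s), 256) WHERE id = %s;"
    g.cur.execute(query, [new_password + config["PASSWORD_SALT"], user_id])
    g.db.commit()

    # NOTE(review): nothing here revokes the user's *other* sessions. If
    # Token.encode is stateless (cannot tell from this file), cookies issued
    # before the change stay valid until they expire - confirm against Token.
    max_age = config["MAX_SESSION_DURATION_IN_SECONDS"]
    expire_date = datetime.datetime.utcnow() + datetime.timedelta(seconds=max_age)
    random_token = Utils.token_hex()

    response = Utils.make_response({"status": "success"}, 200)
    response.set_cookie(
        "token",
        Token.encode(user_id, random_token, config["SERVER_NONCE"], max_age),
        # The session cookie must not travel over plain HTTP. The original
        # hard-coded secure=False; HTTP-only deployments must now opt out
        # explicitly with COOKIE_SECURE=False in config.
        secure=bool(config.get("COOKIE_SECURE", True)),
        httponly=True,
        expires=expire_date,
        samesite="Strict")
    return response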