def post(self): if self.user: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Get user input input_current_password = self.request.get('current_password') input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') # Check input and set error messages. error_current_password="" error_password="" error_verify_password="" have_error = False if not valid_pw(self.user.email, input_current_password, self.user.pw_hash): # Set the error-message: incorrect password. error_current_password = True have_error = True if not valid_password(input_password): # Set the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Set the error-message: passwords do not match. error_verify_password = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_password.html', user = self.user, error_current_password = error_current_password, error_password = error_password, error_verify_password = error_verify_password, state = state) else: # Generate password-hash and store in DB pw_hash = make_pw_hash(self.user.email, input_password) self.user.pw_hash = pw_hash self.user.put() # Update memcache User.update_user_cache(self.user) state = self.make_state() # Render page with success message. self.render('change_password.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.render('message.html', message_user_settings_1 = True)
def post(self): if self.user: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Get user input input_username = self.request.get('username') # Check input and set error messages. error_username="" error_username_exists="" have_error = False if not valid_username(input_username): # Set the error-message: not a valid username. error_username = True have_error = True if have_error == False: u = User.by_name(input_username) if u: # Set the error-message: username already taken. error_username_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_username.html', user = self.user, username = input_username, error_username = error_username, error_username_exists = error_username_exists, state = state) else: # Store new username in DB self.user.name = input_username self.user.put() # Update memcache User.update_user_cache(self.user) # Render page success message state = self.make_state() self.render('change_username.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.render('message.html', message_user_settings_1 = True)
def post(self): user_query = User.query().filter( User.first_name == self.request.get('fname') and User.last_name == self.request.get('lname')).fetch() if not len(user_query) == 0 and user_query[0].is_doctor == False: doctor = User.query().filter( User.id == str(users.get_current_user().user_id())).fetch()[0] doctor.list.append(user_query[0].id) doctor.put() self.redirect('/doctor-homepage')
def post(self): if self.user: if not self.check_state(): self.redirect("/") return # Get user input input_username = self.request.get('username') # Check input and set error messages. error_username="" error_username_exists="" have_error = False if not valid_username(input_username): # Set the error-message: not a valid username. error_username = True have_error = True if have_error == False: u = User.by_name(input_username) if u: # Set the error-message: username already taken. error_username_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_username.html', user = self.user, username = input_username, error_username = error_username, error_username_exists = error_username_exists, state = state) else: # Update user object in DB and memcache User.update(self.user, name=input_username) # Render page success message state = self.make_state() self.render('change_username.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.session.add_flash('message_user_settings_1', key='homepage_flashes') self.redirect("/")
def post(self): if self.user: if not self.check_state(): self.redirect("/") return # Deactivate account by deleting from User database and # adding to the DeactAccounts database. d = DeactAccounts.create(self.user.key().id(), self.user.name, self.user.email) # Delete user User.remove(self.user.key().id()) # Genrate list of article-keys for the deleted user. article_key_list = Article.keys_by_author(self.user.key().id()) for key in article_key_list: # Store article in DeletdArticle DB article = Article.by_id(key.id()) del_art = DeletdArticle.create(article.title, article.body, article.author) del_art.put() # Delete article from Article DB Article.remove(key.id()) # Logout (delete coockie) self.logout() # Send email notification self.send_email(d.email, 'email_subject.html', 'email_account_deleted.html', subject_type = 'account_deleted') # Render page with message that account was deleted self.session.add_flash('message_delete_account_1', key='homepage_flashes') self.session.add_flash(d.email, key='deleted_email') self.redirect("/") else: # Prompt user to login. self.session.add_flash('message_user_settings_1', key='homepage_flashes') self.redirect("/")
def get(self): template_vars = {} doctor = User.query().filter( User.id == str(users.get_current_user().user_id())).fetch()[0] code = "" for id in doctor.list: patient = User.query().filter(User.id == str(id)).fetch()[0] code += "<option value='" + patient.id + "'>" + patient.first_name + " " + patient.last_name + "</option>" template_vars['code'] = code template_vars['name'] = doctor.first_name + " " + doctor.last_name home_template = current_jinja_environment.get_template( 'templates/send-message.html') self.response.write(home_template.render(template_vars))
def post(self): if self.user: if not self.check_state(): self.redirect("/") return # Get user input input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') # Check input and set error messages. error_password="" error_verify_password="" have_error = False if not valid_password(input_password): # Set the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Set the error-message: passwords do not match. error_verify_password = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_password.html', user = self.user, error_password = error_password, error_verify_password = error_verify_password, state = state) else: # Update user object in DB and memcache User.update(self.user, pw=input_password) state = self.make_state() # Render page with success message. self.render('change_password.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.session.add_flash('message_user_settings_1', key='homepage_flashes') self.redirect("/")
def post(self): if self.user: # Prompt user to log out. self.render('message.html', user = self.user, message_login_1 = True) else: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return input_email = self.request.get('email').lower() input_password = self.request.get('password') error="" u = User.login_by_email(input_email, input_password) if u: self.login(u) self.redirect('/') else: state = self.make_state() # Render page with error-messages. self.render('login.html', error = True, email_form = input_email, state = state)
def fbconnect(): print(request) name = request.json.get("name") id = request.json.get("id") email = request.json.get("email") gender = request.json.get("gender") auth_token = request.json.get("auth_token") print(name) print(id) print(email) print(gender) print(auth_token) url = ( 'https://graph.facebook.com/oauth/access_token?client_id=%s&client_secret=%s&grant_type=fb_exchange_token&fb_exchange_token=%s' % ( appid, appsecret, auth_token)) h = httplib2.Http() header, result = h.request(url, 'GET') token = json.loads(result)['access_token'] UserEntry = User(userid=id, displayname=name, emailid=email, photouri="", gender=gender, accesstoken=token) session.add(UserEntry) session.commit() return 'SUCCESS'
def get(self): article_list = Article.recent(100) for article in article_list: t = article.created.isoformat() article.time = t author = User.by_id(article.author) if author: article.author_name = author.name else: article.author_name = 'Unknown' flashes = self.session.get_flashes('homepage_flashes') input_email = self.session.get_flashes('input_email') if input_email: input_email = input_email.pop()[0] deleted_email = self.session.get_flashes('deleted_email') if deleted_email: deleted_email = deleted_email.pop()[0] if self.user: self.render('homepage.html', user = self.user, article_list = article_list, flashes = flashes, input_email = input_email, deleted_email = deleted_email) else: self.render('homepage.html', article_list = article_list, flashes = flashes, input_email = input_email, deleted_email = deleted_email)
def scan_tickets(binary='zbarcam', signer=None): import subprocess, sys process = subprocess.Popen(binary, bufsize=1, stdout=subprocess.PIPE) if signer is None: signer = ticket_security.TicketSigner() while True: stdout = process.stdout.readline().strip() if stdout.startswith('QR-Code:'): data = stdout[8:] # Ticket of doom if sha256(data).hexdigest( ) == '6640cc0c536901fbc7c9f0fbe508a09c80be74656cb3ab915ec668503d54f91d': import webbrowser webbrowser.open('http://nyan.cat') continue try: user = signer.verify(data) un = User.get(user) if un is None: yield False, "user not found in DB" continue if not un.media_consent: yield False, "user has not signed media consent" continue if un.checked_in: yield False, "user already granted entry" continue un.mark_checked_in() yield True, "{0} - {1} ({2})".format(un.organisation, un.fullname, un.username) except ValueError: yield False, "ticket is not valid"
def _get_user_fields(self): user_details = User.get(self.username) if not user_details: raise KeyError("username is unknown") elif not user_details.media_consent: raise ValueError("user has not signed a media consent form") self.name = user_details.fullname self.school = user_details.organisation
def get(self): template_vars = {} template_vars['logout_link'] = users.create_logout_url('/') template_vars['username'] = User.query().filter(User.id == str( users.get_current_user().user_id())).fetch()[0].last_name home_template = current_jinja_environment.get_template( 'templates/doctor-homepage.html') self.response.write(home_template.render(template_vars))
def post(self): user = User.query().filter( User.id == str(self.request.get('patient-id'))).fetch()[0] user.list.append( self.request.get('doctor-name') + " - " + self.request.get('message')) user.put() self.redirect('/doctor-homepage')
def get(self): if self.user: # Prompt user to logout self.session.add_flash('message_reset_password_1', key='homepage_flashes') self.redirect("/") else: # Get token from URL input_token = self.request.get('token') # Check if format of token is valid TOKEN_RE = re.compile(r"^([0-9]{1,30})\-.{3,20}$") if not TOKEN_RE.match(input_token): # Set invalid reset_id so that a normal error message is sent reset_id = 1 else: # Split token to obtain reset_id and temp_pw. reset_id = int(input_token.split('-')[0]) temp_pw = input_token.split('-')[1] # Use reset_id to find entry in ResetPasswordRequest DB. self.r = ResetPasswordRequest.by_id(reset_id) # Check if entry exists if not self.r: # Show message that link is not valid. self.session.add_flash('message_reset_password_2', key='homepage_flashes') self.redirect("/") # Check if entry is not older than one hour. elif datetime.datetime.now() - datetime.timedelta(hours = 1) > self.r.created: # Show message that too much time has passed. self.session.add_flash('message_reset_password_3', key='homepage_flashes') self.redirect("/") # Check if temp_pw is valid elif not ResetPasswordRequest.check_for_valid_request(self.r.email, temp_pw): # Show message that the link is not valid. self.session.add_flash('message_reset_password_4', key='homepage_flashes') self.redirect("/") # If no error, get user by_email, # log in and render reset_password.html else: email = self.r.email self.user = User.by_email(email) self.login(self.user) state = self.make_state() self.render('reset_password.html', user = self.user, token = input_token, state = state)
def post(self): if self.user: # Prompt user to log out. self.render('message.html', user = self.user, message_forgot_password_1 = True) else: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Receive input from web-page: eamil input_email = self.request.get('email').lower() error = '' self.user = User.by_email(input_email) if not self.user: state = self.make_state() # Render page with error-message. self.render('forgot_password.html', form_email = input_email, error = True, state = state) else: # Generate new temporary random password length = 10 temp_pw = ''.join(random.choice(ascii_letters)for x in xrange(length)) # Create entry in ResetPasswordRequest DB u = ResetPasswordRequest.create_request(input_email, temp_pw) u.put() # Send email with a link to the ResetPassword page. # The link includes email and temporary password to # authenticate the user. # ADAPT LINK TO GAE URL resetToken = str(u.key().id())+"-"+temp_pw link = "http://PROJECT_ID.appspot.com/reset_pw/?token=%s" %(resetToken) self.send_email(self.user.email, 'email_subject.html', 'email_forgot_password.html', subject_type = 'forgot_password', username = self.user.name, link = link) # Render message-page with message that email was sent self.render('message.html', input_email = input_email, message_forgot_password_2 = True)
def get(self): if User.query().filter(User.id == str( users.get_current_user().user_id())).fetch()[0].is_doctor: self.redirect('/doctor-homepage') template_vars = {} template_vars['logout_link'] = users.create_logout_url('/') template_vars['username'] = User.query().filter(User.id == str( users.get_current_user().user_id())).fetch()[0].first_name print(User.query().filter(User.id == str( users.get_current_user().user_id())).fetch()[0].first_name) html = "" message_query = User.query().filter( User.id == str(users.get_current_user().user_id())).fetch()[0].list logging.info(len(message_query)) for message in message_query: html += "<tr>" html += "<td><i class='fa fa-user w3-text-blue w3-large'></i></td>" html += "<td>" + message + "</td>" html += "</tr>" template_vars['code'] = html home_template = current_jinja_environment.get_template( 'templates/home.html') self.response.write(home_template.render(template_vars))
def dispatch(self): # Get a session store for this request. self.session_store = sessions.get_store(request=self.request) # Check if user is logged in uid = self.session.get('user_id') self.user = uid and User.by_id(int(uid)) # self.user is either set to None (if there is no user_id-cookie) # or to the entity returned from the Datastore (possibly None) try: # Dispatch the request. webapp2.RequestHandler.dispatch(self) finally: # Save all sessions. self.session_store.save_sessions(self.response)
def get(self): article_list = Article.recent(100) for article in article_list: t = article.created.isoformat() article.time = t author = User.by_id(article.author) if author: article.author_name = author.name else: article.author_name = 'Unknown' if self.user: self.render('homepage.html', user = self.user, article_list = article_list) else: self.render('homepage.html', article_list = article_list)
def post(self): if self.user: # Prompt user to log out. self.session.add_flash('message_login_1', key='homepage_flashes') self.redirect("/") else: if not self.check_state(): self.redirect("/") return input_email = self.request.get('email').lower() input_password = self.request.get('password') input_captcha = self.request.get('g-recaptcha-response') have_error = False if not valid_captcha(input_captcha): # Show generic login error-message. have_error = True if not valid_email(input_email): # Show generic login error-message. have_error = True if not valid_password(input_password): # Show generic login error-message. have_error = True if have_error == False: u = User.login_by_email(input_email, input_password) if not u: # Show generic login error-message. have_error = True if have_error == False: # Start session and add welcome flash for homepage self.session['provider'] = 'blog' self.login(u) self.session.add_flash('message_login_2', key='homepage_flashes') self.redirect('/') else: state = self.make_state() # Render page with error-messages. self.render('login.html', error = True, email_form = input_email, state = state)
def get(self): loggedin_user = users.get_current_user() if loggedin_user: current_users = User.query().filter( User.id == str(loggedin_user.user_id())).fetch() x = [] if current_users == x: template = current_jinja_environment.get_template( 'templates/signup.html') self.response.write(template.render()) else: #template = current_jinja_environment.get_template('templates/home.html') #self.response.write(template.render({'logout_link': users.create_logout_url('/')})) self.redirect('/homepage') else: login_prompt_template = current_jinja_environment.get_template( 'templates/login.html') self.response.write( login_prompt_template.render( {'login_link': users.create_login_url('/login-page')}))
def post(self): if self.request.get('person') == "patient": user = User(id=str(users.get_current_user().user_id()), first_name=self.request.get('fname'), last_name=self.request.get('lname'), is_doctor=False, list=[], exit_date=datetime.utcnow()) else: user = User(id=str(users.get_current_user().user_id()), first_name=self.request.get('fname'), last_name=self.request.get('lname'), is_doctor=True, list=[]) user.put() time.sleep(4) self.redirect('/homepage')
def _check_user(self, username, id_confirm): """Checks user details, moving into the wristbanding state on success""" try: user = User.get(username) self.current_username = username self.current_user = user if user is None: self._error_state("User '{}' not found".format(username)) elif not user.media_consent: self._error_state("User '{}' ({}) has no media consent " "{}".format( user.fullname, username, "or doesn't exist" if user.fullname == username else "")) elif user.checked_in: self._error_state("User '{}' ({}) already checked-in".format( user.fullname, username)) else: if id_confirm: self._set_message("Waiting for identity confirmation...", GOOD) self._can_scan = False if not self._confirm_identity_dialog(): self._ready_state() return self._wristband_state( "\nUser '{}' ({}) can be wristbanded".format( user.fullname, username)) except ValueError as e: self._error_state(str(e))
def post(self): if self.user: if not self.check_state(): self.redirect("/") return # Get user input input_email = self.request.get('email').lower() input_verify_email = self.request.get('verify_email').lower() # Check input and set error messages. error_email="" error_verify_email="" error_user_exists="" have_error = False if not valid_email(input_email): # Set the error-message: not a valid email. error_email = True have_error = True if not valid_verify(input_email, input_verify_email): # Set the error-message: emails do not match. error_verify_email = True have_error = True if have_error == False: u = User.by_email(input_email) if u: # Set the error-message: email already assigned. error_user_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_email.html', user = self.user, email = input_email, error_email = error_email, error_verify_email = error_verify_email, error_user_exists = error_user_exists, state = state) else: # Update user object in DB and memcache User.update(self.user, email=input_email) # Send email notification to new address self.send_email(self.user.email, 'email_subject.html', 'email_email_changed.html', subject_type = 'email_changed', username = self.user.name, user_email = self.user.email) # Render page with message that email was sent state = self.make_state() self.render('change_email.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.session.add_flash('message_user_settings_1', key='homepage_flashes') self.redirect("/")
def initialize(self, *a, **kw): webapp2.RequestHandler.initialize(self, *a, **kw) uid = self.read_secure_cookie('user_id') self.user = uid and User.by_id(int(uid))
def post(self): if self.user: if not self.check_state(): self.redirect("/") return # Get user input: password and verify_password input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') # Get token from web page input_token = self.request.get('token') # Check if token is valid TOKEN_RE = re.compile(r"^([0-9]{1,30})\-.{3,20}$") if not TOKEN_RE.match(input_token): # Set invalid reset_id so that a normal error message is sent reset_id = 1 else: reset_id = int(input_token.split('-')[0]) temp_pw = input_token.split('-')[1] # Use reset_id to find entry in ResetPasswordRequest DB. self.r = ResetPasswordRequest.by_id(reset_id) # Check if entry exists if not self.r: # Show message to contact via email self.session.add_flash('message_reset_password_5', key='homepage_flashes') self.redirect("/") #Check if entry is not older than one hour. elif datetime.datetime.now() - datetime.timedelta(hours = 1) > self.r.created: # Show message that too much time has passed. self.session.add_flash('message_reset_password_3', key='homepage_flashes') self.redirect("/") #Check if temp_pw is valid elif not ResetPasswordRequest.check_for_valid_request(self.r.email, temp_pw): # Show message to contact via email self.session.add_flash('message_reset_password_5', key='homepage_flashes') self.redirect("/") else: # Check if password and verify_password are valid. # Set error-messages. error_password="" error_verify_password="" have_error = False if not valid_password(input_password): # Show the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Show the error-message: passwords do not match. error_verify_password = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('reset_password.html', user = self.user, token = input_token, error_password = error_password, error_verify_password = error_verify_password, state = state) else: # Update user object in DB and memcache User.update(self.user, pw=input_password) # Invalidate entity in ResetPasswordRequest db ResetPasswordRequest.update(self.r, temp_pw_hash = "deactivated") # Show message that the password has been changed. self.session.add_flash('message_reset_password_7', key='homepage_flashes') self.redirect("/") else: # Show message to use the link in the email. self.session.add_flash('message_reset_password_6', key='homepage_flashes') self.redirect("/")
def post(self): if self.user: # Prompt user to log out. self.session.add_flash('message_forgot_password_1', key='homepage_flashes') self.redirect("/") else: if not self.check_state(): self.redirect("/") return # Receive input from web-page: eamil input_email = self.request.get('email').lower() have_error = False if not valid_email(input_email): # Show the error-message: not a valid email. have_error = True if have_error: state = self.make_state() # Render page with error-message. self.render('forgot_password.html', form_email = input_email, error = True, state = state) return self.user = User.by_email(input_email) if not self.user: logging.warning('Unknown email from forgot password page received!') # Redirect to "/". Flash message that email was sent. self.session.add_flash('message_forgot_password_2', key='homepage_flashes') self.session.add_flash(input_email, key='input_email') self.redirect("/") else: # Generate new temporary random password length = 10 temp_pw = ''.join(random.choice(ascii_letters)for x in xrange(length)) # Create entry in ResetPasswordRequest DB r = ResetPasswordRequest.create(input_email, temp_pw) # Send email with a link to the ResetPassword page. # The link includes email and temporary password to # authenticate the user. # ADAPT LINK TO GAE URL resetToken = str(r.key().id())+"-"+temp_pw link = "http://YOUR_APP_ID.appspot.com/reset_pw/?token=%s" %(resetToken) self.send_email(self.user.email, 'email_subject.html', 'email_forgot_password.html', subject_type = 'forgot_password', username = self.user.name, link = link) # Redirect to "/". Flash message that email was sent. self.session.add_flash('message_forgot_password_2', key='homepage_flashes') self.session.add_flash(input_email, key='input_email') self.redirect("/")
def get(self): # Step 3: Once the consumer has redirected the user back to the oauth_callback # URL you can request the access token the user has approved. You use the # request token to sign this request. After this is done you throw away the # request token and use the access token returned. You should store this # access token somewhere safe, like a database, for future use. access_token_url = 'https://api.twitter.com/oauth/access_token' consumer_key = json.loads(open('twitter_client_secrets.json', 'r').read())['web']['consumer_key'] consumer_secret = json.loads(open('twitter_client_secrets.json', 'r').read())['web']['consumer_secret'] consumer = oauth.Consumer(consumer_key, consumer_secret) input_oauth_token = self.request.get('oauth_token') input_oauth_verifier = self.request.get('oauth_verifier') if not input_oauth_verifier: raise Exception("No oauth_verifier received.") request_token = self.session.get('request_token') logging.error(request_token['oauth_token']) if not input_oauth_token == request_token['oauth_token']: raise Exception("Invalid request_token.") token = oauth.Token(request_token['oauth_token'], request_token['oauth_token_secret']) token.set_verifier(input_oauth_verifier) client = oauth.Client(consumer, token) resp, content = client.request(access_token_url, "POST") if resp['status'] != '200': raise Exception("Invalid response %s." % resp['status']) access_token = dict(urlparse.parse_qsl(content)) logging.error('TWITTER ACCESS TOKEN:') logging.error(access_token) # Set the API endpoint url = "https://api.twitter.com/1.1/account/verify_credentials.json?include_email=true&skip_status=true&include_entities=false" token = oauth.Token(access_token['oauth_token'], access_token['oauth_token_secret']) client = oauth.Client(consumer, token) resp, content = client.request(url, "GET") if resp['status'] != '200': raise Exception("Invalid response %s." % resp['status']) user_credentials = json.loads(content) self.session['twitter_id'] = user_credentials["id"] self.session['provider'] = 'twitter' # The access_token must be stored in the login_session in order to properly logout self.session['access_token'] = access_token logging.error('TWITTER CREDENTIALS:') logging.error(content) logging.error(user_credentials['email']) # see if user exists, if it doesn't make a new one u = User.by_email(user_credentials['email']) if not u: # turn name from Twitter into a unique username # replace spaces with underscores u_name = str(user_credentials['name'].replace(" ","_")) # check if username exists # add a random number while User.by_name(u_name): u_name = u_name + str(randint(0,9)) u = User.register(u_name, None, user_credentials['email']) #Send confirmation email self.send_email(u.email, 'email_subject.html', 'email_welcome_fb.html', subject_type = 'welcome', username = u.name, user_email = u.email) #Set session and add a flash welcome message self.login(u) self.session.add_flash('message_signup_2', key='homepage_flashes') else: self.login(u) self.session.add_flash('message_login_2', key='homepage_flashes') self.redirect('/')
def post(self): if self.user: # Prompt user to log out. self.session.add_flash('message_signup_1', key='homepage_flashes') self.redirect("/") else: if not self.check_state(): self.redirect("/") return input_username = self.request.get('username') input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') input_email = self.request.get('email').lower() input_verify_email = self.request.get('verify_email').lower() input_captcha = self.request.get('g-recaptcha-response') error_username="" error_password="" error_verify_password="" error_email="" error_verify_email="" error_username_exists="" error_user_exists="" error_captcha="" have_error = False if not valid_captcha(input_captcha): # Show the error-message: captcha not resolved. error_captcha = True have_error = True if not valid_username(input_username): # Show the error-message: not a valid username. error_username = True have_error = True if not valid_password(input_password): # Show the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Show the error-message: passwords do not match. error_verify_password = True have_error = True if not valid_email(input_email): # Show the error-message: not a valid email. error_email = True have_error = True if not valid_verify(input_email, input_verify_email): # Show the error-message: emails do not match. error_verify_email = True have_error = True if have_error == False: u = User.by_name(input_username) if u: # Show the error-message: username is already taken. error_username_exists = True have_error = True u = User.by_email(input_email) if u: # Show the error-message: email already used. error_user_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('signup.html', error_username = error_username, error_username_exists = error_username_exists, error_password = error_password, error_verify_password = error_verify_password, error_email = error_email, error_verify_email = error_verify_email, error_user_exists = error_user_exists, error_captcha = error_captcha, username_form = input_username, email_form = input_email, verify_email_form = input_verify_email, state = state) else: #Create new entry in the User-DB. u = User.register(input_username, input_password, input_email) #Send confirmation email self.send_email(u.email, 'email_subject.html', 'email_welcome.html', subject_type = 'welcome', username = u.name, user_email = u.email) # Start session and add welcome flash for homepage self.session['provider'] = 'blog' self.login(u) self.session.add_flash('message_signup_2', key='homepage_flashes') self.redirect("/")
def post(self): # Validate state token if not self.check_state(): self.response.set_status(401) self.response.headers["Content-Type"] = 'text/html' self.response.out.write('Invalid state parameter.') return # Obtain fb_exchange_token fb_exchange_token = self.request.body logging.error('Request data from Facebook (fb_exchange_token):') logging.error(fb_exchange_token) # Upgrade the fb_exchange_token into an access_token to get user info from API app_id = json.loads(open('fb_client_secrets.json', 'r').read())[ 'web']['app_id'] app_secret = json.loads( open('fb_client_secrets.json', 'r').read())['web']['app_secret'] url = 'https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=%s&client_secret=%s&fb_exchange_token=%s' % ( app_id, app_secret, fb_exchange_token) h = httplib2.Http() result = h.request(url, 'GET')[1] # Use access_token to get user info from API # strip expire tag from access_token access_token = result.split("&")[0] url = 'https://graph.facebook.com/v2.4/me?%s&fields=name,id,email' % access_token h = httplib2.Http() result = h.request(url, 'GET')[1] data_profile = json.loads(result) self.session['facebook_id'] = data_profile["id"] self.session['provider'] = 'facebook' # The access_token must be stored in the login_session in order to properly logout, let's strip out the information before the equals sign in our access_token stored_access_token = access_token.split("=")[1] self.session['access_token'] = stored_access_token # Get user picture url = 'https://graph.facebook.com/v2.4/me/picture?%s&redirect=0&height=200&width=200' % access_token h = httplib2.Http() result = h.request(url, 'GET')[1] data_picture = json.loads(result) # see if user exists, if it doesn't make a new one u = User.by_email(data_profile['email']) if not u: # turn name from FB into a unique username # replace spaces with underscores u_name = str(data_profile['name'].replace(" ","_")) # check if username exists # add a random number while User.by_name(u_name): u_name = u_name + str(randint(0,9)) u = User.register(u_name, None, data_profile['email']) #Send confirmation email self.send_email(u.email, 'email_subject.html', 'email_welcome_fb.html', subject_type = 'welcome', username = u.name, user_email = u.email) #Set session and add a flash welcome message self.login(u) self.session.add_flash('message_signup_2', key='homepage_flashes') else: self.login(u) self.session.add_flash('message_login_2', key='homepage_flashes') output = '' output += '<h1>Welcome, ' output += data_profile["name"] output += '!</h1>' output += '<img src="' output += data_picture["data"]["url"] output += ' " style = "width: 300px; height: 300px;border-radius: 150px;-webkit-border-radius: 150px;-moz-border-radius: 150px;"> ' self.response.set_status(200) self.response.headers["Content-Type"] = 'text/html' self.response.out.write(output)
def post(self): # Validate state token if not self.check_state(): self.response.set_status(401) self.response.headers["Content-Type"] = 'text/html' self.response.out.write('Invalid state parameter.') return # Obtain authorization code code = self.request.body logging.error('Request data from Google (Authorization code):') logging.error(code) try: # Upgrade the authorization code into a credentials object oauth_flow = flow_from_clientsecrets('client_secrets.json', scope='') oauth_flow.redirect_uri = 'postmessage' credentials = oauth_flow.step2_exchange(code) logging.error('User credentials recieved from Google (Access token, ...):') for attr in dir(credentials): logging.error("obj.%s = %s" % (attr, getattr(credentials, attr))) except FlowExchangeError: self.response.set_status(401) self.response.headers["Content-Type"] = 'text/html' self.response.out.write('Failed to upgrade the authorization code.') return # Check that the access token is valid. access_token = credentials.access_token logging.error('In gconnect access token is %s', access_token) url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s' % access_token) h = httplib2.Http() result = json.loads(h.request(url, 'GET')[1]) logging.error('Check Access token. Result: ') logging.error(result) # If there was an error in the access token info, abort. if result.get('error') is not None: self.response.set_status(500) self.response.headers["Content-Type"] = 'text/html' self.response.out.write(result.get('error')) return # Verify that the access token is used for the intended user. gplus_id = credentials.id_token['sub'] if result['user_id'] != gplus_id: self.response.set_status(401) self.response.headers["Content-Type"] = 'text/html' self.response.out.write("Token's user ID doesn't match given user ID.") return # Verify that the access token is valid for this app. if result['issued_to'] != self.CLIENT_ID: logging.error("Token's client ID does not match app's.") self.response.set_status(401) self.response.headers["Content-Type"] = 'text/html' self.response.out.write("Token's client ID does not match app's.") return # Store the access token in the session for later use. self.session['access_token'] = credentials.access_token self.session['gplus_id'] = gplus_id # Get user info url_userinfo = ('https://www.googleapis.com/oauth2/v1/userinfo?access_token=%s&alt=json' % access_token) h = httplib2.Http() data = json.loads(h.request(url_userinfo, 'GET')[1]) # ADD PROVIDER TO LOGIN SESSION self.session['provider'] = 'google' # see if user exists, if it doesn't make a new one u = User.by_email(data['email']) if not u: # turn name from Google+ into a unique username # replace spaces with underscores u_name = str(data['name'].replace(" ","_")) # check if username exists # add a random number while User.by_name(u_name): u_name = u_name + str(randint(0,9)) # SET FLASH MESSAGE THAT USERNAME CAN BE EDITED. u = User.register(u_name, None, data['email']) #Send confirmation email self.send_email(u.email, 'email_subject.html', 'email_welcome_gplus.html', subject_type = 'welcome', username = u.name, user_email = u.email) #Set session and add a flash welcome message self.login(u) self.session.add_flash('message_signup_2', key='homepage_flashes') else: self.login(u) self.session.add_flash('message_login_2', key='homepage_flashes') output = '' output += '<h1>Welcome, ' output += data['name'] output += '!</h1>' output += '<img src="' output += data['picture'] output += ' " style = "width: 300px; height: 300px;border-radius: 150px;-webkit-border-radius: 150px;-moz-border-radius: 150px;"> ' self.response.set_status(200) self.response.headers["Content-Type"] = 'text/html' self.response.out.write(output)
def post(self): if self.user: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Get user input: password and verify_password input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') # Get token from web page input_token = self.request.get('token') # Check if token is valid TOKEN_RE = re.compile(r"^([0-9]{1,30})\-.{3,20}$") if not TOKEN_RE.match(input_token): # Set invalid reset_id so that a normal error message is sent reset_id = 1 else: reset_id = int(input_token.split('-')[0]) temp_pw = input_token.split('-')[1] # Use reset_id to find entry in ResetPasswordRequest DB. self.p = ResetPasswordRequest.by_id(reset_id) # Check if entry exists if not self.p: # Show message to contact via email self.render('message.html', user = self.user, message_reset_password_5 = True) #Check if entry is not older than one hour. elif datetime.datetime.now() - datetime.timedelta(hours = 1) > self.p.created: # Show message that too much time has passed. self.render('message.html', user = self.user, message_reset_password_3 = True) #Check if temp_pw is valid elif not ResetPasswordRequest.check_for_valid_request(self.p.email, temp_pw): # Show message to contact via email self.render('message.html', user = self.user, message_reset_password_5 = True) else: # Check if password and verify_password are valid. # Set error-messages. error_password="" error_verify_password="" have_error = False if not valid_password(input_password): # Show the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Show the error-message: passwords do not match. error_verify_password = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('reset_password.html', user = self.user, token = input_token, error_password = error_password, error_verify_password = error_verify_password, state = state) else: # Generate password-hash and store in DB pw_hash = make_pw_hash(self.user.email, input_password) self.user.pw_hash = pw_hash self.user.put() # Update memcache User.update_user_cache(self.user) # Invalidate entity in ResetPasswordRequest db self.p = ResetPasswordRequest.by_email(self.user.email) self.p.temp_pw_hash = "deactivated" self.p.put() # Show message that the password has been changed. self.render('message.html', user = self.user, message_reset_password_7 = True) else: # Show message to use the linke in the email. self.render('message.html', user = self.user, message_reset_password_6 = True)
def post(self): if self.user: # Prompt user to log out. self.render('message.html', user = self.user, message_signup_1 = True) else: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return input_username = self.request.get('username') input_password = self.request.get('password') input_verify_password = self.request.get('verify_password') input_email = self.request.get('email').lower() input_verify_email = self.request.get('verify_email').lower() error_username="" error_password="" error_verify_password="" error_email="" error_verify_email="" error_username_exists="" error_user_exists="" have_error = False if not valid_username(input_username): # Show the error-message: not a valid username. error_username = True have_error = True if not valid_password(input_password): # Show the error-message: not a valid password. error_password = True have_error = True if not valid_verify(input_password, input_verify_password): # Show the error-message: passwords do not match. error_verify_password = True have_error = True if not valid_email(input_email): # Show the error-message: not a valid email. error_email = True have_error = True if not valid_verify(input_email, input_verify_email): # Show the error-message: emails do not match. error_verify_email = True have_error = True if have_error == False: u = User.by_name(input_username) if u: # Show the error-message: username is already taken. error_username_exists = True have_error = True u = User.by_email(input_email) if u: # Show the error-message: email already used. error_user_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('signup.html', error_username = error_username, error_username_exists = error_username_exists, error_password = error_password, error_verify_password = error_verify_password, error_email = error_email, error_verify_email = error_verify_email, error_user_exists = error_user_exists, username_form = input_username, email_form = input_email, verify_email_form = input_verify_email, state = state) else: #Create new entry in the User-DB. u = User.register(input_username, input_password, input_email) u.put() #update memcache User.update_user_cache(u) #Send confirmation email self.send_email(u.email, 'email_subject.html', 'email_welcome.html', subject_type = 'welcome', username = u.name, user_email = u.email) #Set cookie and render message page with welcome self.login(u) self.render('message.html', user = u, message_signup_2 = True)
def post(self): if self.user: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Get user input input_current_password = self.request.get('current_password') input_email = self.request.get('email').lower() input_verify_email = self.request.get('verify_email').lower() # Check input and set error messages. error_current_password="" error_email="" error_verify_email="" error_user_exists="" have_error = False if not valid_pw(self.user.email, input_current_password, self.user.pw_hash): # Set the error-message: incorrect password. error_current_password = True have_error = True if not valid_email(input_email): # Set the error-message: not a valid email. error_email = True have_error = True if not valid_verify(input_email, input_verify_email): # Set the error-message: emails do not match. error_verify_email = True have_error = True if have_error == False: u = User.by_email(input_email) if u: # Set the error-message: email already assigned. error_user_exists = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('change_email.html', user = self.user, email = input_email, error_current_password = error_current_password, error_email = error_email, error_verify_email = error_verify_email, error_user_exists = error_user_exists, state = state) else: # Generate password-hash # Store new email and password-hash in DB pw_hash = make_pw_hash(input_email, input_current_password) self.user.pw_hash = pw_hash self.user.email = input_email self.user.put() # Update memcache User.update_user_cache(self.user) # Send email notification to new address self.send_email(self.user.email, 'email_subject.html', 'email_email_changed.html', subject_type = 'email_changed', username = self.user.name, user_email = self.user.email) # Render page with message that email was sent state = self.make_state() self.render('change_email.html', user = self.user, success_message = True, state = state) else: # Prompt user to login. self.render('message.html', message_user_settings_1 = True)
def post(self): if self.user: if not self.check_state(): logging.warning("Possible CSRF attack detected!") self.redirect("/") return # Get user input input_password = self.request.get('password') # Check input and set error messages. error_password="" have_error = False if not valid_pw(self.user.email, input_password, self.user.pw_hash): # Set the error-message: incorrect password. error_password = True have_error = True if have_error: state = self.make_state() # Render page with error-messages. self.render('delete_account.html', user = self.user, error_password = error_password, state = state) else: # Deactivate account by deleting from User database and # adding to the DeactAccounts database. d = DeactAccounts.create(self.user.key().id(), self.user.name, self.user.email) d.put() # Delete user User.remove(self.user.key().id()) # Genrate list of article-keys for the deleted user. article_key_list = Article.keys_by_author(self.user.key().id()) for key in article_key_list: # Store article in DeletdArticle DB article = Article.by_id(key.id()) del_art = DeletdArticle.create(article.title, article.body, article.author) del_art.put() # Delete article from Article DB Article.remove(key.id()) # Logout (delete coockie) self.logout() # Send email notification self.send_email(d.email, 'email_subject.html', 'email_account_deleted.html', subject_type = 'account_deleted') # Render page with message that account was deleted self.render('message.html', message_delete_account_1 = True, deleted_email = d.email) else: # Prompt user to login. self.render('message.html', message_user_settings_1 = True)