def checktoken(token): #returns if user exists, privilege, and username try: payload = jwt.decode(codecs.decode(token, "hex"), 'secret', algorithms=('HS256')) except Exception as E: #couldn't decode, fake token return (False, None, None) #check if payload is valid if not userexists(payload['username']): return (False, None, None) #match payload to existing token rows = DB.query( 'logintokens', args= " WHERE logintokens.username = \'{u}\' AND logintokens.spice = \'{s}\'" .format(u=payload['username'], s=payload['spice'])) if len(rows) == 1: return (True, DB.query('users', columns='privilege', args="WHERE username = \'{u}\'".format( u=payload['username']))[0][0], payload['username']) return (False, None, None)
def bookroom(): #room id, token, date data = json.loads(request.data) floornumber = data['roomid'][:2] roomnumber = data['roomid'][2:] print(str(data)) rows = DB.query( 'bookings', args='WHERE floornumber = {fn} AND roomnumber = {rn} AND date = \"{d}\"' .format(fn=floornumber, rn=roomnumber, d=data['date'])) if len(rows) > 0: return { 'code': 'failed', 'message': 'Room already booked for that date.' } userdata = AM.checktoken(data['token']) if userdata[0] == False: return {'code': 'failed', 'message': 'Invalid user token.'} try: price = DB.query( 'rooms', columns='price', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=floornumber, rn=roomnumber))[0][0] except IndexError as E: return {'code': 'failed', 'message': 'No such room exists.'} transID = random.randint(100000, 999999) bookingID = random.randint(100000, 999999) while True: try: DB.insert('bookings', (str(bookingID), "\'" + str(floornumber) + "\'", "\'" + str(roomnumber) + "\'", "\'" + userdata[2] + "\'", "\'" + data['date'] + "\'", "\'" + data['customer_name'] + "\'")) break except sqlite3.InterfaceError as E: bookingID = random.randint(100000, 999999) while True: try: DB.insert( 'transactions', (str(transID), "\'" + userdata[2] + "\'", "\'" + price + "\'", str(bookingID), "\'" + data['customer_name'] + "\'")) break except sqlite3.IntegrityError as E: transID = random.randint(100000, 999999) return { 'code': 'success', 'message': 'Room booked.', 'bookingID': bookingID, 'transactionID': transID }
def login(): DB.initdb() resp = json.loads(flask.request.data) print("\tfrom client: \nlogin request:\n\tu: " + str(resp['username'] + ", p: " + resp['password'])) #check if user exists if (not userexists(resp['username'])): #check if user awaiting approval if (len( DB.query("accountrequests", args="WHERE username = \'{u}\'".format( u=resp['username']))) == 1): return { 'code': 'failed', 'reason': 'Account pending admin aporoval. Please try again later.', 'token': '' } #user does not exist, deny return { 'code': 'failed', 'reason': 'Incorrect username or password. Please try again.', 'token': '' } #verify password if checkpass(resp['username'], resp['password']): #check account for ban if (DB.query("users", "banned", "WHERE username = \'{u}\'".format( u=resp['username']))[0][0] == 'true'): print("Banned user " + resp['username'] + " tried to log on.") return { 'code': 'failed', 'reason': 'Banned from server.', 'token': '' } #log user in, give user token return { 'code': 'success', 'reason': 'You are now logged in', 'token': createtoken(resp['username']).__str__() } else: #incorrect password return { 'code': 'failed', 'reason': 'Incorrect username or password. Please try again.', 'token': '' }
def serveroom(room): roomrow = DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=room[:2], rn=room[2:])) if len(roomrow) == 1: return render_template( 'room.html', r=DB.genjson( 'rooms', DB.query('rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'. format(fn=room[:2], rn=room[2:])))) else: return "404"
def getClients(): # returns code data = json.loads(request.data) account = AM.checktoken(data['token']) if account[1] != 'agent': return { 'code': 'failed', 'message': 'This is not an agent account.', 'clients': None } return { 'code': 'success', 'message': '', 'clients': json.loads( DB.genjson( 'agent_clients', DB.query( 'agent_clients', args='WHERE username = \'{u}\''.format(u=account[2])))) }
def createtoken(username): spice = os.urandom(10).hex() token = jwt.encode({ 'username': username, 'spice': spice }, 'secret', algorithm='HS256') #limit of 5 tokens preExisting = DB.query('logintokens', args='WHERE username = \'{u}\''.format(u=username)) if len(preExisting) >= 5: oldest = datetime.strptime(preExisting[0][2], '%Y-%m-%d %H:%M:%S.%f') for row in preExisting: if datetime.strptime(row[2], '%Y-%m-%d %H:%M:%S.%f') < oldest: oldest = datetime.strptime(row[2], '%Y-%m-%d %H:%M:%S.%f') DB.delete( 'logintokens', 'username = \'{u}\' AND time = \'{t}\''.format(u=username, t=str(oldest))) #store the payload in db DB.insert("logintokens", ("\'" + username + "\'", "\'" + spice + "\'", "\'" + str(datetime.now()) + "\'")) return token.hex()
def createroom(): data = json.loads(request.data) if AM.checktoken(json.loads(request.data)['token'])[1] != 'admin': return { 'code': 'failed', 'message': 'Privilege level not high enough.' } print(str(data)) if len( DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=data['update']['floornumber'], rn=data['update']['roomnumber']))) > 0: return {'code': 'failed', 'message': 'Room already exists.'} DB.insert('rooms', (data['update']['floornumber'], data['update']['roomnumber'], "\'" + data['update']['isVaccant'] + "\'", "\'" + data['update']['isReady'] + "\'", "\'" + data['update']['description'] + "\'", "\'" + data['update']['price'] + "\'")) DB.insert( 'room_info', (data['update']['floornumber'], data['update']['roomnumber'], "\'" + data['update']['bed'] + "\'", "\'" + data['update']['microwave'] + "\'", "\'" + data['update']['balcony'] + "\'", "\'" + data['update']['ethernet'] + "\'", "\'" + data['update']['TV'] + "\'", data['update']['bedamount'])) return {'code': 'success', 'message': 'Room added to DB.'}
def userexists(username): if (len( DB.query( 'users', args="WHERE username = \'{u}\'".format(u=username))) == 1): return True return False
def cancelBooking(): data = json.loads(request.data) account = AM.checktoken(data['token']) #does account exist if account[0] == False: return {'code': 'failed', 'message': 'Not logged in.'} booking = DB.query( 'bookings', args="WHERE username = \'{u}\' AND bookingID = {bi}".format( u=account[2], bi=data['bookingID'])) if len(booking) < 1: return {'code': 'failed', 'message': 'No such booking exists.'} bookingDate = datetime.strptime(booking[0][4], '%Y-%m-%d') print(bookingDate) print(datetime.now()) if datetime.now() >= bookingDate: return { 'code': 'failed', 'message': 'This date of this booking has already passed.' } DB.delete('bookings', 'bookingID = {bi}'.format(bi=data['bookingID'])) DB.delete('transactions', 'bookingID = {bi}'.format(bi=data['bookingID'])) return {'code': 'success', 'message': 'Booking has been cancelled.'}
def getbookings(): #returns list of bookings data = json.loads(request.data) account = AM.checktoken(data['token']) #does account exist if account[0] == False: return { 'code': 'failed', 'message': 'Not logged in.', 'bookings': None } return { 'code': 'success', 'message': '', 'bookings': json.loads( DB.genjson( 'bookings', DB.query( 'bookings', args='WHERE username = \'{u}\''.format(u=account[2])))) }
def register(): # need to sanatize input DB.initdb() resp = json.loads(flask.request.data) username = resp['username'] salt, hashedpass = hashpass(resp['password']) print("\tfrom client: \n\tregister request:\n\tu: " + username + ", p: " + resp['password']) #is username already registered if (userexists(username)): return {'message': 'Username already taken', 'code': 'failed'} #is username already requested if (len( DB.query( "accountrequests", args="WHERE username = \'{u}\'".format(u=username))) == 1): return {'message': 'Username already taken', 'code': 'failed'} #submit account for approval try: DB.insert("accountrequests", ("\'" + username + "\'", "\'" + hashedpass + "\'", "\'" + salt + "\'", "(SELECT datetime())")) return { 'message': 'registered ' + username + ', pending admin approval. Try logging on later.', 'code': 'success' } except sqlite3.IntegrityError as E: return {'message': 'error, ' + E.__str__(), 'code': 'failed'}
def getreciept(): # returns code, message, reciept data = json.loads(request.data) account = AM.checktoken(data['token']) #does account exist if account[0] == False: return {'code': 'failed', 'message': 'Not logged in.', 'reciept': None} booking = DB.query( 'bookings', args='WHERE bookingID = {bi}'.format(bi=data['bookingID'])) transaction = DB.query( 'transactions', args='WHERE bookingID = {bi}'.format(bi=data['bookingID'])) #does the booking exist if len(booking) != 1: return { 'code': 'failed', 'message': 'No such booking exists.', 'reciept': None } #is this the correct account if booking[0][3] != account[2]: return { 'code': 'failed', 'message': 'Incorrect account.', 'reciept': None } return { 'code': 'success', 'message': '', 'reciept': json.loads( str({ **json.loads(DB.genjson('bookings', booking))[0], **json.loads(DB.genjson('transactions', transaction))[0] }).replace('\'', '"')) }
def getroom(): data = json.loads(request.data) print(data) roomrow = DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=data['roomid'][:2], rn=data['roomid'][2:], )) if len(roomrow) < 1: return {'code': 'failed', 'message': 'No such room exists.'} roomfeatures = DB.query( 'room_info', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=data['roomid'][:2], rn=data['roomid'][2:], )) return str({ **json.loads(DB.genjson('rooms', roomrow))[0], **json.loads(DB.genjson('room_info', roomfeatures))[0] }).replace('\'', '"')
def approveuser(): data = json.loads(request.data) username = data['username'] if (AM.checktoken(data['token'])[1] == 'admin'): row = DB.query('accountrequests', args='WHERE username = \'{u}\''.format(u=username)) DB.delete('accountrequests', args='username = \'{u}\''.format(u=username)) DB.insert( 'users', ('\'' + row[0][0] + '\'', '\'' + row[0][1] + '\'', '\'' + row[0][2] + '\'', '\'user\'', '\'false\'', '(SELECT datetime())')) return {'code': 'success'} return {'code': 'failed'}
def banuser(): data = json.loads(request.data) if (AM.checktoken(data['token'])[1] == 'admin'): if DB.query('users', 'banned', 'WHERE username = \'{u}\''.format( u=data['username']))[0][0] == 'false': DB.update( 'users', 'SET banned = \'true\' WHERE username = \'{u}\''.format( u=data['username'])) else: DB.update( 'users', 'SET banned = \'false\' WHERE username = \'{u}\''.format( u=data['username'])) return {'code': 'success'} return {'code': 'failed'}
def removeClient(): # returns code data = json.loads(request.data) account = AM.checktoken(data['token']) print(str(data)) if account[1] != 'agent': return {'code': 'failed', 'message': 'This is not an agent account.'} if len( DB.query('agent_clients', args="WHERE username = \'{u}\' AND client_email = \'{e}\'" .format(u=account[2], e=data['client_email']))) != 1: return {'code': 'failed', 'message': 'Not your client.'} DB.delete('agent_clients', 'client_email = \'{e}\''.format(e=data['client_email'])) return {'code': 'success', 'message': 'Client removed.'}
def editroom(): data = json.loads(request.data) if AM.checktoken(json.loads(request.data)['token'])[1] != 'admin': return { 'code': 'failed', 'message': 'Privilege level not high enough.' } if len( DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format( fn=data['update']['floornumber'], rn=data['update']['roomnumber']))) < 1: return {'code': 'failed', 'message': 'No such room exists.'} DB.update( 'rooms', 'SET isVaccant = \'{isVaccant}\', isReady = \'{isReady}\', description = \'{description}\', price = \'{price}\' WHERE floornumber = {fn} AND roomnumber = {rn}' .format(isVaccant=data['update']['isVaccant'], isReady=data['update']['isReady'], description=data['update']['description'], price=data['update']['price'], fn=data['update']['floornumber'], rn=data['update']['roomnumber'])) DB.update( 'room_info', 'SET bed = \'{bed}\', microwave =\'{microwave}\', balcony=\'{balcony}\', ethernet=\'{ethernet}\', TV=\'{TV}\', bedamount={bedamount} WHERE floornumber = {fn} AND roomnumber = {rn}' .format(bed=data['update']['bed'], microwave=data['update']['microwave'], balcony=data['update']['balcony'], ethernet=data['update']['ethernet'], TV=data['update']['TV'], bedamount=data['update']['bedamount'], fn=data['update']['floornumber'], rn=data['update']['roomnumber'])) return {'code': 'success', 'message': 'Update saved.'}
def getlog(): if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin': return json.dumps( DB.genjson('dblog', DB.query('dblog', args='ORDER BY time DESC')))
def getrooms(): if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin': return json.dumps(DB.genjson('rooms', DB.query('rooms')))
def getusers(): if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin': return json.dumps( DB.genjson('users', DB.query('users'), exceptfor=('hashpass', 'salt')))
def searchrooms(): #this can all be changed to a single test case print(json.loads(request.data)) data = json.loads(request.data) if data['all']: return DB.genjson('rooms', DB.query('rooms')) available = list() if data['bed-type'] != None or data['microwave'] != None or data[ 'balcony'] != None or data['ethernet'] != None or data[ 'TV'] != None or data['bed-amount'] != None: feature_args = 'WHERE 1 {be} {mi} {ba} {et} {tv} {be_a}'.format( be='AND bed = \'' + data['bed-type'] + '\'' if data['bed-type'] != 'null' else '', mi='AND microwave = \'' + str(data['microwave']).lower() + '\'' if data['microwave'] != False else '', ba='AND balcony = \'' + str(data['balcony']).lower() + '\'' if data['balcony'] != False else '', et='AND ethernet = \'' + str(data['ethernet']).lower() + '\'' if data['ethernet'] != False else '', tv='AND TV = \'' + str(data['TV']).lower() + '\'' if data['TV'] != False else '', be_a='AND bedamount =' + data['bed-amount'] if data['bed-amount'] != 'null' else '') print(feature_args) rooms_wf = DB.query('room_info', 'floornumber, roomnumber', feature_args) if data['date'] != '': for room in rooms_wf: if (len( DB.query( 'bookings', args= 'WHERE roomnumber={rn} AND floornumber={fn} AND date = \'{d}\'' .format(fn=room[0], rn=room[1], d=data['date']))) == 0): available.append( DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}' .format(fn=room[0], rn=room[1]))[0]) return DB.genjson('rooms', available) else: for room in rooms_wf: available.append( DB.query( 'rooms', args='WHERE floornumber = {fn} AND roomnumber = {rn}'. format(fn=room[0], rn=room[1]))[0]) return DB.genjson('rooms', available) elif data['date'] != '': rooms = DB.query('rooms') for room in rooms: if (len( DB.query( 'bookings', args= 'WHERE roomnumber={rn} AND floornumber={fn} AND date = \'{d}\'' .format(fn=room[0], rn=room[1], d=data['date']))) == 0): available.append(room) return DB.genjson('rooms', available) else: return DB.genjson('rooms', DB.query('rooms'))
def table(table): return str(DB.query(table)).replace("(", "<br>").replace(")", "<br>")