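def login():
    """Name-and-password login against the local ``Users`` table (CTFd view).

    GET renders ``login.html``. POST looks the submitted ``name`` up, checks
    the password with ``verify_password`` and, on success, regenerates the
    session before ``login_user``. All failures show the same generic
    message so the response does not reveal whether the name exists; the
    distinguishing detail goes to the "logins" log only.

    Returns:
        A redirect (validated ``next`` URL or the challenge listing) on
        success, otherwise the rendered login page with ``errors``.
    """
    errors = get_errors()

    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    user = Users.query.filter_by(name=name).first()

    if user is None:
        # This user just doesn't exist.
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template("login.html", errors=errors)

    # A row with a NULL password column cannot be verified; treat it exactly
    # like a wrong password instead of handing None to the verifier.
    if user.password is None or not verify_password(
        request.form["password"], user.password
    ):
        # This user exists but the password is wrong.
        # NOTE(review): {name} is filled in by log() from data not visible
        # here; if that is the raw form field, a newline in it ends up in the
        # log line.
        log("logins", "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template("login.html", errors=errors)

    # New session id before the session becomes authenticated (anti-fixation).
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in")
    db.session.close()

    next_url = request.args.get("next")
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for("challenges.listing"))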
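def login():
    """Login by team/user name or e-mail with a local password (CTFd view).

    GET renders ``login.html``. POST resolves the ``name`` field to a
    ``Users`` row by e-mail when it validates as an address, otherwise by
    name. Rows without a stored password (the message attributes them to an
    external authentication provider) are refused with an explanatory
    message; for everything else the same generic error is shown so the
    response does not reveal whether the account exists.

    Returns:
        A redirect (validated ``next`` URL or the challenge listing) on
        success, otherwise the rendered login page with ``errors``.
    """
    errors = get_errors()

    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    # Check if the user submitted an email address or a team name
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    if user is None:
        # This user just doesn't exist
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("用户名或密码错误")  # "username or password is incorrect"
        db.session.close()
        return render_template("login.html", errors=errors)

    if user.password is None:
        # Provider-only account: nothing to verify locally. This message does
        # confirm that the account exists, unlike the generic branches; that
        # is the trade-off for pointing the user to the right login. The DB
        # session is closed here like on every other exit path.
        log(
            "logins",
            "[{date}] {ip} - password login attempted for provider-only account {name}",
            name=user.name,
        )
        errors.append(
            "Your account was registered with a 3rd party authentication provider. "
            "Please try logging in with a configured authentication provider."
        )
        db.session.close()
        return render_template("login.html", errors=errors)

    if not verify_password(request.form["password"], user.password):
        # This user exists but the password is wrong
        log(
            "logins",
            "[{date}] {ip} - submitted invalid password for {name}",
            name=user.name,
        )
        errors.append("用户名或密码错误")
        db.session.close()
        return render_template("login.html", errors=errors)

    # New session id before the session becomes authenticated (anti-fixation).
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in", name=user.name)
    db.session.close()

    next_url = request.args.get("next")
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for("challenges.listing"))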
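def login():
    """Login by team name or e-mail with a local password (CTFd view).

    GET renders ``login.html``. POST resolves ``name`` to a ``Users`` row
    by e-mail when it validates as an address, otherwise by name, then
    checks the password with ``check_password`` and regenerates the session
    before ``login_user``. All failures show the same generic message so the
    response does not reveal whether the account exists; the detail goes to
    the "logins" log only.

    Returns:
        A redirect (validated ``next`` URL or the challenge listing) on
        success, otherwise the rendered login page with ``errors``.
    """
    errors = get_errors()

    if request.method != 'POST':
        db.session.close()
        return render_template('login.html', errors=errors)

    name = request.form['name']
    # Check if the user submitted an email address or a team name
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    if user is None:
        # This user just doesn't exist
        log('logins', "[{date}] {ip} - submitted invalid account information")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template('login.html', errors=errors)

    # A row with a NULL password column cannot be verified; treat it exactly
    # like a wrong password instead of handing None to the verifier.
    if user.password is None or not check_password(
        request.form['password'], user.password
    ):
        # This user exists but the password is wrong
        # NOTE(review): {name} is filled in by log() from data not visible
        # here; if that is the raw form field, a newline in it ends up in
        # the log line.
        log('logins', "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Your username or password is incorrect")
        db.session.close()
        return render_template('login.html', errors=errors)

    # New session id before the session becomes authenticated (anti-fixation).
    session.regenerate()
    login_user(user)
    log('logins', "[{date}] {ip} - {name} logged in")
    db.session.close()

    next_url = request.args.get('next')
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for('challenges.listing'))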
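def login():
    """Login by team name or e-mail with a local password (CTFd view).

    GET renders ``login.html``. POST resolves ``name`` to a ``Users`` row
    by e-mail when it validates as an address, otherwise by name, then
    checks the password with ``verify_password`` and regenerates the session
    before ``login_user``. All failures show the same generic (Russian)
    message so the response does not reveal whether the account exists; the
    detail goes to the "logins" log only.

    Returns:
        A redirect (validated ``next`` URL or the challenge listing) on
        success, otherwise the rendered login page with ``errors``.
    """
    errors = get_errors()

    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    name = request.form["name"]
    # Check if the user submitted an email address or a team name
    if validators.validate_email(name) is True:
        user = Users.query.filter_by(email=name).first()
    else:
        user = Users.query.filter_by(name=name).first()

    if user is None:
        # This user just doesn't exist
        log("logins", "[{date}] {ip} - submitted invalid account information")
        errors.append("Неверное имя пользователя или пароль")  # "incorrect username or password"
        db.session.close()
        return render_template("login.html", errors=errors)

    # A row with a NULL password column cannot be verified; treat it exactly
    # like a wrong password instead of handing None to the verifier.
    if user.password is None or not verify_password(
        request.form["password"], user.password
    ):
        # This user exists but the password is wrong
        # NOTE(review): {name} is filled in by log() from data not visible
        # here; if that is the raw form field, a newline in it ends up in
        # the log line.
        log("logins", "[{date}] {ip} - submitted invalid password for {name}")
        errors.append("Неверное имя пользователя или пароль")
        db.session.close()
        return render_template("login.html", errors=errors)

    # New session id before the session becomes authenticated (anti-fixation).
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in")
    db.session.close()

    next_url = request.args.get("next")
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for("challenges.listing"))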
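def login():
    """Log in through the HackRU registration API instead of a local password.

    POST: the ``name`` field is the HackRU e-mail. Credentials are checked
    with ``POST /authorize``; the returned token is then used with
    ``POST /read`` to fetch the registrant record, whose
    ``registration_status`` must be ``"confirmed"``. The local ``Users``
    row is looked up by e-mail and created from the record on first login.
    GET renders the form.

    Returns:
        A redirect (validated ``next`` URL or the challenge listing) on
        success, otherwise the rendered ``login.html`` with ``errors``.
    """
    errors = get_errors()

    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    email = request.form["name"]
    password = request.form["password"]
    url = "https://api.hackru.org/dev"
    unavailable = (
        "The authentication service is unavailable right now. Please try again later."
    )

    def _fail(message):
        """Render the login page with ``message`` added to ``errors``."""
        errors.append(message)
        db.session.close()
        return render_template("login.html", errors=errors)

    def _api_post(path, payload):
        """POST ``payload`` as a JSON body; return the decoded reply, or None on failure.

        The timeout is what keeps a stalled upstream from pinning a worker.
        """
        try:
            response = requests.post(url + path, data=json.dumps(payload), timeout=10)
            return response.json()
        except (requests.RequestException, ValueError):
            return None

    auth = _api_post("/authorize", {"email": email, "password": password})
    if not isinstance(auth, dict):
        return _fail(unavailable)
    if auth.get("statusCode") != 200:
        # Credentials rejected upstream: generic message, as for a local failure.
        log("logins", "[{date}] {ip} - submitted invalid account information")
        return _fail("Your username or password is incorrect")

    try:
        token = auth["body"]["token"]
    except (KeyError, TypeError):
        token = None
    if not token:
        return _fail(unavailable)

    # Never print or log this reply: it carries the API token and the
    # registrant's personal data.
    read = _api_post(
        "/read", {"email": email, "token": token, "query": {"email": email}}
    )
    try:
        record = read["body"][0]
    except (KeyError, IndexError, TypeError):
        record = None
    if not isinstance(record, dict):
        return _fail(unavailable)

    # A missing status fails closed (treated as not confirmed).
    if record.get("registration_status") not in ["confirmed"]:
        # NOTE(review): the contact address in this message reads
        # "[email protected]" in this copy, which looks like an extraction
        # artefact; restore the real address.
        return _fail(
            "your registration status has not been confirmed. please go to hackru.org and confirm it, if issues continue contact [email protected]"
        )

    name = record.get("first_name", "") + " " + record.get("last_name", "")
    affiliation = record.get("school", "")
    website = None
    country = None

    user = Users.query.filter_by(email=email).first()
    if user is None:
        # First login: provision the local row from the API record.
        # NOTE(review): the HackRU password is stored as the local CTFd
        # password (the Users model presumably hashes it); a random unused
        # value would avoid keeping a copy of the third-party credential here.
        try:
            with app.app_context():
                user = Users(name=name, email=email, password=password)
                if website:
                    user.website = website
                if affiliation:
                    user.affiliation = affiliation
                if country:
                    user.country = country
                db.session.add(user)
                db.session.commit()
                db.session.flush()
        except Exception:
            # Typically a uniqueness clash on the display name. Report it
            # rather than logging anyone in on a row that was never created.
            db.session.rollback()
            log(
                "registrations",
                "[{date}] {ip} - could not create a local account for {email}",
                email=email,
            )
            return _fail(
                "Your account could not be created. Please contact the organizers."
            )
        log(
            "registrations",
            "[{date}] {ip} - {name} registered with {email}",
            name=user.name,
            email=user.email,
        )

    # New session id before the session becomes authenticated (anti-fixation).
    session.regenerate()
    login_user(user)
    log("logins", "[{date}] {ip} - {name} logged in", name=user.name)
    db.session.close()

    next_url = request.args.get("next")
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    return redirect(url_for("challenges.listing"))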
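def _process_user_fields(errors, affiliation, website):
    """Validate and collect the admin-defined ``UserFields`` from the form.

    Every field is read from ``request.form["fields[<id>]"]`` (stripped). A
    field named "affiliation" or "website" (case-insensitive) overrides the
    matching profile value and is not stored as a field entry. An empty
    required field appends one "Please provide all required fields" error
    and stops; a single error is enough to block the registration.

    Args:
        errors: the page error list, appended to in place.
        affiliation, website: profile values from the plain form fields.

    Returns:
        ``(entries, affiliation, website)``; ``entries`` maps field id to the
        value to persist (``bool``-coerced for boolean fields).
    """
    entries = {}
    for field in UserFields.query.all():
        value = request.form.get(f"fields[{field.id}]", "").strip()
        if field.required is True and (value is None or value == ""):
            errors.append("Please provide all required fields")
            break

        # Handle special casing of existing profile fields. This must
        # `continue`, not `break`: breaking out here skipped every field
        # declared after "affiliation"/"website", so those were neither
        # validated (required ones included) nor saved.
        if field.name.lower() == "affiliation":
            affiliation = value
            continue
        if field.name.lower() == "website":
            website = value
            continue

        if field.field_type == "boolean":
            entries[field.id] = bool(value)
        else:
            entries[field.id] = value
    return entries, affiliation, website


def register():
    """Create a local account from the registration form (CTFd view).

    Already-authenticated users are sent to the challenge listing. GET
    renders ``register.html``. POST validates the form (name, e-mail,
    password length, optional website/country/affiliation, registration
    code, admin-defined user fields, e-mail domain whitelist), creates the
    ``Users`` row plus its ``UserFieldEntries``, logs the user in and then
    either starts e-mail verification or sends the registration
    notification, as configured.

    Returns:
        A redirect on success (``auth.confirm`` when verification is
        required, else the validated ``next`` URL, the team page in teams
        mode, or the challenge listing); otherwise the rendered form with
        ``errors``.
    """
    errors = get_errors()
    if current_user.authed():
        return redirect(url_for("challenges.listing"))

    if request.method != "POST":
        return render_template("register.html", errors=errors)

    name = request.form.get("name", "").strip()
    email_address = request.form.get("email", "").strip().lower()
    # NOTE(review): the password is whitespace-stripped here; if the login
    # view compares the raw submission, a password with leading/trailing
    # spaces can never be verified.
    password = request.form.get("password", "").strip()
    website = request.form.get("website")
    affiliation = request.form.get("affiliation")
    country = request.form.get("country")
    registration_code = request.form.get("registration_code", "")

    name_len = len(name) == 0
    names = Users.query.add_columns("name", "id").filter_by(name=name).first()
    emails = (
        Users.query.add_columns("email", "id").filter_by(email=email_address).first()
    )
    pass_short = len(password) == 0
    pass_long = len(password) > 128
    valid_email = validators.validate_email(email_address)
    team_name_email_check = validators.validate_email(name)

    if get_config("registration_code"):
        # Case-insensitive match against the configured code.
        if (
            registration_code.lower()
            != get_config("registration_code", default="").lower()
        ):
            errors.append("The registration code you entered was incorrect")

    # Process additional user fields (may override affiliation/website).
    entries, affiliation, website = _process_user_fields(errors, affiliation, website)

    if country:
        try:
            validators.validate_country_code(country)
            valid_country = True
        except ValidationError:
            valid_country = False
    else:
        valid_country = True

    valid_website = validators.validate_url(website) if website else True
    valid_affiliation = len(affiliation) < 128 if affiliation else True

    if not valid_email:
        errors.append("Please enter a valid email address")
    if email.check_email_is_whitelisted(email_address) is False:
        errors.append(
            "Only email addresses under {domains} may register".format(
                domains=get_config("domain_whitelist")
            )
        )
    if names:
        errors.append("该用户名已被使用")  # username already taken
    if team_name_email_check is True:
        errors.append("您的用户名不能是电子邮件地址")  # username must not be an e-mail address
    if emails:
        errors.append("电子邮件地址已被使用")  # e-mail address already taken
    if pass_short:
        errors.append("密码长度不够")  # password too short
    if pass_long:
        errors.append("密码过长")  # password too long
    if name_len:
        errors.append("用户名长度不够")  # username too short
    if valid_website is False:
        errors.append("Blog/网站 必须是以http或https开头的正确URL")  # website must be an http(s) URL
    if valid_country is False:
        errors.append("无效的地区")  # invalid country
    if valid_affiliation is False:
        errors.append("单位/组织 过长")  # affiliation too long

    if len(errors) > 0:
        # NOTE(review): the submitted password is handed back to the template
        # context here; make sure register.html does not render it into the
        # page.
        return render_template(
            "register.html",
            errors=errors,
            name=request.form["name"],
            email=request.form["email"],
            password=request.form["password"],
        )

    with app.app_context():
        user = Users(name=name, email=email_address, password=password)
        if website:
            user.website = website
        if affiliation:
            user.affiliation = affiliation
        if country:
            user.country = country
        db.session.add(user)
        db.session.commit()
        db.session.flush()

        # Custom field values can only be persisted once the user row has an id.
        for field_id, value in entries.items():
            entry = UserFieldEntries(field_id=field_id, value=value, user_id=user.id)
            db.session.add(entry)
        db.session.commit()

        login_user(user)

        if config.can_send_mail() and get_config("verify_emails"):
            # Confirming users is enabled and we can send email. Decided
            # before ``next`` is honoured so the verification mail is always
            # sent (a ``next`` redirect used to skip it entirely).
            log(
                "registrations",
                format="[{date}] {ip} - {name} registered (UNCONFIRMED) with {email}",
                name=user.name,
                email=user.email,
            )
            email.verify_email_address(user.email)
            db.session.close()
            return redirect(url_for("auth.confirm"))

        # Don't care about confirming users
        if config.can_send_mail():
            # We want to notify the user that they have registered.
            email.successful_registration_notification(user.email)

    # Every completed registration is logged, ``next`` or not.
    log(
        "registrations",
        format="[{date}] {ip} - {name} registered with {email}",
        name=user.name,
        email=user.email,
    )
    db.session.close()

    next_url = request.args.get("next")
    if next_url and validators.is_safe_url(next_url):
        return redirect(next_url)
    if is_teams_mode():
        return redirect(url_for("teams.private"))
    return redirect(url_for("challenges.listing"))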
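def _ldap_user_dn(uid):
    """Return the bind DN ``uid=<uid>,<type_dn>,<base_dn>`` for ``uid``.

    ``uid`` comes straight from the login form, so its RDN value is escaped
    per RFC 4514 first (``escape_rdn``, ldap3 >= 2.5); unescaped, characters
    such as ``,`` or ``+`` would let the client change which entry it binds
    as.
    """
    from ldap3.utils.dn import escape_rdn

    return "uid=" + escape_rdn(uid) + "," + settings["type_dn"] + "," + settings["base_dn"]


def _ldap_bind(uid, password):
    """Open a TLS-protected connection to the directory and simple-bind as ``uid``.

    Returns the bound ``ldap3.Connection``, or None when the directory
    rejected the credentials. Raises if the connection or StartTLS fails,
    so a bind is never attempted over a plaintext socket.
    """
    use_ssl = settings["encryption"] == "ssl"
    server = ldap3.Server(
        settings["host"],
        port=settings["port"],
        use_ssl=use_ssl,
        get_info=ldap3.ALL,
    )
    conn = ldap3.Connection(
        server,
        user=_ldap_user_dn(uid),
        password=password,
        auto_bind="NONE",
        version=3,
        authentication="SIMPLE",
        client_strategy="SYNC",
        auto_referrals=True,
        check_names=True,
        read_only=False,
        lazy=False,
        raise_exceptions=False,
    )
    try:
        # StartTLS for confidentiality before the bind. Skipped on an LDAPS
        # socket, which is already encrypted; on a plain socket a False
        # return is a failure, not something to bind through.
        if not use_ssl and not conn.start_tls():
            raise RuntimeError("StartTLS was not established")
        bound = conn.bind()
    except Exception:
        conn.unbind()
        raise
    if not bound:
        # Tip: if login isn't working check 'type_dn' in settings; the DN
        # assumes all people sit under 'ou=people'. conn.result holds the
        # server's reason for troubleshooting.
        conn.unbind()
        return None
    return conn


def _ldap_lookup_email(conn, uid):
    """Search for ``uid`` and return its first ``mail`` value, or None.

    ``settings["request"]`` is a filter template with one ``{}`` slot. The
    uid is filter-escaped (RFC 4515) before substitution so form input
    cannot rewrite the filter. Some directories hold several entries for one
    username, so the first entry with a non-empty ``mail`` wins.

    Raises:
        KeyError: an entry's attributes lack the ``mail`` key.
    """
    from ldap3.utils.conv import escape_filter_chars

    ldap_request = settings["request"].format(escape_filter_chars(uid))
    conn.search(settings["base_dn"], ldap_request, attributes=["cn", "mail"])
    for entry in conn.response:
        attributes = entry.get("attributes")
        if not attributes:
            continue  # e.g. referral entries carry no attributes
        if attributes["mail"] != []:
            return attributes["mail"][0]
    return None


def login():
    """LDAP-backed login (CTFd login view).

    POST: the submitted name, stripped and lower-cased, is bound against the
    directory as ``uid=<name>,<type_dn>,<base_dn>`` with the submitted
    password. A matching local ``Users`` row is logged in; otherwise the
    directory is searched for the account's ``mail`` attribute and a local
    row is created with a random, unusable password. GET renders the form.

    The local lookup uses the same normalised name that the registration
    path stores in ``Users.name``, so a returning user is found however they
    capitalise their login.

    Returns:
        A redirect (validated ``next`` URL, the team page after a first
        login in teams mode, or the challenge listing) on success; otherwise
        the rendered ``login.html`` with ``errors``.
    """
    errors = get_errors()

    if request.method != "POST":
        db.session.close()
        return render_template("login.html", errors=errors)

    def _fail(message):
        """Render the login page with ``message`` added to ``errors``."""
        errors.append(message)
        db.session.close()
        return render_template("login.html", errors=errors)

    submitted = request.form["name"]
    password = request.form["password"]
    # Normalised directory login; also what the registration path stores.
    uid = submitted.strip().lower()

    # Check if the user submitted an email address or username
    if validators.validate_email(submitted) is True:
        user = Users.query.filter_by(email=submitted).first()
        # A first login has to use the directory username, not the e-mail.
        errors.append("Use your username instead of email for first login")
    else:
        user = Users.query.filter_by(name=uid).first()

    # An empty simple-bind password is an anonymous bind on most directories
    # and would "succeed"; refuse it before touching LDAP.
    if password.rstrip() == "":
        return _fail("Empty passwordfield")

    try:
        conn = _ldap_bind(uid, password)
    except Exception as e:
        # Host and exception text stay in the server log; the user gets a
        # generic message so the directory configuration is not disclosed.
        log(
            "logins",
            "[{date}] {ip} - LDAP connection to {host} failed: {error}",
            host=settings["host"],
            error=str(e),
        )
        return _fail(
            "Can't connect to the authentication server. Please try again later."
        )

    if conn is None:
        log("logins", "[{date}] {ip} - submitted invalid password for {name}", name=uid)
        return _fail("Your username or password is incorrect")

    # From here on the credentials matched a directory entry.
    try:
        if user:
            # Returning user.
            session.regenerate()
            login_user(user)
            log("logins", "[{date}] {ip} - {name} logged in", name=user.name)
            db.session.close()
            next_url = request.args.get("next")
            if next_url and validators.is_safe_url(next_url):
                return redirect(next_url)
            return redirect(url_for("challenges.listing"))

        # First login: fetch the e-mail address from the directory.
        try:
            email = _ldap_lookup_email(conn, uid)
        except KeyError as e:
            return _fail("Can't get field " + str(e) + " from your LDAP server")
        except Exception as e:
            log(
                "logins",
                "[{date}] {ip} - LDAP search for {name} failed: {error}",
                name=uid,
                error=str(e),
            )
            return _fail("Can't get your user data from the LDAP server")
    finally:
        # Release the bound connection on every path, including the
        # returning-user path that used to leave it open.
        conn.unbind()

    if email is None:
        # Without a mail attribute there is nothing to register; say so
        # instead of failing later on an unset name.
        return _fail(
            "No e-mail address is recorded for your account in the LDAP server"
        )

    # Add the new user to the DB
    with app.app_context():
        # A random password only because the column is required; it keeps
        # the account out of reach of a conventional password login.
        # NOTE(review): that holds only if randomString() is cryptographically
        # strong (e.g. built on the secrets module) - confirm.
        dummy_password = randomString(28)
        user = Users(name=uid, email=email, password=dummy_password)
        db.session.add(user)
        db.session.commit()
        db.session.flush()
        # New session id before the session becomes authenticated, same as
        # on the returning-user path.
        session.regenerate()
        login_user(user)
        log(
            "registrations",
            "[{date}] {ip} - {name} registered with {email}",
            name=user.name,
            email=user.email,
        )
        db.session.close()
        if is_teams_mode():
            return redirect(url_for("teams.private"))
        return redirect(url_for("challenges.listing"))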