コード例 #1
ファイル: profile.py プロジェクト: ColdSauce/FIRSTMastery
def profile_password():
  """Show and process the password form of the currently signed-in user.

  Aborts with HTTP 418 when email authentication is switched off in the
  configuration. A submission that ends without errors saves the user and
  redirects to the profile page; anything else re-renders the form.
  """
  if not config.CONFIG_DB.has_email_authentication:
    flask.abort(418)
  user_db = auth.current_user_db()
  form = ProfilePasswordForm(obj=user_db)

  if form.validate_on_submit():
    rejected = False
    current = form.old_password.data
    replacement = form.new_password.data
    if replacement or current:
      # The current password is only checked when a hash is already stored.
      # NOTE(review): `!=` on digests is not a constant-time comparison, and
      # util.password_hash is not visible here - confirm it is a salted, slow
      # password hash.
      stored = user_db.password_hash
      if stored and util.password_hash(user_db, current) != stored:
        form.old_password.errors.append('Invalid current password')
        rejected = True
      if current and not replacement and not rejected:
        form.new_password.errors.append('This field is required.')
        rejected = True

      if not form.errors and not rejected:
        user_db.password_hash = util.password_hash(user_db, replacement)
        flask.flash('Your password has been changed.', category='success')

    if not form.errors and not rejected:
      user_db.put()
      return flask.redirect(flask.url_for('profile'))

  page = dict(
      title=user_db.name,
      html_class='profile-password',
      form=form,
      user_db=user_db,
    )
  return flask.render_template('profile/profile_password.html', **page)
コード例 #2
 def create_admin(cls):
     """Instantiate `cls` as a mock admin account; nothing is returned."""
     # NOTE(review): a fixed, trivially guessable password on an account with
     # admin=True - confirm this mock data can never be created outside of
     # development or test environments.
     admin_fields = dict(
         username='******',
         password_hash=util.password_hash('123456'),
         admin=True,
         verified=True,
         active=True,
     )
     cls(**admin_fields)
コード例 #3
ファイル: user.py プロジェクト: ssxenon01/music-app
def user_activate(token):
    """Let the holder of an activation token set a password and sign in.

    A signed-in visitor is logged out first and sent back to the same URL.
    An unknown token flashes an error and redirects to the welcome page.
    """
    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    user_db = model.User.get_by('token', token)
    if not user_db:
        flask.flash(u'Холбоос буруу эсвэл хугацаа нь дууссан байна.',
                    category='danger')
        return flask.redirect(flask.url_for('welcome'))

    form = UserActivateForm(obj=user_db)
    if not form.validate_on_submit():
        return flask.render_template(
            'user/user_activate.html',
            title=u'Дансаа идэвхижүүлэх',
            html_class='user-activate',
            user_db=user_db,
            form=form,
        )

    # NOTE(review): populate_obj copies every form field onto the user entity;
    # the fields of UserActivateForm are not visible here - confirm none of
    # them maps to a privileged attribute.
    form.populate_obj(user_db)
    user_db.password_hash = util.password_hash(user_db, form.password.data)
    # A fresh token replaces the one from the link, so the link stops matching
    # this user once it has been used.
    user_db.token = util.uuid()
    user_db.verified = True
    user_db.put()
    return auth.signin_user_db(user_db)
コード例 #4
ファイル: user.py プロジェクト: ssxenon01/music-app
def user_reset(token=None):
    """Let the holder of a reset token choose a new password and sign in.

    An unknown token flashes an error and redirects to the welcome page. A
    signed-in visitor with a matching token is logged out and sent back to
    the same URL before the form is shown.
    """
    # NOTE(review): with the default token=None this becomes
    # get_by('token', None); confirm no stored user can match an empty token.
    # No token age check is visible in this function either, although the
    # message mentions expiry - confirm it is enforced elsewhere.
    user_db = model.User.get_by('token', token)
    if not user_db:
        flask.flash(u'Холбоос буруу эсвэл хугацаа нь дууссан байна.',
                    category='danger')
        return flask.redirect(flask.url_for('welcome'))

    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    form = UserResetForm()
    if not form.validate_on_submit():
        return flask.render_template(
            'user/user_reset.html',
            title=u'Нууц үгээ солих',
            html_class='user-reset',
            form=form,
            user_db=user_db,
        )

    new_hash = util.password_hash(user_db, form.new_password.data)
    user_db.password_hash = new_hash
    # Rotating the token makes the reset link single-use; the reset also
    # marks the account as verified.
    user_db.token = util.uuid()
    user_db.verified = True
    user_db.put()
    flask.flash(u'Таны нууц үг амжилттай солигдлоо.', category='success')
    return auth.signin_user_db(user_db)
コード例 #5
def user_activate(token):
    """Activate the account that owns `token` once a password is submitted.

    Signed-in visitors are logged out and redirected to the same path. An
    unknown token flashes an error and redirects to the welcome page. On a
    valid form the user is saved as verified and signed in.
    """
    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    user_db = model.User.get_by('token', token)
    if not user_db:
        flask.flash('That link is either invalid or expired.',
                    category='danger')
        return flask.redirect(flask.url_for('welcome'))

    form = UserActivateForm(obj=user_db)
    if form.validate_on_submit():
        # NOTE(review): populate_obj writes every form field to the entity;
        # confirm UserActivateForm exposes no privileged attribute.
        form.populate_obj(user_db)
        chosen = form.password.data
        user_db.password_hash = util.password_hash(user_db, chosen)
        # The used token is replaced so the activation link cannot be replayed.
        user_db.token = util.uuid()
        user_db.verified = True
        user_db.put()
        return auth.signin_user_db(user_db)

    page = dict(
        title='Activate Account',
        html_class='user-activate',
        user_db=user_db,
        form=form,
    )
    return flask.render_template('user/user_activate.html', **page)
コード例 #6
ファイル: app.py プロジェクト: 20centaurifux/meat-a
	def activate_user(self, id, code):
		"""Activate a pending account request and queue a mail with its password.

		Raises NotFoundException when the request id is unknown and
		InvalidRequestCodeException when `code` does not match the stored
		request code. Returns (username, email, generated password).
		"""
		with self.__create_db_connection__() as conn, conn.enter_scope() as scope:
			# find request id & test code:
			if not self.__user_db.user_request_id_exists(scope, id):
				raise exception.NotFoundException("Request not found.")

			pending = self.__user_db.get_user_request(scope, id)

			# NOTE(review): `!=` is not a constant-time comparison of the code.
			if pending["request_code"] != code:
				raise exception.InvalidRequestCodeException()

			# activate user account:
			password = util.generate_junk(config.DEFAULT_PASSWORD_LENGTH, secure=True)
			salt = util.generate_junk(config.PASSWORD_SALT_LENGTH, secure=True)
			hashed = util.password_hash(password, salt)

			user_id = self.__user_db.activate_user(scope, id, code, hashed, salt)

			# generate mail:
			# The generated password is bound into the mail template and is
			# also returned to the caller, both in clear text.
			mail = template.AccountActivatedMail(config.DEFAULT_LANGUAGE)
			mail.bind(username=pending["username"], password=password)
			subject, body = mail.render()

			self.__mail_db.push_user_mail(scope, subject, body, user_id)

			mailer.ping(config.MAILER_HOST, config.MAILER_PORT)

			scope.complete()

			return pending["username"], pending["email"], password
コード例 #7
ファイル: user.py プロジェクト: mdxs/gae-init-babel
def user_reset(token=None):
  """Reset the password of the user that owns `token`, then sign them in.

  An unknown token flashes an error and redirects to the welcome page; a
  signed-in visitor is logged out and redirected to the same path.
  """
  # NOTE(review): the default token=None turns this into get_by('token', None)
  # - confirm no stored user can match an empty token.
  user_db = model.User.get_by('token', token)
  if not user_db:
    flask.flash(__('That link is either invalid or expired.'), category='danger')
    return flask.redirect(flask.url_for('welcome'))

  if auth.is_logged_in():
    login.logout_user()
    return flask.redirect(flask.request.path)

  form = UserResetForm()
  if not form.validate_on_submit():
    return flask.render_template(
        'user/user_reset.html',
        title='Reset Password',
        html_class='user-reset',
        form=form,
        user_db=user_db,
      )

  user_db.password_hash = util.password_hash(user_db, form.new_password.data)
  # The token is rotated, so the reset link stops matching this user after use.
  user_db.token = util.uuid()
  user_db.verified = True
  user_db.put()
  flask.flash(__('Your password was changed succesfully.'), category='success')
  return auth.signin_user_db(user_db)
コード例 #8
ファイル: app.py プロジェクト: 20centaurifux/meat-a
	def change_password(self, username, old_password, new_password1, new_password2):
		"""Replace a user's password after checking the old one and queue a notice mail.

		Raises InvalidParameterException when the new password fails validation
		or the two copies differ, and WrongPasswordException when
		`old_password` does not validate for `username`.
		"""
		# validate passwords:
		if not validate_password(new_password1):
			raise exception.InvalidParameterException("new_password1")

		if new_password1 != new_password2:
			raise exception.InvalidParameterException("new_password2")

		# change password:
		with self.__create_db_connection__() as conn, conn.enter_scope() as scope:
			self.__test_active_user__(scope, username)

			if not self.__validate_password__(scope, username, old_password):
				raise exception.WrongPasswordException()

			# A new salt is generated for every password change.
			salt = util.generate_junk(config.PASSWORD_SALT_LENGTH, secure=True)
			hashed = util.password_hash(new_password1, salt)

			self.__user_db.update_user_password(scope, username, hashed, salt)

			# generate mail:
			account = self.__user_db.get_user(scope, username)

			mail = template.PasswordChangedMail(self.__get_language__(account))
			mail.bind(username=username)
			subject, body = mail.render()

			self.__mail_db.push_user_mail(scope, subject, body, account["id"])

			mailer.ping(config.MAILER_HOST, config.MAILER_PORT)

			scope.complete()
コード例 #9
ファイル: user.py プロジェクト: mdxs/gae-init-babel
def user_activate(token):
  """Let the holder of an activation token set a password and sign in.

  A signed-in visitor is logged out first and redirected to the same path.
  An unknown token flashes an error and redirects to the welcome page.
  """
  if auth.is_logged_in():
    login.logout_user()
    return flask.redirect(flask.request.path)

  user_db = model.User.get_by('token', token)
  if not user_db:
    flask.flash(__('That link is either invalid or expired.'), category='danger')
    return flask.redirect(flask.url_for('welcome'))

  form = UserActivateForm(obj=user_db)
  if not form.validate_on_submit():
    return flask.render_template(
        'user/user_activate.html',
        title='Activate Account',
        html_class='user-activate',
        user_db=user_db,
        form=form,
      )

  # NOTE(review): populate_obj copies every form field onto the entity; the
  # form definition is not visible here - confirm it holds no privileged field.
  form.populate_obj(user_db)
  user_db.password_hash = util.password_hash(user_db, form.password.data)
  # Replacing the token invalidates the activation link after its first use.
  user_db.token = util.uuid()
  user_db.verified = True
  user_db.put()
  return auth.signin_user_db(user_db)
コード例 #10
def user_reset(token=None):
    """Set a new password for the user that owns `token` and sign them in.

    An unknown token flashes an error and redirects to the welcome page. A
    signed-in visitor is logged out and redirected to the same path.
    """
    # NOTE(review): no token age check is visible here although the message
    # mentions expiry - confirm expiry is enforced where tokens are issued.
    user_db = model.User.get_by('token', token)
    if not user_db:
        flask.flash('That link is either invalid or expired.',
                    category='danger')
        return flask.redirect(flask.url_for('welcome'))

    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    form = UserResetForm()
    if form.validate_on_submit():
        submitted = form.new_password.data
        user_db.password_hash = util.password_hash(user_db, submitted)
        # Rotate the token so the same link cannot reset the password twice.
        user_db.token = util.uuid()
        user_db.verified = True
        user_db.put()
        flask.flash('Your password was changed succesfully.',
                    category='success')
        return auth.signin_user_db(user_db)

    page = dict(
        title='Reset Password',
        html_class='user-reset',
        form=form,
        user_db=user_db,
    )
    return flask.render_template('user/user_reset.html', **page)
コード例 #11
def create_user_db(auth_id, username, email, verified, password, **props):
    """Create, store and return a new user entity.

    Args:
        auth_id: Stored as the single entry of `auth_ids` when truthy,
            otherwise `auth_ids` is an empty list.
        username: Lower-cased before it is stored.
        email: Lower-cased before it is stored.
        verified: Stored unchanged as the `verified` flag.
        password: Hashed with util.password_hash when truthy; a falsy value
            is stored as-is in `password_hash`.
        **props: Passed through to the model.User constructor.
    """
    # NOTE(review): util.password_hash is called with the password only;
    # confirm it applies a salt and a slow hash internally.
    stored_hash = util.password_hash(password) if password else password

    fields = dict(
        email=email.lower(),
        username=username.lower(),
        auth_ids=[auth_id] if auth_id else [],
        verified=verified,
        token=util.uuid(),
        password_hash=stored_hash,
    )
    user_db = model.User(**dict(fields, **props))
    user_db.put()
    task.new_user_notification(user_db)
    return user_db
コード例 #12
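def appRequest(environ, start_response):
    """Check base64-encoded credentials from the POST body and issue a session key.

    The body is read as ``b64(username)|b64(password)``. Returns a one-element
    list holding the new session id as ASCII bytes, or ``[b"INVAL"]`` when the
    body is malformed or no user row matches.
    """
    # NOTE(review): WSGI defines start_response(status, headers, exc_info);
    # HEADERS_TEXT lands in the exc_info slot here, so it is probably not sent
    # as response headers - confirm the intended call.
    start_response('200 OK', HEADERS_CORS, HEADERS_TEXT)
    credentials = util.get_raw_post(environ).split(b"|")
    try:
        username = base64.b64decode(credentials[0]).decode("utf-8")
        secret = base64.b64decode(credentials[1]).decode("utf-8")
    except (IndexError, ValueError):
        # A body without the "|" separator, with broken base64 padding or with
        # non-UTF-8 bytes is answered like a failed login instead of
        # surfacing as an unhandled exception.
        return [b"INVAL"]
    # NOTE(review): the hash is computed from the password alone and matched
    # inside the SQL query; confirm util.password_hash is salted and slow.
    password = util.password_hash(secret)
    # Both values are bound as query parameters, not formatted into the SQL.
    q = storage.sql("select id from users where username=? and password=?", (username, password))
    if q:
        sessid = util.new_session_key()
        storage.sql("update users set sessid=? where id=?", (sessid, q[0]["id"]))
        return [bytes(sessid, "ascii")]
    else:
        return [b"INVAL"]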
コード例 #13
ファイル: user_api.py プロジェクト: derasd/woTravel
 def post(self, key):
     """Change the password of the user held in g.model_db.

     Raises ValueError when a password hash is stored and the supplied
     current password does not match it.
     """
     # NOTE(review): `key` is not used in this body; which account g.model_db
     # holds and who may change it is decided outside this method - confirm.
     req_parser = reqparse.RequestParser()
     req_parser.add_argument(
         'currentPassword',
         type=UserValidator.create('password', required=False),
         dest='current_password')
     req_parser.add_argument(
         'newPassword',
         type=UserValidator.create('password'),
         dest='new_password')
     args = req_parser.parse_args()
     # Users who signed up via social networks have an empty password_hash,
     # so they are allowed to set a password without supplying a current one.
     account = g.model_db
     has_stored_password = account.password_hash != ''
     if has_stored_password and not account.has_password(args.current_password):
         raise ValueError('Given password is incorrect.')
     account.password_hash = util.password_hash(args.new_password)
     account.put()
     return make_empty_ok_response()
コード例 #14
    def get_by_credentials(cls, email_or_username, password):
        """Return the user matching the login name and password, else None."""
        try:
            # Evaluated only to see whether comparing against the email
            # property raises ValueError; the result is discarded.
            # NOTE(review): presumably the property rejects values that are
            # not email addresses - confirm.
            email_or_username == User.email
        except ValueError:
            lookup = email_or_username == User.username
        else:
            lookup = email_or_username == User.email
        candidate = User.query(lookup).get()

        if not candidate:
            return None
        # NOTE(review): `==` on digests is not constant-time, and the hash is
        # derived from the password alone - confirm util.password_hash salts it.
        if candidate.password_hash == util.password_hash(password):
            return candidate
        return None
コード例 #15
ファイル: user.py プロジェクト: derasd/woTravel
    def get_by_credentials(cls, email_or_username, password):
        """Look a user up by email or username and check the password.

        Returns the user entity when the stored hash equals the hash of
        `password`, otherwise None.
        """
        try:
            # Probe comparison: its only purpose is to find out whether the
            # email property raises ValueError for this value.
            email_or_username == User.email
        except ValueError:
            query_filter = email_or_username == User.username
        else:
            query_filter = email_or_username == User.email
        found = User.query(query_filter).get()

        # NOTE(review): no hash is computed when no user is found, so the two
        # failure paths differ in work done; `==` is also not constant-time.
        matches = bool(found) and found.password_hash == util.password_hash(password)
        return found if matches else None
コード例 #16
def profile_password():
    """Show and process the password form of the currently signed-in user.

    Aborts with HTTP 418 when email authentication is disabled. Users with
    no stored password hash get the form without its old-password field.
    """
    if not config.CONFIG_DB.has_email_authentication:
        flask.abort(418)
    user_db = auth.current_user_db()
    form = ProfilePasswordForm(obj=user_db)

    # Without a stored hash there is nothing to verify, so the field is dropped.
    if not user_db.password_hash:
        del form.old_password

    if form.validate_on_submit():
        rejected = False
        if form.old_password:
            current = form.old_password.data
        else:
            current = None
        replacement = form.new_password.data
        if replacement or current:
            # NOTE(review): `!=` on digests is not a constant-time comparison.
            stored = user_db.password_hash
            if stored and util.password_hash(user_db, current) != stored:
                form.old_password.errors.append(
                    _('Invalid current password'))
                rejected = True

            # NOTE(review): an empty new password is not rejected here; this
            # relies on ProfilePasswordForm (not visible) requiring the
            # field - confirm.
            if not form.errors and not rejected:
                user_db.password_hash = util.password_hash(
                    user_db, replacement)
                flask.flash(__('Your password has been changed.'),
                            category='success')

        if not form.errors and not rejected:
            user_db.put()
            return flask.redirect(flask.url_for('profile'))

    page = dict(
        title=user_db.name,
        html_class='profile-password',
        form=form,
        user_db=user_db,
    )
    return flask.render_template('profile/profile_password.html', **page)
コード例 #17
ファイル: profile.py プロジェクト: ssxenon01/music-app
def profile_password():
    """Show and process the password form of the currently signed-in user.

    Aborts with HTTP 418 when email authentication is disabled. A submission
    that ends without errors saves the user and redirects to the profile
    page; anything else re-renders the form.
    """
    if not config.CONFIG_DB.has_email_authentication:
        flask.abort(418)
    user_db = auth.current_user_db()
    form = ProfilePasswordForm(obj=user_db)

    if form.validate_on_submit():
        failed = False
        old_value = form.old_password.data
        new_value = form.new_password.data
        if new_value or old_value:
            # The old password is only verified when a hash is stored.
            # NOTE(review): `!=` on digests is not constant-time; confirm
            # util.password_hash (not visible here) is salted and slow.
            existing_hash = user_db.password_hash
            if existing_hash:
                supplied_hash = util.password_hash(user_db, old_value)
                if supplied_hash != existing_hash:
                    form.old_password.errors.append(
                        u'Одоо ашиглагдаж буй нууц үг буруу байна')
                    failed = True
            if old_value and not new_value and not failed:
                form.new_password.errors.append('This field is required.')
                failed = True

            if not form.errors and not failed:
                user_db.password_hash = util.password_hash(
                    user_db, new_value)
                flask.flash(u'Таны нууц үг солигдсон.', category='success')

        if not form.errors and not failed:
            user_db.put()
            return flask.redirect(flask.url_for('profile'))

    return flask.render_template(
        'profile/profile_password.html',
        title=user_db.name,
        html_class='profile-password',
        form=form,
        user_db=user_db,
    )
コード例 #18
ファイル: auth.py プロジェクト: hyorkim11/gae-init
def get_user_db_from_email(email, password):
  """Return the active user with this email if the password matches.

  Returns None when no active user has the email or the password is wrong,
  and False when more than one active user shares the email (a notice is
  flashed and a conflict notification task is triggered).
  """
  matches, _cursors = model.User.get_dbs(email=email, active=True, limit=2)
  if not matches:
    return None
  if len(matches) > 1:
    flask.flash('''We are sorry but it looks like there is a conflict with
        your account. Our support team is already informed and we will get
        back to you as soon as possible.''', category='danger')
    task.email_conflict_notification(email)
    return False

  candidate = matches[0]
  # NOTE(review): `==` on digests is not a constant-time comparison.
  supplied_hash = util.password_hash(candidate, password)
  return candidate if candidate.password_hash == supplied_hash else None
コード例 #19
ファイル: auth.py プロジェクト: c0debrain/gae-init
  def post(self):
    """Sign a user in from the `username` (or `email`) and `password` params.

    Aborts with 400 when either value is missing and with 401 when no user
    matches or the password hash differs.
    """
    username = util.param('username') or util.param('email')
    password = util.param('password')
    if not (username and password):
      return flask.abort(400)

    # An "@" anywhere after the first character selects the email lookup.
    lookup_field = 'email' if username.find('@') > 0 else 'username'
    user_db = model.User.get_by(lookup_field, username.lower())

    # NOTE(review): no attempt throttling is visible in this handler - confirm
    # it is enforced elsewhere. `==` on digests is not constant-time.
    if not user_db or not (user_db.password_hash == util.password_hash(user_db, password)):
      return flask.abort(401)
    auth.signin_user_db(user_db)
    return helpers.make_response(user_db, model.User.FIELDS)
コード例 #20
ファイル: auth.py プロジェクト: pombredanne/github-stats
def get_user_db_from_email(email, password):
  """Look up the active user for `email` and verify `password`.

  Returns the user entity on a match, None when there is no active user or
  the password is wrong, and False when the email belongs to more than one
  active user.
  """
  found, _unused_cursors = model.User.get_dbs(email=email, active=True, limit=2)
  if not found:
    return None
  # limit=2 is enough to tell a unique match from a duplicated email.
  if len(found) > 1:
    flask.flash('''We are sorry but it looks like there is a conflict with
        your account. Our support team is already informed and we will get
        back to you as soon as possible.''', category='danger')
    task.email_conflict_notification(email)
    return False

  account = found[0]
  # NOTE(review): util.password_hash is not visible here; confirm it is a
  # salted, slow password hash. `==` is not a constant-time comparison.
  if account.password_hash != util.password_hash(account, password):
    return None
  return account
コード例 #21
ファイル: auth_api.py プロジェクト: sidharta/hansel-app
 def post(self):
     """Set a new password for the user that owns the submitted token.

     The user is written with put_async() and signed in; the original comment
     attributes the parallel write to an ndb.toplevel decorator, which is
     outside this excerpt.
     """
     req_parser = reqparse.RequestParser()
     req_parser.add_argument('token', type=UserValidator.create('token'))
     req_parser.add_argument('newPassword', type=UserValidator.create('password'), dest='new_password')
     params = req_parser.parse_args()
     # NOTE(review): get_by's result is used without a None check; presumably
     # the 'token' validator already rejects unknown tokens - confirm.
     user_db = User.get_by('token', params.token)
     user_db.password_hash = util.password_hash(params.new_password)
     # The token is replaced, so the submitted one stops matching this user.
     user_db.token = util.uuid()
     user_db.verified = True
     user_db.put_async()
     auth.signin_user_db(user_db)
     # NOTE(review): the response includes the user's private properties;
     # confirm none of them is a secret such as the password hash or token.
     return user_db.to_dict(include=User.get_private_properties())
コード例 #22
    def post(self):
        """Authenticate by username or email plus password and sign the user in.

        Aborts with 400 when a credential is missing, 401 when it is wrong.
        """
        login_name = util.param('username') or util.param('email')
        password = util.param('password')
        if not login_name or not password:
            return flask.abort(400)

        normalized = login_name.lower()
        if login_name.find('@') > 0:
            user_db = model.User.get_by('email', normalized)
        else:
            user_db = model.User.get_by('username', normalized)

        if not user_db:
            return flask.abort(401)
        # NOTE(review): `==` on digests is not a constant-time comparison, and
        # the unknown-user path above returns without hashing anything.
        if user_db.password_hash == util.password_hash(user_db, password):
            auth.signin_user_db(user_db)
            return helpers.make_response(user_db, model.User.FIELDS)
        return flask.abort(401)
コード例 #23
ファイル: auth_api.py プロジェクト: jacraven/lsiapp
 def post(self):
     """Store a new password for the token's owner, sign them in, return the user.

     The write is started with put_async(); the original comment says an
     ndb.toplevel decorator (not part of this excerpt) lets it run alongside
     the sign-in.
     """
     arg_parser = reqparse.RequestParser()
     arg_parser.add_argument('token', type=UserValidator.create('token'))
     arg_parser.add_argument('newPassword', type=UserValidator.create('password'), dest='new_password')
     submitted = arg_parser.parse_args()
     owner = User.get_by('token', submitted.token)
     # NOTE(review): `owner` would be None for a token nobody holds, and the
     # next line would then fail; confirm the validator rules that out.
     owner.password_hash = util.password_hash(submitted.new_password)
     # Rotating the token makes the submitted one single-use.
     owner.token = util.uuid()
     owner.verified = True
     owner.put_async()
     auth.signin_user_db(owner)
     private_fields = User.get_private_properties()
     return owner.to_dict(include=private_fields)
コード例 #24
ファイル: auth.py プロジェクト: erowsika/gae-init-webpack
    def post(self):
        """Sign a user in from parsed `username`/`email` and `password` arguments.

        Aborts with 400 when the login name or password is missing and with
        401 when no user matches or the password hash differs.
        """
        credentials = parser.parse({
            'username': wf.Str(missing=None),
            'email': wf.Str(missing=None),
            'password': wf.Str(missing=None),
        })
        identifier = credentials['username'] or credentials['email']
        password = credentials['password']
        if not (identifier and password):
            return flask.abort(400)

        # Any "@" in the identifier selects the email lookup.
        lookup_field = 'email' if '@' in identifier else 'username'
        user_db = model.User.get_by(lookup_field, identifier.lower())

        # NOTE(review): no attempt throttling is visible in this handler -
        # confirm it exists elsewhere. `==` on digests is not constant-time.
        authenticated = bool(user_db) and (
            user_db.password_hash == util.password_hash(user_db, password))
        if not authenticated:
            return flask.abort(401)
        auth.signin_user_db(user_db)
        return helpers.make_response(user_db, model.User.FIELDS)
コード例 #25
ファイル: app.py プロジェクト: 20centaurifux/meat-a
	def reset_password(self, id, code, new_password1, new_password2):
		"""Complete a password-reset request and queue a notification mail.

		Raises InvalidParameterException for an invalid or mismatching new
		password, NotFoundException for an unknown request id and
		InvalidRequestCodeException when `code` differs from the stored one.
		Returns (username, new_password1).
		"""
		# validate passwords:
		if not validate_password(new_password1):
			raise exception.InvalidParameterException("new_password1")

		if new_password1 != new_password2:
			raise exception.InvalidParameterException("new_password2")

		# reset password:
		with self.__create_db_connection__() as conn, conn.enter_scope() as scope:
			# find request id & test code:
			if not self.__user_db.password_request_id_exists(scope, id):
				raise exception.NotFoundException("Request not found.")

			pending = self.__user_db.get_password_request(scope, id)
			username = pending["user"]["username"]

			self.__test_active_user__(scope, username)

			# NOTE(review): `!=` is not a constant-time comparison of the code.
			if pending["request_code"] != code:
				raise exception.InvalidRequestCodeException()

			# change password (a new salt is generated for every reset):
			salt = util.generate_junk(config.PASSWORD_SALT_LENGTH, secure=True)

			hashed = util.password_hash(new_password1, salt)
			self.__user_db.reset_password(scope, id, code, hashed, salt)

			# generate mail:
			account = self.__user_db.get_user(scope, username)

			mail = template.PasswordChangedMail(self.__get_language__(account))
			mail.bind(username=username)
			subject, body = mail.render()

			self.__mail_db.push_user_mail(scope, subject, body, account["id"])

			mailer.ping(config.MAILER_HOST, config.MAILER_PORT)

			scope.complete()

			# The plaintext password is handed back to the caller.
			return username, new_password1
コード例 #26
ファイル: auth.py プロジェクト: Huijari/gae_test
def create_user_db(auth_id, name, username, email='', verified=False, password='', **props):
    """Create, store and return a new user entity.

    A truthy `password` is replaced by util.password_hash(password); the
    default empty string is stored unchanged as the password hash. The email
    is lower-cased; `auth_id` becomes the only entry of `auth_ids` when truthy.
    """
    # NOTE(review): the hash is derived from the password alone; confirm
    # util.password_hash applies a salt and a slow hash internally.
    stored_hash = util.password_hash(password) if password else password

    normalized_email = email.lower()
    linked_ids = [auth_id] if auth_id else []
    user_db = model.User(
        name=name,
        email=normalized_email,
        username=username,
        auth_ids=linked_ids,
        verified=verified,
        token=util.uuid(),
        password_hash=stored_hash,
        **props
    )
    user_db.put()
    task.new_user_notification(user_db)
    return user_db
コード例 #27
ファイル: auth.py プロジェクト: stretchhog/prfit
	def post(self):
		"""Authenticate with `username` or `email` plus `password` and sign in.

		Aborts with 400 when a credential is missing, 401 when it is wrong.
		"""
		fields = parser.parse({
			'username': wf.Str(missing=None),
			'email': wf.Str(missing=None),
			'password': wf.Str(missing=None),
		})
		login_name = fields['username'] or fields['email']
		password = fields['password']
		if not login_name or not password:
			return flask.abort(400)

		if '@' in login_name:
			lookup_field = 'email'
		else:
			lookup_field = 'username'
		user_db = model.User.get_by(lookup_field, login_name.lower())

		if not user_db:
			return flask.abort(401)
		# NOTE(review): `==` on digests is not a constant-time comparison, and
		# the unknown-user path above returns without hashing anything.
		if user_db.password_hash == util.password_hash(user_db, password):
			auth.signin_user_db(user_db)
			return helpers.make_response(user_db, model.User.FIELDS)
		return flask.abort(401)
コード例 #28
ファイル: user_api.py プロジェクト: samiazmi/pcse_web
 def post(self, key):
     """Change the password of the user held in g.model_db.

     Raises ValueError when the account has a non-empty password hash and the
     supplied current password does not match it.
     """
     arg_parser = reqparse.RequestParser()
     current_type = UserValidator.create('password', required=False)
     arg_parser.add_argument('currentPassword',
                             type=current_type,
                             dest='current_password')
     new_type = UserValidator.create('password')
     arg_parser.add_argument('newPassword',
                             type=new_type,
                             dest='new_password')
     args = arg_parser.parse_args()
     # Users who signed up via social networks have an empty password_hash, so
     # they may set a password without supplying a current one.
     # NOTE(review): only '' counts as "no password"; a None hash would go
     # through has_password() - confirm the model never stores None.
     if g.model_db.password_hash != '':
         if not g.model_db.has_password(args.current_password):
             raise ValueError('Given password is incorrect.')
     g.model_db.password_hash = util.password_hash(args.new_password)
     g.model_db.put()
     return make_empty_ok_response()
コード例 #29
ファイル: views.py プロジェクト: gmist/1businka2
def user_activate(token):
    """Activate the account that owns `token` once a password is submitted.

    Signed-in visitors are logged out and redirected to the same path; an
    unknown token flashes an error and redirects to the welcome page.
    """
    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    user_db = models.User.get_by("token", token)
    if not user_db:
        flask.flash("That link is either invalid or expired.", category="danger")
        return flask.redirect(flask.url_for("welcome"))

    form = forms.UserActivateForm(obj=user_db)
    if form.validate_on_submit():
        # NOTE(review): populate_obj writes every form field to the entity;
        # confirm UserActivateForm exposes no privileged attribute.
        form.populate_obj(user_db)
        chosen = form.password.data
        user_db.password_hash = util.password_hash(user_db, chosen)
        # Replacing the token makes the activation link single-use.
        user_db.token = util.uuid()
        user_db.verified = True
        user_db.put()
        return auth.signin_user_db(user_db)

    page = dict(title="Activate Account", html_class="user-activate", user_db=user_db, form=form)
    return flask.render_template("user/user_activate.html", **page)
コード例 #30
ファイル: views.py プロジェクト: gmist/1businka2
def user_reset(token=None):
    """Reset the password of the user that owns `token`, then sign them in.

    An unknown token flashes an error and redirects to the welcome page; a
    signed-in visitor is logged out and redirected to the same path.
    """
    # NOTE(review): the default token=None makes this get_by("token", None);
    # confirm no stored user can match an empty token.
    user_db = models.User.get_by("token", token)
    if not user_db:
        flask.flash("That link is either invalid or expired.", category="danger")
        return flask.redirect(flask.url_for("welcome"))

    if auth.is_logged_in():
        login.logout_user()
        return flask.redirect(flask.request.path)

    form = forms.UserResetForm()
    if not form.validate_on_submit():
        return flask.render_template(
            "user/user_reset.html", title="Reset Password", html_class="user-reset", form=form, user_db=user_db
        )

    user_db.password_hash = util.password_hash(user_db, form.new_password.data)
    # The token is rotated so the same link cannot be used a second time; the
    # reset also marks the account as verified.
    user_db.token = util.uuid()
    user_db.verified = True
    user_db.put()
    flask.flash("Your password was changed succesfully.", category="success")
    return auth.signin_user_db(user_db)
コード例 #31
ファイル: main.py プロジェクト: 0xFF1E071F/fools2019
def appLogin(environ, start_response):
    """Check a JSON username/password pair and hand out a new session id.

    Both outcomes answer with status 200: a JSON error for a wrong pair, or
    ``{"success": True, "sessid": ...}`` after the session id is stored.
    """
    data = util.get_json_post(environ)
    username = data.username
    # NOTE(review): the hash is derived from the password alone and matched in
    # SQL; confirm util.password_hash is salted and slow.
    password = util.password_hash(data.password)
    # Values are bound as query parameters, not formatted into the statement.
    rows = storage.sql(
        """
        SELECT id FROM users
        WHERE username = ? AND password = ?
    """, (username, password))
    if not rows:
        # NOTE(review): failed attempts are not logged in this function, so
        # only successful logins leave a trace here.
        start_response('200 OK', HEADERS_JSON + HEADERS_CORS)
        return [util.err_json("Invalid username and/or password.")]
    uid = rows[0].id
    sessid = util.new_session_key()
    message = "uid %i logged in from ip %s" % (uid, util.get_real_ip(environ))
    logger.log(TAG, message)
    storage.sql(
        """
        UPDATE users
        SET sessid = ?
        WHERE id = ?
    """, (sessid, uid))
    start_response('200 OK', HEADERS_JSON + HEADERS_CORS)
    payload = {"success": True, "sessid": sessid}
    return [util.json_bytes(payload)]
コード例 #32
ファイル: app.py プロジェクト: 20centaurifux/meat-a
	def __validate_password__(self, scope, username, password):
		"""Return True when `password`, hashed with the stored salt, equals the stored hash."""
		# NOTE(review): this reads from self.__db; confirm that is the intended
		# attribute of the enclosing class.
		stored_hash, salt = self.__db.get_user_password(scope, username)

		# NOTE(review): `==` on digests is not a constant-time comparison.
		candidate_hash = util.password_hash(password, salt)
		return candidate_hash == stored_hash
コード例 #33
ファイル: login.py プロジェクト: GrotheFAF/client
 def on_accepted(self):
     """Accept the dialog and emit the login name with the hashed password."""
     # The password field is read as typed; only the login is stripped.
     hashed_password = util.password_hash(self.passwordField.text())
     login = self.loginField.text().strip()
     self.accept()
     # NOTE(review): whatever consumes `finished` receives a digest that acts
     # as the password-equivalent secret - confirm it only travels over an
     # encrypted channel and is not logged.
     self.finished.emit(login, hashed_password)
コード例 #34
ファイル: main.py プロジェクト: 0xFF1E071F/fools2019
def appRegister(environ, start_response):
    """Validate a JSON registration request and create the user's rows.

    Every outcome answers with status 200: a JSON error for a rejected
    request, or ``{"success": True, "sessid": ...}`` after rows were inserted
    into users, progress and leaderboard.
    """
    def reject(message):
        # Validation failures are reported as a 200 response with a JSON error.
        start_response('200 OK', HEADERS_JSON + HEADERS_CORS)
        return [util.err_json(message)]

    data = util.get_json_post(environ)
    # NOTE(review): the username lookup runs before the reCAPTCHA check, so
    # "username exists" can be probed without solving the challenge. The
    # lookup and the INSERT below are separate statements; confirm the table
    # has a unique constraint on username.
    existing = storage.sql(
        """
        SELECT id FROM users WHERE username = ?
    """, (data.username, ))
    if existing:
        return reject(
            "That username already exists. Please choose a different one.")
    if not (data.username.strip() and data.password.strip()):
        return reject("Username and password may not be empty.")
    if len(data.username) > 20:
        return reject("Username is too long.")
    if len(data.message) > 150:
        return reject("Message is too long.")
    if data.password != data.password2:
        return reject("Your passwords do not match.")
    # The starter is restricted to this allow-list before it is used below.
    if data.starter not in ("CYNDAQUIL", "TOTODILE", "CHIKORITA"):
        return reject("Invalid starter choice. You dirty hacker.")
    if not util.recaptcha_verify(data.recaptcha):
        return reject(
            "Bot verification failed. Please complete the reCAPTCHA challenge. Refresh the page if you encounter any problems."
        )
    sessid = util.new_session_key()
    # NOTE(review): the hash is derived from the password alone; confirm
    # util.password_hash is salted and slow.
    storage.sql(
        """
        INSERT INTO users
        (username, password, sessid, message, fun, rtc, registered_ip)
        VALUES
        (?, ?, ?, ?, ?, 1, ?)
    """, [
            data.username,
            util.password_hash(data.password), sessid, data.message,
            util.new_fun_value(),
            util.get_real_ip(environ)
        ])
    user_id = storage.get_user_id_by_username(data.username)
    if user_id is None:
        return reject(
            "An unknown error occured (17). Try again in a few minutes.")
    save_data = util.create_starter_save()
    storage.sql(
        """
        INSERT INTO progress
        (user_id, tokens_got, tokens_used, cur_kingdom, cur_visit_started, save_blob, visited_kingdoms, starter, laylah_blessing, save_uid)
        VALUES
        (?, 0, 0, 'none', 0, ?, '[]', ?, 0, '')
    """, (user_id, json.dumps(save_data), data.starter))
    # Only the allow-listed starter name is formatted into this JSON text.
    monsters = '[{"nick":"%s","species":"%s","level":20}]' % (data.starter,
                                                              data.starter)
    storage.sql(
        """
        INSERT INTO leaderboard
        (user_id, score, achievements, highest_rank, monsters, last_update)
        VALUES
        (?, 0, '{}', (SELECT COUNT(1)+1 FROM leaderboard WHERE score >= 0), ?, ?)
    """, (user_id, monsters, util.unix_time()))
    start_response('200 OK', HEADERS_JSON + HEADERS_CORS)
    return [util.json_bytes({"success": True, "sessid": sessid})]
コード例 #35
 def has_password(self, password):
     """Return True when the hash of `password` equals the stored hash."""
     # NOTE(review): `==` on digests is not constant-time, and the hash is
     # derived from the password alone - confirm util.password_hash salts it.
     candidate_hash = util.password_hash(password)
     return self.password_hash == candidate_hash
コード例 #36
ファイル: user.py プロジェクト: derasd/woTravel
 def has_password(self, password):
     """Check `password` against this user's stored password hash."""
     stored_hash = self.password_hash
     # NOTE(review): util.password_hash is not visible here; confirm it is a
     # salted, slow password hash. `==` is not a constant-time comparison.
     return stored_hash == util.password_hash(password)
コード例 #37
ファイル: user_factory.py プロジェクト: wodore/wodore-ng
 def create_admin(cls):
     """Call `cls` with the fields of a mock admin user; nothing is returned."""
     # NOTE(review): fixed, guessable password combined with admin=True -
     # confirm this factory is only ever run against test or development data.
     mock_hash = util.password_hash('123456')
     cls(
         username='******',
         password_hash=mock_hash,
         admin=True,
         verified=True,
         active=True,
     )