def checktoken(token):
#returns if user exists, privilege, and username
try:
payload = jwt.decode(codecs.decode(token, "hex"),
'secret',
algorithms=('HS256'))
except Exception as E:
#couldn't decode, fake token
return (False, None, None)
#check if payload is valid
if not userexists(payload['username']):
return (False, None, None)
#match payload to existing token
rows = DB.query(
'logintokens',
args=
" WHERE logintokens.username = \'{u}\' AND logintokens.spice = \'{s}\'"
.format(u=payload['username'], s=payload['spice']))
if len(rows) == 1:
return (True,
DB.query('users',
columns='privilege',
args="WHERE username = \'{u}\'".format(
u=payload['username']))[0][0],
payload['username'])
return (False, None, None)
def createtoken(username):
spice = os.urandom(10).hex()
token = jwt.encode({
'username': username,
'spice': spice
},
'secret',
algorithm='HS256')
#limit of 5 tokens
preExisting = DB.query('logintokens',
args='WHERE username = \'{u}\''.format(u=username))
if len(preExisting) >= 5:
oldest = datetime.strptime(preExisting[0][2], '%Y-%m-%d %H:%M:%S.%f')
for row in preExisting:
if datetime.strptime(row[2], '%Y-%m-%d %H:%M:%S.%f') < oldest:
oldest = datetime.strptime(row[2], '%Y-%m-%d %H:%M:%S.%f')
DB.delete(
'logintokens',
'username = \'{u}\' AND time = \'{t}\''.format(u=username,
t=str(oldest)))
#store the payload in db
DB.insert("logintokens", ("\'" + username + "\'", "\'" + spice + "\'",
"\'" + str(datetime.now()) + "\'"))
return token.hex()
def createroom():
data = json.loads(request.data)
if AM.checktoken(json.loads(request.data)['token'])[1] != 'admin':
return {
'code': 'failed',
'message': 'Privilege level not high enough.'
}
print(str(data))
if len(
DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['update']['floornumber'],
rn=data['update']['roomnumber']))) > 0:
return {'code': 'failed', 'message': 'Room already exists.'}
DB.insert('rooms',
(data['update']['floornumber'], data['update']['roomnumber'],
"\'" + data['update']['isVaccant'] + "\'",
"\'" + data['update']['isReady'] + "\'",
"\'" + data['update']['description'] + "\'",
"\'" + data['update']['price'] + "\'"))
DB.insert(
'room_info',
(data['update']['floornumber'], data['update']['roomnumber'], "\'" +
data['update']['bed'] + "\'", "\'" + data['update']['microwave'] +
"\'", "\'" + data['update']['balcony'] + "\'",
"\'" + data['update']['ethernet'] + "\'",
"\'" + data['update']['TV'] + "\'", data['update']['bedamount']))
return {'code': 'success', 'message': 'Room added to DB.'}
def cancelBooking():
data = json.loads(request.data)
account = AM.checktoken(data['token'])
#does account exist
if account[0] == False:
return {'code': 'failed', 'message': 'Not logged in.'}
booking = DB.query(
'bookings',
args="WHERE username = \'{u}\' AND bookingID = {bi}".format(
u=account[2], bi=data['bookingID']))
if len(booking) < 1:
return {'code': 'failed', 'message': 'No such booking exists.'}
bookingDate = datetime.strptime(booking[0][4], '%Y-%m-%d')
print(bookingDate)
print(datetime.now())
if datetime.now() >= bookingDate:
return {
'code': 'failed',
'message': 'This date of this booking has already passed.'
}
DB.delete('bookings', 'bookingID = {bi}'.format(bi=data['bookingID']))
DB.delete('transactions', 'bookingID = {bi}'.format(bi=data['bookingID']))
return {'code': 'success', 'message': 'Booking has been cancelled.'}
def getClients():
# returns code
data = json.loads(request.data)
account = AM.checktoken(data['token'])
if account[1] != 'agent':
return {
'code': 'failed',
'message': 'This is not an agent account.',
'clients': None
}
return {
'code':
'success',
'message':
'',
'clients':
json.loads(
DB.genjson(
'agent_clients',
DB.query(
'agent_clients',
args='WHERE username = \'{u}\''.format(u=account[2]))))
}
def getbookings():
#returns list of bookings
data = json.loads(request.data)
account = AM.checktoken(data['token'])
#does account exist
if account[0] == False:
return {
'code': 'failed',
'message': 'Not logged in.',
'bookings': None
}
return {
'code':
'success',
'message':
'',
'bookings':
json.loads(
DB.genjson(
'bookings',
DB.query(
'bookings',
args='WHERE username = \'{u}\''.format(u=account[2]))))
}
def register():
# need to sanatize input
DB.initdb()
resp = json.loads(flask.request.data)
username = resp['username']
salt, hashedpass = hashpass(resp['password'])
print("\tfrom client: \n\tregister request:\n\tu: " + username + ", p: " +
resp['password'])
#is username already registered
if (userexists(username)):
return {'message': 'Username already taken', 'code': 'failed'}
#is username already requested
if (len(
DB.query(
"accountrequests",
args="WHERE username = \'{u}\'".format(u=username))) == 1):
return {'message': 'Username already taken', 'code': 'failed'}
#submit account for approval
try:
DB.insert("accountrequests",
("\'" + username + "\'", "\'" + hashedpass + "\'",
"\'" + salt + "\'", "(SELECT datetime())"))
return {
'message': 'registered ' + username +
', pending admin approval. Try logging on later.',
'code': 'success'
}
except sqlite3.IntegrityError as E:
return {'message': 'error, ' + E.__str__(), 'code': 'failed'}
def logout():
token = json.loads(flask.request.data)['token']
payload = jwt.decode(codecs.decode(token, "hex"),
'secret',
algorithms=('HS256'))
#remove user login tokens
DB.delete(
'logintokens',
'logintokens.username = \'{u}\' AND logintokens.spice = \'{s}\''.
format(u=payload['username'], s=payload['spice']))
return {'code': 'success'}
def login():
DB.initdb()
resp = json.loads(flask.request.data)
print("\tfrom client: \nlogin request:\n\tu: " +
str(resp['username'] + ", p: " + resp['password']))
#check if user exists
if (not userexists(resp['username'])):
#check if user awaiting approval
if (len(
DB.query("accountrequests",
args="WHERE username = \'{u}\'".format(
u=resp['username']))) == 1):
return {
'code': 'failed',
'reason':
'Account pending admin aporoval. Please try again later.',
'token': ''
}
#user does not exist, deny
return {
'code': 'failed',
'reason': 'Incorrect username or password. Please try again.',
'token': ''
}
#verify password
if checkpass(resp['username'], resp['password']):
#check account for ban
if (DB.query("users", "banned", "WHERE username = \'{u}\'".format(
u=resp['username']))[0][0] == 'true'):
print("Banned user " + resp['username'] + " tried to log on.")
return {
'code': 'failed',
'reason': 'Banned from server.',
'token': ''
}
#log user in, give user token
return {
'code': 'success',
'reason': 'You are now logged in',
'token': createtoken(resp['username']).__str__()
}
else:
#incorrect password
return {
'code': 'failed',
'reason': 'Incorrect username or password. Please try again.',
'token': ''
}
def approveuser():
data = json.loads(request.data)
username = data['username']
if (AM.checktoken(data['token'])[1] == 'admin'):
row = DB.query('accountrequests',
args='WHERE username = \'{u}\''.format(u=username))
DB.delete('accountrequests',
args='username = \'{u}\''.format(u=username))
DB.insert(
'users',
('\'' + row[0][0] + '\'', '\'' + row[0][1] + '\'', '\'' +
row[0][2] + '\'', '\'user\'', '\'false\'', '(SELECT datetime())'))
return {'code': 'success'}
return {'code': 'failed'}
def setuserpriv():
data = json.loads(request.data)
if (AM.checktoken(data['token'])[1] == 'admin'):
try:
DB.update(
'users',
'SET privilege = \'{p}\' WHERE username = \'{u}\''.format(
u=data['username'], p=data['priv']))
except sqlite3.IntegrityError as e:
return {'code': 'failed', 'message': 'Incorrect privilege level.'}
return {'code': 'success', 'message': 'Done.'}
return {
'code': 'failed',
'message': 'You do not have high enough privilege to do that.'
}
def serveroom(room):
roomrow = DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=room[:2], rn=room[2:]))
if len(roomrow) == 1:
return render_template(
'room.html',
r=DB.genjson(
'rooms',
DB.query('rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.
format(fn=room[:2], rn=room[2:]))))
else:
return "404"
def userexists(username):
if (len(
DB.query(
'users',
args="WHERE username = \'{u}\'".format(u=username))) == 1):
return True
return False
def addClient():
# returns code
data = json.loads(request.data)
account = AM.checktoken(data['token'])
if account[1] != 'agent':
return {'code': 'failed', 'message': 'This is not an agent account.'}
try:
DB.insert('agent_clients',
('\'' + account[2] + '\'', '\'' + data['client_name'] + '\'',
'\'' + data['client_email'] + '\''))
return {'code': 'success', 'message': 'Client added.'}
except sqlite3.IntegrityError as E:
return {'code': 'failed', 'message': 'Client already exists.'}
def deleteRoom():
data = json.loads(request.data)
account = AM.checktoken(data['token'])
if account[1] != 'admin':
return {
'code': 'failed',
'message': 'TYou do not have high enough privilege to do that.'
}
DB.delete(
'rooms', 'floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['roomid'][:2], rn=data['roomid'][2:]))
DB.delete(
'room_info', 'floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['roomid'][:2], rn=data['roomid'][2:]))
return {'code': 'success', 'message': 'Room deleted.'}
def banuser():
data = json.loads(request.data)
if (AM.checktoken(data['token'])[1] == 'admin'):
if DB.query('users', 'banned', 'WHERE username = \'{u}\''.format(
u=data['username']))[0][0] == 'false':
DB.update(
'users',
'SET banned = \'true\' WHERE username = \'{u}\''.format(
u=data['username']))
else:
DB.update(
'users',
'SET banned = \'false\' WHERE username = \'{u}\''.format(
u=data['username']))
return {'code': 'success'}
return {'code': 'failed'}
def changePassword():
data = json.loads(flask.request.data)
account = checktoken(data['token'])
#does account exist
if account[0] == False:
return {'code': 'failed', 'message': 'Not logged in.'}
if not checkpass(account[2], data['oldpass']):
return {'code': 'failed', 'message': 'Incorrect password.'}
newhash = hashpass(data['newpass'])
DB.update(
'users',
'SET hashpass = \'{h}\', salt = \'{s}\' WHERE username = \'{u}\''.
format(u=account[2], s=newhash[0], h=newhash[1]))
DB.delete('logintokens', 'username = \'{u}\''.format(u=account[2]))
return {'code': 'success', 'message': 'Password changed.'}
def getreciept():
# returns code, message, reciept
data = json.loads(request.data)
account = AM.checktoken(data['token'])
#does account exist
if account[0] == False:
return {'code': 'failed', 'message': 'Not logged in.', 'reciept': None}
booking = DB.query(
'bookings', args='WHERE bookingID = {bi}'.format(bi=data['bookingID']))
transaction = DB.query(
'transactions',
args='WHERE bookingID = {bi}'.format(bi=data['bookingID']))
#does the booking exist
if len(booking) != 1:
return {
'code': 'failed',
'message': 'No such booking exists.',
'reciept': None
}
#is this the correct account
if booking[0][3] != account[2]:
return {
'code': 'failed',
'message': 'Incorrect account.',
'reciept': None
}
return {
'code':
'success',
'message':
'',
'reciept':
json.loads(
str({
**json.loads(DB.genjson('bookings', booking))[0],
**json.loads(DB.genjson('transactions', transaction))[0]
}).replace('\'', '"'))
}
def removeClient():
# returns code
data = json.loads(request.data)
account = AM.checktoken(data['token'])
print(str(data))
if account[1] != 'agent':
return {'code': 'failed', 'message': 'This is not an agent account.'}
if len(
DB.query('agent_clients',
args="WHERE username = \'{u}\' AND client_email = \'{e}\'"
.format(u=account[2], e=data['client_email']))) != 1:
return {'code': 'failed', 'message': 'Not your client.'}
DB.delete('agent_clients',
'client_email = \'{e}\''.format(e=data['client_email']))
return {'code': 'success', 'message': 'Client removed.'}
def getroom():
data = json.loads(request.data)
print(data)
roomrow = DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['roomid'][:2],
rn=data['roomid'][2:],
))
if len(roomrow) < 1:
return {'code': 'failed', 'message': 'No such room exists.'}
roomfeatures = DB.query(
'room_info',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['roomid'][:2],
rn=data['roomid'][2:],
))
return str({
**json.loads(DB.genjson('rooms', roomrow))[0],
**json.loads(DB.genjson('room_info', roomfeatures))[0]
}).replace('\'', '"')
def editroom():
data = json.loads(request.data)
if AM.checktoken(json.loads(request.data)['token'])[1] != 'admin':
return {
'code': 'failed',
'message': 'Privilege level not high enough.'
}
if len(
DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=data['update']['floornumber'],
rn=data['update']['roomnumber']))) < 1:
return {'code': 'failed', 'message': 'No such room exists.'}
DB.update(
'rooms',
'SET isVaccant = \'{isVaccant}\', isReady = \'{isReady}\', description = \'{description}\', price = \'{price}\' WHERE floornumber = {fn} AND roomnumber = {rn}'
.format(isVaccant=data['update']['isVaccant'],
isReady=data['update']['isReady'],
description=data['update']['description'],
price=data['update']['price'],
fn=data['update']['floornumber'],
rn=data['update']['roomnumber']))
DB.update(
'room_info',
'SET bed = \'{bed}\', microwave =\'{microwave}\', balcony=\'{balcony}\', ethernet=\'{ethernet}\', TV=\'{TV}\', bedamount={bedamount} WHERE floornumber = {fn} AND roomnumber = {rn}'
.format(bed=data['update']['bed'],
microwave=data['update']['microwave'],
balcony=data['update']['balcony'],
ethernet=data['update']['ethernet'],
TV=data['update']['TV'],
bedamount=data['update']['bedamount'],
fn=data['update']['floornumber'],
rn=data['update']['roomnumber']))
return {'code': 'success', 'message': 'Update saved.'}
def bookroom():
#room id, token, date
data = json.loads(request.data)
floornumber = data['roomid'][:2]
roomnumber = data['roomid'][2:]
print(str(data))
rows = DB.query(
'bookings',
args='WHERE floornumber = {fn} AND roomnumber = {rn} AND date = \"{d}\"'
.format(fn=floornumber, rn=roomnumber, d=data['date']))
if len(rows) > 0:
return {
'code': 'failed',
'message': 'Room already booked for that date.'
}
userdata = AM.checktoken(data['token'])
if userdata[0] == False:
return {'code': 'failed', 'message': 'Invalid user token.'}
try:
price = DB.query(
'rooms',
columns='price',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.format(
fn=floornumber, rn=roomnumber))[0][0]
except IndexError as E:
return {'code': 'failed', 'message': 'No such room exists.'}
transID = random.randint(100000, 999999)
bookingID = random.randint(100000, 999999)
while True:
try:
DB.insert('bookings',
(str(bookingID), "\'" + str(floornumber) + "\'",
"\'" + str(roomnumber) + "\'",
"\'" + userdata[2] + "\'", "\'" + data['date'] + "\'",
"\'" + data['customer_name'] + "\'"))
break
except sqlite3.InterfaceError as E:
bookingID = random.randint(100000, 999999)
while True:
try:
DB.insert(
'transactions',
(str(transID), "\'" + userdata[2] + "\'", "\'" + price + "\'",
str(bookingID), "\'" + data['customer_name'] + "\'"))
break
except sqlite3.IntegrityError as E:
transID = random.randint(100000, 999999)
return {
'code': 'success',
'message': 'Room booked.',
'bookingID': bookingID,
'transactionID': transID
}
def searchrooms():
#this can all be changed to a single test case
print(json.loads(request.data))
data = json.loads(request.data)
if data['all']:
return DB.genjson('rooms', DB.query('rooms'))
available = list()
if data['bed-type'] != None or data['microwave'] != None or data[
'balcony'] != None or data['ethernet'] != None or data[
'TV'] != None or data['bed-amount'] != None:
feature_args = 'WHERE 1 {be} {mi} {ba} {et} {tv} {be_a}'.format(
be='AND bed = \'' + data['bed-type'] +
'\'' if data['bed-type'] != 'null' else '',
mi='AND microwave = \'' + str(data['microwave']).lower() +
'\'' if data['microwave'] != False else '',
ba='AND balcony = \'' + str(data['balcony']).lower() +
'\'' if data['balcony'] != False else '',
et='AND ethernet = \'' + str(data['ethernet']).lower() +
'\'' if data['ethernet'] != False else '',
tv='AND TV = \'' + str(data['TV']).lower() +
'\'' if data['TV'] != False else '',
be_a='AND bedamount =' +
data['bed-amount'] if data['bed-amount'] != 'null' else '')
print(feature_args)
rooms_wf = DB.query('room_info', 'floornumber, roomnumber',
feature_args)
if data['date'] != '':
for room in rooms_wf:
if (len(
DB.query(
'bookings',
args=
'WHERE roomnumber={rn} AND floornumber={fn} AND date = \'{d}\''
.format(fn=room[0], rn=room[1],
d=data['date']))) == 0):
available.append(
DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'
.format(fn=room[0], rn=room[1]))[0])
return DB.genjson('rooms', available)
else:
for room in rooms_wf:
available.append(
DB.query(
'rooms',
args='WHERE floornumber = {fn} AND roomnumber = {rn}'.
format(fn=room[0], rn=room[1]))[0])
return DB.genjson('rooms', available)
elif data['date'] != '':
rooms = DB.query('rooms')
for room in rooms:
if (len(
DB.query(
'bookings',
args=
'WHERE roomnumber={rn} AND floornumber={fn} AND date = \'{d}\''
.format(fn=room[0], rn=room[1],
d=data['date']))) == 0):
available.append(room)
return DB.genjson('rooms', available)
else:
return DB.genjson('rooms', DB.query('rooms'))
def getlog():
if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin':
return json.dumps(
DB.genjson('dblog', DB.query('dblog', args='ORDER BY time DESC')))
def table(table):
return str(DB.query(table)).replace("(", "<br>").replace(")", "<br>")
def getrooms():
if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin':
return json.dumps(DB.genjson('rooms', DB.query('rooms')))
def getusers():
if AM.checktoken(json.loads(request.data)['token'])[1] == 'admin':
return json.dumps(
DB.genjson('users',
DB.query('users'),
exceptfor=('hashpass', 'salt')))
return render_template("index.html")
@app.route("/listings")
def serverlistings():
return render_template("listings.html")
@app.route("/register")
def servehome():
return render_template("register.html")
@app.route("/login")
def servelogin():
return render_template("login.html")
@app.route("/admin")
def serveadmin():
return render_template("admincheck.html")
@app.route("/account")
def serveaccount():
return render_template("account.html")
if __name__ == "__main__":
DB.initdb()
app.run(host='0.0.0.0', port=5000, debug=False) #192.168.2.21
