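def login():
    '''
    This router function attempts to fulfill a login request.

    It reads the form fields 'user[login]' and 'user[password]' from a
    POST request, and returns a json string with one value:

        - status, integer indicator of the login attempt:
            - 0, successful login
            - 4, generic login failure

    Every failure path (non-POST request, missing or empty fields,
    unknown username, missing stored password, wrong password) reports
    the same status 4 on purpose, so the response body does not reveal
    whether a username exists:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Returns:
        str, json encoded dict with a 'status' key.
    '''
    failure = json.dumps({'status': 4})

    # only a POST carrying form data can be a login attempt; any other
    # request used to fall through and return None, which flask reports
    # as an internal error rather than a failed login
    if request.method != 'POST' or not request.form:
        return failure

    # MultiDict.get returns the first value, or None when the field is
    # absent (getlist(...)[0] raised IndexError on a missing field)
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if not username or not password:
        return failure

    account = Account()

    # validate: check username exists, and resolves to a uid
    if not account.check_username(username)['result']:
        # NOTE(review): no hash verification runs on this path, so its
        # response time differs from the wrong-password path; a uniform
        # status code alone does not close that timing channel
        return failure
    uid = account.get_uid(username)['result']
    if not uid:
        return failure

    # database query: get hashed password, then verify it exists and
    # matches the supplied password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return failure
    if not verify_pass(str(password), hashed_password):
        return failure

    # set session: uid corresponds to primary key, from the user
    # database table, and a unique integer representing the username.
    # NOTE(review): the pre-login session is not cleared first; confirm
    # nothing from an unauthenticated session should be carried over.
    session['uid'] = uid

    # return user status: uid was confirmed truthy above, so re-reading
    # session['uid'] before answering adds nothing
    return json.dumps({'status': 0})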
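def login():
    '''
    This router function attempts to fulfill a login request.

    It reads the form fields 'user[login]' and 'user[password]' from a
    POST request, and returns a json string with one value:

        - status, integer indicator of the login attempt:
            - 0, successful login
            - 4, generic login failure

    Every failure path (non-POST request, missing or empty fields,
    unknown username, missing stored password, wrong password) reports
    the same status 4 on purpose, so the response body does not reveal
    whether a username exists:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Returns:
        str, json encoded dict with a 'status' key.
    '''
    failure = json.dumps({'status': 4})

    # only a POST carrying form data can be a login attempt; any other
    # request used to fall through and return None, which flask reports
    # as an internal error rather than a failed login
    if request.method != 'POST' or not request.form:
        return failure

    # MultiDict.get returns the first value, or None when the field is
    # absent (getlist(...)[0] raised IndexError on a missing field)
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if not username or not password:
        return failure

    account = Account()

    # validate: check username exists, and resolves to a uid
    if not account.check_username(username)['result']:
        # NOTE(review): no hash verification runs on this path, so its
        # response time differs from the wrong-password path; a uniform
        # status code alone does not close that timing channel
        return failure
    uid = account.get_uid(username)['result']
    if not uid:
        return failure

    # database query: get hashed password, then verify it exists and
    # matches the supplied password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return failure
    if not verify_pass(str(password), hashed_password):
        return failure

    # set session: uid corresponds to primary key, from the user
    # database table, and a unique integer representing the username.
    # NOTE(review): the pre-login session is not cleared first; confirm
    # nothing from an unauthenticated session should be carried over.
    session['uid'] = uid

    # return user status: uid was confirmed truthy above, so re-reading
    # session['uid'] before answering adds nothing
    return json.dumps({'status': 0})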
def test_registration(client, live_server):
    '''
    This method tests the user registration process.

    Each precondition (password policy, unused username, unused and
    well-formed email) is asserted in turn, then the account is saved
    and the save result is checked.
    '''
    live_server.start()

    # local variables
    username = '******'
    email = '*****@*****.**'
    password = '******'
    authenticate = Account()

    # verify requirements: one letter, one number, and ten characters.
    assert password and validate_password(password), \
        'password does not meet criteria'

    # validate: unique username
    assert username and not authenticate.check_username(username)['result'], \
        'account already exists'

    # validate: unique email
    assert (
        email and
        isValidEmail(email) and
        not authenticate.check_email(email)['result']
    ), 'email already exists'

    # database query: save username, and password
    hashed = hash_pass(str(password))
    result = Account().save_account(username, email, hashed)

    # notification: attempt to store account
    assert result['status']
    assert result['id']
    assert not result['error']
def test_login(client, live_server):
    '''
    This method tests the user login process.

    Specifically, the tests include verifying the user credentials
    (i.e. username, and password) directly against the account store.
    Then, a login request is posted, and the response is checked for a
    success status, and an access token.
    '''
    live_server.start()

    # local variables
    username = '******'
    password = '******'
    authenticate = Account()

    # validate: username exists
    assert authenticate.check_username(username)['result'], \
        'username does not exist'

    # database query: get hashed password
    hashed_password = authenticate.get_password(username)['result']

    # notification: verify hashed password exists
    assert hashed_password, 'user does not have a password'

    # notification: verify password
    assert verify_pass(str(password), hashed_password), 'incorrect password'

    # post requests: login response
    payload = {'user[login]': username, 'user[password]': password}
    response = client.post(
        '/login',
        headers={'Content-Type': 'application/json'},
        data=json.dumps(payload)
    )

    assert response.status_code == 200
    assert response.json['status'] == 0
    assert response.json['access_token']
def test_login(client, live_server):
    '''
    This method tests the user login process.

    Specifically, the tests include verifying the user credentials
    (i.e. username, and password) directly against the account store.
    Then, a login request is posted, and the response is checked for a
    success status.
    '''
    live_server.start()

    # local variables
    username = '******'
    password = '******'
    authenticate = Account()

    # validate: username exists
    assert authenticate.check_username(username)['result'], \
        'username does not exist'

    # database query: get hashed password
    hashed_password = authenticate.get_password(username)['result']

    # notification: verify hashed password exists
    assert hashed_password, 'user does not have a password'

    # notification: verify password
    assert verify_pass(str(password), hashed_password), 'incorrect password'

    # post requests: login response
    payload = {'user[login]': username, 'user[password]': password}
    response = client.post(
        '/login',
        headers={'Content-Type': 'application/json'},
        data=json.dumps(payload)
    )

    assert response.status_code == 200
    assert response.json['status'] == 0
def test_registration(client, live_server):
    '''
    This method tests the user registration process.

    Each precondition (password policy, unused username, unused and
    well-formed email) is asserted in turn, then the account is saved
    and the save result is checked.
    '''
    live_server.start()

    # local variables
    username = '******'
    email = '*****@*****.**'
    password = '******'
    authenticate = Account()

    # verify requirements: one letter, one number, and ten characters.
    assert password and validate_password(password), \
        'password does not meet criteria'

    # validate: unique username
    assert username and not authenticate.check_username(username)['result'], \
        'account already exists'

    # validate: unique email
    assert (
        email and
        isValidEmail(email) and
        not authenticate.check_email(email)['result']
    ), 'email already exists'

    # database query: save username, and password
    hashed = hash_pass(str(password))
    result = Account().save_account(username, email, hashed)

    # notification: attempt to store account
    assert result['status']
    assert result['id']
    assert not result['error']
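def login():
    '''
    This router function attempts to fulfill a login request, for the
    programmatic interface.

    It expects a POST with a json body holding 'user[login]' and
    'user[password]', and returns a json string with:

        - status, integer indicator of the login attempt:
            - 0, successful login
            - 4, generic login failure
        - access_token, flask-jwt token created for the uid; present
          only when status is 0

    Every failure path (non-POST request, missing or malformed body,
    missing fields, unknown username, missing stored password, wrong
    password) reports the same status 4 on purpose, so the response body
    does not reveal whether a username exists:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Note: token authentication is stateless, since it doesn't require
          anything to be queried from the server, to verify the user.
          The token is setup, in such a way, where it is known, if the
          token is valid or not, and if the token has been tampered with.

    Note: more information on basic flask-jwt token authentication:
          http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    Returns:
        str, json encoded dict with a 'status' key, plus 'access_token'
        on success.
    '''
    failure = json.dumps({'status': 4})

    # a non-POST request used to fall through and return None, which
    # flask reports as an internal error rather than a failed login
    if request.method != 'POST':
        return failure

    # programmatic-interface: implement flask-jwt token. The body is
    # parsed once (the original parsed it twice); silent=True yields None
    # for a missing or non-json body instead of raising, so a malformed
    # request becomes a plain login failure
    results = request.get_json(silent=True)
    if not results or not isinstance(results, dict):
        return failure

    # dict.get rather than indexing: a body missing either key used to
    # raise KeyError, which surfaces as a 500 instead of a login failure
    username = results.get('user[login]')
    password = results.get('user[password]')
    if not username or not password:
        return failure

    account = Account()

    # validate: check username exists, and resolves to a uid
    if not account.check_username(username)['result']:
        # NOTE(review): no hash verification runs on this path, so its
        # response time differs from the wrong-password path; a uniform
        # status code alone does not close that timing channel
        return failure
    uid = account.get_uid(username)['result']
    if not uid:
        return failure

    # database query: get hashed password, then verify it exists and
    # matches the supplied password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return failure
    if not verify_pass(str(password), hashed_password):
        return failure

    # create and serialize uid token
    access_token = create_access_token(identity=uid)

    # return status
    return json.dumps({'status': 0, 'access_token': access_token})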
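def register():
    '''
    This router function attempts to register a new username.

    It reads the form fields 'user[login]', 'user[email]' and
    'user[password]' from a POST request, and returns a json string with
    up to three values:

        - status, integer indicator of the registration attempt:
            - 0, successful account creation
            - 1, password doesn't meet minimum requirements
            - 2, username already exists in the database
            - 3, email already exists in the database
            - 4, internal database error, or non-POST request
        - username, string value of the user
        - email, is returned if the value already exists in the
          database, or the registration process was successful

    NOTE(review): statuses 2 and 3 confirm to the caller whether a
    username or email is already registered. That is part of this API's
    contract; rate limiting the route is the usual way to bound it.

    Returns:
        str, json encoded dict as described above.
    '''
    # a non-POST request used to fall through and return None, which
    # flask reports as an internal error
    if request.method != 'POST':
        return json.dumps({'status': 4})

    # local variables: MultiDict.get returns the first value, or None when
    # the field is absent (getlist(...)[0] raised IndexError instead)
    username = request.form.get('user[login]')
    email = request.form.get('user[email]')
    password = request.form.get('user[password]')
    account = Account()

    # validate requirements: one letter, one number, and ten characters.
    # The truthiness guard keeps a missing password from reaching
    # validate_password as None.
    if not (password and validate_password(password)):
        # notification: password doesn't meet criteria
        return json.dumps({'status': 1, 'username': username})

    # validate: unique username (an empty username is refused the same way)
    if not username or account.check_username(username)['result']:
        # notification: account already exists
        return json.dumps({'status': 2, 'username': username})

    # validate: unique email (an empty email is refused the same way)
    if not email or account.check_email(email)['result']:
        # notification: email already exists
        return json.dumps({
            'status': 3,
            'username': username,
            'email': email
        })

    # database query: save username, and password. The Account instance
    # already in use is reused instead of constructing a second one.
    hashed = hash_pass(str(password))
    result = account.save_account(username, email, hashed)

    # notification: attempt to store account
    if result:
        return json.dumps({
            'status': 0,
            'username': username,
            'email': email
        })
    return json.dumps({
        'status': 4,
        'username': username,
    })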
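def _authenticate(account, username, password):
    '''
    Return the uid for *username* when *password* verifies against the
    stored hash, else None.

    Every failure (empty field, unknown username, no uid, no stored hash,
    wrong password) collapses to None, so the two login interfaces can
    report one uniform failure status and not reveal which step failed.

    Args:
        account: Account instance used for the username, uid and
            password lookups.
        username: submitted login name; may be None.
        password: submitted clear-text password; may be None.
    '''
    if not username or not password:
        return None

    # validate: check username exists, and resolves to a uid
    if not account.check_username(username)['result']:
        # NOTE(review): no hash verification runs on this path, so its
        # response time differs from the wrong-password path; a uniform
        # status code alone does not close that timing channel
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # database query: get hashed password, then verify it exists and
    # matches the supplied password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return None
    if not verify_pass(str(password), hashed_password):
        return None

    return uid


def login():
    '''
    This router function attempts to fulfill a login request, for either
    the programmatic interface (json body) or the web interface (form).

    It returns a json string with:

        - status, integer indicator of the login attempt:
            - 0, successful login
            - 4, generic login failure
        - access_token, flask-jwt token created for the uid; present
          only for a successful json login

    Every failure path (non-POST request, missing fields, unknown
    username, missing stored password, wrong password) reports the same
    status 4 on purpose, so the response body does not reveal whether a
    username exists:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Note: token authentication is stateless, since it doesn't require
          anything to be queried from the server, to verify the user.
          The token is setup, in such a way, where it is known, if the
          token is valid or not, and if the token has been tampered with.

    Note: more information on basic flask-jwt token authentication:
          http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    Returns:
        str, json encoded dict with a 'status' key, plus 'access_token'
        on a successful json login.
    '''
    failure = json.dumps({'status': 4})

    # a non-POST request, or a POST with neither a json body nor form
    # data, used to fall through and return None, which flask reports as
    # an internal error rather than a failed login
    if request.method != 'POST':
        return failure

    account = Account()

    # programmatic-interface: implement flask-jwt token. silent=True
    # matters here: from flask 2.1 on, get_json() raises on a non-json
    # content type instead of returning None, which would stop a form
    # POST from ever reaching the web-interface branch below.
    body = request.get_json(silent=True)
    if body:
        # dict.get rather than indexing: a body missing either key used
        # to raise KeyError, which surfaces as a 500
        if not isinstance(body, dict):
            return failure
        uid = _authenticate(
            account,
            body.get('user[login]'),
            body.get('user[password]')
        )
        if uid is None:
            return failure

        # create and serialize uid token
        access_token = create_access_token(identity=uid)
        return json.dumps({'status': 0, 'access_token': access_token})

    # web-interface: store user session in redis
    if request.form:
        # MultiDict.get returns the first value, or None when the field
        # is absent (getlist(...)[0] raised IndexError on a missing field)
        uid = _authenticate(
            account,
            request.form.get('user[login]'),
            request.form.get('user[password]')
        )
        if uid is None:
            return failure

        # set session: uid corresponds to primary key, from the user
        # database table, and a unique integer representing the username.
        # NOTE(review): the pre-login session is not cleared first;
        # confirm nothing from an unauthenticated session should carry
        # over.
        session['uid'] = uid

        # return user status: uid is truthy by construction, so the
        # original re-check of session['uid'] is not needed
        return json.dumps({'status': 0})

    return failure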
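def register():
    '''
    This router function attempts to register a new username.

    It reads the form fields 'user[login]', 'user[email]' and
    'user[password]' from a POST request, and returns a json string with
    up to three values:

        - status, integer indicator of the registration attempt:
            - 0, successful account creation
            - 1, password doesn't meet minimum requirements
            - 2, username already exists in the database
            - 3, email already exists in the database
            - 4, internal database errors, or non-POST request
        - username, string value of the user
        - email, is returned if the value already exists in the
          database, or the registration process was successful

    NOTE(review): statuses 2 and 3 confirm to the caller whether a
    username or email is already registered. That is part of this API's
    contract; rate limiting the route is the usual way to bound it.

    Returns:
        str, json encoded dict as described above.
    '''
    # a non-POST request used to fall through and return None, which
    # flask reports as an internal error
    if request.method != 'POST':
        return json.dumps({'status': 4})

    # local variables: MultiDict.get returns the first value, or None when
    # the field is absent (getlist(...)[0] raised IndexError instead)
    username = request.form.get('user[login]')
    email = request.form.get('user[email]')
    password = request.form.get('user[password]')
    account = Account()

    # validate requirements: one letter, one number, and ten characters.
    if not (password and validate_password(password)):
        # notification: password doesn't meet criteria
        return json.dumps({
            'status': 1,
            'username': username
        })

    # validate: unique username
    if not username or account.check_username(username)['result']:
        # notification: account already exists
        return json.dumps({
            'status': 2,
            'username': username
        })

    # validate: unique, well-formed email
    if (
        not email or
        not isValidEmail(email) or
        account.check_email(email)['result']
    ):
        # notification: email already exists
        return json.dumps({
            'status': 3,
            'username': username,
            'email': email
        })

    # database query: save username, and password. The Account instance
    # already in use is reused instead of constructing a second one.
    hashed = hash_pass(str(password))
    result = account.save_account(
        username,
        email,
        hashed
    )

    # notification: attempt to store account
    if result:
        return json.dumps({
            'status': 0,
            'username': username,
            'email': email
        })
    return json.dumps({
        'status': 4,
        'username': username,
    })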