def test_generate_token(self): self.assertEqual(len(generate_token()), 32) self.assertEqual(len(generate_token(False)), 32) self.assertEqual(len(generate_token(True)), config.TOKEN_SHORT_LENGTH) tokens = [] for i in range(1000): token = generate_token(True) self.assertNotIn(token, tokens) tokens.append(token)
def authenticate(request): v = validate_request(request) if v==0: body = request.POST if 'api_key' not in body: return jsonResponse({'error':True,'data':{'msg':'API key not found.'}},403) api_key = body['api_key'] if api_key not in API_TOKENS: return jsonResponse({'error':True,'data':{'msg':'Invalid API key.'}},403) if 'timestamp' not in body: return jsonResponse({'error':True,'data':{'msg':'Timestamp not found.'}},403) timestamp = body['timestamp'] if int(time.time()) - int(timestamp) > 3600: return jsonResponse({'error':True,'data':{'msg':'Invalid timestamp.'}},403) if 'username' not in body: return jsonResponse({'error':True,'data':{'msg':'Username not found.'}},403) username = body['username'] try: user = Author.objects.filter(username=username)[0] except: return jsonResponse({'error':True,'data':{'msg':'User does not exist.'}},404) signature = body['signature'] print "%s&%s&%s&%s"%(user.username,user.password,timestamp,API_TOKENS[api_key]) server_signature = hashlib.md5("%s&%s&%s&%s"%(user.username,user.password,timestamp,API_TOKENS[api_key])).hexdigest() if signature != server_signature: return jsonResponse({'error':True,'data':{'msg':'Cannot verify the signature.'}},404) access_token = helpers.generate_token() user.access_token = access_token user.save() return jsonResponse({'error':False,'data':{'msg':'Successfully authenticated','access_token':access_token}},200) elif v==-1: return jsonResponse({'error':True,'data':{'msg':'All requests must be POST.'}},403) else: return jsonResponse({'error':True,'data':{'msg':'Invalid signature.'}},403)
def revoke(sqlsession, device): error = False errors = [] device = sqlsession.query(Device).filter_by(id=device).first() if device: if device.is_online: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((config.api_host, config.api_port)) temporary_token = helpers.generate_token() q = Query() q.create_register_webui(config.webui_token, temporary_token) s.send(q.to_command()) q.create_kick(temporary_token, device.pubkey) s.send(q.to_command()) q.create_unregister(temporary_token) s.send(q.to_command()) s.close() except Exception: error = True errors.append(('flash', 'Connection to device failed.')) else: error = True errors.append(('device', 'Device does not exist.')) return error, errors
def login(): email = request.json['email'] password = request.json['password'] cursor = mysql.connection.cursor() cursor.execute('''select id, email, salt, password from users''') idx = -1 users = [] for user in cursor.fetchall(): users.append(user) mysql.connection.commit() cursor.close() for i, user in enumerate(users): if user['email'] == email: idx = i break if idx == -1: return json.dumps({'message': 'User Does not Exist', 'error': True}) else: salt = users[idx]['salt'] newHash = generate_hash(password, salt) if (newHash == users[idx]['password']): token = generate_token({'id': users[idx]['id']}) return json.dumps({'token': token, 'error': False}) else: return json.dumps({ 'message': 'Invalid Credentials', 'error': True })
def invited(token): try: enemy_token, game_type, game_limit = get_cache( 'invite_{}'.format(token)) except: return send_error('game not found') enemy_user = None user_id = get_cache('user_{}'.format(enemy_token)) if user_id: try: enemy_user = User.get(pk=user_id) except User.DoesNotExist: # TODO: if user not found game will be created with None as white player pass user_token = generate_token(True) game = Game.new_game(enemy_token, user_token, game_type, game_limit, white_user=enemy_user, black_user=request.user) delete_cache('wait_{}'.format(enemy_token)) result = {'game': user_token} result.update(game.get_info(consts.BLACK)) return send_data(result)
def login(): try: email = request.json['email'] password = request.json['password'] cursor = mysql.connection.cursor() cursor.execute('''select * from users where email = %s''', (email, )) results = cursor.fetchall() items = [] for item in results: items.append(item) if items: items = items[0] mysql.connection.commit() cursor.close() if not items: return json.dumps({ 'message': 'Account does not exists. Please Signup before logging in.', 'error': True }) else: newPasswordHash = generate_hash(password, items['salt']) if items['password'] != newPasswordHash: return json.dumps({ 'message': 'Invalid Password. Please Enter Correct Password.', 'error': True }) else: return json.dumps({ 'token': generate_token({'id': items['id']}), 'error': False }) except: return json.dumps({'message': 'Some Error Occured', 'error': True})
def flash(sqlsession, token, device): error = False errors = [] token = None device = None if type(token) == int: token = sqlsession.query(models.Token).filter_by(id=token).first() if type(device) == int: device = sqlsession.query(models.Device).filter_by(id=device).first() if device: if token: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((config.api_host, config.api_port)) temporary_token = helpers.generate_token() q = Query() q.create_register_webui(config.webui_token, temporary_token) s.send(q.to_command()) q.create_flash(temporary_token, token.value, device.pubkey) s.send(q.to_command()) q.create_unregister(temporary_token) s.send(q.to_command()) s.close() except Exception: error = True errors.append(('flash', 'Connection to device failed.')) else: error = True errors.append(('token', 'Token does not exist.')) else: error = True errors.append(('device', 'Device does not exist.')) return error, errors
def invite(data): game_type = data['type'] game_limit = data['limit'] if game_type != consts.TYPE_NOLIMIT and not game_limit: return send_error('game limit must be set for no limit game') token_game = generate_token(True) token_invite = generate_token(True) set_cache('invite_{}'.format(token_invite), (token_game, game_type, game_limit)) if request.user: set_cache('user_{}'.format(token_game), request.user.pk, 3600) set_cache('wait_{}'.format(token_game), (game_type, game_limit, token_invite)) return send_data({ 'game': token_game, 'invite': token_invite, })
def checkCredentials(cursor, email, password): cursor.execute('''select * from users where email = %s''', (email, )) result = cursor.fetchone() password_hash = generate_hash(password, result['salt']) token = None if password_hash == result['password']: token = generate_token({'id': result['id']}) return token
def add(sqlsession, **kwargs): error = False errors = [] name = None description = None expiry_date = None owner = None for attribute in kwargs: if attribute == 'owner': if type(kwargs[attribute]) == int: owner = sqlsession.query( models.User).filter_by(id=owner).first() if not owner: if 'owner_name' in kwargs: owner_query = sqlsession.query( models.User).filter_by(name=kwargs['owner_name']) if owner_query.count() == 1: owner = owner_query.first() else: errors.append(('owner', 'User was not found.')) else: errors.append(('owner', 'User was not found.')) elif attribute == 'expiry_date': try: expiry_date = helpers.str_to_date(kwargs[attribute]) except BaseException: error = True errors.append(( 'expiry_date', 'Expiry date has a bad format. It should be YYYY-mm-dd.' )) elif attribute == 'name': name = kwargs[attribute] elif attribute == 'description': description = kwargs[attribute] else: pass if not error: token = models.Token(name=name, value=helpers.generate_token(), description=description, owner=owner, flashed=False, expiry_date=expiry_date, creation_date=helpers.today()) sqlsession.add(token) sqlsession.commit() return token.id, None else: return False, errors
def post(self): game_type = self.data['type'] game_limit = self.data['limit'] if game_type != consts.TYPE_NOLIMIT and not game_limit: raise errors.APIException( 'game limit must be set for no limit game') token_game = generate_token(True) token_invite = generate_token(True) set_cache('invite_{}'.format(token_invite), (token_game, game_type, game_limit)) if request.user: set_cache('user_{}'.format(token_game), request.user.pk, 3600) set_cache('wait_{}'.format(token_game), (game_type, game_limit, token_invite)) return { 'game': token_game, 'invite': token_invite, }
def authenticate(cls, username, password): try: user = cls.get(username=username, password=encrypt_password(password)) except cls.DoesNotExist: return False token = generate_token() set_cache(token, user.pk, config.SESSION_TIME) return token
def add(sqlsession, **kwargs): error = False errors = [] name = None description = None expiry_date = None owner = None for attribute in kwargs: if attribute == 'owner': if type(kwargs[attribute]) == int: owner = sqlsession.query(models.User).filter_by(id=owner).first() if not owner: if 'owner_name' in kwargs: owner_query = sqlsession.query(models.User).filter_by(name=kwargs['owner_name']) if owner_query.count() == 1: owner = owner_query.first() else: errors.append(('owner', 'User was not found.')) else: errors.append(('owner', 'User was not found.')) elif attribute == 'expiry_date': try: expiry_date = helpers.str_to_date(kwargs[attribute]) except BaseException: error = True errors.append(('expiry_date', 'Expiry date has a bad format. It should be YYYY-mm-dd.')) elif attribute == 'name': name = kwargs[attribute] elif attribute == 'description': description = kwargs[attribute] else: pass if not error: token = models.Token( name=name, value=helpers.generate_token(), description=description, owner=owner, flashed=False, expiry_date=expiry_date, creation_date=helpers.today() ) sqlsession.add(token) sqlsession.commit() return token.id, None else: return False, errors
def _post(data): game_type = data['type'] game_limit = data['limit'] token = generate_token(True) pool = GamePool.create( player1=token, user1=request.user, type_game=game_type, time_limit=game_limit, ) set_cache('wait_{}'.format(token), (game_type, game_limit)) return send_data({'game': token})
def get_reset(self): if not self.email: raise AttributeError('your email is not defined') if self.date_last_reset: seconds = (datetime.now() - self.date_last_reset).total_seconds() if seconds < config.RESET_PERIOD: raise errors.ResetRequestError(config.RESET_PERIOD - int(seconds)) token = generate_token() set_cache(token, self.pk, config.RESET_TIME) self.date_last_reset = datetime.now() self.save() return token
def get_verification(self): if self.verified: raise errors.VerifiedError if not self.email: raise AttributeError('your email is not defined') if self.date_verification_token: seconds = (datetime.now() - self.date_verification_token).total_seconds() if seconds < config.VERIFICATION_PERIOD: raise errors.VerificationRequestError( config.VERIFICATION_PERIOD - int(seconds)) token = generate_token() set_cache(token, self.pk, config.VERIFICATION_TIME) self.date_verification_token = datetime.now() self.save() return token
def open(sqlsession, id): id = int(id) user = sqlsession.query( models.User).filter_by(username=session['username']).first() device = None if id == 0: if user.default_device: device = user.default_device else: id = int(config('default_door_device')) if id > 0 and not device: device = sqlsession.query(models.Device).filter_by(id=id).first() if device: access_granted = False if user.level > 9000: access_granted = True else: for token in user.tokens: if token in device.tokens: access_granted = True if not access_granted: flash('No access on device with id %s' % id, 'danger') else: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((config.api_host, config.api_port)) temporary_token = helpers.generate_token() q = Query() q.create_register_webui(config.webui_token, temporary_token) s.send(q.to_command()) q.create_open(temporary_token, device.pubkey) s.send(q.to_command()) q.create_unregister(temporary_token) s.send(q.to_command()) s.close() flash('%s has been opened.' % device.name, 'success') except Exception as e: flash('Failed to access device %s' % device.name, 'danger') else: flash('Could not find device with id %s' % id, 'danger') return redirect(request.referrer)
def open(sqlsession, id): id = int(id) user = sqlsession.query(models.User).filter_by(username=session['username']).first() device = None if id == 0: if user.default_device: device = user.default_device else: id = int(config('default_door_device')) if id > 0 and not device: device = sqlsession.query(models.Device).filter_by(id=id).first() if device: access_granted = False if user.level > 9000: access_granted = True else: for token in user.tokens: if token in device.tokens: access_granted = True if not access_granted: flash('No access on device with id %s' % id, 'danger') else: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((config.api_host, config.api_port)) temporary_token = helpers.generate_token() q = Query() q.create_register_webui(config.webui_token, temporary_token) s.send(q.to_command()) q.create_open(temporary_token, device.pubkey) s.send(q.to_command()) q.create_unregister(temporary_token) s.send(q.to_command()) s.close() flash('%s has been opened.' % device.name, 'success') except Exception as e: flash('Failed to access device %s' % device.name, 'danger') else: flash('Could not find device with id %s' % id, 'danger') return redirect(request.referrer)
def post(self, game_id): try: pool = GamePool.get(GamePool.pk == game_id) except GamePool.DoesNotExist: raise errors.APINotFound('game') except Exception as e: raise errors.APIException('wrong format') if pool.user1 and pool.user1 == request.user: raise errors.APIException('you cannot start game with yourself') pool.player2 = generate_token(True) pool.user2 = request.user pool.is_started = True pool.save() game = Game.new_game(pool.player1, pool.player2, pool.type_game, pool.time_limit, white_user=pool.user1, black_user=pool.user2) delete_cache('wait_{}'.format(pool.player1)) result = {'game': pool.player2} result.update(game.get_info(consts.BLACK)) return result
def flash(sqlsession, token, device): error = False errors = [] token = None device = None if type(token) == int: token = sqlsession.query(models.Token).filter_by(id=token).first() if type(device) == int: device = sqlsession.query( models.Device).filter_by(id=device).first() if device: if token: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((config.api_host, config.api_port)) temporary_token = helpers.generate_token() q = Query() q.create_register_webui(config.webui_token, temporary_token) s.send(q.to_command()) q.create_flash(temporary_token, token.value, device.pubkey) s.send(q.to_command()) q.create_unregister(temporary_token) s.send(q.to_command()) s.close() except Exception: error = True errors.append(('flash', 'Connection to device failed.')) else: error = True errors.append(('token', 'Token does not exist.')) else: error = True errors.append(('device', 'Device does not exist.')) return error, errors
def accept(game_id): try: pool = GamePool.get(GamePool.pk == game_id) except GamePool.DoesNotExist: return send_error('Game not found') except Exception as e: return send_error('Wrong format') if pool.user1 and pool.user1 == request.user: return send_error('You cannot start game with yourself') with config.DB.atomic(): pool.player2 = generate_token(True) pool.user2 = request.user pool.is_started = True pool.save() game = Game.new_game(pool.player1, pool.player2, pool.type_game, pool.time_limit, white_user=pool.user1, black_user=pool.user2) delete_cache('wait_{}'.format(pool.player1)) result = {'game': pool.player2} result.update(game.get_info(consts.BLACK)) return send_data(result)
def register(): """ Create a new user account using the supplied user info and send a confirmation email to the user. Integrated recaptcha prevents excessive calls to register user accounts :return: JWT with the user credentials enclosed """ req = loads(request.data) firstName = req.get('first_name') lastName = req.get('last_name') email = req.get('email') username = req.get('username') password = req.get('password') recaptchaResponse = req.get('g-recaptcha-response') # the data to be returned to the client data = { "jwt_token": None } # todo uncomment when no longer testing # let's verify the user passed the recaptcha # r = requests.post('https://www.google.com/recaptcha/api/siteverify', # data=dict(secret=os.environ.get('RECAPTCHA_SECRET'), response=recaptchaResponse)) # resp = r.json() # # if not resp['success']: # they must be a robot or something # return create_response({}, status=403) if email is None or username is None: return create_response({}, status=400) # check if the user already exists user = User.query.filter_by(username_lower=lower(username)).first() if user is not None: # todo maybe I should return error messages? return create_response({}, status=409) try: user = User( first_name=firstName, last_name=lastName, email=email, username=username, password=password ) db.session.add(user) db.session.commit() payload = { "username": user.username, "confirmed": user.confirmed } jwt_token = create_jwt(payload) data['jwt_token'] = jwt_token # creates a confirmation email for the user based on their email and secret token = generate_token(user.email, user.confirm_secret) if send_confirmation_email(to=user.email, token=token): # the email was sent, let the user know return create_response(data) return create_response({}, status=500) except Exception as e: db.session.rollback() return create_response({}, status=500)