예제 #1
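def recoverChange():
    """Finish a password recovery: set a new password for a confirmed token.

    Reads the ``Username`` (base64), ``Confirm`` (64-character token) and
    ``Password`` (base64) request headers.  The token must belong to the
    user, be of type ``password`` and be younger than one hour.  On success
    the stored hash is replaced and every ``confirm*`` column is cleared.

    Returns:
        ``"done"`` on success, otherwise a ``(message, status)`` tuple:
        409 when the rate limiter rejects the request, 400 on missing or
        malformed input, 404 when no matching token exists, 410 when the
        token has expired.
    """
    if not limiter.check():
        return "409 (Conflict)", 409
    # Every attempt is charged to the login limiter before any validation,
    # so token guessing is throttled the same way as password guessing.
    limiter.count(login=True)

    user = request.headers.get('Username')
    confirm = request.headers.get('Confirm')
    pw = request.headers.get('Password')
    if user is None or confirm is None or pw is None or len(confirm) != 64:
        return "400 (Bad request)", 400

    # b64decode raises binascii.Error and .decode raises UnicodeDecodeError;
    # both are ValueError subclasses.  Without this guard a malformed header
    # escapes as an unhandled exception instead of a 400.
    try:
        user = base64.b64decode(user).decode('utf-8')
        pw = base64.b64decode(pw).decode('utf-8')
    except ValueError:
        return "400 (Bad request)", 400

    if len(pw) < 8 or len(pw) > 20 or not pw.isalnum():
        return "400 (Bad request)", 400

    q = ddbb.query(
        "SELECT confirmType, confirmValid FROM user WHERE confirm=%s AND username=%s",
        confirm, user)
    if len(q) == 0 or q[0][0] != 'password':
        return "404 (Not Found)", 404

    issued = q[0][1]
    # A token row without a validity timestamp cannot be trusted; treat it
    # as expired rather than failing on ``None + timedelta``.
    if issued is None:
        return "410 (Gone)", 410
    # NOTE(review): assumes confirmValid comes back as a naive datetime in
    # the process's local timezone, which is how .timestamp() interprets
    # it -- confirm against the DB connection's time zone settings.
    if (issued + timedelta(hours=1)).timestamp() < time.time():
        return "410 (Gone)", 410

    ddbb.query(
        "UPDATE user SET confirm=NULL, confirmType=NULL, confirmData=NULL, confirmValid=NULL, pw=%s WHERE username=%s",
        password.createHash(pw), user)
    return "done"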
예제 #2
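def recoverAdd():
    """Start a password recovery for the user named in the ``Username`` header.

    If the user already holds an unexpired ``password`` token nothing is
    changed and no new mail is sent.  Otherwise a fresh 64-character token
    is stored with ``confirmValid=now()`` and delivered through
    ``email.passwordRecovery``.

    Returns:
        ``"done"`` on success or when a live token already exists; otherwise
        a ``(message, status)`` tuple with 409 (rate limited), 400 (missing
        or malformed header) or 404 (unknown user).  Note that the 404 lets
        a caller distinguish registered usernames from unknown ones.
    """
    if not limiter.check():
        return "409 (Conflict)", 409
    limiter.count(login=True)

    user = request.headers.get('Username')
    if user is None:
        return "400 (Bad request)", 400
    try:
        user = base64.b64decode(user).decode('utf-8')
    except ValueError:
        # binascii.Error / UnicodeDecodeError are both ValueError subclasses.
        return "400 (Bad request)", 400

    q = ddbb.query(
        "SELECT confirm, confirmType, confirmValid, pw FROM user WHERE username=%s",
        user)
    if len(q) == 0:
        return "404 (Not Found)", 404

    confirm_type, issued = q[0][1], q[0][2]
    if issued is not None:
        # NOTE(review): .timestamp() on a naive datetime assumes local time;
        # confirm this matches how the DB stores now().
        expires = (issued + timedelta(hours=1)).timestamp()
        if confirm_type == 'password' and expires > time.time():
            # A live recovery token is already out; do not mint another one.
            return "done"

    # The token is a bearer credential for resetting the password, so it
    # must come from the OS CSPRNG (SystemRandom) rather than the default
    # Mersenne-Twister generator, whose output is predictable.
    rng = random.SystemRandom()
    alphabet = string.ascii_letters + string.digits
    confirm = ''.join(rng.choice(alphabet) for _ in range(64))

    ddbb.query(
        "UPDATE user SET confirm=%s, confirmType='password', confirmData=NULL, confirmValid=now() WHERE username=%s",
        confirm, user)
    email.passwordRecovery(user, confirm)
    return "done"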
예제 #3
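def check():
    """Validate the ``Username``/``Session`` cookie pair against the stored session.

    Returns:
        ``True`` when the ``Session`` cookie equals the user's stored
        ``session`` column, ``False`` otherwise.  A lookup miss or mismatch
        is counted against the rate limiter; a missing or oversized cookie
        is rejected without counting.
    """
    import hmac

    user = request.cookies.get('Username')
    # Named ``token`` rather than ``hash`` so the builtin is not shadowed.
    token = request.cookies.get('Session')
    if user is None or token is None or len(token) > 150 or len(user) > 50:
        return False

    rows = ddbb.query("SELECT session FROM user WHERE username=%s", user)
    stored = rows[0][0] if len(rows) > 0 else None

    # Constant-time comparison so response time does not leak how many
    # leading characters of the presented token were right.  Both sides are
    # encoded because compare_digest only accepts ASCII str or bytes.
    if isinstance(stored, str) and hmac.compare_digest(
            stored.encode('utf-8'), token.encode('utf-8')):
        return True
    limiter.count()
    return False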
예제 #4
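def login():
    """Authenticate the base64 ``user``/``pw`` headers and open a session.

    On success the user's socket-id list in ``sid`` is swapped for an empty
    one under the ``lsid`` lock and the previous ids are handed to
    ``disconnect_user`` in a background task.  The response body is the JSON
    document ``{"username": ..., "cookie": ...}`` with the cookie produced by
    ``start(user)``.

    Returns:
        The JSON string on success; ``("409 (Conflict)", 409)`` when the
        limiter rejects the request; ``("400 (Bad request)", 400)`` when a
        header is not valid base64/UTF-8; ``("403 (Forbidden)", 403)`` for
        missing headers or wrong credentials.  Every failure except the 409
        is counted against the login limiter.
    """
    if not limiter.check():
        return "409 (Conflict)", 409

    user = request.headers.get('user')
    pw = request.headers.get('pw')
    if user is not None and pw is not None:
        try:
            user = base64.b64decode(user).decode('utf-8')
            pw = base64.b64decode(pw).decode('utf-8')
        except ValueError:
            # Malformed encoding previously escaped as an unhandled
            # exception; treat it as a throttled bad request instead.
            limiter.count(login=True)
            return "400 (Bad request)", 400

        if ddbb.checkPW(user, pw):
            # Swap the socket-id list out under the lock, then disconnect the
            # stale clients off the request thread.
            with lsid:
                old_sids = sid.get(user)
                sid[user] = []
            if old_sids is not None:
                socketio.start_background_task(disconnect_user, old_sids)
            # json.dumps already returns str; no str() wrapper is needed.
            return json.dumps({"username": user, "cookie": start(user)})

    limiter.count(login=True)
    return "403 (Forbidden)", 403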
예제 #5
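def registerConfirm():
    """Complete a registration or e-mail change using a confirmation token.

    Reads ``Username`` (base64) and ``Confirm`` (64-character token).  The
    token must belong to the user, be of type ``register`` or ``email`` and
    be younger than one hour.

    * ``register``: ``confirmData`` holds ``"<password hash>;<mac>"`` as
      written by ``register()``; the MAC is granted to the user in ``acls``
      and the hash becomes the password.
    * ``email``: ``confirmData`` holds the new address, which replaces
      ``username``; the broker is then notified for the old name.

    Either way every ``confirm*`` column is cleared.

    Returns:
        ``"done"`` on success; otherwise ``(message, status)`` with 409 (rate
        limited), 400 (missing or malformed input), 404 (no matching token)
        or 410 (token expired).
    """
    if not limiter.check():
        return "409 (Conflict)", 409
    limiter.count(login=True)

    user = request.headers.get('Username')
    confirm = request.headers.get('Confirm')
    # Tokens are always 64 characters (see register/recoverAdd); reject other
    # lengths up front, as recoverChange does, before touching the DB.
    if user is None or confirm is None or len(confirm) != 64:
        return "400 (Bad request)", 400
    try:
        user = base64.b64decode(user).decode('utf-8')
    except ValueError:
        # binascii.Error / UnicodeDecodeError are both ValueError subclasses.
        return "400 (Bad request)", 400

    q = ddbb.query(
        "SELECT confirmType, confirmData, confirmValid FROM user WHERE confirm=%s AND username=%s",
        confirm, user)
    if len(q) == 0:
        return "404 (Not Found)", 404
    confirm_type = q[0][0]
    confirm_data = q[0][1]
    issued = q[0][2]
    if confirm_type not in ('register', 'email'):
        return "404 (Not Found)", 404
    # No validity timestamp: treat as expired instead of failing on
    # ``None + timedelta``.
    if issued is None:
        return "410 (Gone)", 410
    # NOTE(review): assumes confirmValid is a naive datetime in local time,
    # which is what .timestamp() expects -- confirm with the DB settings.
    if (issued + timedelta(hours=1)).timestamp() < time.time():
        return "410 (Gone)", 410

    if confirm_type == 'register':
        # Format "<hash>;<mac>" is produced by register().
        data = confirm_data.split(';')
        ddbb.query(
            "INSERT INTO acls (mac, user, name) SELECT %s, id, 'Unnamed' FROM user WHERE username=%s",
            data[1], user)
        ddbb.query(
            "UPDATE user SET pw=%s, confirm=NULL, confirmType=NULL, confirmData=NULL, confirmValid=NULL WHERE username=%s",
            data[0], user)
    elif confirm_type == 'email':
        ddbb.query(
            "UPDATE user SET username=confirmData, confirm=NULL, confirmType=NULL, confirmData=NULL, confirmValid=NULL WHERE username=%s",
            user)
        ddbb.broker.muser(user)
        ddbb.broker.macls(user)
    return "done"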
예제 #6
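def register():
    """Begin registration of ``Username`` (an e-mail address) for board ``MAC``.

    The ``Username``, ``Password`` and ``MAC`` headers are base64; the
    username is lower-cased and the MAC upper-cased after decoding.  The
    password must be 8-20 alphanumeric characters and the username must
    match the e-mail pattern below.  The MAC must exist in ``boards`` and
    not already be claimed in ``acls``; the username must not already have
    a password set.

    If the user already holds an unexpired ``register`` token nothing is
    changed.  Otherwise a 64-character token and ``"<hash>;<mac>"`` are
    stored -- on the existing row, on a recycled stale unconfirmed row
    (``pw=''`` with ``confirmValid`` older than one hour, whose ``share``
    rows are deleted first), or on a fresh row -- and
    ``email.registerConfirm`` is sent.

    Returns:
        ``"done"`` on success or when a live token already exists; otherwise
        ``(message, status)`` with 409 (rate limited), 400 (missing or
        invalid input) or 404 (unknown/claimed MAC, or username taken).  The
        last 404 discloses whether a username is already registered.
    """
    if not limiter.check():
        return "409 (Conflict)", 409
    limiter.count(login=True)

    user = request.headers.get('Username')
    pw = request.headers.get('Password')
    mac = request.headers.get('MAC')
    if user is None or mac is None or pw is None:
        return "400 (Bad request)", 400
    try:
        user = base64.b64decode(user).decode('utf-8').lower()
        pw = base64.b64decode(pw).decode('utf-8')
        mac = base64.b64decode(mac).decode('utf-8').upper()
    except ValueError:
        # binascii.Error / UnicodeDecodeError are both ValueError subclasses.
        return "400 (Bad request)", 400

    if len(pw) < 8 or len(pw) > 20 or not pw.isalnum():
        return "400 (Bad request)", 400

    # fullmatch rather than match: with a trailing ``$`` re.match still
    # accepts a value that ends in "\n"; fullmatch rejects it.
    email_pattern = r"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$"
    if not re.fullmatch(email_pattern, user):
        return "400 (Bad request)", 400

    board = ddbb.query(
        "SELECT b.mac, a.mac FROM boards AS b LEFT JOIN acls AS a ON b.mac=a.mac WHERE b.mac=%s",
        mac)
    # Unknown board, or a board that is already assigned in acls.
    if len(board) == 0 or board[0][1] is not None:
        return "404 (Not Found)", 404

    existing = ddbb.query("SELECT pw FROM user WHERE username=%s", user)
    if len(existing) > 0 and len(existing[0][0]) > 0:
        return "404 (Not Found)", 404

    q = ddbb.query(
        "SELECT confirm, confirmType, confirmValid, confirmData FROM user WHERE username=%s",
        user)
    if len(q) > 0 and q[0][2] is not None:
        # NOTE(review): naive datetime + .timestamp() assumes local time;
        # confirm this matches how the DB stores now().
        expires = (q[0][2] + timedelta(hours=1)).timestamp()
        if q[0][1] == 'register' and expires > time.time():
            # A live registration token is already out; do not mint another.
            return "done"

    # The token is a bearer credential that completes registration, so it
    # must come from the OS CSPRNG (SystemRandom), not the default
    # Mersenne-Twister generator, whose output is predictable.
    rng = random.SystemRandom()
    alphabet = string.ascii_letters + string.digits
    confirm = ''.join(rng.choice(alphabet) for _ in range(64))
    # Consumed by registerConfirm(), which splits on ';'.
    data = password.createHash(pw) + ";" + mac

    if len(q) > 0:
        ddbb.query(
            "UPDATE user SET confirm=%s, confirmType='register', confirmData=%s, confirmValid=now() WHERE username=%s",
            confirm, data, user)
    else:
        # Only look for a stale never-confirmed row when a new row is
        # actually needed; nothing is written between here and the lookup.
        stale = ddbb.query(
            "SELECT id FROM user WHERE date_add(NOW(), INTERVAL -1 HOUR) > confirmValid AND pw=''"
        )
        if len(stale) > 0:
            stale_id = stale[0][0]
            ddbb.query("DELETE FROM share WHERE user=%s", stale_id)
            ddbb.query(
                "UPDATE user SET username=%s, confirm=%s, confirmType='register', confirmData=%s, confirmValid=now() WHERE id=%s",
                user, confirm, data, stale_id)
        else:
            ddbb.query(
                "INSERT INTO user (username, pw, confirm, confirmType, confirmData, confirmValid) VALUES (%s, '', %s, 'register', %s, now())",
                user, confirm, data)
    email.registerConfirm(user, confirm)
    return "done"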