def signup():
# handle incoming form
if request.method == 'POST':
# retrieve form data
args = {
'firstname': request.form.get('firstname', type=str),
'lastname': request.form.get('lastname', type=str),
'username': request.form.get('username', type=str),
'password': request.form.get('password', type=str),
'password_confirm': request.form.get('password_confirm', type=str)
}
# check for valid data and no user conflicts
if any(x == None for x in args.values()):
flash('All fields are required', 'alert-danger')
elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()):
flash(
'Fields may not exceed {} characters'.format(
Model.TEXT_MAX_LEN), 'alert-danger')
elif (pw_complexity(args['password']) == False):
flash(
"Password needs 8 characters minimum, with at least 1 digit, 1 minuscule and 1 majuscule.",
'alert-danger')
elif args['password'] != args['password_confirm']:
flash("Passwords don't match", 'alert-danger')
elif User.find(args['username']):
flash('Username is already used', 'alert-danger')
else:
# create new account and redirect to login page
User.insert(False, args['firstname'], args['lastname'],
args['username'], hash_pw(args['password']))
flash('Account created successfully', 'alert-success')
return redirect('/login')
return render_template('signup.html', title='Create an account')
def change_password():
user = current_user()
# handle incoming form
if request.method == 'POST':
# retrieve form data
args = {
'newPassword': request.form.get('newPassword', type=str),
'repeatPassword': request.form.get('repeatPassword', type=str),
'currentPassword': request.form.get('currentPassword', type=str),
}
# check for valid data
if any(x == None for x in args.values()):
flash('All fields are required', 'alert-danger')
elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()):
flash(
'Fields may not exceed {} characters'.format(
Model.TEXT_MAX_LEN), 'alert-danger')
elif args['newPassword'] != args['repeatPassword']:
flash("New passwords don't match", 'alert-danger')
elif args['newPassword'] == args['currentPassword']:
flash('New password is the same as the current one',
'alert-danger')
elif not check_pw(args['currentPassword'], user.password):
flash('Current password is incorrect', 'alert-danger')
else:
User.change_pass(user.username, args['newPassword'])
flash('Password successfully changed', 'alert-success')
return logout(False)
return render_template('changePassword.html',
title='Change password',
user=user)
def user_add():
user = current_user()
# handle incoming form
if request.method == 'POST':
# retrieve form data
args = {
'firstname': request.form.get('firstname', type=str),
'lastname': request.form.get('lastname', type=str),
'username': request.form.get('username', type=str),
'password': request.form.get('password', type=str),
'password_confirm': request.form.get('password_confirm', type=str)
}
# check for valid data and no user conflicts
if any(x == None for x in args.values()):
flash('All fields are required', 'alert-danger')
elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()):
flash(
'Fields may not exceed {} characters'.format(
Model.TEXT_MAX_LEN), 'alert-danger')
elif args['password'] != args['password_confirm']:
flash("Passwords don't match", 'alert-danger')
elif User.find(args['username']):
flash('Username is already used', 'alert-danger')
else:
# create new account and redirect to login page
User.insert(False, args['firstname'], args['lastname'],
args['username'], hash_pw(args['password']))
flash('Account created successfully', 'alert-success')
return redirect('/admin')
return render_template('user_add.html', title='Add new user', user=user)
def login():
form = LoginForm()
if request.method == 'POST' and form.validate_on_submit():
user = db['users'].find_one({"username": form.username.data})
if user and User.validate_login(user['hash'], form.password.data):
user_obj = User(user['username'])
login_user(user_obj)
flash("Login successful")
return redirect(url_for('index'))
flash("Wrong username or password")
return render_template('login.html', form=form, title="Login")
def user_id(username):
user = current_user()
if len(username) > Model.TEXT_MAX_LEN:
flash('Bad username', 'alert-danger')
return redirect('/admin')
otheruser = User.select(username)
if not otheruser:
flash("User doesn't exist", 'alert-danger')
return redirect('/admin')
# handle incoming form
if request.method == 'POST':
# retrieve form data
args = {
'username': request.form.get('username', type=str),
'password': request.form.get('password', type=str),
'active': request.form.get('active', type=bool),
'admin': request.form.get('admin', type=bool),
}
# check if post username matches route
if args['username'] != username:
flash('Malformed request', 'alert-danger')
return redirect('/admin')
# prevent self corruption
elif args['username'] == user.username:
flash("Can't edit yourself !", 'alert-danger')
return redirect('/admin')
# create update dict
update_dict = {
'active': True if args['active'] else False,
'admin': True if args['admin'] else False
}
if args['password']:
update_dict['password'] = hash_pw(args['password'])
# patch user
User.update(args['username'], update_dict)
Session.terminate_user(args['username'])
flash('User successfully updated', 'alert-success')
return redirect('/admin')
return render_template('user_id.html',
title="Manager user '{}'".format(username),
user=user,
otheruser=otheruser)
def compose(msg_title=None, msg_recipient=None):
user = current_user()
if request.method == 'POST':
# retrieve form data
args = {
'recipient': request.form.get('recipient', type=str),
'title': request.form.get('title', type=str),
'body': request.form.get('body', type=str),
}
# ensure fields are present and within database limits
if any(x == None for x in args.values()):
flash('All fields are required', 'alert-danger')
elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()):
flash(
'Fields may not exceed {} characters'.format(
Model.TEXT_MAX_LEN), 'alert-danger')
# check if recipient exists
elif not User.find(args['recipient']):
flash("Recipient doesn't exist", 'alert-danger')
# create new message
else:
message = Message.insert(sender_name=user.username,
recipient_name=args['recipient'],
date=get_current_timestamp(),
title=args['title'],
body=args['body'])
flash('Message successfully sent', 'alert-success')
return render_template('compose.html',
title='New message',
user=user,
msg_title=msg_title,
msg_recipient=msg_recipient)
def admin():
user = current_user()
return render_template('admin.html',
title='Administration',
user=user,
users=User.all())
def decorated_function(*args, **kwargs):
# What is GEN ? Baby don't duplicate me, don't duplicate me, oh no
# check if session cookie is present
cookie = request.cookies.get('auth')
if not cookie:
flash('You must log in first to access this page.', 'alert-danger')
return redirect('/login')
# check if a valid JWT came in the cookie
payload = jwt_decode(cookie)
if not payload:
flash('You must log in first to access this page.', 'alert-danger')
return redirect('/login')
# check if the named session exists
session = Session.select(payload['session'])
if not session:
flash('You must log in first to access this page.', 'alert-danger')
return redirect('/login')
# check if the session has expired
if session.expiry <= dt.datetime.now():
flash('Session expired, please log in again.', 'alert-danger')
Session.delete(session.id)
return redirect('/login')
# check if the named session exists
user = User.select(session.username)
if not user.admin:
flash('This resource is currently unavailable.', 'alert-danger')
return redirect('/inbox')
return f(*args, **kwargs)
def user_delete(username):
user = current_user()
if len(username) > Model.TEXT_MAX_LEN:
flash('Bad username', 'alert-danger')
return redirect('/admin')
otheruser = User.select(username)
if not otheruser:
flash("User doesn't exist", 'alert-danger')
return redirect('/admin')
if username == user.username:
flash("Can't delete yourself !", 'alert-danger')
return redirect('/admin')
User.delete(username)
flash('User successfully deleted', 'alert-success')
return redirect('/admin')
def inbox():
user = current_user()
senders = {}
if user.messages:
for msg in user.messages:
senders[msg.sender_name] = '{}'.format(User.select(
msg.sender_name))
return render_template('inbox.html',
title='Inbox',
user=user,
senders=senders)
def login():
# handle incoming form
if request.method == 'POST':
# retrieve form data
args = {
'username': request.form.get('username', type=str),
'password': request.form.get('password', type=str),
}
# get matching user
user = User.select(args['username'])
# check for valid data and no user conflicts
if any(x == None for x in args.values()):
flash('All fields are required', 'alert-danger')
elif any(len(x) > Model.TEXT_MAX_LEN for x in args.values()):
flash(
'Fields may not exceed {} characters'.format(
Model.TEXT_MAX_LEN), 'alert-danger')
elif not (user and check_pw(args['password'], user.password)):
flash('Bad credentials', 'alert-danger')
elif not user.active:
flash('Account disabled, please contact an administrator',
'alert-danger')
else:
# generate new session
expiry = get_current_timestamp()
session_id = gen_rand_string()
Session.insert(session_id=session_id,
username=user.username,
expiry=expiry,
ip=request.remote_addr,
user_agent=request.user_agent.string)
# set cookie in response and redirect to inbox
res = make_response(redirect('/inbox'))
# TODO secure=True
res.set_cookie(
key='auth',
value=jwt_encode({
'session': session_id,
'exp': expiry
}),
expires=expiry,
samesite='Strict',
)
flash('Successfully logged in', 'alert-success')
return res
return render_template('login.html', title='Log in')
def message_id(message_id):
user = current_user()
if len(message_id) > Model.TEXT_MAX_LEN:
flash('Bad message ID', 'alert-danger')
return redirect('/inbox')
message = Message.select(message_id)
if not message:
flash("Message doesn't exist", 'alert-danger')
return redirect('/inbox')
elif message.recipient_name != user.username:
flash("Can't view messages from other users", 'alert-danger')
return redirect('/inbox')
sender = '{}'.format(User.select(message.sender_name))
return render_template('message_id.html',
title=message.title,
user=user,
message=message,
sender=sender)
def current_user():
# What is GEN ? Baby don't duplicate me, don't duplicate me, oh no
# check if session cookie is present
cookie = request.cookies.get('auth')
if not cookie:
return None
# check if a valid JWT came in the cookie
payload = jwt_decode(cookie)
if not payload:
return None
# check if the named session exists
session = Session.select(payload['session'])
if not session:
return None
# check if the session has expired
if session.expiry <= dt.datetime.now():
return None
return User.from_session(get_current_jwt()['session'])
def load_user(username):
u = db['users'].find_one({"username": username})
print(u)
if not u:
return None
return User(u["username"])
