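def run(self):
    """Display the change-password dialog until a new password is accepted.

    Returns the new password once it is confirmed. Raises CancelError when
    the dialog is cancelled; the dialog is destroyed before either exit.
    When ``self.password`` is set, the "current password" entry must match
    it; a weak new password (util.check_password raises ValueError) needs
    explicit confirmation, with Cancel as the default answer.
    """
    while 1:
        if Password.run(self) != gtk.RESPONSE_OK:
            self.destroy()
            raise CancelError

        new_password = self.entry_new.get_text()

        if self.password is not None and self.entry_current.get_text() != self.password:
            # Plain string compare of the current file password: this is a
            # local GUI check, not a remote authentication step.
            Error(self, _('Incorrect password'), _('The password you entered as the current file password is incorrect.')).run()
        elif new_password != self.entry_confirm.get_text():
            Error(self, _('Passwords don\'t match'), _('The password and password confirmation you entered does not match.')).run()
        else:
            try:
                util.check_password(new_password)
            except ValueError as res:
                # `except X as e` replaces the Python-2-only `except X, e` form.
                response = Warning(
                    self,
                    _('Use insecure password?'),
                    _('The password you entered is not secure; %s. Are you sure you want to use it?') % str(res).lower(),
                    ((gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL), (gtk.STOCK_OK, gtk.RESPONSE_OK)),
                    gtk.RESPONSE_CANCEL,
                ).run()
                if response != gtk.RESPONSE_OK:
                    continue
            self.destroy()
            return new_password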
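def run(self):
    """Display the new-file password dialog until a password is accepted.

    Returns the chosen password. Raises CancelError when the dialog is
    cancelled; the dialog is destroyed before either exit. An empty password
    is refused outright; a weak one (util.check_password raises ValueError)
    needs explicit confirmation, with Cancel as the default answer.
    """
    while 1:
        if Password.run(self) != gtk.RESPONSE_OK:
            self.destroy()
            raise CancelError

        new_password = self.entry_new.get_text()

        if new_password != self.entry_confirm.get_text():
            Error(self, _('Passwords don\'t match'), _('The passwords you entered does not match.')).run()
        elif len(new_password) == 0:
            Error(self, _('No password entered'), _('You must enter a password for the new data file.')).run()
        else:
            try:
                util.check_password(new_password)
            except ValueError as res:
                # `except X as e` replaces the Python-2-only `except X, e` form.
                reason = str(res).lower()
                response = Warning(
                    self,
                    _('Use insecure password?'),
                    _('The password you entered is not secure; %s. Are you sure you want to use it?') % reason,
                    ((gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL), (gtk.STOCK_OK, gtk.RESPONSE_OK)),
                    gtk.RESPONSE_CANCEL,
                ).run()
                if response != gtk.RESPONSE_OK:
                    continue
            self.destroy()
            return new_password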
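def POST(self):
    """Verify a password for the logged-in merchant.

    Request JSON: ``password`` (required); ``mode`` (optional): ``'manage'``
    checks the management password, ``'opuser'`` checks the operator named
    by ``opuid``; any other mode checks the operator bound to the session,
    or the main account when the session has no ``opuid``.

    Returns ``success`` with ``result`` ``'success'`` or ``'fail'``. Raises
    ParamError on bad input and DBError when the record is missing or the
    upstream check fails for a reason other than a wrong password.
    """
    userid = int(self.user.userid)
    params = self.req.inputjson()
    password = params.get('password', '')
    mode = params.get('mode', '')
    if not password:
        raise ParamError('密码为空')

    # Operator switching: in 'opuser' mode the caller names the operator,
    # otherwise the operator (if any) comes from the session.
    if mode == 'opuser':
        opuid = params.get('opuid', '')
    else:
        opuid = self.user.ses.data.get('opuid', '')

    # Management password is stored on extra_mchinfo.
    if mode == 'manage':
        with get_connection_exception('qf_core') as conn:
            row = conn.select_one('extra_mchinfo', where={'userid': userid}, fields='manage_password')
            if not row or not row['manage_password']:
                raise DBError('未设置过管理密码')
            result = 'success' if check_password(password, row['manage_password']) else 'fail'
            return success(data={'result': result})

    # An opuid means an operator account; otherwise the main account is
    # verified through the apollo client.
    if opuid:
        # opuid is caller-supplied in 'opuser' mode: reject non-numeric values
        # instead of letting int() raise an unhandled ValueError.
        if not str(opuid).isdigit():
            raise ParamError('操作员ID非法')
        with get_connection('qf_core') as db:
            opuser = db.select_one(
                'opuser',
                fields='password',
                where={'userid': userid, 'opuid': int(opuid), 'status': VALID_OPUSER_STATUS},
            )
            if not opuser:
                raise DBError('该操作员不存在')
            result = 'success' if check_password(password, opuser['password']) else 'fail'
            return success(data={'result': result})

    try:
        apcli('checkByUid', userid, password)
        return success(data={'result': 'success'})
    except ApolloException as e:
        # '1008' is the upstream "wrong password" code; anything else is an error.
        if e.respcd == '1008':
            return success(data={'result': 'fail'})
        raise DBError('密码验证失败')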
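def username_mchnt(self):
    """Merchant pre-registration: validate username and SMS code.

    Returns ``(username, userid)``; ``userid`` is None when no auth_user row
    has this mobile yet. Raises ParamError on missing/invalid input or an
    already registered merchant, and SessionError when the existing account
    has a password that does not verify against the one supplied.
    """
    d = {k: v.strip() for k, v in self.req.input().iteritems()}
    # Mask the password in the shared request copy so request logging never sees it.
    self.req.inputjson()['password'] = '******'

    username = d.get('username', '')
    if not username:
        raise ParamError('用户名为空')

    code = d.get('code', '')
    if not check_smscode(code, username):
        raise ParamError('验证码错误')

    if UserUtil.check_profile(**{'auth_user.username': username}):
        raise ParamError('商户已经注册')

    with get_connection('qf_core') as db:
        user = db.select_one('auth_user', where={'mobile': username}, fields='id, password')
    # Log only the id: the original logged the whole row, password hash included.
    log.debug('auth_user by mobile: id=%s' % (user['id'] if user else None))

    if user:
        if user['password'] and not check_password(d.get('password', ''), user['password']):
            raise SessionError('该账号已经设置密码')
        return d['username'], user['id']
    return d['username'], None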
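def POST(self):
    """Change the merchant's management password.

    Requires ``origin_password`` and ``new_password``. The original password
    is verified against the stored hash before the new one (hashed with
    enc_password) is written. Raises ParamError on missing fields and DBError
    when no management password exists, the original is wrong, or the update
    fails.
    """
    userid = self.user.userid
    params = {k: str(v).strip() for k, v in self.req.input().iteritems()}
    origin_password = params.get("origin_password", "")
    new_password = params.get("new_password", "")
    if not origin_password or not new_password:
        raise ParamError("缺少参数")

    pwd_indbm, has_set = has_set_mpwd(userid)
    if not has_set:
        raise DBError("此商户尚未设置过管理密码")
    if not check_password(origin_password, pwd_indbm):
        raise DBError("原始密码输入错误")

    # NOTE(review): new_password gets no strength check and no "differs from
    # the original" check here; only the presence check above applies.
    with get_connection("qf_core") as conn:
        try:
            affect_line = conn.update(
                "extra_mchinfo",
                where={"userid": userid},
                values={"manage_password": enc_password(new_password)},
            )
        except Exception:
            # Narrowed from a bare `except:` so interrupts are not swallowed.
            log.debug(traceback.format_exc())
            raise DBError("更新数据失败")
    if not affect_line:
        raise DBError("更新数据失败")
    return self.write(success(data={}))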
def __cb_changed(self, widget, data=None):
    "Callback for entry changes"
    # Re-evaluates the entry text on each change and picks an icon and a
    # message for it. In this span neither ``icon`` nor ``result`` is used
    # afterwards; presumably the method continues and displays them —
    # TODO confirm against the full source.
    password = self.entry.get_text()
    try:
        if len(password) == 0:
            icon = ui.STOCK_UNKNOWN
            result = _('Enter a password to check')
        else:
            # util.check_password raises ValueError with a reason for a weak password.
            util.check_password(password)
            icon = ui.STOCK_PASSWORD_STRONG
            result = _('The password seems good')
    except ValueError, result:
        icon = ui.STOCK_PASSWORD_WEAK
        result = _('The password %s') % str(result)
def __cb_changed(self, widget, data = None):
    "Callback for entry changes"
    # Re-evaluates the entry text on each change and picks an icon and a
    # message for it. In this span neither ``icon`` nor ``result`` is used
    # afterwards; presumably the method continues and displays them —
    # TODO confirm against the full source.
    password = self.entry.get_text()
    try:
        if len(password) == 0:
            icon = ui.STOCK_UNKNOWN
            result = _('Enter a password to check')
        else:
            # util.check_password raises ValueError with a reason for a weak password.
            util.check_password(password)
            icon = ui.STOCK_PASSWORD_STRONG
            result = _('The password seems good')
    except ValueError, result:
        icon = ui.STOCK_PASSWORD_WEAK
        result = _('The password %s') % str(result)
def __cb_check_password(self, widget, data = None): "Callback for changed, checks the password" if self.autocheck == False: return password = self.get_text() if len(password) == 0: self.remove_icon() else: try: util.check_password(password) except ValueError, reason: self.set_password_strong(False, _('The password %s') % str(reason)) else:
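def run(self):
    """Display the change-password dialog until a new password is accepted.

    Returns the new password once it is confirmed. Raises CancelError when
    the dialog is cancelled; the dialog is destroyed before either exit.
    When ``self.password`` is set, the "current password" entry must match
    it; a weak new password (util.check_password raises ValueError) needs
    explicit confirmation, with Cancel as the default answer.
    """
    while 1:
        if Password.run(self) != gtk.RESPONSE_OK:
            self.destroy()
            raise CancelError

        new_password = self.entry_new.get_text()

        if self.password is not None and self.entry_current.get_text() != self.password:
            # Plain string compare of the current file password: this is a
            # local GUI check, not a remote authentication step.
            Error(self, _('Incorrect password'), _('The password you entered as the current file password is incorrect.')).run()
        elif new_password != self.entry_confirm.get_text():
            Error(self, _('Passwords don\'t match'), _('The password and password confirmation you entered does not match.')).run()
        else:
            try:
                util.check_password(new_password)
            except ValueError as res:
                # `except X as e` replaces the Python-2-only `except X, e` form.
                response = Warning(
                    self,
                    _('Use insecure password?'),
                    _('The password you entered is not secure; %s. Are you sure you want to use it?') % str(res).lower(),
                    ((gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL), (gtk.STOCK_OK, gtk.RESPONSE_OK)),
                    gtk.RESPONSE_CANCEL,
                ).run()
                if response != gtk.RESPONSE_OK:
                    continue
            self.destroy()
            return new_password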
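def run(self):
    """Display the new-file password dialog until a password is accepted.

    Returns the chosen password. Raises CancelError when the dialog is
    cancelled; the dialog is destroyed before either exit. An empty password
    is refused outright; a weak one (util.check_password raises ValueError)
    needs explicit confirmation, with Cancel as the default answer.
    """
    while 1:
        if Password.run(self) != gtk.RESPONSE_OK:
            self.destroy()
            raise CancelError

        new_password = self.entry_new.get_text()

        if new_password != self.entry_confirm.get_text():
            Error(self, _('Passwords don\'t match'), _('The passwords you entered does not match.')).run()
        elif len(new_password) == 0:
            Error(self, _('No password entered'), _('You must enter a password for the new data file.')).run()
        else:
            try:
                util.check_password(new_password)
            except ValueError as res:
                # `except X as e` replaces the Python-2-only `except X, e` form.
                reason = str(res).lower()
                response = Warning(
                    self,
                    _('Use insecure password?'),
                    _('The password you entered is not secure; %s. Are you sure you want to use it?') % reason,
                    ((gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL), (gtk.STOCK_OK, gtk.RESPONSE_OK)),
                    gtk.RESPONSE_CANCEL,
                ).run()
                if response != gtk.RESPONSE_OK:
                    continue
            self.destroy()
            return new_password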
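def post(self):
    """Handle the login form POST.

    Looks the user up by username, verifies the password with
    util.check_password and, on success, sets the signed ``user`` cookie and
    redirects to /admin. Every failure (missing fields, unknown user, wrong
    password) ends the request without a cookie; unknown user and wrong
    password get the same redirect so usernames cannot be probed.
    """
    try:
        username = self.get_argument("username")
        password = self.get_argument("pass")
    except Exception:
        # The original fell through here with username/password unbound.
        self.write('<br> Incomplete fields')
        return

    user = db.users.find_one({'username': username})
    if user is None or not util.check_password(password, user['pass']):
        # The original wrote no response at all on a wrong password.
        self.redirect("/login")
        return

    self.set_secure_cookie("user", username)
    self.redirect("/admin")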
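def post(self):
    """Log a user in and return a token.

    Expects a JSON body with ``email`` and ``password``. Aborts 400 when
    either is missing (previously a KeyError, i.e. a 500) and 404 — as the
    API documents — when the pair does not match. Unknown and known emails
    get the same message so the endpoint does not reveal which accounts
    exist. On success returns ``OK`` with the encoded user token.
    """
    body = request.get_json(silent=True) or {}
    email = body.get("email")
    password = body.get("password")
    if not email or not password:
        abort(400, "email and password are required")

    user = User.objects(email=email).first()
    # Note the argument order of this project's check_password: (stored, supplied).
    if not user or not check_password(user['password'], password):
        abort(404, "Wrong username/password combination")

    token = encode_user_token(user.get_id())
    return OK('Logged in', {"token": token.decode("utf-8")})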
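def login():
    """The login action, which either shows the form (GET) or handles the form submission (POST).

    On a valid POST the user is looked up by username and the password is
    verified with check_password; success stores the user in the session and
    redirects to "/". One flash message covers both unknown user and wrong
    password.
    """
    form = LoginForm(request.form)
    if request.method == 'POST' and form.validate():
        # Removed: `print form.password.data`, which wrote the plaintext
        # password to stdout/log on every login attempt.
        user = User.objects(username=form.username.data).first()
        if user is None or not check_password(user, form.password.data):
            flash('The username or password is wrong.')
        else:
            setup_user_in_session(user, session)
            flash('You are now logged in!')
            return redirect("/")
    return render_template('login.html', form=form)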
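def np_login():
    """Authenticate an np_account and return its primary key.

    Reads ``username`` and ``password`` from the JSON body. Returns
    ``{"pk": <pk>}`` on success, otherwise ``{"SQL": "ERROR"}`` — the same
    body for a missing field, an unknown username and a wrong password, so
    callers cannot probe which usernames exist (the original raised on an
    unknown user because ``fetchone()`` returned None).
    """
    data = request.get_json(silent=True) or {}
    username = data.get("username")
    password = data.get("password")
    if not username or not password:
        return jsonify({"SQL": "ERROR"})
    password = bytes(password, "utf-8")

    with connect(DBPATH) as connection:
        cursor = connection.cursor()
        # Parameterised query; both columns in one round trip.
        SQL = """SELECT password_hash, pk FROM np_accounts WHERE username=?;"""
        row = cursor.execute(SQL, (username, )).fetchone()

    if row is None:
        return jsonify({"SQL": "ERROR"})
    password_hash, np_pk = row
    if check_password(password, password_hash):
        return jsonify({"pk": np_pk})
    return jsonify({"SQL": "ERROR"})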
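def POST(self):
    """Update an operator (opuser) belonging to the current merchant.

    Validated input ``d`` carries ``opuid`` and optional ``mobile``,
    ``status`` (None/0/1), ``opname`` and ``password``. Only fields whose
    value differs from the stored row are written; a new password is hashed
    with enc_password and skipped when it already verifies against the
    stored hash. Disabling the operator or changing its password kicks its
    active session. Raises ParamError on a bad status, UserError when the
    operator does not exist.
    """
    userid = int(self.get_userid_login_or_ip())
    d = self.validator.data
    if d['status'] not in [None, 0, 1]:
        raise ParamError('状态非法')
    opuid = int(d['opuid'])

    with get_connection_exception('qf_core') as db:
        opuser = db.select_one(table='opuser', where={'userid': userid, 'opuid': opuid}) or {}
        if not opuser:
            raise UserError('操作员不存在')

    update_data = {}
    for field in ['mobile', 'status', 'opname', 'password']:
        if d[field] is None:
            continue
        if field == 'password':
            # Only write a password that differs from the stored one.
            if not check_password(d['password'], opuser['password']):
                update_data[field] = enc_password(d['password'])
        elif d[field] != unicode_to_utf8(opuser[field]):
            update_data[field] = d[field]

    if not update_data:
        return success({})

    with get_connection('qf_core') as db:
        # Same int userid as the lookup above (the original passed the raw value here).
        db.update('opuser', update_data, where={'userid': userid, 'opuid': opuid})

    # Force re-login after a disable or a password change.
    if update_data.get('status') == 0 or update_data.get('password'):
        kick_user(userid, opuid, mode='opuser')
    return success({})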
def check_op(self, userid, password, opuid):
    """Verify an operator's password and return its display info.

    Looks up the active (status 1) operator ``opuid`` under ``userid``.
    Raises UserError when it does not exist or when the password does not
    verify (after recording the failure via password_error). Returns a dict
    with ``opname`` ('' when unset) and ``opuid`` zero-padded to four chars.
    """
    where = {'userid': userid, 'opuid': int(opuid), 'status': 1}
    with get_connection('qf_core') as db:
        row = db.select_one('opuser', fields='password, opname, opuid', where=where)

    if not row:
        raise UserError('该操作员不存在')
    if not check_password(password, row['password']):
        self.password_error(userid, password, opuid)
        raise UserError('账号或密码有误,请重新输入')

    return {
        'opname': row['opname'] or '',
        'opuid': str(row['opuid']).rjust(4, '0'),
    }
def test_check():
    """Regression check for util.check_password on two sample records.

    Despite the name, this check_password takes a record dict (passport-style
    fields), not a password string — it is unrelated to the login helpers.
    """
    from util import check_password

    invalid_record = {
        'iyr': '2013', 'ecl': 'amb', 'cid': '350', 'eyr': '2023',
        'pid': '028048884', 'hcl': '#cfa07d', 'byr': '1929',
    }
    valid_record = {
        'hcl': '#ae17e1', 'iyr': '2013', 'eyr': '2024', 'ecl': 'brn',
        'pid': '760753108', 'byr': '1931', 'hgt': '179cm',
    }
    assert check_password(invalid_record) == False
    assert check_password(valid_record) == True
def check_password(self, request_pwd):
    """Return whether ``request_pwd`` verifies against the stored ``self.password``.

    Thin wrapper around util.check_password(supplied, stored).
    """
    stored = self.password
    return util.check_password(request_pwd, stored)
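def login(cached_email=None):
    """Render login page and handle login form data.

    Requests:
        GET  /auth/login  - render the form with a fresh CSRF token, which is
                            also stored in the ``csrf_token`` cookie
                            (double-submit pattern).
        POST /auth/login  - check the CSRF pair, then email/password; on
                            success set the ``token`` cookie and redirect to
                            the main page.

    Form fields: ``email`` and ``password`` (both required) and
    ``_csrf_token``, which must equal the ``csrf_token`` cookie.
    """
    import hmac

    if request.method == 'GET':
        csrf_token = generate_csrf_token()
        response = make_response(render_template('login.html', cached_email=cached_email, client_id=CLIENT_ID, csrf_token=csrf_token))
        # Double-submit cookie: the form value must match this on POST.
        response.set_cookie('csrf_token', value=csrf_token, httponly=True)
        return response

    if request.method == 'POST':
        cookie_csrf_token = request.cookies.get('csrf_token')
        form_csrf_token = request.form.get('_csrf_token')
        # Reject when either side is missing: the original only compared the
        # two with `!=`, so a request carrying neither the cookie nor the form
        # field (both None) passed the check. Constant-time compare otherwise.
        if (not cookie_csrf_token or not form_csrf_token
                or not hmac.compare_digest(str(cookie_csrf_token), str(form_csrf_token))):
            flash("Please use proper login.")
            return render_template('login.html', cached_email=cached_email, client_id=CLIENT_ID, csrf_token="")

        def retry(message):
            # Re-render with the validated CSRF token so the retry can be
            # submitted (the original re-rendered without one).
            flash(message)
            return render_template('login.html', cached_email=email, client_id=CLIENT_ID, csrf_token=cookie_csrf_token)

        email = request.form.get('email')
        password = request.form.get('password')
        if not (email and password):
            return retry("Please fill the form. ")

        user = User.get_by_email(session, email.strip())
        if not user:
            return retry("Invalid email address or password. ")
        # An account created through OAuth has no local password.
        # NOTE(review): this message confirms that the email is registered.
        if not user.password:
            return retry("You've signed up with social service. ")
        if not check_password(password, user.password, user.salt):
            return retry("Invalid email address or password. ")

        # The token is the session credential: keep it out of script reach.
        # NOTE(review): add secure=True once the site is served over HTTPS only.
        expire_time, token = generate_token(user)
        response = make_response(redirect(url_for('basic.showMain')))
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response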
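def login(cached_email=None):
    """Render login page and handle login form data.

    Requests:
        GET  /auth/login  - render the form with a fresh CSRF token, which is
                            also stored in the ``csrf_token`` cookie
                            (double-submit pattern).
        POST /auth/login  - check the CSRF pair, then email/password; on
                            success set the ``token`` cookie and redirect to
                            the main page.

    Form fields: ``email`` and ``password`` (both required) and
    ``_csrf_token``, which must equal the ``csrf_token`` cookie.
    """
    import hmac

    if request.method == 'GET':
        csrf_token = generate_csrf_token()
        response = make_response(render_template('login.html', cached_email=cached_email, client_id=CLIENT_ID, csrf_token=csrf_token))
        # Double-submit cookie: the form value must match this on POST.
        response.set_cookie('csrf_token', value=csrf_token, httponly=True)
        return response

    if request.method == 'POST':
        cookie_csrf_token = request.cookies.get('csrf_token')
        form_csrf_token = request.form.get('_csrf_token')
        # Reject when either side is missing: the original only compared the
        # two with `!=`, so a request carrying neither the cookie nor the form
        # field (both None) passed the check. Constant-time compare otherwise.
        if (not cookie_csrf_token or not form_csrf_token
                or not hmac.compare_digest(str(cookie_csrf_token), str(form_csrf_token))):
            flash("Please use proper login.")
            return render_template('login.html', cached_email=cached_email, client_id=CLIENT_ID, csrf_token="")

        def retry(message):
            # Re-render with the validated CSRF token so the retry can be
            # submitted (the original re-rendered without one).
            flash(message)
            return render_template('login.html', cached_email=email, client_id=CLIENT_ID, csrf_token=cookie_csrf_token)

        email = request.form.get('email')
        password = request.form.get('password')
        if not (email and password):
            return retry("Please fill the form. ")

        user = User.get_by_email(session, email.strip())
        if not user:
            return retry("Invalid email address or password. ")
        # An account created through OAuth has no local password.
        # NOTE(review): this message confirms that the email is registered.
        if not user.password:
            return retry("You've signed up with social service. ")
        if not check_password(password, user.password, user.salt):
            return retry("Invalid email address or password. ")

        # The token is the session credential: keep it out of script reach.
        # NOTE(review): add secure=True once the site is served over HTTPS only.
        expire_time, token = generate_token(user)
        response = make_response(redirect(url_for('basic.showMain')))
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response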
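def POST(self):
    """Merchant / operator login.

    Reads ``username``, ``password`` and optional ``udid`` / ``opuid``. With
    an ``opuid`` the operator's password is checked via check_op, otherwise
    the main account's. On success a session is created, the ``sessionid``
    cookie is set, and the user profile is returned together with client
    URLs, the management-password flag and — for card-reader user agents —
    the bound terminal ids. Raises UserError / ThirdError on a failed login
    and ParamError when a big-merchant role is not allowed to log in.
    """
    params = self.req.input()
    username = params['username']
    password = params['password']
    udid = params.get('udid')
    opuid = params.get('opuid')
    # Mask the password in the shared request dict so later logging never sees it.
    params['password'] = '******'

    user = self.get_user(username)
    opinfo = None
    self.check_user(user['userid'], opuid)
    if opuid:
        opinfo = self.check_op(user['userid'], password, opuid)
    elif not check_password(password, user['password']):
        self.password_error(user['userid'], password)
        raise UserError('账号或密码有误,请重新输入')

    userinfo = apcli.user_by_id(user['userid'])
    if not userinfo:
        # The original logged the plaintext password here; log identifiers only.
        log.debug('[username:{} userid:{}] user_by_id returned nothing'.format(username, user['userid']))
        raise ThirdError('账号或密码有误,请重新输入')

    # Offline store information.
    user_ext = apcli_ex('getUserExt', int(userinfo['uid']))

    cf = {}
    cf['cate'] = self.get_cate(userinfo['uid'], userinfo['userCates'])
    # Optionally refuse big-merchant logins.
    if not getattr(config, 'BIGMCHNT_LOGIN_ALLOWED', True) and cf['cate'] == 'bigmerchant':
        raise ParamError('商户角色错误')
    # Channel information.
    cf['qdinfo'] = self._qdinfo = get_qudaoinfo(userinfo['groupid'])

    sid = self.set_session(udid=udid, userinfo=userinfo, opuid=opuid, cate=cf['cate'], language=self._qdinfo['language'])

    # Card-reader clients (matched by User-Agent) also get their bound terminal ids.
    terminalids = []
    user_agent = self.req.environ.get('HTTP_USER_AGENT', '').upper()
    if any(ua in user_agent for ua in config.UA_CARD):
        with get_connection('qf_core') as db:
            terms = db.select('termbind', where={'userid': user['userid']}, fields='terminalid')
        terminalids = [t['terminalid'] for t in terms or []]

    ret = UserUtil.ret_userinfo(userinfo, user_ext, sessionid=sid, opinfo=opinfo, terminalids=terminalids, **cf)
    self.resp.set_cookie('sessionid', sid, **config.COOKIE_CONFIG)

    conf_group_client_url = config.GROUP_CONF_CLIENT_URL.get(str(userinfo['groupid']), config.DEFAULT_CLIENT_URL)
    ret['pay_url'] = conf_group_client_url.get("pay_url", config.DEFAULT_CLIENT_URL.get("pay_url"))
    # NOTE(review): the fallback here is DEFAULT_CLIENT_URL["pay_url"], not
    # "pay_trade_query_url" — kept as in the original; confirm it is intended.
    ret['pay_trade_query_url'] = conf_group_client_url.get("pay_trade_query_url", config.DEFAULT_CLIENT_URL.get("pay_url"))

    _, has_set = has_set_mpwd(user['userid'])
    ret['has_set_mpwd'] = 1 if has_set else 0
    return success(ret)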