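def login():
    """Render the login form or authenticate a POSTed username/password.

    GET: stores a fresh nonce in the session and renders ``login.html``.
    POST: verifies the anti-bot token (md5 of password + nonce), looks the
    user up by username and stored password hash, and on success records
    ``user_id`` and a per-user upload folder in the session before
    redirecting to ``next`` (same-site paths only) or the home page.
    Failures redirect back to the login page with an ``error`` query arg.
    """
    # redirect to home if already logged in
    if session.get('user_id'):
        return redirect(url_for('ph_bp.home'))
    if request.method == 'POST':
        # Digest over bytes: form values are text, and md5() needs an
        # encoded argument on Python 3.
        token = md5((request.form['password'] +
                     session.get('nonce', '')).encode()).hexdigest()
        # NOTE(review): a plain == is not a constant-time comparison;
        # hmac.compare_digest would be the safer choice here.
        if token == request.form['token']:
            # Bind the values as parameters instead of formatting them into
            # the SQL string, so form input cannot change the query. (The
            # formatted version also had a single placeholder, so the
            # username was silently dropped.) SQLAlchemy 2.x requires the
            # string to be wrapped in text() first.
            query = ("SELECT * FROM users WHERE username=:username "
                     "AND password_hash=:password_hash")
            username = request.form['username']
            # NOTE(review): xor_encrypt is reversible, so the stored
            # "password_hash" can be recovered with PW_ENC_KEY — confirm
            # this is the intended storage format.
            password_hash = xor_encrypt(request.form['password'],
                                        current_app.config['PW_ENC_KEY'])
            user = db.session.execute(
                query, {'username': username,
                        'password_hash': password_hash}).first()
            if user and user['status'] == 1:
                session['user_id'] = user.id
                path = os.path.join(current_app.config['UPLOAD_FOLDER'],
                                    md5(str(user.id).encode()).hexdigest())
                if not os.path.exists(path):
                    os.makedirs(path)
                session['upload_folder'] = path
                # The session is rotated after being populated; whether
                # rotate() keeps existing keys depends on its implementation.
                session.rotate()
                nxt = request.args.get('next')
                # Accept only a site-relative path: a value carrying a scheme
                # or a scheme-relative prefix (// or /\) would send the
                # browser off-site.
                if (not nxt or not nxt.startswith('/')
                        or nxt[1:2] in ('/', '\\')):
                    nxt = url_for('ph_bp.home')
                return redirect(nxt)
            return redirect(
                url_for('ph_bp.login', error='Invalid username or password.'))
        return redirect(url_for('ph_bp.login', error='Bot detected.'))
    session['nonce'] = get_token(5)
    return render_template('login.html')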
def init_session(user_id):
    """Mark *user_id* as logged in and make sure its upload folder exists.

    Writes ``user_id`` to the session, derives a per-user directory under
    ``UPLOAD_FOLDER`` named after the md5 hex digest of the id, creates it
    when missing, stores its path as ``upload_folder`` and finally rotates
    the session.
    """
    session['user_id'] = user_id
    folder_name = md5(str(user_id).encode()).hexdigest()
    upload_dir = os.path.join(current_app.config['UPLOAD_FOLDER'],
                              folder_name)
    if not os.path.exists(upload_dir):
        os.makedirs(upload_dir)
    session['upload_folder'] = upload_dir
    # Rotation runs after the keys are written; whether rotate() preserves
    # them is up to the session implementation.
    session.rotate()
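def auth():
    """Authenticate the POSTed username/password and start a session.

    Looks the user up by ``username``. If ``hashpw`` over the submitted
    password reproduces the stored hash (compared with ``safe_str_cmp``),
    the session is rotated, ``user`` is set to the user's id and the client
    is redirected (303) to ``.home``. Otherwise a flash message is set and
    the client is redirected back to ``.login_page``.
    """
    username = request.form.get('username')
    # Default to '' so a request without a password field fails the hash
    # check below instead of raising AttributeError on None.encode().
    password = request.form.get('password') or ''
    user = User.query.filter_by(username=username).first()
    if not user:
        # NOTE(review): the distinct message (and skipping hashpw) lets a
        # caller distinguish valid from invalid usernames — consider a
        # single generic message for both failure paths.
        flash('No such user', 'error')
        return redirect(url_for('.login_page'), code=303)
    # Assumes hashpw follows the bcrypt convention of taking the stored hash
    # as the salt, so a matching password reproduces it — confirm.
    pw_hash = hashpw(password.encode(), user.password.encode()).decode()
    if safe_str_cmp(pw_hash, user.password):
        # Rotate before writing so the authenticated state lands in a
        # fresh session.
        session.rotate()
        session['user'] = user.id
        return redirect(url_for('.home'), code=303)
    flash('Incorrect password', 'error')
    return redirect(url_for('.login_page', username=username), code=303)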
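def auth():
    """Verify a POSTed username/password and log the user in.

    The user is fetched by ``username``; ``hashpw`` is run with the stored
    hash as salt and the result compared with ``safe_str_cmp``. On a match
    the session is rotated and ``user`` is set to the user's id before a
    303 redirect to ``.home``. Missing user or wrong password flash an
    error and redirect (303) to ``.login_page``.
    """
    username = request.form.get('username')
    # '' rather than None: a missing password must fail verification, not
    # crash on None.encode().
    password = request.form.get('password') or ''
    user = User.query.filter_by(username=username).first()
    if user is None:
        # NOTE(review): this path answers faster and with a different message
        # than a wrong password, which reveals which usernames exist.
        flash('No such user', 'error')
        return redirect(url_for('.login_page'), code=303)
    # Assumes bcrypt-style hashpw: the stored hash doubles as the salt — confirm.
    pw_hash = hashpw(password.encode(), user.password.encode()).decode()
    if not safe_str_cmp(pw_hash, user.password):
        flash('Incorrect password', 'error')
        return redirect(url_for('.login_page', username=username),
                        code=303)
    # Fresh session id first, then the authenticated user id.
    session.rotate()
    session['user'] = user.id
    return redirect(url_for('.home'), code=303)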
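def login():
    """Render the login form or authenticate a POSTed username/password.

    GET renders ``login.html``. POST looks the user up by username and
    stored password hash; on success ``user_id`` and a per-user upload
    folder are written to the session and the client is redirected to
    ``next`` (same-site paths only) or home. A failed login redirects back
    to the login page with an ``error`` query arg.
    """
    # redirect to home if already logged in
    if session.get('user_id'):
        return redirect(url_for('home'))
    if request.method == 'POST':
        # Bind values as parameters instead of formatting them into the SQL
        # string so form input cannot alter the query. (The formatted version
        # had one placeholder for two values, so the username was dropped.)
        # SQLAlchemy 2.x requires wrapping the string in text().
        query = ("SELECT * FROM users WHERE username=:username "
                 "AND password_hash=:password_hash")
        username = request.form['username']
        # NOTE(review): xor_encrypt is reversible, so the stored value is a
        # recoverable password rather than a hash — confirm this is intended.
        password_hash = xor_encrypt(request.form['password'],
                                    app.config['PW_ENC_KEY'])
        user = db.session.execute(
            query, {'username': username,
                    'password_hash': password_hash}).first()
        if user and user['status'] == 1:
            session['user_id'] = user.id
            # md5 over bytes so this also works on Python 3.
            path = os.path.join(app.config['UPLOAD_FOLDER'],
                                md5(str(user.id).encode()).hexdigest())
            if not os.path.exists(path):
                os.makedirs(path)
            session['upload_folder'] = path
            # Rotated after population; whether rotate() keeps existing keys
            # depends on its implementation.
            session.rotate()
            nxt = request.args.get('next')
            # Only a site-relative path is followed; a scheme or a
            # scheme-relative prefix (// or /\) would redirect off-site.
            if (not nxt or not nxt.startswith('/')
                    or nxt[1:2] in ('/', '\\')):
                nxt = url_for('home')
            return redirect(nxt)
        return redirect(url_for('login', error='Invalid username or password.'))
    return render_template('login.html')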
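def oauth():
    """GitHub OAuth callback: exchange ``code`` for a token and log in.

    Any failure while reading the client credentials, fetching the access
    token or loading the user profile aborts with 503. A first-time user is
    created, the user is stored in the session (which is then rotated) and
    the client is redirected to ``next`` when ``is_safe_url`` accepts it,
    otherwise to the site root.
    """
    code = request.args.get('code')
    try:
        client_id = current_app.config['GITHUB_CLIENT_ID']
        client_secret = current_app.config['GITHUB_CLIENT_SECRET']
        access_token = get_access_token(code, client_id, client_secret)
        user = get_user(access_token)
    except Exception:
        # Narrowed from a bare except so SystemExit and KeyboardInterrupt
        # still propagate; abort() raises, so `user` is bound below.
        abort(503)

    # NOTE(review): no OAuth `state` value is compared against the session
    # here — confirm the callback's CSRF protection is handled elsewhere.
    if not user_exists(user):
        create_user(user, access_token)

    session['user'] = user
    session.rotate()

    # `next_url` instead of `next`, which shadows the builtin.
    next_url = request.args.get('next', '/')
    if not next_url or not is_safe_url(next_url, True):
        next_url = request.host_url
    return redirect(next_url, code=302)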