Пример #1
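def do_payment(db, session):
    """Transfer coins from the logged-in user to the recipient named in the form.

    Reads ``recipient`` and ``amount`` from the submitted form, validates them
    and, on success, debits the sender and credits the recipient. The profile
    template is rendered in every case; ``payment_error`` carries the reason
    when the payment is refused (the response status is then 400).
    """
    sender = get_user(db, session.get_username())
    recipient_name = request.forms.get('recipient')
    recipient = get_user(db, recipient_name)
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # A missing or non-numeric amount used to escape as an unhandled
        # exception; it is now reported as a client error.
        payment_amount = None
    error = None
    if payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient.username == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        recipient.credit_coins(payment_amount)
    # NOTE(review): nothing visible in this handler verifies an anti-CSRF
    # token before moving coins — confirm it is enforced elsewhere.
    # NOTE(review): the admin flag below comes from a client-supplied cookie,
    # so the client chooses its value; derive it from server-side user state.
    return template(
        "profile",
        user=sender,
        session_user=sender,
        payment_error=error,
        admin=request.get_cookie("admin") == "True",
    )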
Пример #2
def profile(db, session, username):
    """Render the profile page of *username*; abort with 404 if no such user."""
    viewed = get_user(db, username)
    if viewed is None:
        abort(404)
    # The viewer is looked up only after the target is known to exist.
    viewer = get_user(db, session.get_username())
    return template("profile", user=viewed, session_user=viewer)
Пример #3
def profile(db, session, username):
    """Render the profile page of *username*.

    When no such user exists, the logged-in user's own profile is rendered
    instead, together with an error message.
    """
    target = get_user(db, username)
    viewer = get_user(db, session.get_username())
    if target is not None:
        # NOTE(review): the raw session id is passed to the template,
        # presumably as an anti-CSRF form value — confirm. A separate random
        # token would keep the session identifier out of the page markup.
        return template(
            "profile",
            user=target,
            session_user=viewer,
            session_id=session.get_id(),
        )
    return template(
        "profile",
        user=viewer,
        session_user=viewer,
        error="User {} does not exist".format(username),
    )
Пример #4
def set_coins(db, session):
    """Set a target user's coin balance, gated on the encrypted ``admin`` cookie.

    The hex-encoded ``admin`` cookie is decrypted and inspected with
    ``is_admin_cookie``; the form fields ``username`` and ``amount`` name the
    target user and the new balance. The profile template is rendered in
    every case.
    """
    admin = get_user(db, session.get_username())
    ctxt = request.get_cookie("admin")
    # NOTE(review): this writes the cookie value to stdout, and raises
    # TypeError when the cookie is absent (str + None).
    print("admin cookie hex: " + ctxt)
    ctxt_bytes = bytes.fromhex(ctxt)
    cbc = app.api.encr_decr.Encryption(encryption_key)
    try:
        dpt = cbc.decrypt(ctxt_bytes)
    except ValueError as exc:
        return template(
            "profile",
            user=admin,
            session_user=admin,
            error="Unspecified error.",
            admin=admin.admin,
        )
    # NOTE(review): a dedicated "bad padding" message lets a client tell
    # padding failures apart from other decryption failures, which is the
    # signal a padding-oracle attack relies on (the name `cbc` suggests CBC
    # mode — confirm). Return one generic error for every failure and
    # authenticate the cookie (MAC or AEAD) before decrypting it.
    if not dpt:  # decrypt() returns False when there was a padding exception
        return template(
            "profile",
            user=admin,
            session_user=admin,
            error="Bad padding for admin cookie!",
            admin=admin.admin,
        )
    is_admin_user = app.api.encr_decr.is_admin_cookie(dpt)
    # NOTE(review): the next line is truncated in this listing — the end of
    # the print call and the start of the "missing privilege" branch are lost.
    print("Is admin user: "******"profile",
            user=admin,
            session_user=admin,
            error="Missing admin privilege.",
            admin=False,
        )
    target_user = get_user(db, request.forms.get('username'))
    # int() raises on a missing or non-numeric amount; nothing here catches it.
    amount = int(request.forms.get('amount'))
    error = None
    if (amount < 0):
        response.status = 400
        error = "Amount cannot be negative."
    elif (target_user is None):
        response.status = 400
        error = "Target user {} does not exist.".format(
            request.forms.get('username'))
    else:
        target_user.set_coins(amount)
    return template(
        "profile",
        user=admin,
        session_user=admin,
        admin=admin.admin,
        admin_error=error,
    )
Пример #5
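def do_payment(db, session):
    """Pay coins from the logged-in user to ``recipient`` after a CSRF check.

    The form field ``csrf-id`` must equal the current session id. The
    recipient is looked up by username, the amount is validated, and on
    success the sender is debited and the recipient's balance increased.
    The profile template is rendered in every case; ``payment_error`` holds
    the refusal reason (status 400).
    """
    sender = get_user(db, session.get_username())
    # The debug print of the session id was dropped: it wrote a live session
    # identifier to stdout on every payment.
    recipient_name = request.forms.get('recipient')
    # The recipient name is passed as a bound parameter instead of being
    # formatted into the SQL text, so it cannot change the query structure.
    # (`?` is the sqlite3 placeholder style — confirm it matches the driver
    # behind `db`.)
    recipient = db.execute(
        "SELECT * FROM users WHERE users.username=? LIMIT 1 OFFSET 0",
        (recipient_name,)).fetchone()
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # Missing or non-numeric amount: report it instead of raising.
        payment_amount = None
    error = None
    if session.get_id() != request.forms.get('csrf-id'):
        response.status = 400
        error = "Seperate entity trying to make a request on behalf of user"
    elif payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient['username'] == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        # Increment inside the statement so the credit does not depend on a
        # balance that was read earlier in the request.
        db.execute(
            "UPDATE users SET coins=coins+? WHERE users.username=?",
            (payment_amount, recipient['username']))
    return template(
        "profile",
        user=sender,
        session_user=sender,
        payment_error=error,
    )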
Пример #6
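def do_login(db):
    """Handle the combined login / registration form and start a session.

    The ``login`` or ``register`` form field selects the action. On success
    any existing session for the user is replaced, the new session id is set
    in the ``session`` cookie and the client is redirected to
    ``/<username>``; otherwise the login template is rendered with an error.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach get_user/create_user as None,
        # which allowed registering an account without a password.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    # The debug print of the user record was dropped: it wrote account data
    # to stdout on every request.
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        # NOTE(review): the stored password is compared as plaintext; keeping
        # a salted, slow hash instead avoids storing recoverable passwords.
        elif user.password != password:
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        # NOTE(review): the cookie is set without httponly/secure options.
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)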
Пример #7
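def register():
    """Register a new user and log them in.

    On POST, requires a username and a password and rejects a username that
    ``users.get_user`` already knows. On success the new user's id is stored
    in the session and the client is redirected to ``home``; otherwise the
    error is flashed and the client is redirected to ``index``.
    """
    if request.method == "POST":
        fullname = request.form.get("input_signup_name", None)
        username = request.form.get("input_signup_user", None)
        password = request.form.get("input_signup_senha", None)
        visibilidade = request.form.get("input_signup_visibilidade", None)
        error = None

        if not username:
            error = "Username is required."
        elif not password:
            error = "Password is required."
        elif users.get_user(username) is not None:
            error = "User {0} is already registered.".format(username)

        if error is None:
            # NOTE(review): the password is handed to registrar_usuario as
            # submitted; whether it is hashed before storage is not visible
            # here — confirm.
            u = users.registrar_usuario({
                'nome_usuario': username,
                'nome_real': fullname,
                'senha': password,
                'visibilidade': visibilidade
            })
            # Drop any pre-existing session state before binding the new
            # identity to the session.
            session.clear()
            session["user_id"] = u.id_usuario()
            return redirect(url_for("home"))

        flash(error)

    return redirect(url_for("index"))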
Пример #8
def update_aboutme(db, session):
    """Store the submitted ``aboutme`` text on the logged-in user and re-render the profile."""
    current = get_user(db, session.get_username())
    # NOTE(review): the text is stored exactly as submitted and later shown on
    # the profile page; the template must escape it on output — verify. No
    # anti-CSRF check is visible in this handler either.
    current.update_aboutme(request.forms.get('aboutme'))
    return template("profile", user=current, session_user=current)
Пример #9
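def do_login(db):
    """Handle login / registration; registration rejects breached credentials.

    On ``register`` the submitted password is compared with the plaintext,
    SHA-256 and salted PBKDF2 breach records returned by ``get_breaches`` for
    the username. On success a fresh session is created, its id is set in the
    ``session`` cookie and the client is redirected to ``/<username>``.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach the hash helpers and
        # create_user as None.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    # The debug print of the user record was dropped: it wrote account data
    # to stdout on every request.
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        # NOTE(review): login compares against a stored plaintext password.
        elif user.password != password:
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        # TODO: ex2.1
        load_breaches(db)  # Load here -> load each time
        (plaintext_breaches, hashed_breaches,
         salted_breaches) = get_breaches(db, username)
        # Hash once instead of once per breach record.
        sha256_digest = hash_sha256(password)
        breached = (
            any(b.password == password for b in plaintext_breaches)
            or any(b.hashed_password == sha256_digest
                   for b in hashed_breaches)
            or any(b.salted_password == hash_pbkdf2(password, b.salt)
                   for b in salted_breaches)
        )
        if breached:
            response.status = 401
            error = "Credential is already breached for {} and current password.".format(
                username)
        elif user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)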
Пример #10
 def GET(self):
     """Render the profile form filled with the session user's id, username and email."""
     user_id = int(web.ctx.session.user_id)
     record = user_model.get_user(user_id, what='id, username, email')
     if record is None:
         raise web.notfound()
     form = profile_form()
     form.fill(record)
     return render.user_profile(form)
Пример #11
 def GET(self, id):
     """Render the edit form for the user with the given id.

     Redirects to ``/user`` with a flash error when no such user exists.
     """
     # NOTE(review): no permission check is visible in this handler — confirm
     # that access to other users' records is restricted elsewhere.
     user_id = int(id)
     record = user_model.get_user(user_id, what='id, username, email, status')
     if record is None:
         session.set_flash('没有找到该用户', 'error')
         raise web.seeother('/user')
     form = user_form()
     form.fill(record)
     return render.user_edit(form, user_id)
Пример #12
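def do_payment(db, session):
    """Pay coins from the logged-in user to ``recipient`` after a CSRF check.

    The form field ``anticsrf_token`` must be present and equal to the
    ``session`` cookie. The recipient is then looked up by username, the
    amount is validated, and on success the sender is debited and the
    recipient's balance increased. The profile template is rendered in every
    case; ``payment_error`` holds the refusal reason (status 400).
    """
    sender = get_user(db, session.get_username())

    # Check the anti-CSRF token before anything else. The debug prints of the
    # token and the session cookie were dropped: they wrote live session
    # identifiers to stdout.
    csrf_token = request.forms.get("anticsrf_token")
    cookie = request.get_cookie("session")

    # An absent token is rejected explicitly, so that a missing form field
    # can never compare equal to a missing cookie.
    if not csrf_token or csrf_token != cookie:
        response.status = 400
        error = "Potential CSRF Attack"
        print("CSRF Attack")
        return template(
            "profile",
            user=sender,
            session_user=sender,
            payment_error=error,
        )

    recipient_name = request.forms.get('recipient')
    # The recipient name is passed as a bound parameter instead of being
    # formatted into the SQL text. (`?` is the sqlite3 placeholder style —
    # confirm it matches the driver behind `db`.)
    recipient = db.execute(
        "SELECT * FROM users WHERE users.username=? LIMIT 1 OFFSET 0",
        (recipient_name,)).fetchone()
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # Missing or non-numeric amount: report it instead of raising.
        payment_amount = None
    error = None
    if payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient['username'] == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        # Increment inside the statement so the credit does not depend on a
        # balance that was read earlier in the request.
        db.execute(
            "UPDATE users SET coins=coins+? WHERE users.username=?",
            (payment_amount, recipient['username']))
    return template(
        "profile",
        user=sender,
        session_user=sender,
        payment_error=error,
    )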
Пример #13
def aceitar(nome_usuario, id_usuario=None):
    """Call ``user.aceitar_solicitacao`` for the resolved user and ``g.user``.

    The user is resolved by name when ``nome_usuario`` is given, otherwise by
    ``id_usuario``. Aborts with 404 when no valid user is found; on success
    redirects to the ``usuario`` page for ``nome_usuario``.
    """
    alvo = None
    if nome_usuario is not None:
        alvo = user.get_user(nome_usuario)
    elif id_usuario is not None:
        alvo = user.User(id_usuario)

    encontrado = alvo is not None and alvo.e_valido()
    if not encontrado:
        return abort(404)

    user.aceitar_solicitacao(alvo, g.user)
    return redirect(url_for('usuario', nome_usuario=nome_usuario))
Пример #14
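def user_change_admin():
    """Call ``change_admin()`` on the user selected by the submitted form key.

    Responds with a JSON message: ``saved`` on success, ``user not found``
    when the key is 0, the lookup yields nothing or the update fails, and
    ``failed`` when the form does not validate.
    """
    # NOTE(review): no authorization check is visible in this handler —
    # confirm the route is restricted to administrators.
    form = Select(request.form)
    if not form.validate():
        return jsonify({'message': 'failed'})
    user = get_user(form.key.data)
    if form.key.data == 0:
        user = None
    if user is None:
        # Explicit check; this case used to be signalled by letting an
        # AttributeError fall into a bare except.
        return jsonify({'message': 'user not found'})
    try:
        user.change_admin()
        db.session.commit()
    except Exception:
        # Roll back so a failed commit does not leave the session unusable;
        # the response text is kept as clients already receive it.
        db.session.rollback()
        return jsonify({'message': 'user not found'})
    return jsonify({'message': 'saved'})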
Пример #15
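def user_change():
    """Update the username and e-mail of the user selected by the form key.

    The change is applied only when the submitted password verifies against
    the user's stored password. Responds with a JSON ``messageMode`` /
    ``messageText`` pair describing the outcome.
    """
    form = Change(request.form)
    if not form.validate_on_submit():
        return jsonify({"messageMode": 1, "messageText": "Failed to save changes"})
    # NOTE(review): the account is selected by the submitted key rather than
    # by the logged-in identity; the password check is the only gate here.
    user = get_user(form.key.data)
    if user is None:
        # Previously a missing user surfaced as an AttributeError.
        return jsonify({"messageMode": 1, "messageText": "Failed to save changes"})
    if not verify_password(form.password.data, user.password):
        return jsonify({"messageMode": 1, "messageText": "Wrong password"})
    user.username = form.username.data
    user.email = form.email.data
    # The stored password is left untouched. The old code copied the submitted
    # plaintext over it; that value had just been verified as the current
    # password, so the assignment could only replace the stored verifier with
    # the raw password.
    db.session.commit()
    return jsonify({"messageMode": 0, "messageText": "Changes saved "})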
Пример #16
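def user_delete():
    """Delete the user selected by the submitted form key.

    Responds with a JSON message: ``deleted`` on success, ``user not found``
    when the key is 0, the lookup yields nothing or the delete fails, and
    ``failed`` when the form does not validate.
    """
    # NOTE(review): no authorization check is visible in this handler —
    # confirm the route is restricted to administrators.
    form = Select(request.form)
    if not form.validate():
        return jsonify({'message': 'failed'})
    user = get_user(form.key.data)
    if form.key.data == 0:
        user = None
    if user is None:
        # Explicit check; this case used to be signalled by letting the
        # delete of None fall into a bare except.
        return jsonify({'message': 'user not found'})
    try:
        db.session.delete(user)
        db.session.commit()
    except Exception:
        # Roll back so a failed commit does not leave the session unusable;
        # the response text is kept as clients already receive it.
        db.session.rollback()
        return jsonify({'message': 'user not found'})
    return jsonify({'message': 'deleted'})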
Пример #17
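def do_login(db):
    """Handle login / registration; registration rejects breached credentials.

    Login verifies the password with ``hash_pbkdf2`` and the user's salt.
    Registration compares the password with the plaintext, SHA-256 and salted
    breach records returned by ``get_breaches`` for the username and creates
    the account only when none match. On success a fresh session is created,
    its id is set in the ``session`` cookie and the client is redirected to
    ``/<username>``.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach the hash helpers and
        # create_user as None.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        elif user.password != hash_pbkdf2(password, user.salt):
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            plaintext, hashed, salted = get_breaches(db, username)
            sha256_digest = hash_sha256(password)
            breached = (
                any(password == b.password for b in plaintext)
                or any(sha256_digest == b.hashed_password for b in hashed)
                or any(hash_pbkdf2(password, b.salt) == b.salted_password
                       for b in salted)
            )
            if breached:
                # Previously the account was still created after a breach
                # match, and the response status stayed at its default.
                response.status = 401
                error = "User/Password Combo Found in Breach"
            else:
                create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)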
Пример #18
def user_add():
    """Create a user from the submitted ``Add`` form and give it the 'user' role.

    Responds with a JSON message: ``saved`` after the commit, ``failed`` when
    the form does not validate.
    """
    form = Add(request.form)
    if form.validate():
        # presumably get_user(0) yields a fresh, unsaved user object — verify
        user = get_user(0)
        user.username = form.username.data
        # NOTE(review): this overwrites the username on current_user with the
        # new user's name; it looks unintended — confirm before relying on it.
        current_user.username = user.username
        user.email = form.email.data
        user.password = encrypt_password(form.password.data)
        # NOTE(review): first() returns None when no role named 'user'
        # exists, and None would then be appended to the role list.
        role_user = Role.query.filter(Role.name == 'user').first()
        user.roles.append(role_user)
        db.session.add(user)
        db.session.commit()
        return jsonify({'message': 'saved'})
    return jsonify({'message': 'failed'})
Пример #19
def usuario(nome_usuario):
    """Render ``perfil_outros.html`` for the named user, or abort with 404.

    The template receives the user's posts, the user object and the sizes of
    the following / followers lists.
    """
    perfil = user.get_user(nome_usuario) if nome_usuario is not None else None

    if perfil is None or not perfil.e_valido():
        return abort(404)

    return render_template(
        "perfil_outros.html",
        posts=perfil.get_postagens(),
        outro=perfil,
        num_seguindo=len(perfil.get_seguindo()),
        num_seguidores=len(perfil.get_seguidores()),
    )
Пример #20
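def do_login(db):
    """Handle login / registration; registration rejects breached credentials.

    Login verifies the password with ``hash_pbkdf2`` and the user's salt.
    Registration refuses a username/password pair that matches a plaintext,
    SHA-256 or salted breach record from ``get_breaches``. On success a fresh
    session is created, its id is set in the ``session`` cookie and the
    client is redirected to ``/<username>``.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach the hash helpers and
        # create_user as None.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    # The debug print of the user record was dropped: it wrote account data
    # to stdout on every request.
    user = get_user(db, username)

    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        elif user.password != hash_pbkdf2(password, user.salt):
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            # The breach lookup now runs only for registrations, the one
            # place its result is used, and SHA-256 is computed once.
            plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(
                db, username)
            sha256_digest = hash_sha256(password)
            breached = (
                any(c.password == password for c in plaintext_breaches)
                or any(c.hashed_password == sha256_digest
                       for c in hashed_breaches)
                or any(c.salted_password == hash_pbkdf2(password, c.salt)
                       for c in salted_breaches)
            )
            if breached:
                response.status = 401
                error = "This username and password pair is breached!"
            else:
                create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)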
Пример #21
def foto_perfil(nome_usuario, id_usuario=None):
    """Serve the user's profile picture, falling back to the default image.

    The user is resolved by name when ``nome_usuario`` is given, otherwise by
    ``id_usuario``. The stored picture is served only when the user is valid,
    has a picture name and the file exists under ``IMAGES_USERS_ABS``.
    """
    from os import path

    alvo = None
    if nome_usuario is not None:
        alvo = user.get_user(nome_usuario)
    elif id_usuario is not None:
        alvo = user.User(id_usuario)

    pasta = app.config['IMAGES_USERS_ABS']
    # NOTE(review): the existence check joins the stored name onto the base
    # directory without normalising it — confirm the stored name is always a
    # plain file name.
    tem_foto = (
        alvo is not None
        and alvo.e_valido()
        and alvo.foto()
        and path.exists(path.join(pasta, alvo.foto()))
    )
    if tem_foto:
        return send_from_directory(pasta, alvo.foto())

    return send_from_directory(app.static_folder,
                               'images_app/default-user.png')
Пример #22
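def personal_info():
    """Show the logged-in user's details and apply changes submitted by POST.

    A valid POST calls ``change_info(form)`` on the logged-in user and
    redirects back to this page when it reports a change. Otherwise the form
    is pre-filled from the user's stored values and rendered.
    """
    form = ChangeInfoForm(request.form)
    if request.method == 'POST' and form.validate():
        # Apply the change to the logged-in account. The old lookup used the
        # submitted nickname, so the form chose which account was modified
        # (and raised AttributeError when no account had that nickname).
        user = get_user(current_user.id)
        changed = user.change_info(form)
        if changed:
            return redirect(url_for('web.personal_info'))
    userid = current_user.id
    user = get_user(userid)
    form.nickname.default = user.nickname
    # NOTE(review): this places the stored password value in the rendered
    # form; check whether change_info depends on it before removing it.
    form.password.default = user.password
    form.name.default = user.name
    form.id_card.default = user.id_card
    form.phone_number.default = user.phone_number
    form.process()
    return render_template('web/VIPInfo.html', form=form)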
Пример #23
def de_seguir(nome_usuario, id_usuario=None):
    """Toggle the relationship between ``g.user`` and the resolved user.

    With no relationship, ``solicitar_seguir`` is called; with SEGUINDO or
    SOLICITOU the relationship is reset to NONE. Aborts with 404 when no
    valid user is found; otherwise redirects to the ``usuario`` page.
    """
    alvo = None
    if nome_usuario is not None:
        alvo = user.get_user(nome_usuario)
    elif id_usuario is not None:
        alvo = user.User(id_usuario)

    encontrado = alvo is not None and alvo.e_valido()
    if not encontrado:
        return abort(404)

    atual = g.user.get_relacionamento(alvo)
    if atual is user.Relacionamento.NONE:
        alvo.solicitar_seguir(g.user)
    elif (atual is user.Relacionamento.SEGUINDO
          or atual is user.Relacionamento.SOLICITOU):
        alvo._set_relacionamento(g.user, user.Relacionamento.NONE)

    return redirect(url_for('usuario', nome_usuario=nome_usuario))
Пример #24
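def do_login(db):
    """Handle login / registration, then issue the session and admin cookies.

    Every submitted form field is first recorded in ``param_ht``. On success
    a fresh session is created, its id is set in the ``session`` cookie, an
    encrypted ``admin`` cookie is issued and the client is redirected to
    ``/profile/<username>``.
    """
    for param, val in request.forms.iteritems():
        param_ht.insert(param, val)
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach get_user/create_user as None,
        # which allowed registering an account without a password.
        response.status = 400
        return template("login", login_error="Submission error.")
    error = None
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        # NOTE(review): the stored password is compared as plaintext.
        elif user.password != password:
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            user = create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        cbc = app.api.encr_decr.Encryption(encryption_key)
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", session.get_id())

        # Admin byte 0x00 (not admin) or 0x01 (admin) concatenated with the
        # plaintext password.
        # NOTE(review): the cookie carries the role flag and the user's
        # password in ciphertext the client holds; nothing visible here
        # authenticates it. Keeping the role server-side, keyed by the
        # session, would remove both from the client.
        admin_cookie_pt = app.api.encr_decr.format_plaintext(
            int(user.admin), password)
        # The debug prints of the cookie plaintext were dropped: they wrote
        # the user's password to stdout on every login.
        ctxt = cbc.encrypt(admin_cookie_pt)
        response.set_cookie("admin", ctxt.hex())
        return redirect("/profile/{}".format(username))
    return template("login", login_error=error)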
Пример #25
def user_get_all_user():
    """Get all user information.

    Calls ``get_user`` with the session's ``user_id`` and the optional
    ``username`` query argument, logs the result and returns it wrapped by
    ``success_warp``. A ``SQLAlchemyError`` is logged and answered with
    ``fail_warp(errors['501'])`` and status 500.
    """
    requester_id = session['user_id']
    name_filter = request.args.get('username')

    try:
        user, count = get_user(requester_id, name_filter)
        payload = {'user': user, 'total': count}
        # NOTE(review): the full result is written to the application log at
        # info level; check that it carries no sensitive fields.
        current_app.logger.info('user info %s', str(payload))
        return success_warp({'user': user, 'total': count})
    except SQLAlchemyError as e:
        current_app.logger.error(e)
        return fail_warp(errors['501']), 500
Пример #26
def de_bloquear(nome_usuario, id_usuario=None):
    """Toggle the block between ``g.user`` and the resolved user.

    When the relationship is BLOQUEOU, ``desbloquear`` is called and the
    client is redirected to the ``usuario`` page; otherwise ``bloquear`` is
    called and the client is redirected to ``index``. Aborts with 404 when
    no valid user is found.
    """
    alvo = None
    if nome_usuario is not None:
        alvo = user.get_user(nome_usuario)
    elif id_usuario is not None:
        alvo = user.User(id_usuario)

    encontrado = alvo is not None and alvo.e_valido()
    if not encontrado:
        return abort(404)

    if g.user.get_relacionamento(alvo) is not user.Relacionamento.BLOQUEOU:
        alvo.bloquear(g.user)
        return redirect(url_for('index'))

    alvo.desbloquear(g.user)
    return redirect(url_for('usuario', nome_usuario=nome_usuario))
Пример #27
    def POST(self, id):
        """Validate and apply an edit to the user with the given id.

        Uniqueness validators are added only for a username or e-mail that
        differs from the stored one, and password validators only when a
        password or confirmation was submitted. On success or failure of the
        update a flash message is set and the client is redirected to the
        edit page; an invalid form is re-rendered.
        """
        user_id = int(id)
        stored = user_model.get_user(user_id, what='id, username, email')
        if stored is None:
            session.set_flash('没有找到该用户', 'error')
            raise web.seeother('/user')

        form = user_form()
        submitted = web.input()
        username = submitted.get('username', '')
        email = submitted.get('email', '')
        password = submitted.get('password', '')
        confirm_password = submitted.get('confirm_password', '')

        if username != stored.username:
            form.username.validators += (validator.unique('users', 'username'),)

        if email != stored.email:
            form.email.validators += (validator.unique('users', 'email'),)

        if not (password == '' and confirm_password == ''):
            form.password.validators += (validator.not_empty, validator.between(6, 16),)
            form.confirm_password.validators += (validator.not_empty, validator.match(password),)

        if not form.validates():
            return render.user_edit(form, user_id)

        changes = {
            'username': form.d.username,
            'email': form.d.email,
            'status': int(form.d.status),
        }
        if password != '':
            # NOTE(review): the password is forwarded as submitted; whether
            # update_user hashes it before storage is not visible — confirm.
            changes['password'] = password

        if user_model.update_user(user_id, **changes):
            session.set_flash('用户编辑成功', 'success')
        else:
            session.set_flash('用户编辑失败', 'error')

        raise web.seeother('/user/edit/%d' % user_id)
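def do_payment(db, session):
    """Pay coins from the logged-in user to ``recipient`` after a CSRF check.

    The form field ``session_id`` must be present and equal to the current
    session id (status 401 otherwise). The recipient is looked up by
    username, the amount is validated, and on success the sender is debited
    and the recipient's balance increased. The profile template is rendered
    in every case; ``payment_error`` holds the refusal reason.
    """
    session_id = request.forms.get("session_id")
    sender = get_user(db, session.get_username())
    recipient_name = request.forms.get('recipient')
    # The recipient name is passed as a bound parameter instead of being
    # formatted into the SQL text. (`?` is the sqlite3 placeholder style —
    # confirm it matches the driver behind `db`.)
    recipient = db.execute(
        "SELECT * FROM users WHERE users.username=? LIMIT 1 OFFSET 0",
        (recipient_name,),
    ).fetchone()
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # Missing or non-numeric amount: report it instead of raising.
        payment_amount = None
    error = None
    if session_id is None:
        response.status = 401
        error = "No session id provided, you dirty CSRFer."
    elif session_id != session.get_id():
        response.status = 401
        error = "Incorrect session id, you dirty CSRFer."
    elif payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient['username'] == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        # Increment inside the statement so the credit does not depend on a
        # balance that was read earlier in the request.
        db.execute(
            "UPDATE users SET coins=coins+? WHERE users.username=?",
            (payment_amount, recipient['username']),
        )
    return template(
        "profile",
        user=sender,
        session_user=sender,
        payment_error=error,
    )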
Пример #29
    def POST(self):
        """Validate and apply an edit to the session user's own profile.

        Uniqueness validators are added only for a username or e-mail that
        differs from the stored one, and password validators only when a
        password or confirmation was submitted. After the update a flash
        message is set and the client is redirected to ``/user/profile``;
        an invalid form is re-rendered.
        """
        user_id = int(web.ctx.session.user_id)
        stored = user_model.get_user(user_id, what='id, username, email')
        if stored is None:
            raise web.notfound()

        form = profile_form()
        submitted = web.input()
        username = submitted.get('username', '')
        email = submitted.get('email', '')
        password = submitted.get('password', '')
        confirm_password = submitted.get('confirm_password', '')

        if username != stored.username:
            form.username.validators += (validator.unique('users', 'username'),)

        if email != stored.email:
            form.email.validators += (validator.unique('users', 'email'),)

        if not (password == '' and confirm_password == ''):
            form.password.validators += (validator.not_empty, validator.between(6, 16),)
            form.confirm_password.validators += (validator.not_empty, validator.match(password),)

        if not form.validates():
            return render.user_profile(form)

        changes = {
            'username': form.d.username,
            'email': form.d.email,
        }
        if password != '':
            # NOTE(review): the password is forwarded as submitted; whether
            # update_user hashes it before storage is not visible — confirm.
            changes['password'] = password

        if user_model.update_user(user_id, **changes):
            session.set_flash('资料编辑成功', 'success')
        else:
            session.set_flash('资料编辑失败', 'error')

        raise web.seeother('/user/profile')
Пример #30
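def do_payment(db, session):
    """Pay coins from the logged-in user to ``recipient`` after a CSRF check.

    The ``CSRF`` form field, with its first eight characters removed, must
    equal the current session id. The recipient is looked up by username,
    the amount is validated, and on success the sender is debited and the
    recipient's balance increased. The profile template is rendered in every
    case; ``payment_error`` holds the refusal reason (status 400).
    """
    sender = get_user(db, session.get_username())
    recipient_name = request.forms.get('recipient')
    # The recipient name is passed as a bound parameter instead of being
    # formatted into the SQL text. (`?` is the sqlite3 placeholder style —
    # confirm it matches the driver behind `db`.)
    recipient = db.execute(
        "SELECT * FROM users WHERE users.username=? LIMIT 1 OFFSET 0",
        (recipient_name,)).fetchone()
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # Missing or non-numeric amount: report it instead of raising.
        payment_amount = None
    error = None

    # A request without the CSRF field used to raise TypeError when the
    # missing value was sliced; it is now treated as a failed check.
    csrf_field = request.forms.get('CSRF') or ""
    if session.get_id() != csrf_field[8:]:
        response.status = 400
        error = "You are not authorized to make this transaction."
    elif payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient['username'] == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        # Increment inside the statement so the credit does not depend on a
        # balance that was read earlier in the request.
        db.execute(
            "UPDATE users SET coins=coins+? WHERE users.username=?",
            (payment_amount, recipient['username']))
    return template(
        "profile",
        user=sender,
        session_user=sender,
        payment_error=error,
    )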
Пример #31
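def do_payment(db, session):
    """Pay coins from the logged-in user to ``recipient`` after a CSRF check.

    The ``CSRF_token`` form field must be present and equal to the
    ``session`` cookie. The recipient is looked up by username, the amount
    is validated, and on success the sender is debited and the recipient's
    balance increased. The profile template is rendered in every case;
    ``payment_error`` holds the refusal reason (status 400).
    """
    sender = get_user(db, session.get_username())
    # The debug prints of `db` and `session` were dropped: they wrote
    # session details to stdout on every payment.
    recipient_name = request.forms.get('recipient')
    # The recipient name is passed as a bound parameter instead of being
    # formatted into the SQL text. (`?` is the sqlite3 placeholder style —
    # confirm it matches the driver behind `db`.)
    recipient = db.execute(
        "SELECT * FROM users WHERE users.username=? LIMIT 1 OFFSET 0",
        (recipient_name,)).fetchone()
    try:
        payment_amount = int(request.forms.get('amount'))
    except (TypeError, ValueError):
        # Missing or non-numeric amount: report it instead of raising.
        payment_amount = None
    csrf_token = request.forms.get('CSRF_token')
    error = None
    # The token check now comes first, so a forged request learns nothing
    # about balances or recipients, and an absent token is rejected
    # explicitly instead of being compared with a possibly absent cookie.
    if not csrf_token or request.get_cookie("session") != csrf_token:
        response.status = 400
        error = "'CSRF Attack!"
    elif payment_amount is None:
        response.status = 400
        error = "Payment amount must be a whole number."
    elif sender.get_coins() < payment_amount:
        response.status = 400
        error = "Not enough funds."
    elif payment_amount < 0:
        response.status = 400
        error = "Payment amount cannot be negative."
    elif recipient is None:
        response.status = 400
        error = "Recipient {} does not exist.".format(recipient_name)
    elif recipient['username'] == sender.username:
        response.status = 400
        error = "Cannot pay self."
    else:
        sender.debit_coins(payment_amount)
        # Increment inside the statement so the credit does not depend on a
        # balance that was read earlier in the request.
        db.execute(
            "UPDATE users SET coins=coins+? WHERE users.username=?",
            (payment_amount, recipient['username']))
    return template(
        "profile",
        user=sender,
        session_user=sender,
        CSRF_cookie=session.id,
        payment_error=error,
    )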
Пример #32
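def do_login(db):
    """Handle login / registration; registration rejects breached passwords.

    Login verifies the password with ``hash_pbkdf2`` and the user's salt.
    Registration refuses a password that the ``is_*_breached`` helpers find
    among the breach records for the username. On success a fresh session is
    created, its id is set in the ``session`` cookie and the client is
    redirected to ``/<username>``.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach the hash helpers and
        # create_user as None.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        # The hash is derived only once the user is known to exist. It used
        # to be computed from user.salt before the None check, which raised
        # AttributeError for unknown usernames and for every new
        # registration.
        elif user.salted_password != hash_pbkdf2(password, user.salt):
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        else:
            # The breach lookup runs only for registrations, the one place
            # its result is used.
            plaintext_breaches, hashed_breaches, salted_breaches = get_breaches(
                db, username)
            breached = (
                is_plaintext_breached(password, plaintext_breaches)
                or is_hashed_breached(password, hashed_breaches)
                or is_salted_breached(password, salted_breaches)
            )
            if breached:
                response.status = 401
                error = "Password found in a data breach, please use another password."
            else:
                create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)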
Пример #33
def login():
    """Log in a registered user by storing their id in a fresh session.

    Non-POST requests and failed logins are redirected to ``index``; a
    failed login also flashes the reason.
    """
    if request.method != "POST":
        return redirect(url_for("index"))

    username = request.form.get("input_login_user", None)
    password = request.form.get("input_login_senha", "")
    db = get_db()  # result unused here; the call is kept as in the original
    account = users.get_user(username)

    if account is None:
        error = "Incorrect username."
    # NOTE(review): the submitted password is compared directly with the
    # value returned by senha() — presumably stored in plaintext; confirm.
    elif account.senha() != password:
        error = "Incorrect password."
    else:
        # Start from an empty session before binding the user id to it.
        session.clear()
        session["user_id"] = account.id_usuario()
        return redirect(url_for("home"))

    flash(error)
    return redirect(url_for("index"))
Пример #34
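def do_login(db):
    """Handle login / registration; registration rejects breached passwords.

    Login verifies the password with ``hash_pbkdf2`` and the user's salt.
    Registration refuses credentials that ``is_comprimised_accounts``
    reports as breached. On success a fresh session is created, its id is
    set in the ``session`` cookie and the client is redirected to
    ``/<username>``.
    """
    username = request.forms.get('username')
    password = request.forms.get('password')
    if not username or not password:
        # A missing field would otherwise reach the hash helpers and
        # create_user as None.
        response.status = 400
        return template("login", error="Submission error.")
    error = None
    # The debug print of the user record was dropped: it wrote account data
    # to stdout on every request.
    user = get_user(db, username)
    if request.forms.get("login"):
        if user is None:
            response.status = 401
            error = "{} is not registered.".format(username)
        elif user.password != hash_pbkdf2(password, user.salt):
            response.status = 401
            error = "Wrong password for {}.".format(username)
    elif request.forms.get("register"):
        if user is not None:
            response.status = 401
            error = "{} is already taken.".format(username)
        elif is_comprimised_accounts(db, username, password):
            response.status = 401
            error = "Attempted password for {} has been found in breached database .".format(
                username)
        else:
            create_user(db, username, password)
    else:
        response.status = 400
        error = "Submission error."
    if error is None:  # Perform login
        existing_session = get_session_by_username(db, username)
        if existing_session is not None:
            delete_session(db, existing_session)
        session = create_session(db, username)
        response.set_cookie("session", str(session.get_id()))
        return redirect("/{}".format(username))
    return template("login", error=error)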