def getUserG(self, guid):
    """Look up a user row by its GUID.

    Returns ``(Username, Password)`` for the matching ``Users`` row, or
    ``(None, None)`` when ``guid`` is not a ``str``, does not match
    ``RE_UUID``, or no such row exists.  The ``Password`` column holds
    whatever the caller stored -- the POST handlers in this file store a
    hex digest, not a cleartext password.
    """
    # Only a plain str is accepted; anything else is rejected before it
    # gets near the query or the log line.
    if type(guid) is not str:
        l.error("guid type is not str")
        return (None, None)

    # A value that is not UUID-shaped cannot be a key.  Checking it first
    # also bounds what ends up in the log message below.
    if not RE_UUID.match(guid):
        l.error("%s does not match regular expression '%s'." % (guid, RE_UUID.pattern))
        return (None, None)

    # NOTE(review): this relies on web.db.sqlwhere() binding the value as
    # a parameter rather than interpolating it -- confirm for the web.py
    # version in use.
    rows = self.xec.select('Users', what='Username,Password',
                           where=web.db.sqlwhere(dict(GUID=guid)))
    try:
        row = rows[0]
    except IndexError:
        # Unknown guid: preserve the tuple shape callers unpack.
        l.warn("guid %s does not exist." % guid)
        return (None, None)
    return (row.Username, row.Password)
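def POST(self):
    """Handle a logon form submission.

    Expects ``username`` and ``password`` form fields.  On success a session
    cookie is issued via ``create_cookie`` and the client is redirected to
    ``/``; a missing field or bad credentials send the client back to the
    logon page, and a malformed field yields a BADREQ error page.
    """
    l.info('POST logon')
    i = web.input()
    if 'username' not in i:
        l.error('username field required for POST')
        return logon_redirect()
    if 'password' not in i:
        l.error('password field required for POST')
        return logon_redirect()

    # Form values are untrusted.  When web.input() hands back unicode (it
    # does on Python 2, which this file targets -- hashlib is fed str),
    # str() raises UnicodeEncodeError on non-ASCII input; answer BADREQ
    # instead of letting that surface as an unhandled 500.
    try:
        username = str(i['username'])
        password = str(i['password'])
    except UnicodeEncodeError:
        l.warn('non-ASCII logon field')
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed credentials')

    # NOTE(review): re.match() anchors only at the start of the string.
    # Unless RE_USERNAME / RE_PASSWORD end in '$' or '\Z', trailing
    # characters are not constrained -- confirm the patterns.
    if not RE_USERNAME.match(username):
        l.warn('username does not match %s' % RE_USERNAME.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
    if not RE_PASSWORD.match(password):
        l.warn('password does not match %s' % RE_PASSWORD.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')

    # SECURITY: the stored credential is SHA-1(password || username), which
    # is what addUser writes and what getValidUser / RE_SHA1 expect.
    # Appending the username is not a salt in any useful sense (it is
    # public and predictable), and one unsalted SHA-1 round is far too fast
    # for password storage.  Moving to a real password hash (PBKDF2,
    # bcrypt, scrypt) changes the stored format and the RE_SHA1 checks in
    # the data layer, so it is flagged here rather than changed.
    h = hashlib.sha1()
    h.update(password)
    h.update(username)

    db_guid = web.d.getValidUser(username, h.hexdigest())
    if not db_guid:
        # Unknown user and wrong password get the same response, and the
        # distinction is deliberately not logged here.  Note that nothing
        # in this handler throttles repeated attempts.
        return logon_redirect()

    create_cookie(str(db_guid), username)
    return web.seeother('/')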
def getUser(self, username):
    """Look up a user row by username.

    Returns ``(GUID, Password)`` for the matching ``Users`` row, or
    ``(None, None)`` when ``username`` is not a ``str``, exceeds
    ``USERNAME_MAX`` characters, or no such row exists.  ``Password`` is
    whatever was stored (a hex digest, per the POST handlers in this file).
    """
    # Type guard first so the length check and the log line only ever see
    # a plain str.
    if type(username) is not str:
        l.error("username type is not str")
        return (None, None)

    # Length guard mirrors addUser's, so an over-long name can never have
    # been stored and is rejected without a query.
    if len(username) > USERNAME_MAX:
        l.error("%s is greater than %d characters." % (username, USERNAME_MAX))
        return (None, None)

    # NOTE(review): assumes web.db.sqlwhere() binds the value as a query
    # parameter -- confirm for the web.py version in use.
    rows = self.xec.select('Users', what='GUID,Password',
                           where=web.db.sqlwhere(dict(Username=username)))
    try:
        row = rows[0]
    except IndexError:
        # Unknown username: keep the tuple shape callers unpack.
        l.warn("username %s does not exist." % username)
        return (None, None)
    return (row.GUID, row.Password)
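def POST(self):
    """Handle an account-creation form submission.

    Expects ``username``, ``password``, ``password2`` and the two reCAPTCHA
    fields.  Validation order is: presence of every field, password
    confirmation, username/password shape, CAPTCHA, then the insert.  On
    success a session cookie is issued and the client is redirected to
    ``/``; every failure renders an error page (BADREQ, or EXISTS when the
    username is already taken).
    """
    l.info('POST adduser')
    i = web.input()
    if 'username' not in i:
        l.error('username field required for POST')
        return render.error(web.ctx.fullpath, 'BADREQ', 'missing username')
    if 'password' not in i:
        l.error('password field required for POST')
        return render.error(web.ctx.fullpath, 'BADREQ', 'missing password')
    if 'password2' not in i:
        l.error('password2 field required for POST')
        return render.error(web.ctx.fullpath, 'BADREQ', 'missing password2')
    if 'recaptcha_challenge_field' not in i:
        l.error('recaptcha_challenge_field required for POST')
        return render.error(web.ctx.fullpath, 'BADREQ', 'missing recaptcha_challenge_field')
    if 'recaptcha_response_field' not in i:
        l.error('recaptcha_response_field required for POST')
        return render.error(web.ctx.fullpath, 'BADREQ', 'missing_recaptcha_response_field')

    # Form values are untrusted.  When web.input() hands back unicode (it
    # does on Python 2, which this file targets -- hashlib is fed str),
    # str() raises UnicodeEncodeError on non-ASCII input; answer BADREQ
    # instead of letting that surface as an unhandled 500.
    try:
        username = str(i['username'])
        password = str(i['password'])
        password2 = str(i['password2'])
    except UnicodeEncodeError:
        l.warn('non-ASCII adduser field')
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed credentials')

    if password != password2:
        l.warn("passwords don't match. not creating user.")
        return render.error(web.ctx.fullpath, 'BADREQ', 'password mismatch')

    # NOTE(review): re.match() anchors only at the start of the string.
    # Unless RE_USERNAME / RE_PASSWORD end in '$' or '\Z', trailing
    # characters are not constrained -- confirm the patterns.
    if not RE_USERNAME.match(username):
        l.warn('username does not match %s' % RE_USERNAME.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed username')
    if not RE_PASSWORD.match(password):
        l.warn('password does not match %s' % RE_PASSWORD.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed password')

    # The CAPTCHA is checked before addUser, so the "username exists"
    # answer below cannot be used for cheap username enumeration.  Keep
    # this ordering.
    challenge = i['recaptcha_challenge_field']
    response = i['recaptcha_response_field']
    result = captcha.submit(challenge, response, web.captcha_private_key, web.ctx.ip)
    if result.error_code:
        l.warn('error validating captcha: %s' % result.error_code)
        return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha: %s' % result.error_code)
    if not result.is_valid:
        l.warn('invalid captcha')
        return render.error(web.ctx.fullpath, 'BADREQ', 'bad captcha')

    # SECURITY: the stored credential is SHA-1(password || username); the
    # logon handler computes the same digest and getValidUser / RE_SHA1
    # expect it.  Appending the username is not a real salt (it is public
    # and predictable) and a single unsalted SHA-1 is far too fast for
    # password storage.  Migrating to PBKDF2/bcrypt/scrypt changes the
    # stored format and the data layer's checks, so it is flagged here
    # rather than changed.
    h = hashlib.sha1()
    h.update(password)
    h.update(username)

    l.debug('Creating new user %s' % username)
    guid = web.d.addUser(username, h.hexdigest())
    if not guid:
        # addUser returns None when the username is already taken.
        return render.error(web.ctx.fullpath, 'EXISTS', 'username exists')

    create_cookie(str(guid), username)
    return web.seeother('/')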
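def deserialize(self, cookie):
    """Split a raw session cookie into its fixed-width fields.

    ``cookie`` is client-supplied and untrusted.  Returns
    ``(user, expiration, ciphertext, mac)``; ``user`` and ``ciphertext``
    have trailing NUL padding stripped, ``mac`` is returned exactly as
    found.  Raises ``struct.error`` (after logging it) when ``cookie`` is
    not exactly ``calcsize(USER_FMT + EXPR_FMT + DATA_FMT + DGST_FMT)``
    bytes long.

    This method neither verifies the MAC nor checks the expiration.  The
    caller must verify ``mac`` with a constant-time comparison before
    trusting any other field.  TODO(review): confirm the caller does so.
    """
    fmt = USER_FMT + EXPR_FMT + DATA_FMT + DGST_FMT
    try:
        # Unpacking straight into four names replaces the old post-hoc
        # ``len(unpacked) != 4`` check, which only logged and then went on
        # to index the tuple anyway.
        user, expiration, ciphertext, mac = struct.unpack(fmt, cookie)
    except (struct.error, ValueError) as e:
        # Wrong cookie length (struct.error) or a format that does not
        # describe four fields (ValueError): log it and let the caller
        # see the original exception.
        l.error("Failed to unpack cookie data: %s" % e)
        raise

    # NOTE(review): rstrip('\0') assumes the ciphertext never legitimately
    # ends in a 0x00 byte.  If it can, those bytes are lost here and
    # decryption / MAC checking of that cookie will fail -- confirm the
    # serializer's padding scheme.
    return (user.rstrip('\0'), expiration, ciphertext.rstrip('\0'), mac)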
def POST(self):
    """Render the checkout page for the ``book`` named in the form.

    Requires an active session (``logged_on()``); otherwise the client is
    redirected to the logon page.  A missing ``book`` field sends the
    client back to ``/``.
    """
    l.info('POST checkout')
    if not logged_on():
        return logon_redirect()

    form = web.input()
    if 'book' not in form:
        l.error('book required for POST')
        return web.seeother('/')

    # NOTE(review): unlike the other handlers, ``book`` gets no shape
    # check here; it is only handed to the template, so this relies on the
    # template escaping it.
    book = form['book']

    # Recover the caller's identity from the session cookie issued at logon.
    serial = web.cookies().get(COOKIE_NAME)
    user = session.cookie.getData(serial)
    return render.checkout(user, book)
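def getValidUser(self, username, password):
    """Return the GUID of the user whose stored credential matches.

    ``password`` is the hex digest the POST handlers compute, not a
    cleartext password; it must match ``RE_SHA1``.  Returns ``None`` when
    either argument is not a ``str``, ``username`` exceeds ``USERNAME_MAX``,
    ``password`` is not a hex digest, or no row has both values.
    """
    if type(username) is not str:
        l.error("username type is not str")
        return None
    if len(username) > USERNAME_MAX:
        # Typo fix: "more that" -> "more than".
        l.error("%s is more than %d characters." % (username, USERNAME_MAX))
        return None
    if type(password) is not str:
        l.error("password type is not str")
        return None
    if not RE_SHA1.match(password):
        # Only reached for a value that is not a digest, so logging it does
        # not leak a real credential hash.
        l.error("%s does not match regular expression '%s'." % (password, RE_SHA1.pattern))
        return None

    # Credential match happens inside the WHERE clause, so an unknown user
    # and a wrong digest are indistinguishable to the caller (and logged
    # the same way below).  NOTE(review): assumes web.db.sqlwhere() binds
    # both values as parameters -- confirm for the web.py version in use.
    where = dict(Username=username, Password=password)
    res = self.xec.select('Users', what='GUID', where=web.db.sqlwhere(where))
    try:
        res = res[0]
    except IndexError:
        l.warn("Bad password match for user %s" % username)
        return None
    return res.GUID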
def addUser(self, username, password):
    """Insert a new ``Users`` row and return its freshly generated GUID.

    ``password`` is the hex digest computed by the adduser handler (it
    must match ``RE_SHA1``), never a cleartext password.  Returns ``None``
    when an argument is not a ``str``, ``username`` exceeds
    ``USERNAME_MAX``, ``password`` is not a digest, or the insert violates
    a constraint (the username is already taken).
    """
    # Reject non-str arguments up front; everything downstream assumes str.
    for value, label in ((username, "username"), (password, "password")):
        if type(value) is not str:
            l.error("%s type is not str." % label)
            return None

    if len(username) > USERNAME_MAX:
        l.error('username is greater than %d characters.' % USERNAME_MAX)
        return None

    # Only a hex digest may be stored; anything else is a caller bug.
    if not RE_SHA1.match(password):
        l.error("%s does not match regular expression '%s'." % (password, RE_SHA1.pattern))
        return None

    # The GUID identifies the session in the cookie alongside the username,
    # so it is random (uuid4) rather than sequential.
    guid = str(uuid.uuid4())
    try:
        self.xec.insert('Users', GUID=guid, Username=username, Password=password)
    except sqlite3.IntegrityError:
        # Treated as "username taken"; a uuid4 collision is not expected.
        l.warn("username %s already exists." % username)
        return None
    return guid
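def POST(self):
    """Render the purchase confirmation for a book.

    Requires an active session.  Checks that ``name``, ``card``, ``ccv``,
    ``expmonth``, ``expyear`` and ``book`` are present, validates ``name``
    against ``RE_NAME`` and ``card`` against ``RE_CARDNO``, looks up the
    price and renders the purchase page.  ``ccv``, ``expmonth`` and
    ``expyear`` are only checked for presence and are not otherwise used
    here.
    """
    l.info('POST purchase')
    if not logged_on():
        return logon_redirect()

    i = web.input()
    for field in ('name', 'card', 'ccv', 'expmonth', 'expyear', 'book'):
        if field not in i:
            l.error('%s required for POST' % field)
            return render.error(web.ctx.fullpath, 'BADREQ', 'missing %s' % field)

    name = i['name']
    card = i['card']
    book = i['book']

    # NOTE(review): re.match() anchors only at the start; unless RE_NAME /
    # RE_CARDNO end in '$' or '\Z', trailing characters pass.  Also note
    # ``book`` gets no shape check before reaching getPrice() and the
    # template -- confirm getPrice binds it as a parameter.
    if not RE_NAME.match(name):
        l.warn('name does not match %s' % RE_NAME.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed name')
    if not RE_CARDNO.match(card):
        # Log message fixed: this branch is about the card number, not the name.
        # The card value itself is deliberately kept out of the log.
        l.warn('card does not match %s' % RE_CARDNO.pattern)
        return render.error(web.ctx.fullpath, 'BADREQ', 'malformed card')

    price = web.d.getPrice(book)

    # Recover the caller's identity from the session cookie issued at logon.
    # These trace messages were logged at CRITICAL; they are debug output.
    l.debug("getting cookie")
    serial = web.cookies().get(COOKIE_NAME)
    l.debug("got serial")
    user = session.cookie.getData(serial)
    l.debug("got cookie")

    # SECURITY: the full card number is passed through to the template.
    # Whatever consumes it must not persist or log it (PCI scope).
    return render.purchase(user, name, card, book, price)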