def set_token(self, gameMode, player1, player2):
    """Assign a board token to each player according to *gameMode*.

    gameMode 3 (spectate): both tokens come from util.generate_token.
    gameMode 2 (friend):   both players pick their token interactively.
    any other value (AI):  player1 picks, player2's token is generated.

    The same ``taken`` list is handed to every helper call; presumably the
    helpers record the letters they hand out there so the two players never
    share one -- that contract lives in util, not here.
    """
    print("\n" * 100)
    taken = []

    if gameMode == 3:
        first = util.generate_token(taken)
        second = util.generate_token(taken)
    else:
        print("\nSelect a token: ")
        print(
            "A token is a letter (A to Z) that will be used to mark your moves on the board. \n"
        )
        # Player one always chooses; who chooses for player two depends on mode.
        first = util.get_token_input(player1.name, taken)
        if gameMode == 2:
            second = util.get_token_input(player2.name, taken)
        else:
            second = util.generate_token(taken)

    player1.token = first
    player2.token = second
def post(self):
    """Create a pending invitation for the current room and e-mail it.

    Validates the submitted InvitationForm, inserts an invitation document
    (inviter, room, invitee name/e-mail, a token from util.generate_token(32),
    creation time and PENDING status) into ``self.db.invitations``, queues
    an e-mail containing the acceptance link, then redirects to the room.
    On validation failure the form is re-rendered.
    """
    form = forms.InvitationForm(self)
    if not form.validate():
        self.render('new_invitation.html', form=form, room=self.room)
        return

    inviter = self.current_user
    room = self.room
    token = util.generate_token(32)

    record = {
        'inviter': inviter._id,
        'room': room._id,
        'name': form.name.data,
        'email': form.email.data,
        'token': token,
        'created_at': datetime.datetime.utcnow(),
        'status': InvitationStatus.PENDING,
    }
    self.db.invitations.insert(record)

    # The token in this link is the whole credential for accepting the
    # invitation; it goes only to the invitee's address.
    accept_link = ''.join((
        self.request.protocol, "://", self.request.host,
        self.reverse_url('invitation'), '?token=', token,
    ))
    body = ''' Hi, %(receiver)s %(sender)s invites you to %(room)s. Click the following link to accept this invitation. %(invitation_link)s ''' % {
        'receiver': form.name.data,
        'sender': inviter.name,
        'room': room.name,
        'invitation_link': accept_link,
    }
    self.application.mail_queue.put({
        'to': form.email.data,
        'subject': 'Meetings invitation from %s' % inviter.name,
        'text': body,
    })
    self.redirect(self.reverse_url('room', room._id))
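def fconnect():
    """Handle facebook OAuth login

    GET /auth/fconnect

    Verifies the client-supplied user access token against this app's
    token (graph.facebook.com/debug_token), fetches the account e-mail from
    the Graph API, then logs that user in, creating the User row on first
    sight of the address.

    Returns the redirect-to-main response carrying the 'token' and
    'expire_time' cookies, or a 401 JSON response when any step fails.

    Changes versus the original: the app token is no longer printed to
    stdout; the bare ``except:`` is narrowed to ``Exception``; the token
    must have been issued for this app (debug_token ``app_id``); the e-mail
    is taken from the Graph API instead of the request body -- the body
    value was client-chosen, so a valid Facebook token for any account
    could be used to log in as any e-mail address.
    """
    def _rejected():
        # One failure response for every step so the reply does not say
        # which check failed.
        response = make_response(json.dumps("User access token is not valid"), 401)
        flash("Facebook connection Error.")
        response.headers['Content-Type'] = 'application/json'
        return response

    def _body(raw):
        # httplib2 may hand back bytes; normalise to text before parsing.
        return raw.decode('utf-8') if isinstance(raw, bytes) else raw

    # userinfo has email, username, and access token
    userinfo = json.loads(request.data)
    user_access_token = userinfo.get('access_token')
    if not user_access_token:
        return _rejected()

    # To verify user's access token, we need to get our app token first.
    url = ('https://graph.facebook.com/oauth/access_token?'
           'client_id={}&client_secret={}'
           '&grant_type=client_credentials'.format(
               config.FACEBOOK_CLIENT_ID, config.FACEBOOK_CLIENT_SECRET))
    try:
        h = httplib2.Http()
        result = _body(h.request(url, 'GET')[1])
        match = re.search(r'(access_token=)(.+?$)', result)
        if match is None:
            return _rejected()
        # The app token is a secret: keep it out of stdout and logs.
        app_token = match.group(2)

        # Using app token, we can verify user's access token
        url = ('https://graph.facebook.com/debug_token'
               '?input_token={}&access_token={}'.format(
                   user_access_token, app_token))
        result = json.loads(_body(httplib2.Http().request(url, 'GET')[1]))
        user_data = result.get("data") or {}
        # If the user's token is valid to the app token,
        # Facebook api returns the variable 'is_valid' with True
        if not user_data.get("is_valid"):
            return _rejected()
        # A valid token issued for some *other* app must not be accepted.
        if str(user_data.get("app_id")) != str(config.FACEBOOK_CLIENT_ID):
            return _rejected()

        # Ask Facebook for the address; the one in the request body is
        # whatever the client chose to send.
        url = ('https://graph.facebook.com/me'
               '?fields=email&access_token={}'.format(user_access_token))
        profile = json.loads(_body(httplib2.Http().request(url, 'GET')[1]))
        email = profile.get('email')
        if not email:
            # No e-mail permission granted: nothing to bind the login to.
            return _rejected()

        user = User.get_by_email(session, email.strip())
        # Create and store a new user if there is no user exist
        if not user:
            user = User(email=email)
            session.add(user)
            session.commit()

        expire_time, token = generate_token(user)
        flash("Successfully logged in with Facebook")
        # NOTE(review): the explicit 200 replaces the 302 of redirect(), so
        # this response does not redirect the browser; presumably the
        # calling script navigates on its own -- confirm before changing.
        response = make_response(redirect(url_for('basic.showMain')), 200)
        # httponly keeps the session token away from page scripts.
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response
    except Exception:
        return _rejected()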
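def sign_in():
    """Exchange a Google auth code for an application session token.

    Expects a JSON object body with ``location`` and ``auth_code``. The code
    is exchanged through util.google_auth_user(); the e-mail in the returned
    id_token identifies the user, whose record is created/updated with a
    fresh session token from util.generate_token().

    Returns JSON ``{'session_token', 'user_email'}``. A body that is not a
    JSON object with both keys yields a 400 JSON error (the original raised
    KeyError/ValueError, i.e. an HTTP 500).
    """
    try:
        payload = json.loads(request.data)
    except ValueError:
        return jsonify({'error': 'Malformed JSON body'}), 400
    required = ('location', 'auth_code')
    if not isinstance(payload, dict) or any(key not in payload for key in required):
        return jsonify({'error': 'Missing required fields'}), 400

    user_location = payload['location']
    auth_code = payload['auth_code']

    # The e-mail comes from the verified id_token, never from the client
    # body, so the caller cannot choose which account it signs in as.
    credentials = util.google_auth_user(auth_code)
    user_email = credentials.id_token['email']

    session_token = util.generate_token()
    user_obj = User.create_user(user_email, user_location, auth_code,
                                credentials.refresh_token,
                                credentials.access_token)
    user_obj.session_token = session_token
    user_obj.save()
    return jsonify({'session_token': user_obj.session_token,
                    'user_email': user_email})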
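def create_bin():
    """Store posted bin content under a fresh id and return that id.

    Reads ``binData`` from the form body. A missing or empty value is
    rejected with HTTP 400 *before* anything is written; the original
    created the row first and validated afterwards, so empty bins were
    persisted, and a missing field raised KeyError (HTTP 500).

    Returns the id produced by generate_token(6) as the response body.
    """
    bin_data = request.form.get("binData")
    if not bin_data:
        abort(400, "Invalid Request")
    bin_id = generate_token(6)
    Bin.create(p_id=bin_id, content=bin_data)
    return bin_id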
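def get_token(self):
    """Assign a fresh, table-unique token to this row and persist it.

    Draws values from generate_token() until one is absent from
    ``self.tablename``, stores the winner in ``self.token`` and writes it to
    the row whose pk is ``self.pk``.

    Both the lookup and the UPDATE bind their values as SQL parameters; the
    original interpolated the token and the pk straight into the UPDATE
    string. The table name cannot be bound and is still interpolated, so
    it must come from trusted configuration, never from request data.
    """
    select_sql = f"SELECT pk FROM {self.tablename} WHERE token == ?"
    update_sql = f"UPDATE {self.tablename} SET token = ? WHERE pk = ?"

    with sqlite3.connect(self.dbpath) as conn:
        cur = conn.cursor()
        while True:
            self.token = generate_token()
            cur.execute(select_sql, (self.token,))
            if cur.fetchone() is None:
                break
        cur.execute(update_sql, (self.token, self.pk))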
def post(self):
    """Create a room from the submitted RoomForm.

    The current user becomes the room's owner and its only admin, member
    and current user; form fields are copied onto the model, a token from
    util.generate_token(32) is attached, and the document is inserted into
    ``self.db.rooms``. Redirects to the room page on success, otherwise
    re-renders the form.
    """
    form = forms.RoomForm(self)
    if not form.validate():
        self.render('new.html', form=form)
        return

    uid = self.current_user._id
    room = Model(
        owner=uid,
        admins=[uid],
        members=[uid],
        topic='',
        current_users=[uid],
    )
    form.populate_obj(room)
    room.token = util.generate_token(32)
    self.db.rooms.insert(room)
    self.redirect(self.reverse_url('room', room._id))
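def login():
    '''Logs a user in by username and password, and returns an access token

    Reads ``username`` and ``password`` from the query string, looks the
    account up, checks the password and the verified flag, then stores a
    fresh token on the row and returns it as JSON.

    Changes versus the original: the credentials and the stored password
    are no longer printed to stdout; the "no such user" and "wrong
    password" cases share one message, so the endpoint no longer confirms
    which usernames exist; the two SELECTs are merged into one; the
    password comparison is constant-time.

    NOTE(review): passwords are still stored and compared as plain text
    (the matching signup handler inserts them verbatim); hashing needs a
    schema-level change in both handlers. Credentials carried in the query
    string also land in server and proxy logs -- a form body would be the
    better carrier.
    '''
    import hmac

    required_args = ('username', 'password')
    if any(arg not in request.args for arg in required_args):
        return abort(401)
    username = request.args['username'].lower()
    password = request.args['password']

    query = cursor.execute(
        """
        SELECT password, verified FROM users WHERE username = ?;
        """, (username, ))
    result = query.fetchone()
    if result is None:
        return jsonify(error=404, message="Invalid username or password")
    db_password, verified = result[0], bool(result[1])

    # compare_digest keeps the comparison time independent of where the
    # first mismatching character sits.
    if not hmac.compare_digest(str(password).encode('utf-8'),
                               str(db_password).encode('utf-8')):
        return jsonify(error=404, message="Invalid username or password")
    if not verified:
        return jsonify(error=401, message="Your email isn't verified yet")

    new_token = util.generate_token()
    cursor.execute(
        """
        UPDATE users SET token = ? WHERE username = ?;
        """, (new_token, username))
    conn.commit()
    return jsonify(token=new_token, message="Successfully logged in")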
def signup():
    '''Creates a new user via email, username and password

    Requires ``name``, ``email``, ``username`` and ``password`` in the query
    string. Refuses a username that is already taken, e-mails a
    verification link built from the configured domain and a token from
    util.generate_token(), then inserts the row with a random numeric id.

    NOTE(review): the password is inserted exactly as received (plain
    text); the login handler compares it the same way, so hashing has to be
    introduced in both places at once. The random id is not checked for
    collisions before the INSERT.
    '''
    needed = ('name', 'email', 'username', 'password')
    args = request.args
    if any(field not in args for field in needed):
        return abort(401)

    name = args['name']
    email = args['email']
    username = args['username'].lower()
    password = args['password']

    taken = cursor.execute(
        """
        SELECT COUNT(*) FROM users WHERE username = ?;
        """, (username, ))
    if db.exists(taken):
        return jsonify(error=401, message="User with this username already exists")

    settings = configparser.ConfigParser()
    settings.read('./.settings')
    domain = settings['settings']['domain'].rstrip('/')
    verification_code = util.generate_token()
    link = f'{domain}/verify?token={verification_code}'

    try:
        verify.send_verification_email(email, link)
    except httplib2.ServerNotFoundError:
        return jsonify(error=404, message="Unable to reach Server")

    new_id = random.randrange(100_001, 1_000_000)
    cursor.execute(
        """
        INSERT INTO users ( id, name, email, username, password, verification_code) VALUES (?, ?, ?, ?, ?, ?);
        """, (new_id, name, email, username, password, verification_code))
    conn.commit()
    return jsonify(success=True, message="Verification email sent")
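def user_login():
    """GET handler that issues a token for the fixed app name 'app2'.

    Generates a token and the RSA public key, derives ``secrete`` from the
    public key file, appends "<name>: <token>" to ./token.ini and returns a
    dict holding the token, the derived secret and fixed sample fields.

    Changes versus the original: the token line and the returned data
    (which carries the token and the secret) are no longer written to the
    application log, and the stray debug print was removed. The token is
    still written to token.ini in the working directory; keep that path
    out of any web-served or shared location.

    Returns None for any method other than GET (unchanged; the route should
    be registered for GET only).
    """
    if request.method != 'GET':
        return None

    name = 'app2'
    token = generate_token(name)
    generate_pub_rsa_key()
    token_file = os.path.realpath('./' + '/token.ini')
    pub_filename = os.path.realpath('rsa.pub.key')
    with open(pub_filename, 'r') as fp:
        secrete = change_str(user_pub_add_salt(fp, UAER_KEY))

    data = {
        'name': 'less',
        'age': 34,
        'sex': 'w',
        'uuid': uuid.uuid4(),
        'token': token,
        'secrete': secrete,
    }
    info = f"{name}: {token}\n"
    # Log the event, not the credential.
    logger.info("issued token for %s", name)
    with open(token_file, 'w+') as fp:
        fp.write(info)
    return data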
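def login(cached_email=None):
    """Render login page and handle login form data.

    Requests:
        GET  /auth/login  -- render the form and issue a CSRF cookie
        POST /auth/login  -- check CSRF, then credentials, then set cookies

    Args:
        cached_email: e-mail address pre-filled in the form on GET.

    Returns a rendered template or, on a successful POST, a redirect to the
    main page carrying the 'token' and 'expire_time' cookies.

    Changes versus the original: a POST with neither the CSRF cookie nor
    the ``_csrf_token`` field is rejected (``None != None`` is False, so it
    used to pass the check); the token cookie is httponly so page scripts
    cannot read it.
    """
    if request.method == 'GET':
        csrf_token = generate_csrf_token()
        response = make_response(
            render_template('login.html',
                            cached_email=cached_email,
                            client_id=CLIENT_ID,
                            csrf_token=csrf_token))
        # Store the csrf_token in the browser cookie.
        response.set_cookie('csrf_token', value=csrf_token)
        return response

    # Form fields:
    #   email: user email, required
    #   password: user password, required
    if request.method == 'POST':
        # Check csrf token: both halves must be present and equal.
        cookie_csrf_token = request.cookies.get('csrf_token')
        form_csrf_token = request.form.get('_csrf_token')
        if (not cookie_csrf_token or not form_csrf_token
                or cookie_csrf_token != form_csrf_token):
            flash("Please use proper login.")
            return render_template('login.html',
                                   cached_email=cached_email,
                                   client_id=CLIENT_ID,
                                   csrf_token="")

        # Get user data from login form.
        email = request.form.get('email')
        password = request.form.get('password')

        # User must fill the email and password field.
        if not (email and password):
            flash("Please fill the form. ")
            return render_template('login.html', cached_email=email)

        # Find user in the database by email.
        user = User.get_by_email(session, email.strip())
        # User does not exist.
        if not user:
            flash("Invalid email address or password. ")
            return render_template('login.html', cached_email=email)
        # User exists but has no password: they signed up through OAuth.
        # NOTE(review): this message confirms that the address has an
        # account; fold it into the generic one if enumeration matters.
        if not user.password:
            flash("You've signed up with social service. ")
            return render_template('login.html', cached_email=email)
        # Password incorrect.
        if not check_password(password, user.password, user.salt):
            flash("Invalid email address or password. ")
            return render_template('login.html', cached_email=email)

        # Generate JSON web token for user.
        # As long as client has non-expired and valid token,
        # they do not need to login again.
        expire_time, token = generate_token(user)
        response = make_response(redirect(url_for('basic.showMain')))
        # Store the token in the browser cookie; httponly keeps it from JS.
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response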
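def fconnect():
    """Handle facebook OAuth login

    GET /auth/fconnect

    Verifies the client-supplied user access token against this app's
    token (graph.facebook.com/debug_token), fetches the account e-mail from
    the Graph API, then logs that user in, creating the User row on first
    sight of the address.

    Returns the redirect-to-main response carrying the 'token' and
    'expire_time' cookies, or a 401 JSON response when any step fails.

    Changes versus the original: the app token is no longer printed to
    stdout; the bare ``except:`` is narrowed to ``Exception``; the token
    must have been issued for this app (debug_token ``app_id``); the e-mail
    is taken from the Graph API instead of the request body -- the body
    value was client-chosen, so a valid Facebook token for any account
    could be used to log in as any e-mail address.
    """
    def _rejected():
        # One failure response for every step so the reply does not say
        # which check failed.
        response = make_response(
            json.dumps("User access token is not valid"), 401
        )
        flash("Facebook connection Error.")
        response.headers['Content-Type'] = 'application/json'
        return response

    def _body(raw):
        # httplib2 may hand back bytes; normalise to text before parsing.
        return raw.decode('utf-8') if isinstance(raw, bytes) else raw

    # userinfo has email, username, and access token
    userinfo = json.loads(request.data)
    user_access_token = userinfo.get('access_token')
    if not user_access_token:
        return _rejected()

    # To verify user's access token, we need to get our app token first.
    url = ('https://graph.facebook.com/oauth/access_token?'
           'client_id={}&client_secret={}'
           '&grant_type=client_credentials'
           .format(config.FACEBOOK_CLIENT_ID, config.FACEBOOK_CLIENT_SECRET))
    try:
        h = httplib2.Http()
        result = _body(h.request(url, 'GET')[1])
        match = re.search(r'(access_token=)(.+?$)', result)
        if match is None:
            return _rejected()
        # The app token is a secret: keep it out of stdout and logs.
        app_token = match.group(2)

        # Using app token, we can verify user's access token
        url = ('https://graph.facebook.com/debug_token'
               '?input_token={}&access_token={}'
               .format(user_access_token, app_token))
        result = json.loads(_body(httplib2.Http().request(url, 'GET')[1]))
        user_data = result.get("data") or {}
        # If the user's token is valid to the app token,
        # Facebook api returns the variable 'is_valid' with True
        if not user_data.get("is_valid"):
            return _rejected()
        # A valid token issued for some *other* app must not be accepted.
        if str(user_data.get("app_id")) != str(config.FACEBOOK_CLIENT_ID):
            return _rejected()

        # Ask Facebook for the address; the one in the request body is
        # whatever the client chose to send.
        url = ('https://graph.facebook.com/me'
               '?fields=email&access_token={}'.format(user_access_token))
        profile = json.loads(_body(httplib2.Http().request(url, 'GET')[1]))
        email = profile.get('email')
        if not email:
            # No e-mail permission granted: nothing to bind the login to.
            return _rejected()

        user = User.get_by_email(session, email.strip())
        # Create and store a new user if there is no user exist
        if not user:
            user = User(email=email)
            session.add(user)
            session.commit()

        expire_time, token = generate_token(user)
        flash("Successfully logged in with Facebook")
        # NOTE(review): the explicit 200 replaces the 302 of redirect(), so
        # this response does not redirect the browser; presumably the
        # calling script navigates on its own -- confirm before changing.
        response = make_response(
            redirect(url_for('basic.showMain')), 200
        )
        # httponly keeps the session token away from page scripts.
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response
    except Exception:
        return _rejected()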
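def gconnect():
    """Handle Google OAuth login.

    GET /auth/gconnect

    Exchanges the one-time code posted by the Google sign-in widget for
    credentials, verifies the resulting access token through the tokeninfo
    endpoint (no error, user id and client id both match), fetches the
    user's e-mail and logs them in, creating the User row when it does not
    exist.

    Returns a redirect to the main page carrying the 'token', 'expire_time'
    and 'gplus_token' cookies, or a JSON error (401/500) when a check fails.

    Changes versus the original: a request with neither the CSRF cookie
    nor the ``_csrf_token`` parameter is rejected (``None != None`` is
    False, so it used to pass); tokeninfo/userinfo fields are read with
    ``.get()`` so a malformed reply yields 401 instead of a KeyError (500);
    the session token cookie is httponly.
    """
    def _json_error(message, status):
        response = make_response(json.dumps(message), status)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Check csrf token: the cookie must exist and the parameter must match.
    cookie_csrf_token = request.cookies.get('csrf_token')
    if not cookie_csrf_token or request.args.get('_csrf_token') != cookie_csrf_token:
        flash("Please use proper authentication.")
        return _json_error('Fail to connect', 401)

    # code is a return value from front-end google + oauth API
    code = request.data
    try:
        # Create oauth login flow based on client_secret.json
        # Please make sure that you have downloaded and placed
        # client_secret.json properly. Please read README file.
        oauth_flow = flow_from_clientsecrets('settings/client_secret.json', scope='')
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except FlowExchangeError:
        flash("Google plus connection Error.")
        return _json_error('Fail to upgrade', 401)

    # Get an access_token from Google OAuth provider
    access_token = credentials.access_token
    url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
           % access_token)
    h = httplib2.Http()
    result = json.loads(h.request(url, 'GET')[1])
    if result.get('error') is not None:
        flash("Google plus connection Error.")
        return _json_error(result.get('error'), 500)

    # The token must belong to the user whose id_token we just received.
    gplus_id = credentials.id_token['sub']
    if result.get('user_id') != gplus_id:
        flash("Google plus connection Error.")
        return _json_error("Token's user ID doesn't match", 401)

    # Make sure client id is correct
    if result.get('issued_to') != CLIENT_ID:
        flash("Google plus connection Error.")
        return _json_error("Token's client ID doesn't match", 401)

    # Retrieve user info. stored in Google
    userinfo_url = 'https://www.googleapis.com/oauth2/v1/userinfo'
    params = {'access_token': credentials.access_token, 'alt': 'json'}
    answer = requests.get(userinfo_url, params=params)
    data = json.loads(answer.text)
    email = data.get('email')
    if not email:
        flash("Google plus connection Error.")
        return _json_error("No e-mail address in Google profile", 401)

    user = User.get_by_email(session, email.strip())
    # If user does not exist, create a new user
    if not user:
        user = User(email=email)
        session.add(user)
        session.commit()

    # Generate JSON web token for user.
    # As long as client has non-expired and valid token,
    # they do not need to login again.
    flash("Successfully logged in with Google +")
    expire_time, token = generate_token(user)
    response = make_response(redirect(url_for('basic.showMain')))
    # Store the JSON web token and Google + access token in the browser cookie.
    response.set_cookie('token', value=token, httponly=True)
    response.set_cookie('expire_time', value=str(expire_time))
    # NOTE(review): this exposes the Google access token to page scripts;
    # add httponly=True once it is confirmed no front-end code reads it.
    response.set_cookie('gplus_token', value=access_token)
    return response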
def get(self):
    """Render index.html with a freshly generated capability token.

    The token is produced by util.generate_token from the ACCOUNT_SID,
    AUTH_TOKEN and APP_SID module constants and handed to the template as
    ``params['token']``; the rendered page is written to the response.
    """
    token = util.generate_token(ACCOUNT_SID, AUTH_TOKEN, APP_SID)
    page = render_template("index.html", {"token": token})
    self.response.out.write(page)
from peewee import SqliteDatabase

# Application wiring: database, session plugin, one process-wide CSRF token
# and a single hard-coded account used by the authenticator below.
db = SqliteDatabase('test.db')
CONFIG = {'db': db}
app = bottle.app()
app.config.update(CONFIG)
# NOTE(review): the cookie signing secret is a literal in source; anyone
# who can read the repository can forge session cookies. Load it from the
# environment or a secrets store and rotate the value committed here.
session_plugin = PeeweeSessionPlugin(cookie_lifetime='10 seconds',
                                     db_conn=db,
                                     cookie_secret='very-s3kr3t-s4lt')
app.install(session_plugin)
# One CSRF token for the lifetime of the process, shared by every client.
csrf_token = generate_token(20)
# NOTE(review): a single hard-coded credential pair; the values appear to
# be redacted in this listing. Credentials belong outside the source tree.
username = "******"
PASSWORD = "******"


class User:
    @staticmethod
    def verify_password(user, password):
        # Plain string equality against the module constants; no hashing
        # and no constant-time comparison.
        if user == username and password == PASSWORD:
            return True
        else:
            return False


# Statement continues beyond this listing.
login_required = authenticator(session_plugin.session_manager,
def signup(): """Render login page and handle login form data. Requests: GET /auth/signup POST /auth/signup """ if request.method == 'GET': csrf_token = generate_csrf_token() response = make_response( render_template('signup.html', client_id=CLIENT_ID)) # Store the csrf_token in the browser cookie. response.set_cookie('csrf_token', value=csrf_token) return response # Form fields: # email: user email, required # password: user password, required # confirm: user confirm password, required # User email, and hashed password and salt are stored when login succeed. if request.method == 'POST': # Check csrf token cookie_csrf_token = request.cookies.get('csrf_token') form_csrf_token = request.form.get('_csrf_token') # CSRF attack detected! if cookie_csrf_token != form_csrf_token: flash("Please use proper signup.") return render_template('signup.html', client_id=CLIENT_ID, csrf_token="") # Get user data from login form. email = request.form.get('email') password = request.form.get('password') confirm = request.form.get('confirm') # User must fill the email and password field. if not (email and password and confirm): flash("Please fill the form. ") return render_template('signup.html', cached_email=email) # Password field and confirm fields must be the same. if not (password == confirm): flash("Confirm password has to be the same as password") return render_template('signup.html', cached_email=email) # Find user in the database by email. user = User.get_by_email(session, email.strip()) # User already exist, remind user that. if user: if user.password: flash("Such user already exist. Please login") return render_template('signup.html', cached_email=email) # Create a new user object else: user = User(email=email.strip()) # Store encrypted password and salt in the database user.password, user.salt = encrypt_password(password) session.add(user) session.commit() # Generate JSON web token for user. 
# As long as client has non-expired and valid token, # they do not need to login again. expire_time, token = generate_token(user) response = make_response(redirect(url_for('basic.showMain'))) # Store the token in the browser cookie. response.set_cookie('token', value=token) response.set_cookie('expire_time', value=str(expire_time)) return response
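def postform():
    """Form POST endpoint for all form variations.

    ``mode`` selects the action: ``login``, ``signup``, ``forgot`` (issue a
    reset token) or ``reset`` (consume it). login/signup/reset build a
    session and redirect to /api/me on success; every other outcome
    re-renders auth.html with ``err`` set.

    Changes versus the original: the reset error path referenced an
    undefined name (``value``), so a bad token raised NameError inside the
    except block (HTTP 500) instead of reporting "Invalid token"; that bare
    ``except:`` is narrowed to ``Exception``; a missing ``mode``, ``email``,
    ``firstname`` or ``lastname`` no longer raises KeyError; the reset path
    applies the same password validity check as signup; ``log.warn`` is
    replaced by ``log.warning``.

    NOTE(review): the signup/forgot messages reveal whether an address has
    an account, and the reset link is written to the log; both are fine for
    a scaffold but should change before real users are involved.
    """
    input = request.form
    mode = input.get("mode", "")
    email = input.get("email", "")
    passwd = input.get("passwd")
    token = input.get("token")
    u = db.get_user_by_email(email) if email else None

    errmsg = ""
    if not email:
        errmsg = "Email is missing"
    elif mode == "login":
        if not u or not account.check_password(u.password, passwd):
            errmsg = "Invalid login credentials"
        else:
            account.build_session(u, is_permanent=True)
            log.info(f"LOGIN OK {email}")
            # you should redirect to real ui...
            return redirect("/api/me")
    elif mode == "signup":
        if u:
            errmsg = f"Account exists already {email}"
        elif passwd != input.get("passwd2"):
            errmsg = "Passwords differ"
        else:
            errmsg = account.check_password_validity(passwd)
            if not errmsg:
                # create new user
                u = db.User()
                u.email = email
                u.first_name = input.get("firstname", "")
                u.last_name = input.get("lastname", "")
                u.password = account.hash_password(passwd)
                u.role = 'editor'  # set default to what makes sense to your app
                u.save(force_insert=True)
                account.new_signup_steps(u)
                account.build_session(u, is_permanent=True)
                log.info(f"SIGNUP OK {email}")
                # you should redirect to real ui...
                return redirect("/api/me")
    elif mode == "forgot":
        # request a new password
        if u:
            # generate an expiring token and store in redis
            token = str(util.generate_token())
            data = {"uid": f"{u.id}", "ip": get_ip()}
            expire_secs = 60 * 60  # 1h
            red.set_keyval(token, data, expire_secs)
            # email the link to the user
            link = f"DOMAIN/auth/reset?token={token}"
            errmsg = f"Server should now send a reset email to {email}..."
            log.info(f"password reset link = {link}")
        else:
            errmsg = f"Unknown account {email}"
    elif mode == "reset":
        # reset a password; the token must resolve to a stored request
        data = red.get_keyval(token) if token else None
        if data:
            try:
                u = db.get_user(data["uid"])
                # extra security: make sure ip addresses match, only the
                # requester can use the link
                if get_ip() != data["ip"]:
                    errmsg = "Invalid IP"
                elif passwd != input.get("passwd2"):
                    errmsg = "Passwords differ"
                else:
                    errmsg = account.check_password_validity(passwd)
                    if not errmsg:
                        # ok, reset the password
                        u.password = account.hash_password(passwd)
                        u.save()
                        account.build_session(u, is_permanent=True)
                        # security: disable link from further use
                        red.delete_key(token)
                        log.info(f"PASSWD RESET OK {email}")
                        return redirect("/api/me")
            except Exception:
                log.error(f"no user {data.get('uid')}")
                errmsg = "Invalid token"
        else:
            errmsg = "Invalid token"

    if errmsg:
        log.warning(errmsg)
    return render_template('auth.html', mode=mode, email=email, err=errmsg, token=token)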
def signup(): """Render login page and handle login form data. Requests: GET /auth/signup POST /auth/signup """ if request.method == 'GET': csrf_token = generate_csrf_token() response = make_response( render_template('signup.html', client_id=CLIENT_ID) ) # Store the csrf_token in the browser cookie. response.set_cookie('csrf_token', value=csrf_token) return response # Form fields: # email: user email, required # password: user password, required # confirm: user confirm password, required # User email, and hashed password and salt are stored when login succeed. if request.method == 'POST': # Check csrf token cookie_csrf_token = request.cookies.get('csrf_token') form_csrf_token = request.form.get('_csrf_token') # CSRF attack detected! if cookie_csrf_token != form_csrf_token: flash("Please use proper signup.") return render_template('signup.html', client_id=CLIENT_ID, csrf_token="") # Get user data from login form. email = request.form.get('email') password = request.form.get('password') confirm = request.form.get('confirm') # User must fill the email and password field. if not (email and password and confirm): flash("Please fill the form. ") return render_template('signup.html', cached_email=email) # Password field and confirm fields must be the same. if not (password == confirm): flash("Confirm password has to be the same as password") return render_template('signup.html', cached_email=email) # Find user in the database by email. user = User.get_by_email(session, email.strip()) # User already exist, remind user that. if user: if user.password: flash("Such user already exist. Please login") return render_template('signup.html', cached_email=email) # Create a new user object else: user = User(email=email.strip()) # Store encrypted password and salt in the database user.password, user.salt = encrypt_password(password) session.add(user) session.commit() # Generate JSON web token for user. 
# As long as client has non-expired and valid token, # they do not need to login again. expire_time, token = generate_token(user) response = make_response(redirect(url_for('basic.showMain'))) # Store the token in the browser cookie. response.set_cookie('token', value=token) response.set_cookie('expire_time', value=str(expire_time)) return response
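def gconnect():
    """Handle Google OAuth login.

    GET /auth/gconnect

    Exchanges the one-time code posted by the Google sign-in widget for
    credentials, verifies the resulting access token through the tokeninfo
    endpoint (no error, user id and client id both match), fetches the
    user's e-mail and logs them in, creating the User row when it does not
    exist.

    Returns a redirect to the main page carrying the 'token', 'expire_time'
    and 'gplus_token' cookies, or a JSON error (401/500) when a check fails.

    Changes versus the original: a request with neither the CSRF cookie
    nor the ``_csrf_token`` parameter is rejected (``None != None`` is
    False, so it used to pass); tokeninfo/userinfo fields are read with
    ``.get()`` so a malformed reply yields 401 instead of a KeyError (500);
    the session token cookie is httponly.
    """
    def _json_error(message, status):
        response = make_response(json.dumps(message), status)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Check csrf token: the cookie must exist and the parameter must match.
    cookie_csrf_token = request.cookies.get('csrf_token')
    if not cookie_csrf_token or request.args.get('_csrf_token') != cookie_csrf_token:
        flash("Please use proper authentication.")
        return _json_error('Fail to connect', 401)

    # code is a return value from front-end google + oauth API
    code = request.data
    try:
        # Create oauth login flow based on client_secret.json
        # Please make sure that you have downloaded and placed
        # client_secret.json properly. Please read README file.
        oauth_flow = flow_from_clientsecrets('settings/client_secret.json', scope='')
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except FlowExchangeError:
        flash("Google plus connection Error.")
        return _json_error('Fail to upgrade', 401)

    # Get an access_token from Google OAuth provider
    access_token = credentials.access_token
    url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
           % access_token)
    h = httplib2.Http()
    result = json.loads(h.request(url, 'GET')[1])
    if result.get('error') is not None:
        flash("Google plus connection Error.")
        return _json_error(result.get('error'), 500)

    # The token must belong to the user whose id_token we just received.
    gplus_id = credentials.id_token['sub']
    if result.get('user_id') != gplus_id:
        flash("Google plus connection Error.")
        return _json_error("Token's user ID doesn't match", 401)

    # Make sure client id is correct
    if result.get('issued_to') != CLIENT_ID:
        flash("Google plus connection Error.")
        return _json_error("Token's client ID doesn't match", 401)

    # Retrieve user info. stored in Google
    userinfo_url = 'https://www.googleapis.com/oauth2/v1/userinfo'
    params = {'access_token': credentials.access_token, 'alt': 'json'}
    answer = requests.get(userinfo_url, params=params)
    data = json.loads(answer.text)
    email = data.get('email')
    if not email:
        flash("Google plus connection Error.")
        return _json_error("No e-mail address in Google profile", 401)

    user = User.get_by_email(session, email.strip())
    # If user does not exist, create a new user
    if not user:
        user = User(email=email)
        session.add(user)
        session.commit()

    # Generate JSON web token for user.
    # As long as client has non-expired and valid token,
    # they do not need to login again.
    flash("Successfully logged in with Google +")
    expire_time, token = generate_token(user)
    response = make_response(redirect(url_for('basic.showMain')))
    # Store the JSON web token and Google + access token in the browser cookie.
    response.set_cookie('token', value=token, httponly=True)
    response.set_cookie('expire_time', value=str(expire_time))
    # NOTE(review): this exposes the Google access token to page scripts;
    # add httponly=True once it is confirmed no front-end code reads it.
    response.set_cookie('gplus_token', value=access_token)
    return response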
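def login(cached_email=None):
    """Render login page and handle login form data.

    Requests:
        GET  /auth/login  -- render the form and issue a CSRF cookie
        POST /auth/login  -- check CSRF, then credentials, then set cookies

    Args:
        cached_email: e-mail address pre-filled in the form on GET.

    Returns a rendered template or, on a successful POST, a redirect to the
    main page carrying the 'token' and 'expire_time' cookies.

    Changes versus the original: a POST with neither the CSRF cookie nor
    the ``_csrf_token`` field is rejected (``None != None`` is False, so it
    used to pass the check); the token cookie is httponly so page scripts
    cannot read it.
    """
    if request.method == 'GET':
        csrf_token = generate_csrf_token()
        response = make_response(
            render_template('login.html',
                            cached_email=cached_email,
                            client_id=CLIENT_ID,
                            csrf_token=csrf_token)
        )
        # Store the csrf_token in the browser cookie.
        response.set_cookie('csrf_token', value=csrf_token)
        return response

    # Form fields:
    #   email: user email, required
    #   password: user password, required
    if request.method == 'POST':
        # Check csrf token: both halves must be present and equal.
        cookie_csrf_token = request.cookies.get('csrf_token')
        form_csrf_token = request.form.get('_csrf_token')
        if (not cookie_csrf_token or not form_csrf_token
                or cookie_csrf_token != form_csrf_token):
            flash("Please use proper login.")
            return render_template('login.html',
                                   cached_email=cached_email,
                                   client_id=CLIENT_ID,
                                   csrf_token="")

        # Get user data from login form.
        email = request.form.get('email')
        password = request.form.get('password')

        # User must fill the email and password field.
        if not (email and password):
            flash("Please fill the form. ")
            return render_template('login.html', cached_email=email)

        # Find user in the database by email.
        user = User.get_by_email(session, email.strip())
        # User does not exist.
        if not user:
            flash("Invalid email address or password. ")
            return render_template('login.html', cached_email=email)
        # User exists but has no password: they signed up through OAuth.
        # NOTE(review): this message confirms that the address has an
        # account; fold it into the generic one if enumeration matters.
        if not user.password:
            flash("You've signed up with social service. ")
            return render_template('login.html', cached_email=email)
        # Password incorrect.
        if not check_password(password, user.password, user.salt):
            flash("Invalid email address or password. ")
            return render_template('login.html', cached_email=email)

        # Generate JSON web token for user.
        # As long as client has non-expired and valid token,
        # they do not need to login again.
        expire_time, token = generate_token(user)
        response = make_response(redirect(url_for('basic.showMain')))
        # Store the token in the browser cookie; httponly keeps it from JS.
        response.set_cookie('token', value=token, httponly=True)
        response.set_cookie('expire_time', value=str(expire_time))
        return response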