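def vote_confirm():
    """Confirm a vote from a signed confirmation token in the JSON body.

    Expects a JSON body ``{"token": ...}``. The token must verify under the
    app's ``SECRET_KEY`` with the ``"vote-confirmation"`` salt; its payload
    is the id of the vote to confirm. All other votes by the same voter
    email are deleted so only the confirmed vote remains.

    Returns:
        A ``(response, 400)`` pair when the token is missing or does not
        verify, ``(response, 404)`` when the vote no longer exists, otherwise
        a JSON success response.
    """
    try:
        token = request.json["token"]
    except (KeyError, TypeError):
        # TypeError covers request.json being None when the body is not JSON.
        return jsonify("'token' missing from JSON body"), 400

    s = URLSafeSerializer(current_app.config["SECRET_KEY"])
    # loads_unsafe() hands back the payload even when the signature is bad;
    # vote_id is only used once ``valid`` is True.
    valid, vote_id = s.loads_unsafe(token, "vote-confirmation")
    if not valid:
        return jsonify(status="error", reason="token is not valid"), 400

    v = Vote.query.get(vote_id)
    if v is None:
        # A correctly signed token can still point at a vote that was deleted
        # since it was issued; without this guard the attribute access below
        # raises AttributeError and the client gets a 500.
        return jsonify(status="error", reason="vote not found"), 404

    # Delete any other vote that was clicked by the same voter.
    other_votes = Vote.query.filter(
        Vote.voter_email == v.voter_email, Vote.id != v.id
    ).all()
    for d in other_votes:
        db.session.delete(d)
    v.confirmed = True
    db.session.commit()
    return jsonify(status="success", reason="vote confirmed")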
def unpack(token):
    """Decode a token's payload *without* checking its signature.

    The signature is ignored on purpose (a throwaway key is used), so the
    result is unauthenticated. Only use this for fields that carry their own
    integrity protection, such as an inner token that is verified separately.

    Args:
        token: the URL-safe serialized token string.

    Returns:
        The decoded payload object.

    Raises:
        ValueError: if the token cannot be decoded or decodes to something
            falsy (an empty payload is treated the same as a corrupt one).
    """
    reader = URLSafeSerializer("BadKey", None)
    _signature_ok, payload = reader.loads_unsafe(token)
    if payload:
        return payload
    raise ValueError("Corrupt/empty token")
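def validate_token(token, secret, salt):
    """Validate a URL-safe signed token and return its payload.

    Args:
        token: the signed token string to check.
        secret: secret to use for signing.
        salt: namespace or other known value the token was signed under.

    Returns:
        ``(validated, value)``: when ``validated`` is True, ``value`` is the
        signed payload. When False, ``value`` is whatever could be decoded
        (possibly ``None``) and must not be trusted by the caller.
    """
    serializer = URLSafeSerializer(secret)
    try:
        # loads_unsafe() already maps bad signatures and bad payloads to
        # (False, ...); the handler only covers unexpected failures such as
        # a token that is not a string at all.
        return serializer.loads_unsafe(token, salt=salt)
    except Exception:
        # Narrowed from a bare ``except:``, which also swallowed SystemExit
        # and KeyboardInterrupt.
        return (False, None)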
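def vote_confirm():
    """Confirm a vote from a signed confirmation token in the JSON body.

    Expects a JSON body ``{"token": ...}``. The token must verify under the
    app's ``SECRET_KEY`` with the ``"vote-confirmation"`` salt; its payload
    is the id of the vote to confirm. All other votes by the same voter
    email are deleted, the vote is marked confirmed, and a confirmation
    email with the answer's current votes and rank is sent.

    Returns:
        ``(response, 400)`` when the token is missing or does not verify,
        ``(response, 404)`` when the vote no longer exists, otherwise a JSON
        success response (also for a vote that was already confirmed).
    """
    try:
        token = request.json["token"]
    except (KeyError, TypeError):
        # TypeError covers request.json being None when the body is not JSON.
        return jsonify("'token' missing from JSON body"), 400

    s = URLSafeSerializer(current_app.config["SECRET_KEY"])
    # loads_unsafe() hands back the payload even when the signature is bad;
    # vote_id is only used once ``valid`` is True.
    valid, vote_id = s.loads_unsafe(token, "vote-confirmation")
    if not valid:
        return jsonify(status="error", reason="token is not valid"), 400

    v = Vote.query.get(vote_id)
    if v is None:
        # Every other error path sends a 4xx; this one previously answered
        # with a bare 200, so clients keying on the status code saw success.
        return (
            jsonify(
                status="error",
                reason="vote not found - try voting again, or contestant may have been disqualified.",
            ),
            404,
        )
    if v.confirmed:
        # Idempotent: re-clicking the confirmation link is not an error.
        return jsonify(status="success", reason="vote already confirmed")

    _discard_other_votes(v)
    v.confirmed = True
    db.session.commit()
    # NOTE(review): the confirmation is already committed at this point; if
    # mail.send raises, the client sees an error for a vote that did confirm.
    _send_confirmation_mail(v)
    return jsonify(status="success", reason="vote confirmed")


def _discard_other_votes(v):
    """Stage deletion of every other vote by ``v``'s voter email (no commit)."""
    others = Vote.query.filter(
        Vote.voter_email == v.voter_email, Vote.id != v.id
    ).all()
    for d in others:
        db.session.delete(d)


def _send_confirmation_mail(v):
    """Email ``v``'s voter the current vote count and rank of the answer."""
    msg = Message(subject="Vote confirmation successful!", recipients=[v.voter_email])
    votes, rank = v.ranking()
    msg.html = render_template(
        "challenge_vote_submitted.html",
        username=v.answer.user.username,
        votes=int(votes),
        rank=rank,
    )
    mail.send(msg)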
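def validate_token(self, request, token):
    """Log the user in from a single-use, signed login token.

    The token's signature is checked against ``settings.BIDAUTH_SECRET``;
    only then is its payload (``email``, ``timestamp``) trusted. The token
    must also still exist in the ``Token`` table for that user (it is
    deleted after use, so each token logs in at most once) and pass the
    ``within_an_hour`` freshness check.

    Args:
        request: the Django request to attach the login session to.
        token: the signed token string from the login link.

    Returns:
        A redirect to the token row's ``redirect_to`` on success, otherwise
        a plain ``HttpResponse`` stating why the token was rejected.
    """
    s = URLSafeSerializer(settings.BIDAUTH_SECRET)
    # loads_unsafe() returns the payload even when the signature fails;
    # nothing from it is read until sig_ok has been checked.
    sig_ok, payload = s.loads_unsafe(token)
    if not sig_ok:
        return HttpResponse("bad token")
    email = payload['email']
    if not within_an_hour(payload['timestamp']):
        # token's only valid for an hour
        return HttpResponse("stale token")

    # Evaluate the queryset once: each ``r[0]`` on an unevaluated Django
    # queryset runs a fresh query and yields a fresh instance, so the
    # original code hit the database once for count() and three more times
    # for ``r[0]``, deleting a separately loaded copy of the row.
    row = Token.objects.filter(token=token, user__email=email).first()
    if row is None:
        return HttpResponse("token not found. probably already used")

    u = row.user
    u.backend = 'django.contrib.auth.backends.ModelBackend'
    django_login(request, u)
    redirect = row.redirect_to
    # Consume the token so the same link cannot log in again.
    row.delete()
    return HttpResponseRedirect(redirect)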
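def fetch_steam_cookie(request):
    """Read and validate the signed ``steam_info`` cookie on ``request``.

    Returns:
        ``(code, info)`` where ``code`` is
        0 - cookie absent (``info`` is ``{}``), or present and still valid;
        1 - signature did not verify under ``app.secret_key`` (``info`` is ``{}``);
        2 - signed payload was not a JSON object (``info`` is ``{}``);
        3 - payload has no ``expires`` or it is not in the future
            (``info`` is the decoded payload).
    """
    cookie_str = request.cookies.get("steam_info")
    if not cookie_str:
        return 0, {}

    ser = URLSafeSerializer(app.secret_key)
    # The payload comes back even when the signature is bad; it is only
    # decoded once ``loaded`` confirms it was signed with our key.
    loaded, cookie_json = ser.loads_unsafe(cookie_str)
    if not loaded:
        return 1, {}

    try:
        steam_info = json.loads(cookie_json)
    except (json.JSONDecodeError, TypeError):
        # TypeError: the signed payload was not a str/bytes JSON document.
        return 2, {}
    if not isinstance(steam_info, dict):
        # A valid JSON scalar or list would otherwise raise on the key test.
        return 2, {}

    # ``expires`` is compared against the current UTC POSIX timestamp.
    now = datetime.now(timezone.utc).timestamp()
    if "expires" not in steam_info or steam_info["expires"] <= now:
        return 3, steam_info
    return 0, steam_info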
def unlock_token(self, token):
    """Verify ``token`` under ``secret_key`` and ``self.salt``; return its payload.

    Args:
        token: signed token string to verify.

    Returns:
        The payload embedded in the token.

    Raises:
        InvalidToken: if the signature does not verify. The payload that
            loads_unsafe() returns in that case is discarded, never used.
    """
    verifier = URLSafeSerializer(secret_key, salt=self.salt)
    signed_ok, payload = verifier.loads_unsafe(token)
    if signed_ok:
        return payload
    raise InvalidToken(token)