def register_form():
form = tools.RegisterForm(request.form)
if form.validate():
first_name = form.first_name.data
surname = form.surname.data
email = form.email.data
password = bcrypt_sha256.using(salt=config.salt).hash(
str(form.password.data))
token = tools.token_generator()
try:
db.create_user(first_name, surname, email, password, token,
"photo-opt-in" in request.form)
link = config.url + "/register-confirmation?t=" + token
subject, body = mail_client.create_registration_completion_email(
first_name, surname, link)
email_sent = mail_client.send_email(subject, body, email)
except Exception as e:
flash("User email already registered, sign in?")
return redirect(
url_for('register',
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in()))
flash(
"""We have sent a verification email to you, please confirm so you can access your account"""
)
return render_template(
"register.html",
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in())
def create_user(username: str, password: str, phone: str):
"""Add a user to the database"""
con = sqlite3.connect(DB_NAME)
# check if username already exists (case-insensitive)
# cannot use LIKE since usernames can have underscores
# using '?' as a placeholder prevents injection attacks
if con.execute(
'SELECT username FROM account '
'WHERE LOWER(username) = LOWER(?)', (username, )).fetchone():
raise AccountError(f'User "{username}" already exists')
# encrypt the phone number and hash the password
phone = Fernet(create_fernet_key(username,
password)).encrypt(phone.encode())
# number of rounds = 2**{rounds} = 8192
password = bcrypt_sha256.using(rounds=13).hash(password)
# insert the user into the database.
# input validation has already occurred.
con.execute('INSERT INTO account VALUES (?, ?, ?)',
(username, password, phone))
con.commit()
con.close()
def nc_authr(self, msg, ip, port):
'''Prompts the user to enter their password for the server to verify
format of calling intent: NC_AUTHR:IP:PORT:NEWUSER:B64(AES(SALT))
'''
# Parse out the new user and salt
newuser = msg.split(':')[3]
salt = msg.split(':')[4]
# Decode then decrypt salt
salt = base64.b64decode(salt)
salt = decyrpt(ip, salt)
print('Password requested for current nick by {0}:{1}'.format(
ip, port))
# Prompt the user for the password and hash with salt
prompt = 'Current user password: '******''
while pw == '' or pw == None:
pw = getpass.getpass(prompt)
pw = bcrypt_sha256.using(salt=salt).hash(pw)
# Encrypt and encode the new hash
pw = encrypt(ip, pw)
pw = base64.b64encode(pw)
intent = 'NC_REQV:{0}:{1}:{2}:{3}'.format(localInfo.HOST,
localInfo.PORT, newuser, pw)
# Send off to the server.
self.sendIntent(intent, ip, port)
def change_password():
if request.method == "GET":
token = request.args.get("t")
if token is None:
return render_template('register.html')
return render_template(
'change_password.html',
TOKEN=token,
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in())
elif request.method == "POST":
try:
form = tools.ChangePasswordForm(request.form)
password = bcrypt_sha256.using(salt=config.salt).hash(
str(form.password.data))
db.change_password(form.token.data, password)
flash("You have successfully changed your password")
return render_template(
"register.html",
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in())
except Exception as e:
flash(
"Your password was not changed, please contact us at %s and we will assist you promptly."
% config.email_config["admin_email"])
return render_template(
'change_password.html',
COOKIES_NOTIFICATION=tools.show_cookies_policy(),
LOGGED_IN=tools.is_logged_in())
def hash_password(pwd, pep):
#compute the 14 round bcrypt hash
# of the sha256 hash of the password
h = bcrypt_sha256.using(rounds=14).hash(pwd)
# encrypt with AES (pepper)
ph = pep.encrypt(h.encode('utf-8'))
# encode as base64 string and return
b64ph = base64.b64encode(ph)
return b64ph
def add_pass(self):
print("\n[!] Minimum Password Requirements: 8-20 Characters, One Uppercase, One Special Character, One Number")
while True:
password = getpass.getpass(prompt="Password: "******"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[a-zA-Z]).{8,20}$", password) is None:
print("[-] Password Does Not Meet Requirements")
else:
self.hashed = bcrypt_sha256.using(rounds=12).hash(password)
print("\n[+] Account Created!")
return self.hashed
def req_known(self, msg, ip, port):
'''Deals with a request for a known user
This method deals with handling a request for a known user by prompting
for the password of a known user and hashing with the specified salt
then encrypting this with AES to send back to the server. It also will
send another message to the server if the remote connection has not yet
authorized which will depend upon whether that user exists locally or
not.
format of calling intent: REQ_KNOWN:IP:PORT:USERNAME:SALT
format of response: AUTH_VERIFY:IP:PORT:USER:HASH
note: HASH is AES encrypted base64
'''
# Get the username and set the salt
username = connections[ip].username
salt = msg.split(':')[4]
logging.debug('Bcrypting with salt: {0}'.format(salt))
print('Password requested by {0}:{1} for known user: {2}'.format(
ip, port, username))
# Prompt for the password:
prompt = 'Press ENTER then enter password: '******''
while pw == None or pw == '':
pw = getpass.getpass(prompt)
logging.debug('PLAINTEXT: {0}'.format(pw))
pw = bcrypt_sha256.using(salt=salt).hash(pw)
if pw == '' or pw == None:
print(
'Password is empty, perhaps you hit ENTER too many times')
# Encrypt password with AES:
pw = self.encrypt(ip, pw)
# Convert to base64 and str
pw = str(base64.b64encode(pw), 'utf8')
logging.debug('Encrypted Hash: {0}'.format(pw))
intent = 'AUTH_VERIFY:{0}:{1}:{2}:{3}'.format(localInfo.HOST,
localInfo.PORT, username,
pw)
# Send it off for the server to handle
self.sendIntent(intent, ip, port)
# Also call auth_req if the user has not authed yet.
if not connections[ip].Authed:
self.auth_req(msg, ip, port, 0)
def get_password(cls, password):
return bcrypt_sha256.using(
rounds=config.password_iterations).hash(password)
def verify_password(self, password):
if not bcrypt_sha256.using(salt=self._get_salt()).verify(
password, self.password):
raise Exception('Invalid password !')
def set_password(self, plain_password):
self.password = bcrypt_sha256.using(
salt=self._get_salt()).hash(plain_password)
def check_password(self, raw_password):
return bcrypt_sha256.using(rounds=13).verify(raw_password,
hash=self.password)
def set_password(self, raw_password):
self.password = bcrypt_sha256.using(rounds=13).hash(raw_password)
