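def set_login(self, get):
    """Complete a WeChat scan-code login for the panel account (user id 1).

    Flow: when the cache holds ``'True'`` under the caller's session id the
    request is handed to ``check_app_login``. Otherwise the one-shot file
    ``<app_path>login.pl`` (contents ``<secret_key>:<init_time>``, presumably
    written by the scan-code side) is consumed, and the login succeeds only
    if the file is under 60 seconds old and ``get['secret_key']`` equals the
    stored key.

    Args:
        get: request-argument object; ``get['secret_key']`` is read.

    Returns:
        ``public.returnMsg(...)`` -- ``True`` with 'login successful' on
        success, otherwise ``False`` with 'Login failed'.
    """
    import hmac

    def _fail():
        return public.returnMsg(False, 'Login failed')

    session_id = public.get_session_id()
    if cache.get(session_id) == 'True':
        return self.check_app_login(get)

    login_file = self.app_path + "login.pl"
    if not os.path.exists(login_file):
        return _fail()

    data = public.readFile(login_file)
    # Single-use token: the file is removed before validation so its contents
    # cannot be presented a second time (os.remove replaces a shell `rm`).
    try:
        os.remove(login_file)
    except OSError:
        pass

    try:
        secret_key, init_time = data.split(':')
        age = time.time() - float(init_time)
        supplied = get['secret_key']
    except (ValueError, TypeError, AttributeError, KeyError):
        # Malformed file contents, or no secret_key in the request.
        return _fail()

    if age >= 60:
        return _fail()
    # Constant-time comparison of the caller-supplied key with the stored one.
    if not isinstance(supplied, str) or not hmac.compare_digest(
            supplied.encode('utf-8', 'surrogatepass'),
            secret_key.encode('utf-8', 'surrogatepass')):
        return _fail()

    sql = db.Sql()
    userInfo = sql.table('users').where("id=?", (1, )).field('id,username').find()
    if not userInfo:
        return _fail()

    session['login'] = True
    session['username'] = userInfo['username']
    # NOTE(review): unlike check_app_login, no session['session_timeout'] is
    # set on this path -- confirm whether that is intended.
    cache.delete('panelNum')
    cache.delete('dologin')
    client_addr = public.GetClientIp() + ":" + str(request.environ.get('REMOTE_PORT'))
    public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS', ('WeChat scan code login', client_addr))
    self.set_request_token()
    import config
    config.config().reload_session()
    public.writeFile('data/app_login.pl', 'True')
    public.login_send_body("Wechat program", userInfo['username'],
                           public.GetClientIp(), str(request.environ.get('REMOTE_PORT')))
    return public.returnMsg(True, 'login successful')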
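def check_app_login(self, get):
    """Complete an aaPanel-Mobile scan-code login for the panel account (user id 1).

    Preconditions read from ``/www/server/panel/config/api.json``: the panel
    must be bound (non-empty JSON object), the API switched on (``open``) and
    at least one app registered (``apps``). The one-shot file
    ``<app_path>app_login_check.pl`` (contents ``<secret_key>:<init_time>``,
    presumably written by the app-side handler) is then consumed; it must be
    at most 60 seconds old and its 64-char key must equal the caller's own
    64-char session id.

    Args:
        get: request-argument object (not read here; kept for the shared
            handler signature).

    Returns:
        ``public.returnMsg(...)`` -- ``True`` with 'login successful!' only
        when every check passes; any other outcome is ``False`` with a
        message describing the state.
    """
    import hmac

    # Check whether a binding exists (config/api.json).
    try:
        raw = public.readFile('/www/server/panel/config/api.json')
        btapp_info = json.loads(raw) if isinstance(raw, (str, bytes, bytearray)) else None
    except ValueError:
        btapp_info = None
    if not btapp_info or not isinstance(btapp_info, dict):
        return public.returnMsg(False, 'Unbound')
    if not btapp_info.get('open'):
        return public.returnMsg(False, 'API is not turned on')
    if not btapp_info.get('apps'):
        return public.returnMsg(False, 'Unbound phone')

    check_file = self.app_path + 'app_login_check.pl'
    try:
        session_id = public.get_session_id()
        if not os.path.exists(check_file):
            return public.returnMsg(False, 'Waiting for APP scan code login 1')
        data = public.readFile(check_file)
        # One-shot token: remove the file before validating it
        # (os.remove replaces a shell `rm`).
        try:
            os.remove(check_file)
        except OSError:
            pass

        secret_key, init_time = data.split(':')
        if len(session_id) != 64 or len(secret_key) != 64:
            return public.returnMsg(False, 'Waiting for APP scan code login 2')
        if time.time() - float(init_time) > 60:
            return public.returnMsg(False, 'Waiting for APP scan code login')
        # The session id is the secret the app echoes back; compare in constant time.
        if not hmac.compare_digest(session_id.encode('utf-8', 'surrogatepass'),
                                   secret_key.encode('utf-8', 'surrogatepass')):
            return public.returnMsg(False, 'Waiting for APP scan code login')

        cache.delete(session_id)
        userInfo = public.M('users').where("id=?", (1, )).field('id,username').find()
        session['login'] = True
        session['username'] = userInfo['username']
        session['tmp_login'] = True
        client_addr = public.GetClientIp() + ":" + str(request.environ.get('REMOTE_PORT'))
        public.WriteLog('TYPE_LOGIN',
                        'APP scan code login, account: {}, login IP: {}'.format(
                            userInfo['username'], client_addr))
        cache.delete('panelNum')
        cache.delete('dologin')
        session['session_timeout'] = time.time() + public.get_session_timeout()
        self.set_request_token()
        import config
        config.config().reload_session()
        public.writeFile('data/app_login.pl', 'True')
        public.login_send_body("aaPanel Mobile", userInfo['username'],
                               public.GetClientIp(), str(request.environ.get('REMOTE_PORT')))
        return public.returnMsg(True, 'login successful!')
    except Exception:
        # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt propagate.
        return public.returnMsg(False, 'Login failed 2')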
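def request_temp(self, get):
    """Log in through a one-time temporary-authorization token.

    ``get.tmp_token`` (exactly 48 ``\\w`` characters, and the request may
    carry no more than two arguments in total) is salted and md5-hashed,
    then compared with the first unused (``state=0``), unexpired row of
    ``temp_login``. Failures count against a per-client-IP error budget of
    10. On success the session is marked as a temporary login
    (``tmp_login``, ``tmp_login_id``, ``tmp_login_expire`` = now + 3600 s,
    ``uid``), the row is marked used with the login address, the login is
    logged and announced, and the caller is redirected to ``/``.

    Args:
        get: request-argument object exposing ``tmp_token``.

    Returns:
        A redirect to ``/`` on success; otherwise a ``public.getMsg(...)``
        error message.
    """
    import hmac

    try:
        if len(vars(get)) > 2:
            return public.getMsg('INIT_ARGS_ERR')
        if not hasattr(get, 'tmp_token'):
            return public.getMsg('INIT_ARGS_ERR')
        token = get.tmp_token
        if len(token) != 48 or not re.match(r"^\w+$", token):
            return public.getMsg('INIT_ARGS_ERR')

        skey = public.GetClientIp() + '_temp_login'
        if not public.get_error_num(skey, 10):
            return public.getMsg('AUTH_FAILED')

        s_time = int(time.time())
        # NOTE(review): find() yields only the first unused, unexpired row, so
        # a valid token belonging to any other outstanding row is rejected --
        # confirm whether more than one temp_login row can be live at once.
        data = public.M('temp_login').where('state=? and expire>?', (0, s_time)).field(
            'id,token,salt,expire').find()
        if not data or not isinstance(data, dict):
            public.set_error_num(skey)
            return public.getMsg('VERIFICATION_FAILED')

        r_token = public.md5(token + data['salt'])
        # Constant-time comparison of the two hex digests.
        stored = data['token']
        if not isinstance(stored, str) or not hmac.compare_digest(
                r_token.encode('utf-8', 'surrogatepass'),
                stored.encode('utf-8', 'surrogatepass')):
            public.set_error_num(skey)
            return public.getMsg('VERIFICATION_FAILED')

        public.set_error_num(skey, True)
        userInfo = public.M('users').where("id=?", (1, )).field('id,username').find()
        temp_id = data['id']
        session['login'] = True
        session['username'] = public.getMsg('TEMPORARY_ID', (temp_id, ))
        session['tmp_login'] = True
        session['tmp_login_id'] = str(temp_id)
        session['tmp_login_expire'] = time.time() + 3600
        session['uid'] = temp_id

        sess_path = 'data/session'
        if not os.path.exists(sess_path):
            # 0o600 (384 decimal in the original); on a directory this leaves
            # no traverse bit -- TODO(review) confirm the intended mode.
            os.makedirs(sess_path, 0o600)
        public.writeFile(sess_path + '/' + str(temp_id), '')

        login_addr = public.GetClientIp() + ":" + str(request.environ.get('REMOTE_PORT'))
        public.WriteLog('TYPE_LOGIN', 'LOGIN_SUCCESS', (userInfo['username'], login_addr))
        public.M('temp_login').where('id=?', (temp_id, )).update(
            {"login_time": s_time, 'state': 1, 'login_addr': login_addr})
        self.limit_address('-')
        cache.delete('panelNum')
        cache.delete('dologin')
        public.writeFile('data/session_last.pl', str(int(time.time())))
        self.set_request_token()
        self.login_token()
        self.set_cdn_host(get)
        public.login_send_body("Temporary authorization", userInfo['username'],
                               public.GetClientIp(), str(request.environ.get('REMOTE_PORT')))
        return redirect('/')
    except Exception:
        # Narrowed from a bare ``except``; any unexpected failure is still
        # reported as a generic login failure.
        return public.getMsg('LOGIN_FAIL')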
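def request_post(self, post):
    """Handle a username/password login POST, including captcha and TOTP steps.

    ``post.username`` is the md5 of the account name (matched against the
    ``users`` table); ``post.password`` is hashed as ``md5(password + salt)``
    and compared with the stored hash. When ``session['code']`` is set and
    the password has not been verified yet, ``post.code`` must pass the
    captcha first. If ``post.vcode`` is present it is checked as a TOTP code
    against ``data/two_step_auth.txt`` (one retry after a clock sync); a
    successful TOTP records the client IP in ``dont_vcode_ip.txt``. Without a
    ``vcode``, the login completes when no TOTP key file exists or
    ``check_two_step_auth`` accepts the client; otherwise
    ``session['is_verify_password']`` is set and ``"1"`` is returned so the
    client can prompt for the code.

    Args:
        post: request-argument object exposing ``username`` and ``password``,
            optionally ``code`` (captcha) and ``vcode`` (TOTP).

    Returns:
        ``self._set_login_session(userInfo)`` on success, the string ``"1"``
        when the TOTP step is still required, or a
        ``(public.returnJson(...), json_header)`` pair describing the failure.
    """
    import hmac

    def _same(a, b):
        # Constant-time equality for the digests compared below; plain ``==``
        # is kept for non-str operands so unusual DB values behave as before.
        if isinstance(a, str) and isinstance(b, str):
            return hmac.compare_digest(a.encode('utf-8', 'surrogatepass'),
                                       b.encode('utf-8', 'surrogatepass'))
        return a == b

    def _bad_password():
        # Shared failure path: audit-log, bump the per-address counter, report attempts left.
        public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_PASS', ('****', '******', public.GetClientIp()))
        num = self.limit_address('+')
        return public.returnJson(False, 'LOGIN_USER_ERR', (str(num), )), json_header

    if not hasattr(post, 'username') or not hasattr(post, 'password'):
        return public.returnJson(False, 'LOGIN_USER_EMPTY'), json_header
    self.error_num(False)
    if self.limit_address('?') < 1:
        return public.returnJson(False, 'LOGIN_ERR_LIMIT'), json_header

    post.username = post.username.strip()
    public.chdck_salt()
    sql = db.Sql()
    user_list = sql.table('users').field('id,username,password,salt').select()
    userInfo = None
    for u_info in user_list:
        # The client sends md5(username); the last matching row wins, as before.
        if _same(public.md5(u_info['username']), post.username):
            userInfo = u_info

    if 'code' in session and session['code'] and 'is_verify_password' not in session:
        if not hasattr(post, 'code'):
            return public.returnJson(False, 'Verification code can not be empty!'), json_header
        if not public.checkCode(post.code):
            public.WriteLog('TYPE_LOGIN', 'LOGIN_ERR_CODE', ('****', '****', public.GetClientIp()))
            return public.returnJson(False, 'CODE_ERR'), json_header

    try:
        if userInfo is None:
            # Unknown username: answered exactly like a wrong password so the
            # response does not reveal which accounts exist.
            return _bad_password()
        if not userInfo['salt']:
            public.chdck_salt()
            userInfo = sql.table('users').where('id=?', (userInfo['id'], )).field(
                'id,username,password,salt').find()
        password = public.md5(post.password.strip() + userInfo['salt'])
        if not _same(public.md5(userInfo['username']), post.username) \
                or not _same(userInfo['password'], password):
            return _bad_password()

        _key_file = "/www/server/panel/data/two_step_auth.txt"
        # Login alert (sent once the password is accepted, before any TOTP check).
        public.login_send_body("Userinfo", userInfo['username'],
                               public.GetClientIp(), str(request.environ.get('REMOTE_PORT')))

        if hasattr(post, 'vcode'):
            if self.limit_address('?', v="vcode") < 1:
                return public.returnJson(
                    False, 'You have failed verification many times, forbidden for 10 minutes'
                ), json_header
            import pyotp
            secret_key = public.readFile(_key_file)
            if not secret_key:
                return public.returnJson(
                    False,
                    "Did not find the key, please close Google verification on the command line and trun on again"
                ), json_header
            totp = pyotp.TOTP(secret_key)
            result = totp.verify(post.vcode)
            if not result and public.sync_date():
                # One retry after syncing the system clock.
                result = totp.verify(post.vcode)
            if not result:
                num = self.limit_address('++', v="vcode")
                return public.returnJson(
                    False, 'Invalid Verification code. You have [{}] times left to try!'.format(num)
                ), json_header
            now = int(time.time())
            # Record this client IP; presumably consulted by check_two_step_auth
            # to skip the TOTP prompt later -- verify against that method.
            public.writeFile("/www/server/panel/data/dont_vcode_ip.txt",
                             json.dumps({"client_ip": public.GetClientIp(), "add_time": now}))
            self.limit_address('--', v="vcode")
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)

        acc_client_ip = self.check_two_step_auth()
        if not os.path.exists(_key_file) or acc_client_ip:
            # No TOTP key configured, or this client is already accepted.
            self.set_cdn_host(post)
            return self._set_login_session(userInfo)
        # Password accepted but TOTP still required: tell the client to ask for a code.
        self.limit_address('-')
        session['is_verify_password'] = True
        return "1"
    except Exception as ex:
        stringEx = str(ex)
        # Recovery heuristic for a full / inode-exhausted disk ('USER_INODE_ERR').
        # The '-1' substring match is broad and may also fire on unrelated
        # errors -- TODO(review) confirm which exceptions this is meant for.
        if 'unsupported' in stringEx or '-1' in stringEx:
            public.ExecShell("rm -f /tmp/sess_*")
            public.ExecShell("rm -f /www/wwwlogs/*log")
            public.ServiceReload()
            return public.returnJson(False, 'USER_INODE_ERR'), json_header
        return _bad_password()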