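def authenticate():
    """
    Authenticate a user from a JSON body ``{"username": ..., "password": ...}``.

    Success: 200 ``{"status": "success"}`` plus a ``token`` cookie whose value
    is ``Token.encode(user_id, random_token, SERVER_NONCE, session_seconds)``.
    Failure: JSON ``{"status": "failure", "reason": ...}`` with 400 when the
    body is not a JSON object and 403 for any credential problem. A wrong
    username and a wrong password that both pass the format checks yield the
    same 403 message, so the endpoint does not confirm which accounts exist.

    The credential check is a parameterised query against
    ``users.password = SHA2(password || PASSWORD_SALT, 256)``. NOTE(review):
    one fast SHA-256 round over a single site-wide salt is a weak password
    store (no per-user salt, cheap to brute-force offline); moving to a slow
    per-user KDF needs a schema migration and is out of scope for this
    function. There is also no rate limiting or lockout here - confirm it
    exists upstream (proxy/middleware) or add it.
    """
    try:
        data = json.loads(request.stream.read())
    except ValueError:  # json.JSONDecodeError and undecodable bytes
        data = None
    # A syntactically valid JSON document that is not an object (list,
    # string, number) would otherwise raise on .get() and surface as a 500.
    if not isinstance(data, dict):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Unable to decode the JSON payload"
            }, 400)
    # Anything that is not a string is treated as absent: re.match and the
    # string concatenation below would raise TypeError on e.g. an int.
    username = data.get("username")
    password = data.get("password")
    if not isinstance(username, str):
        username = ""
    if not isinstance(password, str):
        password = ""
    # fullmatch rather than match + "$": "$" also matches before a trailing
    # newline, so "user1\n" slipped through the character allow-list.
    if not re.fullmatch(r"[a-z0-9]{5,100}", username):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid username"
            }, 403)
    # Policy: 10-100 ASCII alphanumerics with at least one upper-case
    # letter, one lower-case letter and one digit.
    if (not re.fullmatch(r"[a-zA-Z0-9]{10,100}", password)
            or not re.match(r"^(?=.*[A-Z]+)(?=.*[a-z]+)(?=.*[0-9]+)", password)):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid password"
            }, 403)
    query = ("SELECT u.id AS user_id FROM users u "
             "WHERE u.username = %s AND u.password = SHA2((%s), 256);")
    g.cur.execute(query, [username, password + config["PASSWORD_SALT"]])
    row = g.cur.fetchone()
    if not row:
        # Same message whether the user or the password was wrong.
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid username or password"
            }, 403)
    user_id = row["user_id"]
    session_seconds = config["MAX_SESSION_DURATION_IN_SECONDS"]
    expire_date = datetime.datetime.utcnow() + datetime.timedelta(
        seconds=session_seconds)
    response = Utils.make_response({"status": "success"}, 200)
    # Session cookie built by Token.encode from the server master secret.
    # random_token is fresh per login so two sessions of the same user are
    # distinguishable.
    random_token = Utils.token_hex()
    response.set_cookie(
        "token",
        Token.encode(user_id, random_token, config["SERVER_NONCE"],
                     session_seconds),
        # Was hard-coded secure=False, which sends the session token over
        # plain HTTP. Default to Secure; a deployment without TLS (local
        # development) must opt out explicitly with config["COOKIE_SECURE"]
        # = False.
        secure=config.get("COOKIE_SECURE", True),
        httponly=True,
        expires=expire_date,
        samesite="Strict")
    return response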
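def change_password():
    """
    Change the password of the user identified by the ``token`` cookie.

    Expects a JSON object ``{"username": ..., "old_password": ...,
    "new_password": ...}``. Both passwords must satisfy the same policy as
    ``authenticate`` (10-100 ASCII alphanumerics with at least one upper-case
    letter, one lower-case letter and one digit). The old password is
    verified against the row whose ``id`` is the one carried by the session
    token *and* whose ``username`` is the submitted one; on success the stored
    hash is replaced and a fresh ``token`` cookie is issued. Returns 400 for an
    undecodable or ill-shaped body and 403 for a missing/invalid token, a
    policy violation or a credential mismatch.

    Security note: the previous version looked up ``username``/``old_password``
    first and only afterwards compared the row's id with the token's. A
    logged-in user could therefore guess any other account's password, a
    correct guess being distinguishable by the "Invalid username" response.
    The lookup is now bound to the session's user id up front, so no other
    account's password is ever evaluated and every mismatch shares one
    response.

    NOTE(review): whether other live sessions of this user are invalidated
    after the change depends on how ``Token`` / ``Utils.get_token`` treat the
    random token - not visible here, confirm. Storage is SHA2-256 over a
    single site-wide salt, a weak scheme; changing it requires a migration.
    """
    cookie = request.cookies.get("token", None)
    token = Utils.get_token(cookie)
    if not token:
        return Utils.make_response(
            {
                'status': 'failure',
                'reason': 'unauthorized'
            }, 403)
    try:
        data = json.loads(request.stream.read())
    except ValueError:  # json.JSONDecodeError and undecodable bytes
        data = None
    # A JSON list/string/number would raise on .get() and surface as a 500.
    if not isinstance(data, dict):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Unable to decode the JSON payload"
            }, 400)
    # Non-string values would raise TypeError in re.match / concatenation;
    # treat them as absent.
    username, old_password, new_password = (
        value if isinstance(value, str) else ""
        for value in (data.get("username"), data.get("old_password"),
                      data.get("new_password")))
    # fullmatch rather than match + "$": "$" also matches before a trailing
    # newline, which defeated the character allow-list.
    if (not re.fullmatch(r"[a-zA-Z0-9]{10,100}", old_password)
            or not re.match(r"^(?=.*[A-Z]+)(?=.*[a-z]+)(?=.*[0-9]+)",
                            old_password)):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid old password"
            }, 403)
    if (not re.fullmatch(r"[a-zA-Z0-9]{10,100}", new_password)
            or not re.match(r"^(?=.*[A-Z]+)(?=.*[a-z]+)(?=.*[0-9]+)",
                            new_password)):
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid new password"
            }, 403)
    user_id = Token.get_user_id(token)
    # Bind the credential check to the session's own account so the request
    # cannot be used as a password oracle against other users.
    query = ("SELECT u.id AS user_id FROM users u "
             "WHERE u.id = %s AND u.username = %s "
             "AND u.password = SHA2((%s), 256);")
    g.cur.execute(query,
                  [user_id, username, old_password + config["PASSWORD_SALT"]])
    row = g.cur.fetchone()
    if not row:
        # One message for "wrong username for this session" and "wrong old
        # password" alike.
        return Utils.make_response(
            {
                "status": "failure",
                "reason": "Invalid username or old password"
            }, 403)
    query = "UPDATE users SET password = SHA2((%s), 256) WHERE id = %s;"
    g.cur.execute(query, [new_password + config["PASSWORD_SALT"], user_id])
    g.db.commit()
    session_seconds = config["MAX_SESSION_DURATION_IN_SECONDS"]
    expire_date = datetime.datetime.utcnow() + datetime.timedelta(
        seconds=session_seconds)
    response = Utils.make_response({"status": "success"}, 200)
    # Re-issue the session cookie with a fresh random token.
    random_token = Utils.token_hex()
    response.set_cookie(
        "token",
        Token.encode(user_id, random_token, config["SERVER_NONCE"],
                     session_seconds),
        # Was hard-coded secure=False (session token over plain HTTP).
        # Default to Secure; deployments without TLS must opt out via
        # config["COOKIE_SECURE"] = False.
        secure=config.get("COOKIE_SECURE", True),
        httponly=True,
        expires=expire_date,
        samesite="Strict")
    return response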