capsul-flask/capsulflask/auth.py

import functools
import re

from nanoid import generate

from flask import Blueprint
from flask import flash
from flask import current_app
from flask import g
from flask import redirect
from flask import url_for
from flask import request
from flask import session
from flask import render_template
from flask_mail import Message
from werkzeug.exceptions import abort

from capsulflask.db import get_model

bp = Blueprint("auth", __name__, url_prefix="/auth")

def account_required(view):
    """View decorator that redirects non-logged-in users to the login page."""

    @functools.wraps(view)
    def wrapped_view(**kwargs):
        if session.get("account") is None or session.get("csrf-token") is None :
            return redirect(url_for("auth.login"))

        return view(**kwargs)

    return wrapped_view

def admin_account_required(view):
    """View decorator that redirects non-admin users to the login page."""

    @functools.wraps(view)
    def wrapped_view(**kwargs):
        if session.get("account") is None or session.get("csrf-token") is None:
            return abort(404)

        if session.get("account") not in current_app.config["ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES"].split(","):
            return abort(404)

        return view(**kwargs)

    return wrapped_view

@bp.route("/login", methods=("GET", "POST"))
def login():
    if request.method == "POST":
        email = request.form["email"]
        errors = list()

        if not email:
            errors.append("email is required")
        elif len(email.strip()) < 6 or email.count('@') != 1 or email.count('.') == 0: 
	        errors.append("enter a valid email address")

        if len(errors) == 0:
            result = get_model().login(email)
            token = result[0]
            ignoreCaseMatches = result[1]
            if token is None:
                errors.append("too many logins. please use one of the existing login links that have been emailed to you")
            else:
                link = f"{current_app.config['BASE_URL']}/auth/magic/{token}"

                message = (f"Navigate to {link} to log into Capsul.\n"
                            "\nIf you didn't request this, ignore this message.")

                if len(ignoreCaseMatches) > 0:
                  joinedMatches = " or ".join(map(lambda x: f"'{x}'", ignoreCaseMatches))
                  message = (f"You tried to log in as '{email}', but that account doesn't exist yet. \n"
                              f"If you would like to create a new account for '{email}', click here {link} \n\n"
                              f"If you meant to log in as {joinedMatches}, please return to https://capsul.org \n"
                              "and log in again with the correct (case-sensitive) email address.")

                current_app.config["FLASK_MAIL_INSTANCE"].send(
                    Message(
                        "Click This Link to Login to Capsul",
                        sender=current_app.config["MAIL_DEFAULT_SENDER"],
                        body=message,
                        recipients=[email]
                    )
                )

                return render_template("login-landing.html", email=email, has_smtp=(current_app.config["MAIL_SERVER"] != ""))

        for error in errors:
            flash(error)

    return render_template("login.html")

@bp.route("/magic/<string:token>", methods=("GET", ))
def magiclink(token):
    email = get_model().consume_token(token)
    if email is not None:
        session.clear()
        session["account"] = email
        session["csrf-token"] = generate()
        
        return redirect(url_for("console.index"))
    else:
        # this is here to prevent xss
        if token and not re.match(r"^[a-zA-Z0-9_-]+$", token):
          token = '___________'

        abort(404, f"Token {token} doesn't exist or has already been used.")

@bp.route("/logout")
def logout():
    session.clear()
    return redirect(url_for("index"))
broken auth WIP 2020-05-10 01:36:14 +00:00			`import functools`
validate email address 2020-05-10 04:45:20 +00:00			`import re`
broken auth WIP 2020-05-10 01:36:14 +00:00
implement anti-csrf measures in all posted forms 2020-05-22 21:04:47 +00:00			`from nanoid import generate`

broken auth WIP 2020-05-10 01:36:14 +00:00			`from flask import Blueprint`
it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`from flask import flash`
			`from flask import current_app`
broken auth WIP 2020-05-10 01:36:14 +00:00			`from flask import g`
			`from flask import redirect`
			`from flask import url_for`
it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`from flask import request`
broken auth WIP 2020-05-10 01:36:14 +00:00			`from flask import session`
it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`from flask import render_template`
			`from flask_mail import Message`
login is working 2020-05-10 04:32:13 +00:00			`from werkzeug.exceptions import abort`
broken auth WIP 2020-05-10 01:36:14 +00:00
			`from capsulflask.db import get_model`

			`bp = Blueprint("auth", __name__, url_prefix="/auth")`

			`def account_required(view):`
fine-tuning login 2020-05-10 18:51:54 +00:00			`"""View decorator that redirects non-logged-in users to the login page."""`
broken auth WIP 2020-05-10 01:36:14 +00:00
			`@functools.wraps(view)`
			`def wrapped_view(**kwargs):`
implement anti-csrf measures in all posted forms 2020-05-22 21:04:47 +00:00			`if session.get("account") is None or session.get("csrf-token") is None :`
broken auth WIP 2020-05-10 01:36:14 +00:00			`return redirect(url_for("auth.login"))`

			`return view(**kwargs)`

			`return wrapped_view`

start working on managed IPs 2021-07-08 19:10:14 +00:00			`def admin_account_required(view):`
			`"""View decorator that redirects non-admin users to the login page."""`

			`@functools.wraps(view)`
			`def wrapped_view(**kwargs):`
			`if session.get("account") is None or session.get("csrf-token") is None:`
finishing touches and fixes on managed IPs database migration 16 2021-07-09 19:35:23 +00:00			`return abort(404)`
start working on managed IPs 2021-07-08 19:10:14 +00:00
more managed ips work: cli sql improvements, added admin panel 2021-07-09 19:13:28 +00:00			`if session.get("account") not in current_app.config["ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES"].split(","):`
finishing touches and fixes on managed IPs database migration 16 2021-07-09 19:35:23 +00:00			`return abort(404)`
start working on managed IPs 2021-07-08 19:10:14 +00:00
			`return view(**kwargs)`

			`return wrapped_view`

it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`@bp.route("/login", methods=("GET", "POST"))`
			`def login():`
broken auth WIP 2020-05-10 01:36:14 +00:00			`if request.method == "POST":`
			`email = request.form["email"]`
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`errors = list()`
broken auth WIP 2020-05-10 01:36:14 +00:00
			`if not email:`
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`errors.append("email is required")`
added FAQ, Changelog, and Support static pages 2020-05-11 03:55:16 +00:00			`elif len(email.strip()) < 6 or email.count('@') != 1 or email.count('.') == 0:`
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`errors.append("enter a valid email address")`
broken auth WIP 2020-05-10 01:36:14 +00:00
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`if len(errors) == 0:`
fixing login email case sensitivity issues 2020-12-30 00:42:38 +00:00			`result = get_model().login(email)`
			`token = result[0]`
			`ignoreCaseMatches = result[1]`
fine-tuning login 2020-05-10 18:51:54 +00:00			`if token is None:`
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`errors.append("too many logins. please use one of the existing login links that have been emailed to you")`
fine-tuning login 2020-05-10 18:51:54 +00:00			`else:`
			`link = f"{current_app.config['BASE_URL']}/auth/magic/{token}"`
fixing bugs with email ignore case feature 2020-12-30 01:03:37 +00:00
fixing login email case sensitivity issues 2020-12-30 00:42:38 +00:00			`message = (f"Navigate to {link} to log into Capsul.\n"`
			`"\nIf you didn't request this, ignore this message.")`

			`if len(ignoreCaseMatches) > 0:`
fixing bugs with email ignore case feature 2020-12-30 01:03:37 +00:00			`joinedMatches = " or ".join(map(lambda x: f"'{x}'", ignoreCaseMatches))`
			`message = (f"You tried to log in as '{email}', but that account doesn't exist yet. \n"`
			`f"If you would like to create a new account for '{email}', click here {link} \n\n"`
			`f"If you meant to log in as {joinedMatches}, please return to https://capsul.org \n"`
fixing login email case sensitivity issues 2020-12-30 00:42:38 +00:00			`"and log in again with the correct (case-sensitive) email address.")`
fine-tuning login 2020-05-10 18:51:54 +00:00
			`current_app.config["FLASK_MAIL_INSTANCE"].send(`
			`Message(`
first try at creating VirtualizationInterface 2020-05-10 23:59:30 +00:00			`"Click This Link to Login to Capsul",`
fix defaults for running locally and make email server not required. 2021-07-07 18:47:21 +00:00			`sender=current_app.config["MAIL_DEFAULT_SENDER"],`
fixing login email case sensitivity issues 2020-12-30 00:42:38 +00:00			`body=message,`
first try at creating VirtualizationInterface 2020-05-10 23:59:30 +00:00			`recipients=[email]`
fine-tuning login 2020-05-10 18:51:54 +00:00			`)`
it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`)`

fix defaults for running locally and make email server not required. 2021-07-07 18:47:21 +00:00			`return render_template("login-landing.html", email=email, has_smtp=(current_app.config["MAIL_SERVER"] != ""))`
broken auth WIP 2020-05-10 01:36:14 +00:00
create capsul and capsuls list page working 2020-05-11 20:13:20 +00:00			`for error in errors:`
			`flash(error)`
broken auth WIP 2020-05-10 01:36:14 +00:00
it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`return render_template("login.html")`

login is working 2020-05-10 04:32:13 +00:00			`@bp.route("/magic/<string:token>", methods=("GET", ))`
			`def magiclink(token):`
starting to build console controller and views 2020-05-11 06:47:14 +00:00			`email = get_model().consume_token(token)`
login is working 2020-05-10 04:32:13 +00:00			`if email is not None:`
			`session.clear()`
			`session["account"] = email`
implement anti-csrf measures in all posted forms 2020-05-22 21:04:47 +00:00			`session["csrf-token"] = generate()`

starting to build console controller and views 2020-05-11 06:47:14 +00:00			`return redirect(url_for("console.index"))`
login is working 2020-05-10 04:32:13 +00:00			`else:`
remove query string XSS from login token 2020-05-17 04:05:45 +00:00			`# this is here to prevent xss`
fix bug when created query string is not present 2020-05-17 04:28:21 +00:00			`if token and not re.match(r"^[a-zA-Z0-9_-]+$", token):`
remove query string XSS from login token 2020-05-17 04:05:45 +00:00			`token = '___________'`

login is working 2020-05-10 04:32:13 +00:00			`abort(404, f"Token {token} doesn't exist or has already been used.")`

it sends a magic link when you log in 2020-05-10 03:59:22 +00:00			`@bp.route("/logout")`
			`def logout():`
			`session.clear()`
Remove HTML part and 90 spaces from sent login email 2020-05-12 05:02:55 +00:00			`return redirect(url_for("index"))`