from functools import wraps
import grp
import imghdr
import json
import os
import pwd
import random
import struct
import sys
import time
import urllib2
import urlparse

import pyotp
from flask import Flask, render_template, request, Response, redirect
from flask.ext.mysqldb import MySQL

import utils
# NOTE: `utils` is already imported above this line, so this path insert has
# no effect on that import; only imports that follow it see the extra entry.
sys.path.insert(0, "/home/csaw/development/weeb")

import logging, sys
logging.basicConfig(stream=sys.stderr)

app = Flask(__name__)
# Settings (including COOKIE_SECRET, read by require_auth and show_login)
# come from the `settings` module.
app.config.from_object("settings")
mysql = MySQL()
mysql.init_app(app)
# Hand the DB handle to the helper module, which does all the queries.
utils.mysql = mysql
  16.  
def render_page(content, page_name, user=None):
    """Wrap already-rendered page HTML in the shared ``base.html`` layout.

    ``content`` is passed through as ``page_content``; ``user`` is the
    cookie-derived user dict (or None for an anonymous visitor) that the
    layout uses for its account-aware parts.
    """
    layout_context = {
        "page_name": page_name,
        "page_content": content,
        "user": user,
    }
    return render_template("base.html", **layout_context)
  19.  
def require_auth(f):
    """View decorator: run the view only when a valid session cookie is present.

    The cookie is checked by ``utils.validate_cookie`` against
    ``app.config["COOKIE_SECRET"]``; a missing or invalid cookie redirects to
    ``/login`` instead of calling the wrapped view.
    """
    @wraps(f)
    def guarded(*args, **kwargs):
        cookie = request.cookies.get("session")
        if not cookie:
            return redirect("/login")
        if not utils.validate_cookie(app.config["COOKIE_SECRET"], cookie):
            return redirect("/login")
        return f(*args, **kwargs)
    return guarded
  29.  
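@app.after_request
def after_request(response):
    """Attach a Content-Security-Policy header to every response.

    Scripts may only come from this origin and apis.google.com; the browser
    reports violations to ``/csp/violate``.
    """
    # CSP keywords must be single-quoted. "self" in double quotes is not a
    # keyword: browsers ignore it, so the site's own scripts would be blocked.
    # (report-uri still works widely, though newer specs prefer report-to.)
    response.headers.add(
        'Content-Security-Policy',
        "script-src 'self' https://apis.google.com; report-uri /csp/violate",
    )
    return response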
  34.  
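@app.route("/csp/violate", methods=["GET", "POST"])
def csp_violate():
    """CSP report-uri endpoint: persist the browser's violation report.

    The raw request body and the reporter's remote address are stored by
    ``utils.insert_csp_report``; the reply carries the id and a view URL.
    """
    # NOTE(review): request.data is stored as-is with no size cap here, and
    # the stored report (with the reporter's address) is later readable via
    # csp_view by anyone who knows the id.
    report_id = utils.insert_csp_report(request.remote_addr, request.data)
    message_body = {
        "message": "Thoroughly violated, thanks",
        "view_url": "/csp/view/" + str(report_id),
    }
    # json.dumps rather than repr(): a dict repr uses single quotes and is
    # not valid JSON, and application/json is the registered media type.
    return Response(json.dumps(message_body), mimetype="application/json")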
  40.  
@app.route("/csp/view/<report_id>")
def csp_view(report_id):
    """Return the stored CSP report with the given id.

    NOTE(review): this route has no ``require_auth`` and does not validate
    ``report_id``, so any stored report -- including the reporter's remote
    address recorded by ``csp_violate`` -- is readable by whoever guesses an
    id. The ``repr`` body is also not valid JSON despite the mimetype.
    """
    stored_report = utils.get_csp_report(report_id)
    body = repr(stored_report)
    return Response(body, mimetype="text/json")
  44.  
@app.route("/")
def index():
    """Home page; the layout is given whatever user the session cookie resolves to."""
    current_user = utils.get_user_from_cookie(request)
    home_html = render_template("home.html")
    return render_page(home_html, 'home page', user=current_user)
  51.  
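@app.route("/register", methods=["GET", "POST"])
def show_registration():
    """Registration form (non-POST) and account creation (POST).

    A POST needs ``username`` and ``password``, and the name must be free
    (``utils.check_username``). On success the account is created and the
    page shows the TOTP secret plus a QR code, with a link to ``/login``.

    NOTE(review): the TOTP seed is ``utils.generate_seed(username,
    remote_addr)``, i.e. it is derived from non-secret inputs, and the
    secret is embedded in a plain-HTTP URL to a third-party QR service.
    ``username`` is interpolated into that URL and into the HTML message
    without encoding. The taken-name check and ``register_user`` are
    separate calls, so two concurrent registrations of one name can both
    pass the check.
    """
    user = utils.get_user_from_cookie(request)
    page_name = 'register'

    # Anything that is not a POST (GET, and the HEAD Flask derives from it)
    # shows the empty form; the old `== 'get'` test left HEAD with no response.
    if request.method.lower() != 'post':
        page_content = render_template("register.html")
        return render_page(page_content, "register", user=user)

    def form_with(message):
        # Re-render the form with a status message.
        page_content = render_template("register.html", message=message)
        return render_page(page_content, page_name)

    username = request.form.get("username") or ""
    password = request.form.get("password") or ""
    if not (username and password):
        return form_with('Missing field')

    if utils.check_username(username):
        return form_with('That username is taken!')

    seed = utils.generate_seed(username, request.remote_addr)
    totp_key = utils.get_totp_key(seed)
    utils.register_user(username, password, request.remote_addr)
    qr_url = 'http://api.qrserver.com/v1/create-qr-code/?data=otpauth://totp/%s?secret=%s&amp;size=220x220&amp;margin=0' % (username, totp_key)
    success = "Success! <a href='/login'>login here</a><br />TOTP Key: %s<br /><img src='%s' />" % (totp_key, qr_url)
    return form_with(success)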
  82.  
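@app.route("/login", methods=["GET", "POST"])
def show_login():
    """Login form (non-POST) and password + TOTP verification (POST).

    On success a signed session cookie from ``utils.make_cookie`` is set and
    the client is redirected to ``/``; every failure re-renders the form
    with a message.

    NOTE(review): the TOTP seed is recomputed from the username and the
    address stored at registration (``user["user_ip"]``), so it is derivable
    from non-secret inputs. The distinct 'Invalid credentials' /
    'Invalid verification code' messages confirm a correct password before
    the second factor is checked, and nothing here limits attempts.
    """
    page_name = 'login'

    # GET (and the HEAD derived from it) shows the form; only POST logs in.
    if request.method.lower() != 'post':
        page_content = render_template("login.html")
        return render_page(page_content, "login")

    username = request.form.get("username") or ""
    password = request.form.get("password") or ""
    verification_code = request.form.get("verification_code") or ""

    if not (username and password and verification_code):
        page_content = render_template("login.html", message='Missing field')
        return render_page(page_content, page_name)

    if not utils.auth_user(username, password):
        page_content = render_template("login.html", message='Invalid credentials')
        return render_page(page_content, page_name)

    user = utils.check_username(username)
    seed = utils.generate_seed(username, user["user_ip"])
    totp = pyotp.TOTP(utils.get_totp_key(seed))

    # A real code is ASCII digits only; rejecting anything else up front also
    # keeps the str() inside verify() away from non-ASCII input on Python 2.
    digits_only = set(verification_code) <= set("0123456789")
    # TOTP.verify() compares both sides as strings in constant time, unlike a
    # plain `!=` against totp.now(), which leaks timing and (on pre-2.0 pyotp,
    # where now() returned an int) never matched the submitted string. No
    # valid_window is passed, so acceptance stays "the current period only".
    if not (digits_only and totp.verify(verification_code)):
        page_content = render_template("login.html", message='Invalid verification code')
        return render_page(page_content, page_name)

    # user/pass/totp all valid by now
    session_cookie = utils.make_cookie(app.config["COOKIE_SECRET"], username, request.remote_addr)
    response = app.make_response(redirect("/"))
    # httponly keeps the session cookie out of reach of page scripts; `secure`
    # is not set because the app is served over plain HTTP (see app.run).
    response.set_cookie('session', session_cookie, httponly=True)
    return response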
  120.  
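@app.route("/profile/edit", methods=["GET", "POST"])
@require_auth
def edit_profile():
    """Profile editor: non-POST shows the form, POST validates and stores it.

    The image URL is fetched by this server and must sniff as PNG, JPEG or
    GIF (``imghdr``) before ``utils.update_user_profile`` stores it together
    with the profile text. NOTE(review): ``profile_text`` is stored verbatim,
    so escaping has to happen where the templates display it.
    """
    user = utils.get_user_from_cookie(request)
    page_name = 'edit profile'

    if request.method.lower() != 'post':
        page_content = render_template("edit_profile.html", user=user)
        return render_page(page_content, page_name, user=user)

    def respond(message):
        # Re-render the editor with a status message (errors and success alike).
        page_content = render_template("edit_profile.html", user=user, message=message)
        return render_page(page_content, page_name, user=user)

    image_url = request.form.get("image_url") or ""
    profile_text = request.form.get("profile_text") or ""

    if not (image_url and profile_text):
        return respond('Missing fields')

    parsed_url = urlparse.urlparse(image_url)
    if not (parsed_url.scheme and parsed_url.netloc and parsed_url.path):
        return respond('Malformed url %s' % (repr(parsed_url)))

    # The server itself fetches this URL, so only web schemes are acceptable;
    # urllib2 would otherwise happily open file://, ftp:// and the like.
    # This does not stop fetches of internal http hosts -- an allowlist or
    # resolved-address check would be needed for that.
    if parsed_url.scheme.lower() not in ("http", "https"):
        return respond('Unsupported URL scheme: %s' % (parsed_url.scheme,))

    fetch_timeout = 10  # seconds; chosen here -- urlopen otherwise waits indefinitely
    try:
        remote = urllib2.urlopen(image_url, timeout=fetch_timeout)
        try:
            contents = remote.read()
        finally:
            remote.close()
        if imghdr.what(None, contents) not in ["png", "jpeg", "gif"]:
            # Never echo the fetched body back into the page.
            return respond('Unknown file type')
    except Exception as e:
        return respond('An exception occurred ' + str(e))

    utils.update_user_profile(user["user_id"], image_url, profile_text)
    # Re-read the user so the form shows the stored values.
    user = utils.get_user_from_cookie(request)
    return respond('Success')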
  156.  
@app.route("/messages/")
def messages_redirect():
    """Bare ``/messages/`` simply forwards to the listing view."""
    listing_url = "/messages/view"
    return redirect(listing_url)
  160.  
@app.route("/messages/compose", methods=["GET", "POST"])
@require_auth
def message_compose():
    """Compose form (non-POST) and message creation (POST).

    A POST needs recipient, title and body; the recipient must resolve via
    ``utils.check_username``. On success the sender is redirected to the
    listing. NOTE(review): title and body are stored verbatim here, so any
    escaping has to happen where the templates display them.
    """
    current_user = utils.get_user_from_cookie(request)
    page_name = 'messages'

    def show_form(**extra):
        form_html = render_template("compose.html", user=current_user, **extra)
        return render_page(form_html, page_name, user=current_user)

    if request.method.lower() != "post":
        return show_form()

    message_to = request.form.get("message_to") or ""
    message_title = request.form.get("message_title") or ""
    message_contents = request.form.get("message_contents") or ""

    if not (message_to and message_title and message_contents):
        return show_form(message='Missing field')

    to_user = utils.check_username(message_to)
    if not to_user:
        return show_form(message='Invalid user')

    utils.create_message(to_user["user_id"], current_user["user_id"], message_title, message_contents)
    return redirect("/messages/view")
  188.  
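@app.route("/messages/view")
@require_auth
def messages_view_listing():
    """List the messages belonging to the logged-in user."""
    user = utils.get_user_from_cookie(request)
    page_name = 'messages'
    messages = utils.get_messages_for_user(user["user_id"])
    # No method check: the route accepts only GET (plus the HEAD Flask derives
    # from it), and the old `== 'get'` test made HEAD fall through and return
    # nothing at all.
    page_content = render_template("view_messages.html", user=user, messages=messages)
    return render_page(page_content, page_name, user=user)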
  198.  
@app.route("/messages/<int:message_id>")
@require_auth
def messages_view_individual(message_id):
    """Show one message, but only to its sender or its recipient.

    Anyone else, or an unknown id, is bounced to the listing, so message ids
    cannot be browsed across accounts.
    """
    current_user = utils.get_user_from_cookie(request)
    message = utils.get_message_by_id(message_id)
    page_name = 'message'

    if not message:
        return redirect("/messages/view")
    participants = (message["message_from"], message["message_to"])
    if current_user["user_id"] not in participants:
        return redirect("/messages/view")

    body = render_template("individual_message.html", user=current_user, message=message)
    return render_page(body, page_name, user=current_user)
  211.  
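@app.route("/search")
@require_auth
def search():
    """User search: ``?query=`` goes to ``utils.search`` and the matches are listed.

    NOTE(review): the query reaches the database through ``utils.search``;
    whether it is parameterised there is not visible from this file.
    """
    page_name = 'search'
    user = utils.get_user_from_cookie(request)
    search_query = request.args.get("query")
    if not search_query:
        page_content = render_template("search.html", user=user, message='')
        return render_page(page_content, page_name, user=user)

    users = utils.search(search_query)
    if not users:
        page_content = render_template("search.html", message='NO USERS FOUND :(', user=user)
        return render_page(page_content, page_name, user=user)

    # Pass the viewer here as well: the other branches do, and without it the
    # results page sees `user` as undefined.
    page_content = render_template("search.html", message='', users=users, user=user)
    return render_page(page_content, page_name, user=user)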
  229.  
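@app.route("/user/<username>")
@require_auth
def browse_profile(username):
    """Show another user's profile, or go home when the name is unknown."""
    page_name = 'search'
    user = utils.get_user_from_cookie(request)
    # One lookup instead of two: the original called check_username once for
    # the test and again for the value.
    user_profile = utils.check_username(username) if username else None
    if not user_profile:
        return redirect("/")

    page_content = render_template("user_profile.html", message=None, user_profile=user_profile, user=user)
    # Give the layout the viewer, as every other authenticated page does.
    return render_page(page_content, page_name, user=user)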
  241.  
if __name__ == "__main__":
    # Listens on all interfaces over plain HTTP. Keep the debug variant
    # commented out: the Werkzeug debugger exposes an interactive console.
    #app.run(debug=True, host="0.0.0.0", port=5000)
    app.run(host="0.0.0.0", port=5000)