daily pastebin goal
18%
SHARE
TWEET

Untitled

a guest Sep 20th, 2015 35 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. from flask import Flask, render_template, request, Response, redirect
  2. from flask.ext.mysqldb import MySQL
  3. from functools import wraps
  4. import os, pwd, grp, random, struct, time, pyotp, urllib2, urlparse, imghdr, sys
  5. import utils
  6. sys.path.insert(0, "/home/csaw/development/weeb")
  7.  
  8. import logging, sys
  9. logging.basicConfig(stream=sys.stderr)
  10.  
  11. app = Flask(__name__)
  12. app.config.from_object("settings")
  13. mysql = MySQL()
  14. mysql.init_app(app)
  15. utils.mysql = mysql
  16.  
  17. def render_page(content, page_name, user=None):
  18.     return render_template("base.html", page_name=page_name, page_content=content, user=user)
  19.  
  20. def require_auth(f):
  21.     @wraps(f)
  22.     def decorated_function(*args, **kwargs):
  23.         cookie = request.cookies.get("session")
  24.         if (cookie and (utils.validate_cookie(app.config["COOKIE_SECRET"], cookie))):
  25.             return f(*args, **kwargs)
  26.         else:
  27.             return redirect("/login")
  28.     return decorated_function
  29.  
  30. @app.after_request
  31. def after_request(response):
  32.     response.headers.add('Content-Security-Policy', 'script-src "self" https://apis.google.com; report-uri /csp/violate')
  33.     return response
  34.  
  35. @app.route("/csp/violate", methods=["GET", "POST"])
  36. def csp_violate():
  37.     report_id = utils.insert_csp_report(request.remote_addr, request.data)
  38.     message_body = {"message": "Thoroughly violated, thanks", "view_url":"/csp/view/"+str(report_id)}
  39.     return Response(repr(message_body), mimetype="text/json")
  40.  
  41. @app.route("/csp/view/<report_id>")
  42. def csp_view(report_id):
  43.     return Response(repr(utils.get_csp_report(report_id)), mimetype="text/json")
  44.  
  45. @app.route("/")
  46. def index():
  47.     user = utils.get_user_from_cookie(request)
  48.     page_name = 'home page'
  49.     page_content = render_template("home.html")
  50.     return render_page(page_content, page_name, user=user)
  51.  
  52. @app.route("/register", methods=["GET", "POST"])
  53. def show_registration():
  54.     user = utils.get_user_from_cookie(request)
  55.     page_name = 'register'
  56.  
  57.     if request.method.lower() == 'get':
  58.         page_content = render_template("register.html")
  59.         return render_page(page_content, "register", user=user)
  60.  
  61.     if request.method.lower() == 'post':
  62.         username = request.form.get("username") or ""
  63.         password = request.form.get("password") or ""
  64.         if not username or not password :
  65.             page_content = render_template("register.html", message='Missing field')
  66.             return render_page(page_content, page_name)
  67.  
  68.         if utils.check_username(username):
  69.             page_content = render_template("register.html", message='That username is taken!')
  70.             return render_page(page_content, page_name)
  71.  
  72.         seed = utils.generate_seed(username, request.remote_addr)
  73.         totp_key = utils.get_totp_key(seed)
  74.         utils.register_user(username, password, request.remote_addr)
  75.         qr_url = 'http://api.qrserver.com/v1/create-qr-code/?data=otpauth://totp/%s?secret=%s&amp;size=220x220&amp;margin=0'%(username, totp_key)
  76.         page_content = render_template(
  77.             "register.html",
  78.             message="Success! <a href='/login'>login here</a><br />TOTP Key: %s<br /><img src='%s' />" % (totp_key, qr_url)
  79.         )
  80.  
  81.         return render_page(page_content, page_name)
  82.  
  83. @app.route("/login", methods=["GET", "POST"])
  84. def show_login():
  85.     page_name = 'login'
  86.  
  87.     if request.method.lower() == 'get':
  88.         page_content = render_template("login.html")
  89.         return render_page(page_content, "login")
  90.  
  91.     username = request.form.get("username") or ""
  92.     password = request.form.get("password") or ""
  93.     verification_code = request.form.get("verification_code") or ""
  94.  
  95.     if not (username and password and verification_code):
  96.         page_content = render_template("login.html", message='Missing field')
  97.         return render_page(page_content, page_name)
  98.  
  99.     if not utils.auth_user(username, password):
  100.         page_content = render_template("login.html", message='Invalid credentials')
  101.         return render_page(page_content, page_name)
  102.  
  103.     user = utils.check_username(username)
  104.     seed = utils.generate_seed(username, user["user_ip"])
  105.     totp_key = utils.get_totp_key(seed)
  106.     totp = pyotp.TOTP(totp_key)
  107.  
  108.     if verification_code != totp.now():
  109.         page_content = render_template("login.html", message='Invalid verification code')
  110.         return render_page(page_content, page_name)
  111.  
  112.     # user/pass/totp all valid by now
  113.     session_cookie = utils.make_cookie(app.config["COOKIE_SECRET"], username, request.remote_addr)
  114.     response = app.make_response(redirect("/"))
  115.     response.set_cookie('session', session_cookie)
  116.     return response
  117.  
  118.     page_content = render_template("login.html")
  119.     return render_page(page_content, page_name)
  120.  
  121. @app.route("/profile/edit", methods=["GET", "POST"])
  122. @require_auth
  123. def edit_profile():
  124.     user = utils.get_user_from_cookie(request)
  125.     page_name = 'edit profile'
  126.  
  127.     if request.method.lower() == 'get':
  128.         page_content = render_template("edit_profile.html", user=user)
  129.         return render_page(page_content, page_name, user=user)
  130.  
  131.     image_url = request.form.get("image_url") or ""
  132.     profile_text = request.form.get("profile_text") or ""
  133.  
  134.     if not (image_url and profile_text):
  135.         page_content = render_template("edit_profile.html", user=user, message='Missing fields')
  136.         return render_page(page_content, page_name, user=user)
  137.  
  138.     parsed_url = urlparse.urlparse(image_url)
  139.     if not (parsed_url.scheme and parsed_url.netloc and parsed_url.path):
  140.         page_content = render_template("edit_profile.html", user=user, message='Malformed url %s'%(repr(parsed_url)))
  141.         return render_page(page_content, page_name, user=user)
  142.  
  143.     try:
  144.         contents = urllib2.urlopen(image_url).read()
  145.         if imghdr.what(None, contents) not in ["png", "jpeg", "gif"]:
  146.             page_content = render_template("edit_profile.html", user=user, message='Unknown file type: '+contents)
  147.             return render_page(page_content, page_name, user=user)
  148.     except Exception, e:
  149.         page_content = render_template("edit_profile.html", user=user, message='An exception occurred '+str(e))
  150.         return render_page(page_content, page_name, user=user)
  151.  
  152.     utils.update_user_profile(user["user_id"], image_url, profile_text)
  153.     user = utils.get_user_from_cookie(request)
  154.     page_content = render_template("edit_profile.html", user=user, message='Success')
  155.     return render_page(page_content, page_name, user=user)
  156.  
  157. @app.route("/messages/")
  158. def messages_redirect():
  159.     return redirect("/messages/view")
  160.  
  161. @app.route("/messages/compose", methods=["GET", "POST"])
  162. @require_auth
  163. def message_compose():
  164.     user = utils.get_user_from_cookie(request)
  165.     page_name = 'messages'
  166.  
  167.     if request.method.lower() == "post":
  168.         message_to = request.form.get("message_to") or ""
  169.         message_title = request.form.get("message_title") or ""
  170.         message_contents = request.form.get("message_contents") or ""
  171.  
  172.         if not (message_to and message_title and message_contents):
  173.             message = 'Missing field'
  174.             page_content = render_template("compose.html", user=user, message=message)
  175.             return render_page(page_content, page_name, user=user)
  176.  
  177.         to_user = utils.check_username(message_to)
  178.         if not to_user:
  179.             message = 'Invalid user'
  180.             page_content = render_template("compose.html", user=user, message=message)
  181.             return render_page(page_content, page_name, user=user)
  182.  
  183.         utils.create_message(to_user["user_id"], user["user_id"], message_title, message_contents)
  184.         return redirect("/messages/view")
  185.  
  186.     page_content = render_template("compose.html", user=user)
  187.     return render_page(page_content, page_name, user=user)
  188.  
  189. @app.route("/messages/view")
  190. @require_auth
  191. def messages_view_listing():
  192.     user = utils.get_user_from_cookie(request)
  193.     page_name = 'messages'
  194.     messages = utils.get_messages_for_user(user["user_id"])
  195.     if request.method.lower() == 'get':
  196.         page_content = render_template("view_messages.html", user=user, messages=messages)
  197.         return render_page(page_content, page_name, user=user)
  198.  
  199. @app.route("/messages/<int:message_id>")
  200. @require_auth
  201. def messages_view_individual(message_id):
  202.     user = utils.get_user_from_cookie(request)
  203.     message = utils.get_message_by_id(message_id)
  204.     page_name = 'message'
  205.  
  206.     if not message or user["user_id"] not in (message["message_from"], message["message_to"]):
  207.         return redirect("/messages/view")
  208.  
  209.     page_content = render_template("individual_message.html", user=user, message=message)
  210.     return render_page(page_content, page_name, user=user)
  211.  
  212. @app.route("/search")
  213. @require_auth
  214. def search():
  215.     page_name = 'search'
  216.     user = utils.get_user_from_cookie(request)
  217.     search_query = request.args.get("query")
  218.     if not search_query:
  219.         page_content = render_template("search.html", user=user, message='')
  220.         return render_page(page_content, page_name, user=user)
  221.  
  222.     users = utils.search(search_query)
  223.     if not users:
  224.         page_content = render_template("search.html", message='NO USERS FOUND :(', user=user)
  225.         return render_page(page_content, page_name, user=user)
  226.  
  227.     page_content = render_template("search.html", message='', users=users)
  228.     return render_page(page_content, page_name, user=user)
  229.  
  230. @app.route("/user/<username>")
  231. @require_auth
  232. def browse_profile(username):
  233.     page_name = 'search'
  234.     user = utils.get_user_from_cookie(request)
  235.     if username and utils.check_username(username):
  236.         user_profile = utils.check_username(username)
  237.         page_content = render_template("user_profile.html", message=None, user_profile=user_profile, user=user)
  238.         return render_page(page_content, page_name)
  239.  
  240.     return redirect("/")
  241.  
  242. if __name__ == "__main__":
  243.     #app.run(debug=True, host="0.0.0.0", port=5000)
  244.     app.run(host="0.0.0.0", port=5000)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top