2021-10-15 14:08:27 +00:00
from urllib . parse import urlencode
from files . mail import *
from files . __main__ import app , limiter
from files . helpers . const import *
import requests
valid_username_regex = re . compile ( " ^[a-zA-Z0-9_ \ -] { 3,25}$ " )
valid_password_regex = re . compile ( " ^. { 8,100}$ " )
@app.get ( " /login " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def login_get ( v ) :
2022-01-17 11:06:12 +00:00
redir = request . values . get ( " redirect " )
if redir :
2022-01-17 11:50:03 +00:00
redir = redir . replace ( " /logged_out " , " " ) . strip ( )
2022-01-24 17:37:37 +00:00
if not redir . startswith ( SITE_FULL ) and not redir . startswith ( ' / ' ) : redir = None
2021-10-15 14:08:27 +00:00
2022-01-28 20:02:21 +00:00
if v and redir :
if redir . startswith ( SITE_FULL ) : return redirect ( redir )
elif redir . startswith ( ' / ' ) : return redirect ( f ' { SITE_FULL } { redir } ' )
2022-01-17 11:06:12 +00:00
return render_template ( " login.html " , failed = False , redirect = redir )
2021-10-15 14:08:27 +00:00
def check_for_alts ( current_id ) :
past_accs = set ( session . get ( " history " , [ ] ) )
past_accs . add ( current_id )
session [ " history " ] = list ( past_accs )
for past_id in session [ " history " ] :
2021-11-16 00:18:41 +00:00
2021-11-18 20:53:47 +00:00
if past_id == MOM_ID or current_id == MOM_ID : break
2021-11-16 00:18:41 +00:00
if past_id == current_id : continue
2021-10-15 14:08:27 +00:00
2021-11-06 15:52:48 +00:00
check1 = g . db . query ( Alt ) . filter_by (
2022-01-02 00:06:46 +00:00
user1 = current_id , user2 = past_id ) . one_or_none ( )
2021-11-06 15:52:48 +00:00
check2 = g . db . query ( Alt ) . filter_by (
2022-01-02 00:06:46 +00:00
user1 = past_id , user2 = current_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not check1 and not check2 :
try :
new_alt = Alt ( user1 = past_id , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
2021-12-26 02:29:01 +00:00
except : pass
2021-10-15 14:08:27 +00:00
2021-11-06 15:52:48 +00:00
alts = g . db . query ( Alt )
2021-10-15 14:08:27 +00:00
otheralts = alts . filter ( or_ ( Alt . user1 == past_id , Alt . user2 == past_id , Alt . user1 == current_id , Alt . user2 == current_id ) ) . all ( )
for a in otheralts :
2022-01-02 00:06:46 +00:00
existing = alts . filter_by ( user1 = a . user1 , user2 = past_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not existing :
new_alt = Alt ( user1 = a . user1 , user2 = past_id )
g . db . add ( new_alt )
g . db . flush ( )
2022-01-02 00:06:46 +00:00
existing = alts . filter_by ( user1 = a . user1 , user2 = current_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not existing :
new_alt = Alt ( user1 = a . user1 , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
2022-01-02 00:06:46 +00:00
existing = alts . filter_by ( user1 = a . user2 , user2 = past_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not existing :
new_alt = Alt ( user1 = a . user2 , user2 = past_id )
g . db . add ( new_alt )
g . db . flush ( )
2022-01-02 00:06:46 +00:00
existing = alts . filter_by ( user1 = a . user2 , user2 = current_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not existing :
new_alt = Alt ( user1 = a . user2 , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
@app.post ( " /login " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;6/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def login_post ( ) :
2021-12-19 13:04:39 +00:00
template = ' '
2021-10-15 14:08:27 +00:00
username = request . values . get ( " username " )
if not username : abort ( 400 )
if " @ " in username :
2021-11-06 15:52:48 +00:00
account = g . db . query ( User ) . filter (
2022-01-02 00:06:46 +00:00
User . email . ilike ( username ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
else :
account = get_user ( username , graceful = True )
if not account :
time . sleep ( random . uniform ( 0 , 2 ) )
2022-01-14 12:04:35 +00:00
return render_template ( " login.html " , failed = True )
2021-10-15 14:08:27 +00:00
if request . values . get ( " password " ) :
if not account . verifyPass ( request . values . get ( " password " ) ) :
time . sleep ( random . uniform ( 0 , 2 ) )
2022-01-14 12:04:35 +00:00
return render_template ( " login.html " , failed = True )
2021-10-15 14:08:27 +00:00
if account . mfa_secret :
now = int ( time . time ( ) )
hash = generate_hash ( f " { account . id } + { now } +2fachallenge " )
2022-01-14 12:04:35 +00:00
return render_template ( " login_2fa.html " ,
2021-10-15 14:08:27 +00:00
v = account ,
time = now ,
hash = hash ,
redirect = request . values . get ( " redirect " , " / " )
)
elif request . values . get ( " 2fa_token " , " x " ) :
now = int ( time . time ( ) )
if now - int ( request . values . get ( " time " ) ) > 600 :
2022-01-24 20:26:15 +00:00
return redirect ( f ' { SITE_FULL } /login ' )
2021-10-15 14:08:27 +00:00
formhash = request . values . get ( " hash " )
if not validate_hash ( f " { account . id } + { request . values . get ( ' time ' ) } +2fachallenge " ,
formhash
) :
2022-01-24 20:26:15 +00:00
return redirect ( f " { SITE_FULL } /login " )
2021-10-15 14:08:27 +00:00
if not account . validate_2fa ( request . values . get ( " 2fa_token " , " " ) . strip ( ) ) :
hash = generate_hash ( f " { account . id } + { time } +2fachallenge " )
2022-01-14 12:04:35 +00:00
return render_template ( " login_2fa.html " ,
2021-10-15 14:08:27 +00:00
v = account ,
time = now ,
hash = hash ,
failed = True ,
)
else :
abort ( 400 )
2021-12-23 19:17:29 +00:00
session . permanent = True
2021-12-21 22:28:29 +00:00
session [ " session_id " ] = token_hex ( 49 )
session [ " lo_user " ] = account . id
2021-10-15 14:08:27 +00:00
session [ " login_nonce " ] = account . login_nonce
2021-12-30 05:43:49 +00:00
if account . id != PW_ID : check_for_alts ( account . id )
2021-10-15 14:08:27 +00:00
g . db . commit ( )
2022-01-17 11:06:12 +00:00
redir = request . values . get ( " redirect " )
if redir :
2022-01-17 11:50:03 +00:00
redir = redir . replace ( " /logged_out " , " " ) . strip ( )
2022-01-24 17:37:37 +00:00
if not redir . startswith ( SITE_FULL ) and not redir . startswith ( ' / ' ) : redir = ' / '
2022-01-17 11:06:12 +00:00
2022-01-28 20:02:21 +00:00
if redir . startswith ( SITE_FULL ) : return redirect ( redir )
if redir . startswith ( ' / ' ) : return redirect ( f ' { SITE_FULL } { redir } ' )
return redirect ( f ' { SITE_FULL } / ' )
2021-10-15 14:08:27 +00:00
@app.get ( " /me " )
@app.get ( " /@me " )
@auth_required
def me ( v ) :
if request . headers . get ( " Authorization " ) : return v . json
else : return redirect ( v . url )
@app.post ( " /logout " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
@auth_required
def logout ( v ) :
session . pop ( " session_id " , None )
2021-12-21 22:28:29 +00:00
session . pop ( " lo_user " , None )
2021-10-15 14:08:27 +00:00
return { " message " : " Logout successful! " }
@app.get ( " /signup " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def sign_up_get ( v ) :
2022-01-28 03:22:31 +00:00
if environ . get ( ' disable_signups ' ) :
return { " error " : " New account registration is currently closed. Please come back later. " } , 403
2021-10-15 14:08:27 +00:00
2022-01-24 20:26:15 +00:00
if v : return redirect ( f " { SITE_FULL } / " )
2021-10-15 14:08:27 +00:00
agent = request . headers . get ( " User-Agent " , None )
if not agent : abort ( 403 )
ref = request . values . get ( " ref " , None )
if ref :
2022-01-02 00:06:46 +00:00
ref_user = g . db . query ( User ) . filter ( User . username . ilike ( ref ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
else :
ref_user = None
if ref_user and ( ref_user . id in session . get ( " history " , [ ] ) ) :
2022-01-03 10:57:43 +00:00
return render_template ( " sign_up_failed_ref.html " )
2021-10-15 14:08:27 +00:00
now = int ( time . time ( ) )
token = token_hex ( 16 )
session [ " signup_token " ] = token
formkey_hashstr = str ( now ) + token + agent
formkey = hmac . new ( key = bytes ( environ . get ( " MASTER_KEY " ) , " utf-16 " ) ,
msg = bytes ( formkey_hashstr , " utf-16 " ) ,
digestmod = ' md5 '
) . hexdigest ( )
redir = request . values . get ( " redirect " , " / " ) . replace ( " /logged_out " , " " ) . strip ( )
2022-01-03 10:57:43 +00:00
return render_template ( " sign_up.html " ,
2021-10-15 14:08:27 +00:00
formkey = formkey ,
now = now ,
redirect = redir ,
ref_user = ref_user ,
hcaptcha = app . config [ " HCAPTCHA_SITEKEY " ]
)
@app.post ( " /signup " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/minute;5/day " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def sign_up_post ( v ) :
2022-01-28 03:22:31 +00:00
if environ . get ( ' disable_signups ' ) :
return { " error " : " New account registration is currently closed. Please come back later. " } , 403
2021-10-15 14:08:27 +00:00
if v : abort ( 403 )
agent = request . headers . get ( " User-Agent " , None )
if not agent : abort ( 403 )
form_timestamp = request . values . get ( " now " , ' 0 ' )
form_formkey = request . values . get ( " formkey " , " none " )
submitted_token = session . get ( " signup_token " , " " )
if not submitted_token : abort ( 400 )
correct_formkey_hashstr = form_timestamp + submitted_token + agent
correct_formkey = hmac . new ( key = bytes ( environ . get ( " MASTER_KEY " ) , " utf-16 " ) ,
msg = bytes ( correct_formkey_hashstr , " utf-16 " ) ,
digestmod = ' md5 '
) . hexdigest ( )
now = int ( time . time ( ) )
username = request . values . get ( " username " ) . strip ( )
def new_signup ( error ) :
args = { " error " : error }
if request . values . get ( " referred_by " ) :
2021-11-06 15:52:48 +00:00
user = g . db . query ( User ) . filter_by (
2022-01-02 00:06:46 +00:00
id = request . values . get ( " referred_by " ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if user :
args [ " ref " ] = user . username
2022-01-24 20:26:15 +00:00
return redirect ( f " { SITE_FULL } /signup? { urlencode ( args ) } " )
2021-10-15 14:08:27 +00:00
if now - int ( form_timestamp ) < 5 :
return new_signup ( " There was a problem. Please try again. " )
if not hmac . compare_digest ( correct_formkey , form_formkey ) :
return new_signup ( " There was a problem. Please try again. " )
if not request . values . get (
" password " ) == request . values . get ( " password_confirm " ) :
return new_signup ( " Passwords did not match. Please try again. " )
if not re . fullmatch ( valid_username_regex , username ) :
return new_signup ( " Invalid username " )
if not re . fullmatch ( valid_password_regex , request . values . get ( " password " ) ) :
return new_signup ( " Password must be between 8 and 100 characters. " )
2021-12-20 14:56:47 +00:00
email = request . values . get ( " email " ) . strip ( ) . lower ( )
2021-11-23 21:03:20 +00:00
2021-10-15 14:08:27 +00:00
if not email : email = None
existing_account = get_user ( username , graceful = True )
if existing_account and existing_account . reserved :
return redirect ( existing_account . url )
2021-11-30 16:49:10 +00:00
if existing_account : return new_signup ( " An account with that username already exists. " )
2021-10-15 14:08:27 +00:00
if app . config . get ( " HCAPTCHA_SITEKEY " ) :
token = request . values . get ( " h-captcha-response " )
if not token :
return new_signup ( " Unable to verify captcha [1]. " )
data = { " secret " : app . config [ " HCAPTCHA_SECRET " ] ,
" response " : token ,
" sitekey " : app . config [ " HCAPTCHA_SITEKEY " ] }
url = " https://hcaptcha.com/siteverify "
2021-11-14 01:19:32 +00:00
x = requests . post ( url , data = data , timeout = 5 )
2021-10-15 14:08:27 +00:00
if not x . json ( ) [ " success " ] :
return new_signup ( " Unable to verify captcha [2]. " )
session . pop ( " signup_token " )
ref_id = int ( request . values . get ( " referred_by " , 0 ) )
2022-01-02 00:05:22 +00:00
if ref_id :
ref_user = g . db . query ( User ) . filter_by ( id = ref_id ) . one_or_none ( )
if ref_user :
2022-01-19 06:20:05 +00:00
if ref_user . referral_count and not ref_user . has_badge ( 10 ) :
2022-01-02 00:05:22 +00:00
new_badge = Badge ( user_id = ref_user . id , badge_id = 10 )
g . db . add ( new_badge )
2022-01-19 06:20:05 +00:00
if ref_user . referral_count > 9 and not ref_user . has_badge ( 11 ) :
2022-01-02 00:05:22 +00:00
new_badge = Badge ( user_id = ref_user . id , badge_id = 11 )
g . db . add ( new_badge )
2022-01-19 06:20:05 +00:00
if ref_user . referral_count > 99 and not ref_user . has_badge ( 12 ) :
2022-01-02 00:05:22 +00:00
new_badge = Badge ( user_id = ref_user . id , badge_id = 12 )
g . db . add ( new_badge )
2021-11-06 15:52:48 +00:00
id_1 = g . db . query ( User . id ) . filter_by ( id = 7 ) . count ( )
2021-11-14 22:35:18 +00:00
users_count = g . db . query ( User . id ) . count ( )
2021-12-28 06:28:18 +00:00
if id_1 == 0 and users_count == 7 : admin_level = 3
2021-10-15 14:08:27 +00:00
else : admin_level = 0
new_user = User (
username = username ,
original_username = username ,
admin_level = admin_level ,
password = request . values . get ( " password " ) ,
email = email ,
created_utc = int ( time . time ( ) ) ,
referred_by = ref_id or None ,
2022-01-07 21:03:14 +00:00
ban_evade = int ( any ( ( x . is_banned or x . shadowbanned ) and not x . unban_utc for x in g . db . query ( User ) . filter ( User . id . in_ ( tuple ( session . get ( " history " , [ ] ) ) ) ) . all ( ) if x ) ) ,
agendaposter = any ( x . agendaposter for x in g . db . query ( User ) . filter ( User . id . in_ ( tuple ( session . get ( " history " , [ ] ) ) ) ) . all ( ) if x )
2021-10-15 14:08:27 +00:00
)
g . db . add ( new_user )
g . db . flush ( )
check_for_alts ( new_user . id )
if email : send_verification_email ( new_user )
2021-12-28 08:17:49 +00:00
send_notification ( new_user . id , WELCOME_MSG )
2021-10-15 14:08:27 +00:00
2021-12-23 19:17:29 +00:00
session . permanent = True
2021-12-21 22:28:29 +00:00
session [ " session_id " ] = token_hex ( 49 )
session [ " lo_user " ] = new_user . id
2021-10-15 14:08:27 +00:00
g . db . commit ( )
2022-01-24 20:26:15 +00:00
return redirect ( f " { SITE_FULL } / " )
2021-10-15 14:08:27 +00:00
@app.get ( " /forgot " )
def get_forgot ( ) :
2022-01-07 21:03:14 +00:00
return render_template ( " forgot_password.html " )
2021-10-15 14:08:27 +00:00
@app.post ( " /forgot " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def post_forgot ( ) :
username = request . values . get ( " username " ) . lstrip ( ' @ ' )
2022-01-01 22:06:53 +00:00
email = request . values . get ( " email " , ' ' ) . strip ( ) . lower ( ) . replace ( " _ " , " \ _ " )
2021-10-15 14:08:27 +00:00
2021-11-06 15:52:48 +00:00
user = g . db . query ( User ) . filter (
2021-10-15 14:08:27 +00:00
User . username . ilike ( username ) ,
2022-01-02 00:06:46 +00:00
User . email . ilike ( email ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if user :
now = int ( time . time ( ) )
token = generate_hash ( f " { user . id } + { now } +forgot+ { user . login_nonce } " )
2022-01-24 17:37:37 +00:00
url = f " { SITE_FULL } /reset?id= { user . id } &time= { now } &token= { token } "
2021-10-15 14:08:27 +00:00
send_mail ( to_address = user . email ,
subject = " Password Reset Request " ,
html = render_template ( " email/password_reset.html " ,
action_url = url ,
v = user )
)
2022-01-07 21:03:14 +00:00
return render_template ( " forgot_password.html " ,
2021-10-15 14:08:27 +00:00
msg = " If the username and email matches an account, you will be sent a password reset email. You have ten minutes to complete the password reset process. " )
@app.get ( " /reset " )
def get_reset ( ) :
user_id = request . values . get ( " id " )
2021-12-30 05:43:49 +00:00
2021-10-15 14:08:27 +00:00
timestamp = int ( request . values . get ( " time " , 0 ) )
token = request . values . get ( " token " )
now = int ( time . time ( ) )
if now - timestamp > 600 :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset link expired " ,
error = " That password reset link has expired. " )
2022-01-02 00:06:46 +00:00
user = g . db . query ( User ) . filter_by ( id = user_id ) . one_or_none ( )
2021-12-30 05:43:49 +00:00
2022-01-21 10:44:12 +00:00
if not user : abort ( 400 )
2021-10-15 14:08:27 +00:00
if not validate_hash ( f " { user_id } + { timestamp } +forgot+ { user . login_nonce } " , token ) :
abort ( 400 )
if not user :
abort ( 404 )
reset_token = generate_hash ( f " { user . id } + { timestamp } +reset+ { user . login_nonce } " )
2022-01-07 21:03:14 +00:00
return render_template ( " reset_password.html " ,
2021-10-15 14:08:27 +00:00
v = user ,
token = reset_token ,
time = timestamp ,
)
@app.post ( " /reset " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def post_reset ( v ) :
2022-01-24 20:26:15 +00:00
if v : return redirect ( f ' { SITE_FULL } / ' )
2021-10-15 14:08:27 +00:00
user_id = request . values . get ( " user_id " )
2021-12-19 02:37:18 +00:00
2021-10-15 14:08:27 +00:00
timestamp = int ( request . values . get ( " time " ) )
token = request . values . get ( " token " )
password = request . values . get ( " password " )
confirm_password = request . values . get ( " confirm_password " )
now = int ( time . time ( ) )
if now - timestamp > 600 :
2022-01-14 12:04:35 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset expired " ,
error = " That password reset form has expired. " )
2022-01-02 00:06:46 +00:00
user = g . db . query ( User ) . filter_by ( id = user_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not validate_hash ( f " { user_id } + { timestamp } +reset+ { user . login_nonce } " , token ) :
abort ( 400 )
if not user :
abort ( 404 )
2022-01-22 09:58:22 +00:00
if password != confirm_password :
2022-01-14 12:04:35 +00:00
return render_template ( " reset_password.html " ,
2021-10-15 14:08:27 +00:00
v = user ,
token = token ,
time = timestamp ,
error = " Passwords didn ' t match. " )
user . passhash = hash_password ( password )
g . db . add ( user )
g . db . commit ( )
2022-01-14 12:04:35 +00:00
return render_template ( " message_success.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset successful! " ,
message = " Login normally to access your account. " )
@app.get ( " /lost_2fa " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def lost_2fa ( v ) :
return render_template (
" lost_2fa.html " ,
v = v
)
@app.post ( " /request_2fa_disable " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;6/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def request_2fa_disable ( ) :
username = request . values . get ( " username " )
user = get_user ( username , graceful = True )
if not user or not user . email or not user . mfa_secret :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
2021-12-20 14:56:47 +00:00
email = request . values . get ( " email " ) . strip ( ) . lower ( )
2021-10-15 14:08:27 +00:00
password = request . values . get ( " password " )
if not user . verifyPass ( password ) :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
valid = int ( time . time ( ) )
token = generate_hash ( f " { user . id } + { user . username } +disable2fa+ { valid } + { user . mfa_secret } + { user . login_nonce } " )
2022-01-24 17:37:37 +00:00
action_url = f " { SITE_FULL } /reset_2fa?id= { user . id } &t= { valid } &token= { token } "
2021-10-15 14:08:27 +00:00
send_mail ( to_address = user . email ,
subject = " 2FA Removal Request " ,
html = render_template ( " email/2fa_remove.html " ,
action_url = action_url ,
v = user )
)
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
@app.get ( " /reset_2fa " )
def reset_2fa ( ) :
now = int ( time . time ( ) )
t = int ( request . values . get ( " t " ) )
if now > t + 3600 * 24 :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Expired Link " ,
error = " That link has expired. " )
token = request . values . get ( " token " )
uid = request . values . get ( " id " )
user = get_account ( uid )
if not validate_hash ( f " { user . id } + { user . username } +disable2fa+ { t } + { user . mfa_secret } + { user . login_nonce } " , token ) :
abort ( 403 )
user . mfa_secret = None
g . db . add ( user )
g . db . commit ( )
2022-01-07 21:03:14 +00:00
return render_template ( " message_success.html " ,
2021-10-15 14:08:27 +00:00
title = " Two-factor authentication removed. " ,
message = " Login normally to access your account. " )