2021-10-15 14:08:27 +00:00
from urllib . parse import urlencode
from files . mail import *
from files . __main__ import app , limiter
from files . helpers . const import *
import requests
@app.get ( " /login " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def login_get ( v ) :
2022-01-17 11:06:12 +00:00
redir = request . values . get ( " redirect " )
if redir :
2022-01-17 11:50:03 +00:00
redir = redir . replace ( " /logged_out " , " " ) . strip ( )
2022-01-24 17:37:37 +00:00
if not redir . startswith ( SITE_FULL ) and not redir . startswith ( ' / ' ) : redir = None
2021-10-15 14:08:27 +00:00
2022-01-28 20:02:21 +00:00
if v and redir :
if redir . startswith ( SITE_FULL ) : return redirect ( redir )
elif redir . startswith ( ' / ' ) : return redirect ( f ' { SITE_FULL } { redir } ' )
2022-01-17 11:06:12 +00:00
return render_template ( " login.html " , failed = False , redirect = redir )
2021-10-15 14:08:27 +00:00
def check_for_alts ( current_id ) :
2022-02-24 08:28:13 +00:00
ids = [ x [ 0 ] for x in g . db . query ( User . id ) . all ( ) ]
2021-10-15 14:08:27 +00:00
past_accs = set ( session . get ( " history " , [ ] ) )
2022-02-18 09:05:00 +00:00
for past_id in list ( past_accs ) :
2021-11-16 00:18:41 +00:00
2022-02-15 20:22:48 +00:00
if past_id not in ids :
past_accs . remove ( past_id )
continue
2021-11-18 20:53:47 +00:00
if past_id == MOM_ID or current_id == MOM_ID : break
2021-11-16 00:18:41 +00:00
if past_id == current_id : continue
2021-10-15 14:08:27 +00:00
2022-01-29 02:01:16 +00:00
li = [ past_id , current_id ]
existing = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . one_or_none ( )
if not existing :
new_alt = Alt ( user1 = past_id , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
2021-10-15 14:08:27 +00:00
2022-01-29 02:01:16 +00:00
otheralts = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . all ( )
2021-10-15 14:08:27 +00:00
for a in otheralts :
2022-01-29 02:01:16 +00:00
if a . user1 != past_id :
li = [ a . user1 , past_id ]
existing = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . one_or_none ( )
if not existing :
new_alt = Alt ( user1 = a . user1 , user2 = past_id )
g . db . add ( new_alt )
g . db . flush ( )
if a . user1 != current_id :
li = [ a . user1 , current_id ]
existing = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . one_or_none ( )
if not existing :
new_alt = Alt ( user1 = a . user1 , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
if a . user2 != past_id :
li = [ a . user2 , past_id ]
existing = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . one_or_none ( )
if not existing :
new_alt = Alt ( user1 = a . user2 , user2 = past_id )
g . db . add ( new_alt )
g . db . flush ( )
if a . user2 != current_id :
li = [ a . user2 , current_id ]
existing = g . db . query ( Alt ) . filter ( Alt . user1 . in_ ( li ) , Alt . user2 . in_ ( li ) ) . one_or_none ( )
if not existing :
new_alt = Alt ( user1 = a . user2 , user2 = current_id )
g . db . add ( new_alt )
g . db . flush ( )
2022-02-15 20:22:48 +00:00
past_accs . add ( current_id )
session [ " history " ] = list ( past_accs )
2021-10-15 14:08:27 +00:00
@app.post ( " /login " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;6/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def login_post ( ) :
2021-12-19 13:04:39 +00:00
template = ' '
2021-10-15 14:08:27 +00:00
username = request . values . get ( " username " )
2022-03-27 13:41:19 +00:00
if not username : abort ( 400 )
username = username . lstrip ( ' @ ' ) . replace ( ' \\ ' , ' ' ) . replace ( ' _ ' , ' \ _ ' ) . replace ( ' % ' , ' ' ) . strip ( )
2021-10-15 14:08:27 +00:00
if not username : abort ( 400 )
2022-02-06 13:07:35 +00:00
if username . startswith ( ' @ ' ) : username = username [ 1 : ]
2022-02-13 21:25:09 +00:00
if " @ " in username :
try : account = g . db . query ( User ) . filter ( User . email . ilike ( username ) ) . one_or_none ( )
except : return " Multiple users use this email! "
2022-02-06 13:07:35 +00:00
else : account = get_user ( username , graceful = True )
2021-10-15 14:08:27 +00:00
if not account :
time . sleep ( random . uniform ( 0 , 2 ) )
2022-01-14 12:04:35 +00:00
return render_template ( " login.html " , failed = True )
2021-10-15 14:08:27 +00:00
if request . values . get ( " password " ) :
if not account . verifyPass ( request . values . get ( " password " ) ) :
time . sleep ( random . uniform ( 0 , 2 ) )
2022-01-14 12:04:35 +00:00
return render_template ( " login.html " , failed = True )
2021-10-15 14:08:27 +00:00
if account . mfa_secret :
now = int ( time . time ( ) )
hash = generate_hash ( f " { account . id } + { now } +2fachallenge " )
2022-01-14 12:04:35 +00:00
return render_template ( " login_2fa.html " ,
2021-10-15 14:08:27 +00:00
v = account ,
time = now ,
hash = hash ,
redirect = request . values . get ( " redirect " , " / " )
)
elif request . values . get ( " 2fa_token " , " x " ) :
now = int ( time . time ( ) )
if now - int ( request . values . get ( " time " ) ) > 600 :
2022-04-02 17:11:35 +00:00
return redirect ( ' /login ' )
2021-10-15 14:08:27 +00:00
formhash = request . values . get ( " hash " )
2022-02-13 21:25:09 +00:00
if not validate_hash ( f " { account . id } + { request . values . get ( ' time ' ) } +2fachallenge " , formhash ) :
2022-04-02 17:11:35 +00:00
return redirect ( " /login " )
2021-10-15 14:08:27 +00:00
if not account . validate_2fa ( request . values . get ( " 2fa_token " , " " ) . strip ( ) ) :
hash = generate_hash ( f " { account . id } + { time } +2fachallenge " )
2022-01-14 12:04:35 +00:00
return render_template ( " login_2fa.html " ,
2021-10-15 14:08:27 +00:00
v = account ,
time = now ,
hash = hash ,
failed = True ,
)
else :
abort ( 400 )
2022-04-02 18:35:16 +00:00
session . permanent = True
2021-12-21 22:28:29 +00:00
session [ " session_id " ] = token_hex ( 49 )
session [ " lo_user " ] = account . id
2021-10-15 14:08:27 +00:00
session [ " login_nonce " ] = account . login_nonce
2022-02-26 18:30:11 +00:00
if account . id == AEVANN_ID : session [ " verified " ] = time . time ( )
2021-10-15 14:08:27 +00:00
g . db . commit ( )
2022-01-17 11:06:12 +00:00
redir = request . values . get ( " redirect " )
if redir :
2022-01-17 11:50:03 +00:00
redir = redir . replace ( " /logged_out " , " " ) . strip ( )
2022-01-24 17:37:37 +00:00
if not redir . startswith ( SITE_FULL ) and not redir . startswith ( ' / ' ) : redir = ' / '
2022-01-17 11:06:12 +00:00
2022-03-25 22:38:05 +00:00
if redir :
if redir . startswith ( SITE_FULL ) : return redirect ( redir )
if redir . startswith ( ' / ' ) : return redirect ( f ' { SITE_FULL } { redir } ' )
2022-04-02 17:11:35 +00:00
return redirect ( ' / ' )
2021-10-15 14:08:27 +00:00
@app.get ( " /me " )
@app.get ( " /@me " )
@auth_required
def me ( v ) :
if request . headers . get ( " Authorization " ) : return v . json
else : return redirect ( v . url )
@app.post ( " /logout " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
@auth_required
def logout ( v ) :
session . pop ( " session_id " , None )
2021-12-21 22:28:29 +00:00
session . pop ( " lo_user " , None )
2021-10-15 14:08:27 +00:00
return { " message " : " Logout successful! " }
@app.get ( " /signup " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def sign_up_get ( v ) :
2022-02-08 14:49:49 +00:00
with open ( ' disable_signups ' , ' r ' ) as f :
if f . read ( ) == " yes " :
return { " error " : " New account registration is currently closed. Please come back later. " } , 403
2021-10-15 14:08:27 +00:00
2022-02-28 00:13:07 +00:00
if v : return redirect ( SITE_FULL )
2021-10-15 14:08:27 +00:00
2022-03-04 23:49:38 +00:00
agent = request . headers . get ( " User-Agent " )
2021-10-15 14:08:27 +00:00
if not agent : abort ( 403 )
2022-03-04 23:49:38 +00:00
ref = request . values . get ( " ref " )
2022-03-04 22:46:20 +00:00
2021-10-15 14:08:27 +00:00
if ref :
2022-03-04 23:12:33 +00:00
ref = ref . replace ( ' \\ ' , ' ' ) . replace ( ' _ ' , ' \ _ ' ) . replace ( ' % ' , ' ' ) . strip ( )
2022-01-02 00:06:46 +00:00
ref_user = g . db . query ( User ) . filter ( User . username . ilike ( ref ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
else :
ref_user = None
if ref_user and ( ref_user . id in session . get ( " history " , [ ] ) ) :
2022-01-03 10:57:43 +00:00
return render_template ( " sign_up_failed_ref.html " )
2021-10-15 14:08:27 +00:00
now = int ( time . time ( ) )
token = token_hex ( 16 )
session [ " signup_token " ] = token
formkey_hashstr = str ( now ) + token + agent
formkey = hmac . new ( key = bytes ( environ . get ( " MASTER_KEY " ) , " utf-16 " ) ,
msg = bytes ( formkey_hashstr , " utf-16 " ) ,
digestmod = ' md5 '
) . hexdigest ( )
2022-03-04 23:49:38 +00:00
error = request . values . get ( " error " )
2022-02-12 19:42:15 +00:00
2022-01-03 10:57:43 +00:00
return render_template ( " sign_up.html " ,
2021-10-15 14:08:27 +00:00
formkey = formkey ,
now = now ,
ref_user = ref_user ,
2022-02-12 19:42:15 +00:00
hcaptcha = app . config [ " HCAPTCHA_SITEKEY " ] ,
error = error
2021-10-15 14:08:27 +00:00
)
@app.post ( " /signup " )
2022-02-21 01:58:12 +00:00
@limiter.limit ( " 10/day " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def sign_up_post ( v ) :
2022-02-08 14:49:49 +00:00
with open ( ' disable_signups ' , ' r ' ) as f :
if f . read ( ) == " yes " :
return { " error " : " New account registration is currently closed. Please come back later. " } , 403
2021-10-15 14:08:27 +00:00
if v : abort ( 403 )
2022-03-04 23:49:38 +00:00
agent = request . headers . get ( " User-Agent " )
2021-10-15 14:08:27 +00:00
if not agent : abort ( 403 )
form_timestamp = request . values . get ( " now " , ' 0 ' )
form_formkey = request . values . get ( " formkey " , " none " )
submitted_token = session . get ( " signup_token " , " " )
if not submitted_token : abort ( 400 )
correct_formkey_hashstr = form_timestamp + submitted_token + agent
correct_formkey = hmac . new ( key = bytes ( environ . get ( " MASTER_KEY " ) , " utf-16 " ) ,
msg = bytes ( correct_formkey_hashstr , " utf-16 " ) ,
digestmod = ' md5 '
) . hexdigest ( )
now = int ( time . time ( ) )
username = request . values . get ( " username " ) . strip ( )
2022-02-27 23:58:46 +00:00
def signup_error ( error ) :
2021-10-15 14:08:27 +00:00
args = { " error " : error }
if request . values . get ( " referred_by " ) :
2022-02-14 02:33:27 +00:00
user = g . db . query ( User ) . filter_by ( id = request . values . get ( " referred_by " ) ) . one_or_none ( )
if user : args [ " ref " ] = user . username
2021-10-15 14:08:27 +00:00
2022-04-02 17:11:35 +00:00
return redirect ( f " /signup? { urlencode ( args ) } " )
2021-10-15 14:08:27 +00:00
if now - int ( form_timestamp ) < 5 :
2022-02-27 23:58:46 +00:00
return signup_error ( " There was a problem. Please try again. " )
2021-10-15 14:08:27 +00:00
if not hmac . compare_digest ( correct_formkey , form_formkey ) :
2022-02-27 23:58:46 +00:00
return signup_error ( " There was a problem. Please try again. " )
2021-10-15 14:08:27 +00:00
if not request . values . get (
" password " ) == request . values . get ( " password_confirm " ) :
2022-02-27 23:58:46 +00:00
return signup_error ( " Passwords did not match. Please try again. " )
2021-10-15 14:08:27 +00:00
2022-02-26 20:13:34 +00:00
if not valid_username_regex . fullmatch ( username ) :
2022-02-27 23:58:46 +00:00
return signup_error ( " Invalid username " )
2021-10-15 14:08:27 +00:00
2022-02-26 20:13:34 +00:00
if not valid_password_regex . fullmatch ( request . values . get ( " password " ) ) :
2022-02-27 23:58:46 +00:00
return signup_error ( " Password must be between 8 and 100 characters. " )
2021-10-15 14:08:27 +00:00
2021-12-20 14:56:47 +00:00
email = request . values . get ( " email " ) . strip ( ) . lower ( )
2021-11-23 21:03:20 +00:00
2022-03-02 04:24:36 +00:00
if email :
if not email_regex . fullmatch ( email ) :
return signup_error ( " Invalid email. " )
else : email = None
2021-10-15 14:08:27 +00:00
existing_account = get_user ( username , graceful = True )
if existing_account and existing_account . reserved :
return redirect ( existing_account . url )
2022-02-27 23:58:46 +00:00
if existing_account :
return signup_error ( " An account with that username already exists. " )
2021-10-15 14:08:27 +00:00
if app . config . get ( " HCAPTCHA_SITEKEY " ) :
token = request . values . get ( " h-captcha-response " )
if not token :
2022-02-27 23:58:46 +00:00
return signup_error ( " Unable to verify captcha [1]. " )
2021-10-15 14:08:27 +00:00
data = { " secret " : app . config [ " HCAPTCHA_SECRET " ] ,
" response " : token ,
" sitekey " : app . config [ " HCAPTCHA_SITEKEY " ] }
url = " https://hcaptcha.com/siteverify "
2021-11-14 01:19:32 +00:00
x = requests . post ( url , data = data , timeout = 5 )
2021-10-15 14:08:27 +00:00
if not x . json ( ) [ " success " ] :
2022-02-27 23:58:46 +00:00
return signup_error ( " Unable to verify captcha [2]. " )
2021-10-15 14:08:27 +00:00
session . pop ( " signup_token " )
ref_id = int ( request . values . get ( " referred_by " , 0 ) )
2022-02-07 11:39:26 +00:00
id_1 = g . db . query ( User . id ) . filter_by ( id = 9 ) . count ( )
2021-11-14 22:35:18 +00:00
users_count = g . db . query ( User . id ) . count ( )
2022-02-13 23:52:44 +00:00
if id_1 == 0 and users_count == 8 :
admin_level = 3
session [ " history " ] = [ ]
2021-10-15 14:08:27 +00:00
else : admin_level = 0
2022-03-09 01:44:53 +00:00
profileurl = ' /e/ ' + random . choice ( marseys_const ) + ' .webp '
2021-10-15 14:08:27 +00:00
new_user = User (
username = username ,
original_username = username ,
admin_level = admin_level ,
password = request . values . get ( " password " ) ,
email = email ,
referred_by = ref_id or None ,
2022-03-09 01:44:53 +00:00
ban_evade = int ( any ( ( x . is_banned or x . shadowbanned ) and not x . unban_utc for x in g . db . query ( User ) . filter ( User . id . in_ ( session . get ( " history " , [ ] ) ) ) . all ( ) if x ) ) ,
profileurl = profileurl
2021-10-15 14:08:27 +00:00
)
g . db . add ( new_user )
g . db . flush ( )
2022-04-09 23:07:03 +00:00
if ref_id :
ref_user = g . db . query ( User ) . filter_by ( id = ref_id ) . one_or_none ( )
if ref_user :
if ref_user . referral_count and not ref_user . has_badge ( 10 ) :
new_badge = Badge ( user_id = ref_user . id , badge_id = 10 )
g . db . add ( new_badge )
g . db . flush ( )
send_notification ( ref_user . id , f " @AutoJanny has given you the following profile badge: \n \n ![]( { new_badge . path } ) \n \n { new_badge . name } " )
if ref_user . referral_count > = 10 and not ref_user . has_badge ( 11 ) :
new_badge = Badge ( user_id = ref_user . id , badge_id = 11 )
g . db . add ( new_badge )
g . db . flush ( )
send_notification ( ref_user . id , f " @AutoJanny has given you the following profile badge: \n \n ![]( { new_badge . path } ) \n \n { new_badge . name } " )
if ref_user . referral_count > = 100 and not ref_user . has_badge ( 12 ) :
new_badge = Badge ( user_id = ref_user . id , badge_id = 12 )
g . db . add ( new_badge )
g . db . flush ( )
send_notification ( ref_user . id , f " @AutoJanny has given you the following profile badge: \n \n ![]( { new_badge . path } ) \n \n { new_badge . name } " )
2021-10-15 14:08:27 +00:00
check_for_alts ( new_user . id )
if email : send_verification_email ( new_user )
2021-12-28 08:17:49 +00:00
send_notification ( new_user . id , WELCOME_MSG )
2021-10-15 14:08:27 +00:00
2022-04-02 18:35:16 +00:00
session . permanent = True
2021-12-21 22:28:29 +00:00
session [ " session_id " ] = token_hex ( 49 )
session [ " lo_user " ] = new_user . id
2021-10-15 14:08:27 +00:00
g . db . commit ( )
2022-02-28 00:13:07 +00:00
return redirect ( SITE_FULL )
2021-10-15 14:08:27 +00:00
@app.get ( " /forgot " )
def get_forgot ( ) :
2022-01-07 21:03:14 +00:00
return render_template ( " forgot_password.html " )
2021-10-15 14:08:27 +00:00
@app.post ( " /forgot " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def post_forgot ( ) :
2022-03-27 13:41:19 +00:00
username = request . values . get ( " username " )
if not username : abort ( 400 )
2022-03-02 04:24:36 +00:00
email = request . values . get ( " email " , ' ' ) . strip ( ) . lower ( )
if not email_regex . fullmatch ( email ) :
return render_template ( " forgot_password.html " , error = " Invalid email. " )
2022-03-27 13:41:19 +00:00
username = username . lstrip ( ' @ ' ) . replace ( ' \\ ' , ' ' ) . replace ( ' _ ' , ' \ _ ' ) . replace ( ' % ' , ' ' ) . strip ( )
2022-03-04 22:46:20 +00:00
email = email . replace ( ' \\ ' , ' ' ) . replace ( ' _ ' , ' \ _ ' ) . replace ( ' % ' , ' ' ) . strip ( )
2021-10-15 14:08:27 +00:00
2021-11-06 15:52:48 +00:00
user = g . db . query ( User ) . filter (
2021-10-15 14:08:27 +00:00
User . username . ilike ( username ) ,
2022-01-02 00:06:46 +00:00
User . email . ilike ( email ) ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if user :
now = int ( time . time ( ) )
token = generate_hash ( f " { user . id } + { now } +forgot+ { user . login_nonce } " )
2022-01-24 17:37:37 +00:00
url = f " { SITE_FULL } /reset?id= { user . id } &time= { now } &token= { token } "
2021-10-15 14:08:27 +00:00
send_mail ( to_address = user . email ,
subject = " Password Reset Request " ,
html = render_template ( " email/password_reset.html " ,
action_url = url ,
v = user )
)
2022-01-07 21:03:14 +00:00
return render_template ( " forgot_password.html " ,
2021-10-15 14:08:27 +00:00
msg = " If the username and email matches an account, you will be sent a password reset email. You have ten minutes to complete the password reset process. " )
@app.get ( " /reset " )
def get_reset ( ) :
user_id = request . values . get ( " id " )
2021-12-30 05:43:49 +00:00
2021-10-15 14:08:27 +00:00
timestamp = int ( request . values . get ( " time " , 0 ) )
token = request . values . get ( " token " )
now = int ( time . time ( ) )
if now - timestamp > 600 :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset link expired " ,
error = " That password reset link has expired. " )
2022-01-02 00:06:46 +00:00
user = g . db . query ( User ) . filter_by ( id = user_id ) . one_or_none ( )
2021-12-30 05:43:49 +00:00
2022-01-21 10:44:12 +00:00
if not user : abort ( 400 )
2021-10-15 14:08:27 +00:00
if not validate_hash ( f " { user_id } + { timestamp } +forgot+ { user . login_nonce } " , token ) :
abort ( 400 )
if not user :
abort ( 404 )
reset_token = generate_hash ( f " { user . id } + { timestamp } +reset+ { user . login_nonce } " )
2022-01-07 21:03:14 +00:00
return render_template ( " reset_password.html " ,
2021-10-15 14:08:27 +00:00
v = user ,
token = reset_token ,
time = timestamp ,
)
@app.post ( " /reset " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;30/minute;200/hour;1000/day " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def post_reset ( v ) :
2022-04-02 17:11:35 +00:00
if v : return redirect ( ' / ' )
2021-10-15 14:08:27 +00:00
user_id = request . values . get ( " user_id " )
2021-12-19 02:37:18 +00:00
2021-10-15 14:08:27 +00:00
timestamp = int ( request . values . get ( " time " ) )
token = request . values . get ( " token " )
password = request . values . get ( " password " )
confirm_password = request . values . get ( " confirm_password " )
now = int ( time . time ( ) )
if now - timestamp > 600 :
2022-01-14 12:04:35 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset expired " ,
error = " That password reset form has expired. " )
2022-01-02 00:06:46 +00:00
user = g . db . query ( User ) . filter_by ( id = user_id ) . one_or_none ( )
2021-10-15 14:08:27 +00:00
if not validate_hash ( f " { user_id } + { timestamp } +reset+ { user . login_nonce } " , token ) :
abort ( 400 )
if not user :
abort ( 404 )
2022-01-22 09:58:22 +00:00
if password != confirm_password :
2022-01-14 12:04:35 +00:00
return render_template ( " reset_password.html " ,
2021-10-15 14:08:27 +00:00
v = user ,
token = token ,
time = timestamp ,
error = " Passwords didn ' t match. " )
user . passhash = hash_password ( password )
g . db . add ( user )
g . db . commit ( )
2022-01-14 12:04:35 +00:00
return render_template ( " message_success.html " ,
2021-10-15 14:08:27 +00:00
title = " Password reset successful! " ,
message = " Login normally to access your account. " )
@app.get ( " /lost_2fa " )
2022-01-11 22:03:01 +00:00
@auth_desired
2021-10-15 14:08:27 +00:00
def lost_2fa ( v ) :
return render_template (
" lost_2fa.html " ,
v = v
)
@app.post ( " /request_2fa_disable " )
2022-01-15 06:31:17 +00:00
@limiter.limit ( " 1/second;6/minute;200/hour;1000/day " )
2021-10-15 14:08:27 +00:00
def request_2fa_disable ( ) :
username = request . values . get ( " username " )
user = get_user ( username , graceful = True )
if not user or not user . email or not user . mfa_secret :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
2021-12-20 14:56:47 +00:00
email = request . values . get ( " email " ) . strip ( ) . lower ( )
2021-10-15 14:08:27 +00:00
2022-03-02 04:24:36 +00:00
if not email_regex . fullmatch ( email ) :
return render_template ( " message.html " , title = " Invalid email. " , error = " Invalid email. " )
2021-10-15 14:08:27 +00:00
password = request . values . get ( " password " )
if not user . verifyPass ( password ) :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
valid = int ( time . time ( ) )
token = generate_hash ( f " { user . id } + { user . username } +disable2fa+ { valid } + { user . mfa_secret } + { user . login_nonce } " )
2022-01-24 17:37:37 +00:00
action_url = f " { SITE_FULL } /reset_2fa?id= { user . id } &t= { valid } &token= { token } "
2021-10-15 14:08:27 +00:00
send_mail ( to_address = user . email ,
subject = " 2FA Removal Request " ,
html = render_template ( " email/2fa_remove.html " ,
action_url = action_url ,
v = user )
)
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Removal request received " ,
message = " If username, password, and email match, we will send you an email. " )
@app.get ( " /reset_2fa " )
def reset_2fa ( ) :
now = int ( time . time ( ) )
2022-03-18 18:31:24 +00:00
t = request . values . get ( " t " )
if not t : abort ( 400 )
t = int ( t )
2021-10-15 14:08:27 +00:00
if now > t + 3600 * 24 :
2022-01-07 21:03:14 +00:00
return render_template ( " message.html " ,
2021-10-15 14:08:27 +00:00
title = " Expired Link " ,
error = " That link has expired. " )
token = request . values . get ( " token " )
uid = request . values . get ( " id " )
user = get_account ( uid )
if not validate_hash ( f " { user . id } + { user . username } +disable2fa+ { t } + { user . mfa_secret } + { user . login_nonce } " , token ) :
abort ( 403 )
user . mfa_secret = None
g . db . add ( user )
g . db . commit ( )
2022-01-07 21:03:14 +00:00
return render_template ( " message_success.html " ,
2021-10-15 14:08:27 +00:00
title = " Two-factor authentication removed. " ,
message = " Login normally to access your account. " )