2024-03-27 18:51:52 +00:00
|
|
|
#!/usr/bin/python3
|
2024-03-31 12:38:29 +01:00
|
|
|
import hashlib
|
|
|
|
import base64
|
2024-03-30 19:19:57 +00:00
|
|
|
import jwt
|
2024-03-27 18:51:52 +00:00
|
|
|
import os
|
|
|
|
import sqlite3
|
|
|
|
import time
|
|
|
|
import secrets
|
|
|
|
import configparser
|
|
|
|
import asyncio
|
|
|
|
from hypercorn.config import Config
|
|
|
|
from hypercorn.asyncio import serve
|
|
|
|
from werkzeug.security import generate_password_hash, check_password_hash
|
|
|
|
from quart import Quart, render_template, request, url_for, flash, redirect, session, make_response, send_from_directory, stream_with_context, Response, request
|
2024-04-20 16:13:15 +01:00
|
|
|
from urllib.parse import quote
|
2024-03-27 18:51:52 +00:00
|
|
|
|
|
|
|
# Parse configuration file, and check if anything is wrong with it
|
|
|
|
if not os.path.exists("config.ini"):
|
|
|
|
print("config.ini does not exist")
|
|
|
|
quit(1)
|
|
|
|
|
|
|
|
config = configparser.ConfigParser()
|
|
|
|
config.read("config.ini")
|
|
|
|
|
|
|
|
HOST = config["config"]["HOST"]
|
|
|
|
PORT = config["config"]["PORT"]
|
|
|
|
SECRET_KEY = config["config"]["SECRET_KEY"]
|
|
|
|
MAX_STORAGE = config["config"]["MAX_STORAGE"]
|
|
|
|
|
|
|
|
if SECRET_KEY == "supersecretkey" or SECRET_KEY == "placeholder":
|
|
|
|
print("[WARNING] Secret key not set")
|
|
|
|
|
|
|
|
# Define Quart
|
|
|
|
app = Quart(__name__)
|
|
|
|
app.config["SECRET_KEY"] = SECRET_KEY
|
|
|
|
|
2024-03-31 12:38:29 +01:00
|
|
|
# Hash creation function
|
|
|
|
def sha256_base64(s: str) -> str:
|
|
|
|
hashed = hashlib.sha256(s.encode()).digest()
|
|
|
|
encoded = base64.urlsafe_b64encode(hashed).rstrip(b'=').decode()
|
|
|
|
return encoded
|
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
# Database functions
|
|
|
|
def get_db_connection():
|
|
|
|
conn = sqlite3.connect("database.db")
|
|
|
|
conn.row_factory = sqlite3.Row
|
|
|
|
return conn
|
|
|
|
|
|
|
|
def get_user(id):
|
|
|
|
conn = get_db_connection()
|
|
|
|
post = conn.execute("SELECT * FROM users WHERE id = ?",
|
|
|
|
(id,)).fetchone()
|
|
|
|
conn.close()
|
|
|
|
if post is None:
|
|
|
|
return None
|
|
|
|
return post
|
|
|
|
|
|
|
|
def get_session(id):
|
|
|
|
conn = get_db_connection()
|
|
|
|
post = conn.execute("SELECT * FROM sessions WHERE session = ?",
|
|
|
|
(id,)).fetchone()
|
|
|
|
conn.close()
|
|
|
|
if post is None:
|
|
|
|
return None
|
|
|
|
return post
|
|
|
|
|
|
|
|
def get_session_from_sessionid(id):
|
|
|
|
conn = get_db_connection()
|
|
|
|
post = conn.execute("SELECT * FROM sessions WHERE sessionid = ?",
|
|
|
|
(id,)).fetchone()
|
|
|
|
conn.close()
|
|
|
|
if post is None:
|
|
|
|
return None
|
|
|
|
return post
|
|
|
|
|
|
|
|
def check_username_taken(username):
|
|
|
|
conn = get_db_connection()
|
|
|
|
post = conn.execute("SELECT * FROM users WHERE lower(username) = ?",
|
|
|
|
(username.lower(),)).fetchone()
|
|
|
|
conn.close()
|
|
|
|
if post is None:
|
|
|
|
return None
|
|
|
|
return post["id"]
|
|
|
|
|
2024-03-29 11:54:15 +00:00
|
|
|
async def oauth2_token_refresh(openid, appId):
|
2024-04-18 17:04:50 +01:00
|
|
|
refreshes = 0
|
2024-04-18 17:08:44 +01:00
|
|
|
nextopenid = "nil"
|
2024-04-18 17:04:50 +01:00
|
|
|
while refreshes != 720:
|
2024-03-30 19:53:07 +00:00
|
|
|
await asyncio.sleep(3600)
|
2024-04-18 17:04:50 +01:00
|
|
|
refreshes = refreshes + 1
|
2024-03-28 17:07:30 +00:00
|
|
|
conn = get_db_connection()
|
2024-03-30 09:04:11 +00:00
|
|
|
|
|
|
|
# Fetch required data in a single query
|
2024-03-30 19:41:00 +00:00
|
|
|
login_data = conn.execute("SELECT nextcode, nextsecret, nextopenid, creator FROM logins WHERE appId = ? AND openid = ?", (str(appId), str(openid))).fetchone()
|
|
|
|
|
|
|
|
user = get_user(int(login_data[3]))
|
2024-03-30 19:19:57 +00:00
|
|
|
|
|
|
|
datatemplate = {
|
|
|
|
"sub": user["username"],
|
|
|
|
"iss": "https://auth.hectabit.org",
|
|
|
|
"name": user["username"],
|
|
|
|
"aud": appId,
|
|
|
|
"exp": time.time() + 3600,
|
|
|
|
"iat": time.time(),
|
|
|
|
"auth_time": time.time(),
|
|
|
|
"nonce": str(secrets.token_hex(512))
|
|
|
|
}
|
|
|
|
|
|
|
|
jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')
|
2024-03-30 09:04:11 +00:00
|
|
|
|
|
|
|
if login_data:
|
|
|
|
nextcode = login_data[0]
|
|
|
|
nextsecret = login_data[1]
|
2024-03-30 19:19:57 +00:00
|
|
|
nextopenid = login_data[2]
|
|
|
|
conn.execute("UPDATE logins SET code = ?, nextcode = ?, secret = ?, nextsecret = ?, openid = ?, nextopenid = ? WHERE appId = ? AND openid = ?", (nextcode, str(secrets.token_hex(512)), nextsecret, str(secrets.token_hex(512)), nextopenid, str(jwt_token), str(appId), str(openid)))
|
2024-03-30 09:04:11 +00:00
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
else:
|
|
|
|
conn.close()
|
2024-04-18 17:08:44 +01:00
|
|
|
break
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("DELETE FROM logins WHERE appId = ? AND openid = ?", (appId, nextopenid))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
# Finally, rest.
|
2024-03-28 17:07:30 +00:00
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
# Disable CORS
|
|
|
|
@app.after_request
|
|
|
|
async def add_cors_headers(response):
|
|
|
|
response.headers.add("Access-Control-Allow-Origin", "*")
|
|
|
|
response.headers.add("Access-Control-Allow-Headers", "*")
|
|
|
|
response.headers.add("Access-Control-Allow-Methods", "*")
|
|
|
|
return response
|
|
|
|
|
|
|
|
@app.route("/api/version", methods=("GET", "POST"))
|
|
|
|
async def apiversion():
|
|
|
|
return "Burgerauth Version 1.2"
|
|
|
|
|
|
|
|
@app.route("/api/signup", methods=("GET", "POST"))
|
|
|
|
async def apisignup():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
username = data["username"]
|
|
|
|
password = data["password"]
|
|
|
|
|
|
|
|
if username == "":
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
if len(username) > 20:
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
if not username.isalnum():
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
if password == "":
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
if len(password) < 14:
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
if not check_username_taken(username) == None:
|
|
|
|
return {}, 409
|
|
|
|
|
|
|
|
hashedpassword = generate_password_hash(password)
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("INSERT INTO users (username, password, created) VALUES (?, ?, ?)",
|
|
|
|
(username, hashedpassword, str(time.time())))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
userID = check_username_taken(username)
|
|
|
|
user = get_user(userID)
|
|
|
|
|
|
|
|
randomCharacters = secrets.token_hex(512)
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
|
|
|
|
(randomCharacters, userID, request.headers.get("user-agent")))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
return {
|
|
|
|
"key": randomCharacters
|
|
|
|
}, 200
|
|
|
|
|
|
|
|
@app.route("/api/login", methods=("GET", "POST"))
|
|
|
|
async def apilogin():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
username = data["username"]
|
|
|
|
password = data["password"]
|
|
|
|
passwordchange = data["passwordchange"]
|
|
|
|
newpass = data["newpass"]
|
|
|
|
|
|
|
|
check_username_thing = check_username_taken(username)
|
|
|
|
|
|
|
|
if check_username_thing == None:
|
|
|
|
return {}, 401
|
|
|
|
|
|
|
|
userID = check_username_taken(username)
|
|
|
|
user = get_user(userID)
|
|
|
|
|
|
|
|
if not check_password_hash(user["password"], (password)):
|
|
|
|
return {}, 401
|
|
|
|
|
|
|
|
randomCharacters = secrets.token_hex(512)
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
|
|
|
|
(randomCharacters, userID, request.headers.get("user-agent")))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
if passwordchange == "yes":
|
|
|
|
hashedpassword = generate_password_hash(newpass)
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
return {
|
|
|
|
"key": randomCharacters,
|
|
|
|
}, 200
|
|
|
|
|
|
|
|
|
|
|
|
@app.route("/api/userinfo", methods=("GET", "POST"))
|
|
|
|
async def apiuserinfo():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
datatemplate = {
|
|
|
|
"username": user["username"],
|
|
|
|
"id": user["id"],
|
|
|
|
"created": user["created"]
|
|
|
|
}
|
|
|
|
return datatemplate
|
|
|
|
|
2024-03-28 17:51:21 +00:00
|
|
|
@app.route("/userinfo", methods=("GET", "POST"))
|
|
|
|
async def apiopeniduserinfo():
|
|
|
|
if request.method == "GET":
|
|
|
|
access_token = request.headers.get('Authorization').split(' ')[1]
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
2024-03-30 19:57:31 +00:00
|
|
|
userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()[0])
|
2024-03-28 17:51:21 +00:00
|
|
|
user = get_user(userid)
|
|
|
|
|
2024-03-30 19:44:52 +00:00
|
|
|
conn.close()
|
|
|
|
|
2024-03-28 17:51:21 +00:00
|
|
|
datatemplate = {
|
|
|
|
"sub": user["username"],
|
|
|
|
"name": user["username"]
|
|
|
|
}
|
2024-03-30 19:44:52 +00:00
|
|
|
|
2024-03-28 17:51:21 +00:00
|
|
|
return datatemplate
|
|
|
|
|
2024-04-18 13:15:51 +01:00
|
|
|
@app.route("/api/auth")
|
2024-03-27 18:51:52 +00:00
|
|
|
async def apiauthenticate():
|
2024-04-18 08:52:59 +01:00
|
|
|
if request.method == "GET":
|
2024-04-18 16:38:20 +01:00
|
|
|
secretKey = request.cookies.get("key")
|
|
|
|
appId = request.args.get("client_id")
|
|
|
|
code = request.args.get("code_challenge")
|
|
|
|
codemethod = request.args.get("code_challenge_method")
|
|
|
|
redirect_uri = request.args.get("redirect_uri")
|
|
|
|
state = request.args.get("state")
|
2024-03-27 18:51:52 +00:00
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
conn = get_db_connection()
|
2024-03-28 17:07:30 +00:00
|
|
|
secretkey = str(secrets.token_hex(512))
|
|
|
|
|
2024-03-29 11:02:22 +00:00
|
|
|
appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
|
2024-03-28 18:03:49 +00:00
|
|
|
if not str(appidcheck) == str(appId):
|
2024-04-20 16:13:15 +01:00
|
|
|
return "AppID is invalid", 401
|
2024-03-28 17:07:30 +00:00
|
|
|
|
2024-04-18 16:42:13 +01:00
|
|
|
rdircheck = str(conn.execute("SELECT rdiruri FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
|
2024-04-20 16:13:15 +01:00
|
|
|
if not str(rdircheck) == str(quote(redirect_uri)):
|
|
|
|
return str(str(quote(redirect_uri)) + " is not " + str(rdircheck)), 401
|
2024-04-18 16:42:13 +01:00
|
|
|
|
2024-03-30 19:19:57 +00:00
|
|
|
datatemplate = {
|
|
|
|
"sub": user["username"],
|
|
|
|
"iss": "https://auth.hectabit.org",
|
|
|
|
"name": user["username"],
|
|
|
|
"aud": appId,
|
|
|
|
"exp": time.time() + 3600,
|
|
|
|
"iat": time.time(),
|
|
|
|
"auth_time": time.time(),
|
|
|
|
"nonce": str(secrets.token_hex(512))
|
|
|
|
}
|
|
|
|
|
|
|
|
jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')
|
|
|
|
|
2024-03-30 19:37:08 +00:00
|
|
|
datatemplate2 = {
|
|
|
|
"sub": user["username"],
|
|
|
|
"iss": "https://auth.hectabit.org",
|
|
|
|
"name": user["username"],
|
|
|
|
"aud": appId,
|
|
|
|
"exp": time.time() + 7200,
|
|
|
|
"iat": time.time() + 3600,
|
|
|
|
"auth_time": time.time(),
|
|
|
|
"nonce": str(secrets.token_hex(512))
|
|
|
|
}
|
|
|
|
|
|
|
|
nextjwt_token = jwt.encode(datatemplate2, SECRET_KEY, algorithm='HS256')
|
|
|
|
|
2024-03-31 12:38:29 +01:00
|
|
|
conn.execute("INSERT INTO logins (appId, secret, nextsecret, code, nextcode, creator, openid, nextopenid, pkce, pkcemethod) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
|
|
|
|
(str(appId), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(jwt_token), str(nextjwt_token), str(code), str(codemethod)))
|
2024-03-29 11:02:22 +00:00
|
|
|
|
2024-03-28 17:07:30 +00:00
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
2024-03-27 19:19:00 +00:00
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
if secretkey:
|
2024-04-18 16:38:20 +01:00
|
|
|
return redirect(redirect_uri + "?code=" + secretkey + "&state=" + state), 302
|
2024-03-27 18:51:52 +00:00
|
|
|
else:
|
|
|
|
return {}, 400
|
|
|
|
|
2024-03-28 17:07:30 +00:00
|
|
|
@app.route("/api/tokenauth", methods=("GET", "POST"))
|
|
|
|
async def apitokenexchange():
|
|
|
|
if request.method == "POST":
|
2024-03-29 11:02:22 +00:00
|
|
|
data = await request.form
|
2024-03-28 17:07:30 +00:00
|
|
|
appId = data["client_id"]
|
|
|
|
code = data["code"]
|
|
|
|
|
2024-03-31 12:38:29 +01:00
|
|
|
if "code_verifier" in data:
|
|
|
|
code_verify = data["code_verifier"]
|
2024-03-31 12:40:31 +01:00
|
|
|
verifycode = True
|
2024-03-31 12:38:29 +01:00
|
|
|
else:
|
2024-03-31 13:01:41 +01:00
|
|
|
secret = data["client_secret"]
|
2024-03-31 12:40:31 +01:00
|
|
|
verifycode = False
|
2024-03-31 12:38:29 +01:00
|
|
|
|
2024-03-28 17:07:30 +00:00
|
|
|
conn = get_db_connection()
|
|
|
|
|
2024-03-30 09:04:11 +00:00
|
|
|
# Fetch required data in a single query
|
2024-03-31 12:42:38 +01:00
|
|
|
oauth_data = conn.execute("SELECT appId, secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()
|
2024-03-31 13:01:41 +01:00
|
|
|
if not oauth_data or oauth_data["appId"] != appId:
|
2024-03-28 17:07:30 +00:00
|
|
|
return {}, 401
|
|
|
|
|
2024-03-31 12:42:38 +01:00
|
|
|
login_data = conn.execute("SELECT openid, code, pkce, pkcemethod FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()
|
|
|
|
|
2024-03-31 12:38:29 +01:00
|
|
|
if verifycode:
|
2024-03-31 12:42:38 +01:00
|
|
|
if str(login_data["pkce"]) == "none":
|
2024-03-31 13:24:09 +01:00
|
|
|
return {}, 400
|
2024-03-31 12:38:29 +01:00
|
|
|
else:
|
2024-03-31 12:42:38 +01:00
|
|
|
if str(login_data["pkcemethod"]) == "S256":
|
2024-03-31 13:24:09 +01:00
|
|
|
if str(sha256_base64(code_verify)) != str(login_data["pkce"]):
|
|
|
|
return {}, 403
|
2024-03-31 12:42:38 +01:00
|
|
|
elif str(login_data["pkcemethod"]) == "plain":
|
2024-03-31 13:24:09 +01:00
|
|
|
if str(code_verify) != str(login_data["pkce"]):
|
|
|
|
return {}, 403
|
2024-03-31 12:38:29 +01:00
|
|
|
else:
|
2024-03-31 13:24:09 +01:00
|
|
|
return {}, 501
|
2024-03-31 13:01:41 +01:00
|
|
|
else:
|
2024-03-31 13:01:43 +01:00
|
|
|
if not oauth_data["secret"] == secret:
|
2024-03-31 13:01:41 +01:00
|
|
|
return {}, 401
|
2024-03-31 12:38:29 +01:00
|
|
|
|
2024-03-29 11:02:22 +00:00
|
|
|
newkey = str(secrets.token_hex(512))
|
2024-03-31 13:24:09 +01:00
|
|
|
conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(code)))
|
2024-03-29 11:02:22 +00:00
|
|
|
|
2024-03-30 19:44:52 +00:00
|
|
|
conn.close()
|
|
|
|
|
2024-03-30 09:04:11 +00:00
|
|
|
if login_data:
|
|
|
|
access_token = {
|
|
|
|
"access_token": str(login_data["code"]),
|
|
|
|
"token_type": "bearer",
|
|
|
|
"expires_in": 3600,
|
|
|
|
"refresh_token": newkey,
|
|
|
|
"id_token": str(login_data["openid"])
|
|
|
|
}
|
|
|
|
asyncio.create_task(oauth2_token_refresh(login_data["openid"], appId))
|
2024-03-28 17:07:30 +00:00
|
|
|
return access_token, 200
|
|
|
|
else:
|
|
|
|
return {}, 400
|
|
|
|
|
2024-04-02 16:57:19 +01:00
|
|
|
@app.route("/api/deleteauth", methods=("GET", "POST"))
|
|
|
|
async def apideleteauth():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
appId = data["appId"]
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
2024-04-02 16:56:03 +01:00
|
|
|
|
2024-04-02 16:57:19 +01:00
|
|
|
try:
|
2024-04-02 18:25:49 +01:00
|
|
|
conn.execute("DELETE FROM oauth WHERE appId = ? AND creator = ?", (str(appId), int(user["id"])))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
2024-04-02 16:57:19 +01:00
|
|
|
except:
|
2024-04-02 18:25:49 +01:00
|
|
|
return {}, 400
|
2024-04-02 16:57:19 +01:00
|
|
|
else:
|
2024-04-02 18:25:49 +01:00
|
|
|
return {}, 200
|
2024-04-02 16:57:19 +01:00
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
@app.route("/api/newauth", methods=("GET", "POST"))
|
|
|
|
async def apicreateauth():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
appId = data["appId"]
|
|
|
|
secretKey = data["secretKey"]
|
2024-03-28 17:07:30 +00:00
|
|
|
secret = str(secrets.token_hex(512))
|
2024-04-18 16:42:13 +01:00
|
|
|
rdiruri = data["rdiruri"]
|
2024-03-28 17:55:01 +00:00
|
|
|
conn = get_db_connection()
|
2024-03-28 17:07:30 +00:00
|
|
|
while True:
|
2024-03-29 11:54:15 +00:00
|
|
|
try:
|
|
|
|
conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()[0]
|
|
|
|
except:
|
2024-03-28 17:07:30 +00:00
|
|
|
break
|
|
|
|
else:
|
|
|
|
secret = str(secrets.token_hex(512))
|
|
|
|
continue
|
|
|
|
|
2024-03-29 11:54:15 +00:00
|
|
|
try:
|
|
|
|
conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]
|
|
|
|
except:
|
|
|
|
print("New Oauth added with ID", appId)
|
|
|
|
else:
|
2024-04-02 18:25:49 +01:00
|
|
|
return {}, 401
|
2024-03-27 18:51:52 +00:00
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
2024-04-18 16:42:13 +01:00
|
|
|
conn.execute("INSERT INTO oauth (appId, creator, secret, rdiruri) VALUES (?, ?, ?, ?)",
|
2024-04-20 16:13:15 +01:00
|
|
|
(str(appId),int(user["id"]),str(secret),str(quote(rdiruri))))
|
2024-03-27 18:51:52 +00:00
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
2024-03-27 19:19:00 +00:00
|
|
|
secretkey = {
|
|
|
|
"key": secret
|
|
|
|
}
|
|
|
|
return secretkey, 200
|
2024-03-27 18:51:52 +00:00
|
|
|
|
2024-04-02 16:57:19 +01:00
|
|
|
@app.route("/api/listauth", methods=("GET", "POST"))
|
|
|
|
async def apiauthlist():
|
2024-03-27 18:51:52 +00:00
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
2024-04-02 17:35:35 +01:00
|
|
|
oauths = conn.execute("SELECT * FROM oauth WHERE creator = ? ORDER BY creator DESC;", (user["id"],)).fetchall()
|
2024-03-27 18:51:52 +00:00
|
|
|
conn.close()
|
|
|
|
|
2024-04-02 16:57:19 +01:00
|
|
|
datatemplate = []
|
|
|
|
|
|
|
|
for i in oauths:
|
|
|
|
template = {
|
|
|
|
"appId": i["appId"]
|
|
|
|
}
|
|
|
|
datatemplate.append(template)
|
|
|
|
|
|
|
|
return datatemplate, 200
|
|
|
|
|
|
|
|
@app.route("/api/deleteaccount", methods=("GET", "POST"))
|
|
|
|
async def apideleteaccount():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
conn = get_db_connection()
|
2024-04-02 16:57:19 +01:00
|
|
|
try:
|
|
|
|
conn.execute("DELETE FROM userdata WHERE creator = ?", (userCookie["id"],))
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
pass
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn.execute("DELETE FROM logins WHERE creator = ?", (userCookie["id"],))
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
pass
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn.execute("DELETE FROM oauth WHERE creator = ?", (userCookie["id"],))
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
pass
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn.execute("DELETE FROM users WHERE id = ?", (userCookie["id"],))
|
|
|
|
except:
|
|
|
|
return {}, 400
|
|
|
|
else:
|
|
|
|
pass
|
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
return {}, 200
|
|
|
|
|
|
|
|
@app.route("/api/sessions/list", methods=("GET", "POST"))
|
|
|
|
async def apisessionslist():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
|
|
|
conn = get_db_connection()
|
|
|
|
sessions = conn.execute("SELECT * FROM sessions WHERE id = ? ORDER BY id DESC;", (user["id"],)).fetchall()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
datatemplate = []
|
|
|
|
|
|
|
|
for x in sessions:
|
|
|
|
device = x["device"]
|
|
|
|
thisSession = False
|
|
|
|
if (x["session"] == secretKey):
|
|
|
|
thisSession = True
|
|
|
|
sessiontemplate = {
|
|
|
|
"id": x["sessionid"],
|
|
|
|
"thisSession": thisSession,
|
|
|
|
"device": device
|
|
|
|
}
|
|
|
|
datatemplate.append(sessiontemplate)
|
|
|
|
|
|
|
|
return datatemplate, 200
|
|
|
|
|
|
|
|
@app.route("/api/sessions/remove", methods=("GET", "POST"))
|
|
|
|
async def apisessionsremove():
|
|
|
|
if request.method == "POST":
|
|
|
|
data = await request.get_json()
|
|
|
|
secretKey = data["secretKey"]
|
|
|
|
sessionId = data["sessionId"]
|
|
|
|
|
|
|
|
userCookie = get_session(secretKey)
|
|
|
|
user = get_user(userCookie["id"])
|
|
|
|
|
|
|
|
session = get_session_from_sessionid(sessionId)
|
|
|
|
|
|
|
|
if (session != None):
|
|
|
|
if (user["id"] == session["id"]):
|
|
|
|
conn = get_db_connection()
|
|
|
|
conn.execute("DELETE FROM sessions WHERE sessionid = ?", (session["sessionid"],))
|
|
|
|
conn.commit()
|
|
|
|
conn.close()
|
|
|
|
|
|
|
|
return {}, 200
|
|
|
|
else:
|
|
|
|
return {}, 403
|
|
|
|
else:
|
|
|
|
return {}, 422
|
|
|
|
|
|
|
|
|
|
|
|
@app.route("/listusers/<secretkey>", methods=("GET", "POST"))
|
|
|
|
def listusers(secretkey):
|
|
|
|
if secretkey == SECRET_KEY:
|
|
|
|
conn = get_db_connection()
|
|
|
|
users = conn.execute("SELECT * FROM users").fetchall()
|
|
|
|
conn.close()
|
|
|
|
thing = ""
|
|
|
|
for x in users:
|
|
|
|
thing = str(x["id"]) + " - " + x["username"] + " - " + str(get_space(x["id"])) + "<br>" + thing
|
|
|
|
|
|
|
|
return thing
|
|
|
|
else:
|
|
|
|
return redirect("/")
|
|
|
|
|
|
|
|
@app.errorhandler(500)
|
|
|
|
async def burger(e):
|
|
|
|
return {}, 500
|
|
|
|
|
|
|
|
@app.errorhandler(404)
|
|
|
|
async def burger(e):
|
|
|
|
return {}, 404
|
|
|
|
|
|
|
|
@app.route("/")
|
|
|
|
async def index():
|
|
|
|
return redirect("/login", code=302)
|
|
|
|
|
|
|
|
@app.route("/login")
|
|
|
|
async def login():
|
|
|
|
return await render_template("login.html")
|
|
|
|
|
|
|
|
@app.route("/signup")
|
|
|
|
async def signup():
|
|
|
|
return await render_template("signup.html")
|
|
|
|
|
|
|
|
@app.route("/logout")
|
|
|
|
async def logout():
|
|
|
|
return await render_template("logout.html")
|
|
|
|
|
|
|
|
@app.route("/app")
|
|
|
|
async def mainapp():
|
|
|
|
return await render_template("main.html")
|
|
|
|
|
2024-04-02 18:31:06 +01:00
|
|
|
@app.route("/dashboard")
|
|
|
|
async def dashboard():
|
|
|
|
return await render_template("dashboard.html")
|
|
|
|
|
2024-03-28 18:13:24 +00:00
|
|
|
@app.route("/.well-known/openid-configuration")
|
|
|
|
async def openid():
|
|
|
|
return await render_template("openid.json")
|
|
|
|
|
2024-03-27 18:51:52 +00:00
|
|
|
# Start server
|
|
|
|
hypercornconfig = Config()
|
|
|
|
hypercornconfig.bind = (HOST + ":" + PORT)
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
print("[INFO] Server started")
|
|
|
|
asyncio.run(serve(app, hypercornconfig))
|
|
|
|
print("[INFO] Server stopped")
|