canaille-globuzma/canaille/account.py

import base64
import email.message
import hashlib
import logging
import smtplib
import urllib.request

from flask import Blueprint, request, flash, url_for, current_app
from flask import render_template, redirect
from flask_babel import gettext as _

from .forms import LoginForm, ProfileForm, PasswordResetForm, ForgottenPasswordForm
from .flaskutils import current_user, user_needed
from .models import User


bp = Blueprint(__name__, "home")


@bp.route("/")
def index():
    if not current_user():
        return redirect(url_for("canaille.account.login"))
    return redirect(url_for("canaille.account.profile"))


@bp.route("/login", methods=("GET", "POST"))
def login():
    form = LoginForm(request.form or None)

    if request.form:
        if not form.validate() or not User.authenticate(
            form.login.data, form.password.data, True
        ):
            flash(_("Login failed, please check your information"), "error")
            return render_template("login.html", form=form)

        return redirect(url_for("canaille.account.index"))

    return render_template("login.html", form=form)


@bp.route("/logout")
def logout():
    if current_user():
        current_user().logout()
    return redirect("/")


@bp.route("/profile", methods=("GET", "POST"))
@user_needed()
def profile(user):
    claims = current_app.config["JWT"]["MAPPING"]
    data = {
        k.lower(): getattr(user, v)[0]
        if getattr(user, v) and isinstance(getattr(user, v), list)
        else getattr(user, v) or ""
        for k, v in claims.items()
    }
    form = ProfileForm(request.form or None, data=data)
    form.sub.render_kw["readonly"] = "true"

    if request.form:
        if not form.validate():
            flash(_("Profile edition failed."), "error")

        else:
            for attribute in form:
                model_attribute_name = claims.get(attribute.name.upper())
                if not model_attribute_name or not hasattr(user, model_attribute_name):
                    continue

                user[model_attribute_name] = [attribute.data]

            if not form.password1.data or user.set_password(form.password1.data):
                flash(_("Profile updated successfuly."), "success")

            user.save()

    return render_template("profile.html", form=form, menuitem="profile")


def profile_hash(user, password):
    return hashlib.sha256(
        current_app.config["SECRET_KEY"].encode("utf-8")
        + user.encode("utf-8")
        + password.encode("utf-8")
    ).hexdigest()


@bp.route("/reset", methods=["GET", "POST"])
def forgotten():
    form = ForgottenPasswordForm(request.form)
    if not request.form:
        return render_template("forgotten-password.html", form=form)

    if not form.validate():
        flash(_("Could not send the password reset link."), "error")
        return render_template("forgotten-password.html", form=form)

    user = User.get(form.login.data)

    if not user:
        flash(
            _("A password reset link has been sent at your email address."), "success"
        )
        return render_template("forgotten-password.html", form=form)

    recipient = user.mail
    base_url = url_for("canaille.account.index", _external=True)
    reset_url = url_for(
        "canaille.account.reset",
        uid=user.uid[0],
        hash=profile_hash(user.uid[0], user.userPassword[0]),
        _external=True,
    )
    logo = None
    logo_extension = None
    if current_app.config.get("LOGO"):
        logo_extension = current_app.config["LOGO"].split(".")[-1]
        try:
            with urllib.request.urlopen(current_app.config.get("LOGO")) as f:
                logo = base64.b64encode(f.read()).decode("utf-8")
        except (urllib.error.HTTPError, urllib.error.URLError):
            pass

    subject = _("Password reset on {website_name}").format(
        website_name=current_app.config.get("NAME", reset_url)
    )

    text_body = render_template(
        "mail/reset.txt",
        site_name=current_app.config.get("NAME", reset_url),
        site_url=base_url,
        reset_url=reset_url,
    )
    html_body = render_template(
        "mail/reset.html",
        site_name=current_app.config.get("NAME", reset_url),
        site_url=base_url,
        reset_url=reset_url,
        logo=logo,
        logo_extension=logo_extension,
    )

    msg = email.message.EmailMessage()
    msg.set_content(text_body)
    msg.add_alternative(html_body, subtype="html")
    msg["Subject"] = subject
    msg["From"] = current_app.config["SMTP"]["FROM_ADDR"]
    msg["To"] = recipient

    success = True
    try:
        with smtplib.SMTP(
            host=current_app.config["SMTP"]["HOST"],
            port=current_app.config["SMTP"]["PORT"],
        ) as smtp:
            if current_app.config["SMTP"].get("TLS"):
                smtp.starttls()
            if current_app.config["SMTP"].get("LOGIN"):
                smtp.login(
                    user=current_app.config["SMTP"]["LOGIN"],
                    password=current_app.config["SMTP"].get("PASSWORD"),
                )
            smtp.send_message(msg)

    except smtplib.SMTPRecipientsRefused:
        pass

    except OSError:
        flash(_("Could not reset your password"), "error")
        logging.exception("Could not send password reset email")
        success = False

    if success:
        flash(
            _("A password reset link has been sent at your email address."), "success"
        )

    return render_template("forgotten-password.html", form=form)


@bp.route("/reset/<uid>/<hash>", methods=["GET", "POST"])
def reset(uid, hash):
    form = PasswordResetForm(request.form)
    user = User.get(uid)

    if not user or hash != profile_hash(user.uid[0], user.userPassword[0]):
        flash(
            _("The password reset link that brought you here was invalid."),
            "error",
        )
        return redirect(url_for("canaille.account.index"))

    if request.form and form.validate():
        user.set_password(form.password.data)
        user.login()

        flash(_("Your password has been updated successfuly"), "success")
        return redirect(url_for("canaille.account.profile", user_id=uid))

    return render_template("reset-password.html", form=form, uid=uid, hash=hash)
Base64 logo in emails. Fixes #26 2020-10-29 11:59:18 +00:00			`import base64`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`import email.message`
			`import hashlib`
Minor fixes 2020-10-29 12:43:53 +00:00			`import logging`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`import smtplib`
Base64 logo in emails. Fixes #26 2020-10-29 11:59:18 +00:00			`import urllib.request`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
Simple profile edition form 2020-10-20 09:44:45 +00:00			`from flask import Blueprint, request, flash, url_for, current_app`
			`from flask import render_template, redirect`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`from flask_babel import gettext as _`
Admin login 2020-08-19 14:20:57 +00:00
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`from .forms import LoginForm, ProfileForm, PasswordResetForm, ForgottenPasswordForm`
Simple profile edition form 2020-10-20 09:44:45 +00:00			`from .flaskutils import current_user, user_needed`
Admin login 2020-08-19 14:20:57 +00:00			`from .models import User`
draft 2020-08-14 11:18:08 +00:00

Fixed password flow 2020-08-16 17:39:14 +00:00			`bp = Blueprint(__name__, "home")`
draft 2020-08-14 11:18:08 +00:00

Admin login 2020-08-19 14:20:57 +00:00			`@bp.route("/")`
			`def index():`
			`if not current_user():`
Renamed the project 'canaille' 2020-10-21 12:04:40 +00:00			`return redirect(url_for("canaille.account.login"))`
			`return redirect(url_for("canaille.account.profile"))`
Admin login 2020-08-19 14:20:57 +00:00

			`@bp.route("/login", methods=("GET", "POST"))`
			`def login():`
			`form = LoginForm(request.form or None)`
wip 2020-08-14 13:26:14 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`if request.form:`
User refactoring 2020-08-21 08:23:39 +00:00			`if not form.validate() or not User.authenticate(`
			`form.login.data, form.password.data, True`
			`):`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`flash(_("Login failed, please check your information"), "error")`
Admin login 2020-08-19 14:20:57 +00:00			`return render_template("login.html", form=form)`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00
Renamed the project 'canaille' 2020-10-21 12:04:40 +00:00			`return redirect(url_for("canaille.account.index"))`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`return render_template("login.html", form=form)`
draft 2020-08-14 11:18:08 +00:00
Fixed password flow 2020-08-16 17:39:14 +00:00
			`@bp.route("/logout")`
wip 2020-08-14 13:26:14 +00:00			`def logout():`
User refactoring 2020-08-21 08:23:39 +00:00			`if current_user():`
			`current_user().logout()`
Fixed password flow 2020-08-16 17:39:14 +00:00			`return redirect("/")`
Simple profile edition form 2020-10-20 09:44:45 +00:00

			`@bp.route("/profile", methods=("GET", "POST"))`
			`@user_needed()`
			`def profile(user):`
			`claims = current_app.config["JWT"]["MAPPING"]`
			`data = {`
			`k.lower(): getattr(user, v)[0]`
			`if getattr(user, v) and isinstance(getattr(user, v), list)`
			`else getattr(user, v) or ""`
			`for k, v in claims.items()`
			`}`
			`form = ProfileForm(request.form or None, data=data)`
Minor profile form improvement 2020-10-30 19:22:31 +00:00			`form.sub.render_kw["readonly"] = "true"`
Password edition in user profile 2020-10-21 08:26:31 +00:00
Simple profile edition form 2020-10-20 09:44:45 +00:00			`if request.form:`
			`if not form.validate():`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`flash(_("Profile edition failed."), "error")`
Simple profile edition form 2020-10-20 09:44:45 +00:00
			`else:`
			`for attribute in form:`
			`model_attribute_name = claims.get(attribute.name.upper())`
			`if not model_attribute_name or not hasattr(user, model_attribute_name):`
			`continue`

			`user[model_attribute_name] = [attribute.data]`

Password edition in user profile 2020-10-21 08:26:31 +00:00			`if not form.password1.data or user.set_password(form.password1.data):`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`flash(_("Profile updated successfuly."), "success")`
Password edition in user profile 2020-10-21 08:26:31 +00:00
Simple profile edition form 2020-10-20 09:44:45 +00:00			`user.save()`

Menu items activity 2020-10-21 10:14:35 +00:00			`return render_template("profile.html", form=form, menuitem="profile")`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00

			`def profile_hash(user, password):`
			`return hashlib.sha256(`
			`current_app.config["SECRET_KEY"].encode("utf-8")`
			`+ user.encode("utf-8")`
			`+ password.encode("utf-8")`
			`).hexdigest()`


			`@bp.route("/reset", methods=["GET", "POST"])`
			`def forgotten():`
			`form = ForgottenPasswordForm(request.form)`
			`if not request.form:`
			`return render_template("forgotten-password.html", form=form)`

			`if not form.validate():`
			`flash(_("Could not send the password reset link."), "error")`
			`return render_template("forgotten-password.html", form=form)`

			`user = User.get(form.login.data)`

			`if not user:`
			`flash(`
			`_("A password reset link has been sent at your email address."), "success"`
			`)`
			`return render_template("forgotten-password.html", form=form)`

			`recipient = user.mail`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`base_url = url_for("canaille.account.index", _external=True)`
			`reset_url = url_for(`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`"canaille.account.reset",`
Fixed password reset link 2020-10-29 08:37:19 +00:00			`uid=user.uid[0],`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`hash=profile_hash(user.uid[0], user.userPassword[0]),`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`_external=True,`
			`)`
Base64 logo in emails. Fixes #26 2020-10-29 11:59:18 +00:00			`logo = None`
			`logo_extension = None`
			`if current_app.config.get("LOGO"):`
			`logo_extension = current_app.config["LOGO"].split(".")[-1]`
			`try:`
			`with urllib.request.urlopen(current_app.config.get("LOGO")) as f:`
			`logo = base64.b64encode(f.read()).decode("utf-8")`
			`except (urllib.error.HTTPError, urllib.error.URLError):`
			`pass`

Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`subject = _("Password reset on {website_name}").format(`
HTML password recovery email. Fixes #14 2020-10-29 11:00:19 +00:00			`website_name=current_app.config.get("NAME", reset_url)`
			`)`

			`text_body = render_template(`
			`"mail/reset.txt",`
			`site_name=current_app.config.get("NAME", reset_url),`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`site_url=base_url,`
HTML password recovery email. Fixes #14 2020-10-29 11:00:19 +00:00			`reset_url=reset_url,`
			`)`
			`html_body = render_template(`
			`"mail/reset.html",`
			`site_name=current_app.config.get("NAME", reset_url),`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`site_url=base_url,`
HTML password recovery email. Fixes #14 2020-10-29 11:00:19 +00:00			`reset_url=reset_url,`
Base64 logo in emails. Fixes #26 2020-10-29 11:59:18 +00:00			`logo=logo,`
			`logo_extension=logo_extension,`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`)`

			`msg = email.message.EmailMessage()`
			`msg.set_content(text_body)`
HTML password recovery email. Fixes #14 2020-10-29 11:00:19 +00:00			`msg.add_alternative(html_body, subtype="html")`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`msg["Subject"] = subject`
			`msg["From"] = current_app.config["SMTP"]["FROM_ADDR"]`
			`msg["To"] = recipient`

			`success = True`
			`try:`
			`with smtplib.SMTP(`
			`host=current_app.config["SMTP"]["HOST"],`
			`port=current_app.config["SMTP"]["PORT"],`
			`) as smtp:`
			`if current_app.config["SMTP"].get("TLS"):`
			`smtp.starttls()`
			`if current_app.config["SMTP"].get("LOGIN"):`
			`smtp.login(`
			`user=current_app.config["SMTP"]["LOGIN"],`
			`password=current_app.config["SMTP"].get("PASSWORD"),`
			`)`
			`smtp.send_message(msg)`

			`except smtplib.SMTPRecipientsRefused:`
			`pass`

			`except OSError:`
			`flash(_("Could not reset your password"), "error")`
Minor fixes 2020-10-29 12:43:53 +00:00			`logging.exception("Could not send password reset email")`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`success = False`

			`if success:`
			`flash(`
			`_("A password reset link has been sent at your email address."), "success"`
			`)`

			`return render_template("forgotten-password.html", form=form)`


			`@bp.route("/reset/<uid>/<hash>", methods=["GET", "POST"])`
			`def reset(uid, hash):`
			`form = PasswordResetForm(request.form)`
			`user = User.get(uid)`

			`if not user or hash != profile_hash(user.uid[0], user.userPassword[0]):`
			`flash(`
			`_("The password reset link that brought you here was invalid."),`
			`"error",`
			`)`
			`return redirect(url_for("canaille.account.index"))`

			`if request.form and form.validate():`
			`user.set_password(form.password.data)`
			`user.login()`

			`flash(_("Your password has been updated successfuly"), "success")`
			`return redirect(url_for("canaille.account.profile", user_id=uid))`

			`return render_template("reset-password.html", form=form, uid=uid, hash=hash)`