if i enter write password i enter in 0website but if i enter a wrong password then a error generates says list index out of range .
def login(request):
if request.method == 'GET':
print("get request")
return render(request,"login.html",{'curl':curl})
else:
uname = request.POST.get("uname")
password = request.POST.get('password')
user=md.signup.objects.filter(email=uname,passw=password,status=0)
# pdb.set_trace()
# r=md.signup.objects.get(role='user',email=uname)
# print(connection.queries[-1])
# print(user.query)
if user==None:
print("user==NONE")
return render(request,"login.html",{'curl':curl,'msg':'INVALID PASSWORD OR USERNAME'})
else:
if user[0].role == 'user' and user[0].passw==password:
print("user==USER")
return render(request,"user.html",{'curl':curl})
elif user[0].role == 'admin' and user[0].passw==password:
print("user==ADMIN")
return render(request,'adminn.html',{'curl':curl})
else:
return render(request,"login.html",{'curl':curl,'msg':'INVALID PASSWORD OR USERNAME'})
Related
i am creating an app with flask login and sqlite3, but after successful login the user continues to be anonymous
this is my login page source code:
#app.route("/login", methods=["POST", "GET"])
def data():
if request.method == 'GET':
if current_user.is_authenticated:
return redirect("/control-panel")
else:
return render_template("login.html")
if request.method == 'POST':
if current_user.is_authenticated:
return redirect("/control-panel")
else:
print(request.form["username"])
username = request.form["username"]
#print(request.form["password"])
password = request.form["password"]
if search.login_user() == True:
username_to = load_user(username)
login_user(username_to, remember='y')
print(user)
return redirect("/control-panel")
else:
return render_template("incorrect-login-credentials.html")
else:
return redirect("/request-error")
practically, after logging in the user is redirected to the control panel only if he is authenticated, otherwise he is redirected to login.
each time, however, he is redirected to the login page.
this is my user class
class User(UserMixin):
def __init__(self, id):
self.id = str(id)
self.authenticated = True
self.active = True
def is_authenticated(self):
return True
def is_active(self):
return True
def is_anonymous(self):
return False
def get_id(self):
return str(self.id)
I hope I was clear enough, thanks in advance =)
Im trying to make and endpoint (addurl) which will be only avaliable for logged in users. The problem that occurs is that when Im loggin in on /login endpoint current_user.is_authenticated returns '<bound method User.is_authenticated of <User 2>>' (after login_user(user)). However while redirecting to /addurl current_user.is_authenticated is somehow overwritten and changes to False. How can i solve this?
CODE
model:
from app import db, login_manager
#login_manager.user_loader
def load_user(user_id):
return User.query.get(user_id)
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(50), unique=True)
password = db.Column(db.String(1024))
def is_active(self):
"""True, as all users are active."""
return True
def get_id(self):
"""Return the email to satisfy Flask-Login's requirements."""
return self.email
def is_authenticated(self):
"""Return True if the user is authenticated."""
return self.authenticated
def is_anonymous(self):
"""False, as anonymous users aren't supported."""
return False
form:
class LoginForm(FlaskForm):
email = StringField('Your Username: ', validators=[DataRequired()])
password = PasswordField('password', validators=[DataRequired()])
submit = SubmitField('Log In')
views:
#app.route("/login", methods=["GET", "POST"])
def login():
form = LoginForm()
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data).first()
if user and bcrypt.check_password_hash(user.password, form.password.data):
login_user(user)
return redirect('/addurl')
else:
return render_template('login.html', form=form)
return render_template('login.html', form=form)
#app.route('/addurl', methods=['GET', 'POST'])
def addurl():
form = CompanyForm()
if current_user.is_authenticated:
if form.validate_on_submit():
foo()
return redirect('/base')
else:
flash('you have to be logged in')
return render_template('AddUrl.html', form=form)
It looks like you have forgotten to make addurl a 'login_required' route. Try something like this:
from flask_login import login_required
# original source code...
#app.route('/addurl', methods=['GET', 'POST'])
#login_required
def addurl():
# original source code...
The #login_required decorator should do all the magic you need.
Also, be sure to initialize the LoginManager correctly in app.py:
from flask_login import LoginManager
login_manager = LoginManager()
login_manager.init_app(app)
Using the FLASK framework in Python, my application needs to:
register and log in users (with either a sqlite or postgres database)
access a specific google spreadsheet that the logged in user owns and output that data in a json format.
I am required to have my own authorization & authentication system
I am having a lot of trouble figuring out how to even structure the application - what directories and sub-directories should I have?
I have done A LOT of playing around (about 1 months worth). I am using a virtual environment but don't know how to test my code well either. In general, my code runs but I have no idea how they work together really.** I am completely new to flask.**
Structuring the app:
|app
|----run.py
|----config.py
|----database
|---------database.db
|----app
|---------views.py
|---------models.py
|---------forms.py
|---------extensions.py
|----templates
|---------....
|----static
|--------....
Authorization / Authentication:
I have looked at Flask-Login, Flask-Auth, Flask-Security. I understand the general idea but do not know how to securely implement a complete authorization & authentication system.
app = Flask(__name__)
app.config.from_object(config)
login_manager = LoginManager()
login_manager.init_app(app)
def create_app():
db.init_app()
db.app = app
db.create_all()
return app
#app.route('/')
def index():
#needs to render the homepage template
#app.route('/signup', methods = ['GET', 'POST'])
def register():
form = SignupForm()
if request.method == 'GET':
return render_template('signup.html', form=form)
elif request.method == 'POST':
if form.validate_on_submit():
if User.query.filter_by(email=form.email.data).first():
return "email exists"
else:
newuser = User(form.email.data, form.password.data)
db.session.add(newuser)
db.session.commit()
login_user(newuser)
return "New User created"
else:
return "form didn't validate"
return "Signup"
#app.route('/login', methods = ['GET', 'POST'])
def login():
form = SignupForm()
if request.method == 'GET':
return render_template('login.html', form=form)
elif request.method == 'POST':
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data).first()
if user:
if user.password == form.password.data:
login_user(user)
return "you are logged in"
else:
return "wrong password"
else:
return "user doesnt exist"
else:
return "form did not validate"
#login_manager.user_loader
def load_user(email):
return User.query.filter_by(email = email).first()
#app.route('/protected')
#login_required
def protected():
return "protected area for logged in users only"
if __name__ == '__main__':
#app.create_app()
app.run(port=5000, host='localhost')`
from flask_security import Security, SQLAlchemyUserDatastore, UserMixin, RoleMixin, login_required
import os
# Create app
app = Flask(__name__)
#app.config['DEBUG'] = True
app.config['SECRET_KEY'] = ''
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////'
app.config['SECURITY_PASSWORD_HASH'] = 'sha512_crypt'
app.config['SECURITY_PASSWORD_SALT'] = str(os.urandom(24))
# Create database connection object
db = SQLAlchemy(app)
# Define models
roles_users = db.Table('roles_users',
db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))
class Role(db.Model, RoleMixin):
id = db.Column(db.Integer(), primary_key=True)
name = db.Column(db.String(80), unique=True)
description = db.Column(db.String(255))
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(255), unique=True)
password = db.Column(db.String(255))
active = db.Column(db.Boolean())
confirmed_at = db.Column(db.DateTime())
roles = db.relationship('Role', secondary=roles_users, backref=db.backref('users', lazy='dynamic'))
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)
# Create a user to test with
#app.before_first_request
def create_user():
db.create_all()
user_datastore.create_user(email='', password='')
db.session.commit()
#app.route('/')
#login_required
def home():
#password = encrypt_password('mypass')
#print verify_and_update_password('mypass', password)
return "hello"
if __name__ == '__main__':
app.run(debug=True, use_reloader=False)
** I would really appreciate any guidance!**
Project structure:
If you're planning to build a larger Flask application, you should consider decomposing the functionality into Blueprints.
The official Flask documentation has a tutorial on how to structure larger applications:
http://flask.pocoo.org/docs/0.12/patterns/packages/
Also, take a look at the Hitchhiker's guide to organizing your project. It has some very good points: http://python-guide-pt-br.readthedocs.io/en/latest/writing/structure/
If you're designing an REST API consider using Flask-RESTful (which also works nicely with Blueprints)
ya'll, i figured it out & my app is LOOKING GOOD :)I am using blueprints & an application factory pattern.
APP
|_runserver.py
|_/app
|---__init__.py
|---config.py
|---extensions.py
|---forms.py
|---models.py
|---/login_dashboard #blueprint
|------__init__.py
|------views.py
|------/templates
|---------base.html
.
.
|------/static
|-----------/css
.
.
|-----------/js
.
.
|-----------/img
.
.
I'm writing a fairly simple internal application (currently prototyped in Bottle) which will send notification for incidents and change management events to an internal mailing list while forcing these notices to conform to a couple of standard templates (and ensuring, through the Python Jira API that the required issue references exist and are in the appropriate state).
Naturally we require that users authenticate to my application before I send messages which will be attributed to them. We use LDAP and all password hashes are stored in {SSHA} format.
I've found at least three different ways to perform the authentication:
bind to LDAP with a service account with sufficient LDAP ACIs to fetch password hashes (same as our /etc/sssd/sssd.conf systems level authentication), use that to find the dn and extract the 'userPassword' attribute; then validate that against the proposed password using hashlib
bind to LDAP with a service account with limited search privileges, use that to find the user's dn and then attempt to bind to LDAP using that dn and the users proposed password
Use the authenticate() functions from either the simplepam (pure Python/ctypes wrapper) or python-pam modules
Here's code which seems to correctly implement the first of these:
#!python
import hashlib
import ConfigParser, os
from base64 import encodestring as encode
from base64 import decodestring as decode
import ldap
config = ConfigParser.ConfigParser()
config.read(os.path.expanduser('~/.creds.ini'))
uid = config.get('LDAP', 'uid')
pwd = config.get('LDAP', 'pwd')
svr = config.get('LDAP', 'svr')
bdn = config.get('LDAP', 'bdn')
ld = ldap.initialize(svr)
ld.protocol_version = ldap.VERSION3
ld.simple_bind_s(uid, pwd)
def chk(prop, pw):
pw=decode(pw[6:]) # Base64 decode after stripping off {SSHA}
digest = pw[:20] # Split digest/hash of PW from salt
salt = pw[20:] # Extract salt
chk = hashlib.sha1(prop) # Hash the string presented
chk.update(salt) # Salt to taste:
return chk.digest() == digest
if __name__ == '__main__':
import sys
from getpass import getpass
max_attempts = 3
if len(sys.argv) < 2:
print 'Must supply username against which to authenticate'
sys.exit(127)
name = sys.argv[1]
user_dn = ld.search_s(bdn, ldap.SCOPE_SUBTREE, '(uid=%s)' % name)
if len(user_dn) < 1:
print 'No DN found for %s' % name
sys.exit(126)
pw = user_dn[0][1].get('userPassword', [''])[0]
exit_value = 1
attempts = 0
while attempts < max_attempts:
prop = getpass('Password: ')
if chk(prop, pw):
print 'Authentication successful'
exit_value = 0
break
else:
print 'Authentication failed'
attempts += 1
else:
print 'Maximum retries exceeded'
sys.exit(exit_value)
This seems to work (assuming we have the appropriate values in our .creds.ini).
Here's a bit of code implementing the second option:
#!python
# ...
### Same ConfigParser and LDAP initialization as before
# ...
def chk(prop, dn):
chk = ldap.initialize(svr)
chk.protocol_version = ldap.VERSION3
try:
chk.simple_bind_s(dn, prop)
except ldap.INVALID_CREDENTIALS:
return False
chk.unbind()
return True
if __name__ == '__main__':
import sys
from getpass import getpass
max_attempts = 3
if len(sys.argv) < 2:
print 'Must supply username against which to authenticate'
sys.exit(127)
name = sys.argv[1]
user_dn = ld.search_s(bdn, ldap.SCOPE_SUBTREE, '(uid=%s)' % name)
if len(user_dn) < 1:
print 'No distinguished name (DN) found for %s' % name
sys.exit(126)
dn = user_dn[0][0]
exit_value = 1
attempts = 0
while attempts < max_attempts:
prop = getpass('Password: ')
if chk(prop, dn):
print 'Authentication successful'
exit_value = 0
break
else:
print 'Authentication failed'
attempts += 1
else:
print 'Maximum retries exceeded'
sys.exit(exit_value)
Not shown here but I also tested that I can continue to use the ld LDAP connection independently of the transient chk LDAP object. So my long-running web service can keep re-using the one connection.
The last options are almost identical regardless of which of the two PAM modules I use. Here's an example using python-pam:
#!/usr/bin/env python
import pam
pam_conn = pam.pam()
def chk(prop, name):
return pam_conn.authenticate(name, prop)
if __name__ == '__main__':
import sys
from getpass import getpass
max_attempts = 3
if len(sys.argv) < 2:
print 'Must supply username against which to authenticate'
sys.exit(127)
name = sys.argv[1]
exit_value = 1
attempts = 0
while attempts < max_attempts:
prop = getpass('Password: ')
if chk(prop, name):
print 'Authentication successful'
exit_value = 0
break
else:
print 'Authentication failed'
attempts += 1
else:
print 'Maximum retries exceeded'
sys.exit(exit_value)
My question is: which of these should I use. Are any of them particularly less secure than the others? Is there any consensus on "best practices" for this?
Definitely use a bind as the userDN and password presented by the user.
"bind to LDAP with a service account with limited search privileges, use that to find the user's dn and then attempt to bind to LDAP using that dn and the users proposed password"
Sorry, I do not know how the "Authenticate() functions" behave.
Not binding as the userDN, may bypass the builtin server functions that apply to password policy or account restrictions and intruder detection.
-jim
I'm currently trying to get my Flask app working with Appfog. I'm having 500 error every time I'm trying to do something with my DB. My connection code looks like:
services = json.loads(os.environ.get("VCAP_SERVICES"))
pg = services["postgresql-9.1"][0]["credentials"]
app.config.update({
'SQLALCHEMY_DATABASE_URI': "postgresql://%s:%s#%s:%i/%s" % \
(pg["username"], pg["password"], pg["host"], pg["port"], pg["name"])
})
# I've tried MySQL too
Model:
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(40), unique=True)
passhash = db.Column(db.String(140))
def __init__(self, username, password):
self.username = username
self.passhash = pwd_context.encrypt(password)
def check_password(self, password):
return pwd_context.verify(password, self.passhash) # from passlib
# Flask-Login properties
def is_authenticated(self): return True
def is_active(self): return True
def is_anonymous(self): return False
def get_id(self): return unicode(self.id)
And some example route that utilizes DB:
#app.route("/login", methods=['GET', 'POST'])
def login():
if current_user.is_authenticated():
logout_user()
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
user = User.query.filter_by(username=username).first()
if not user or not user.check_password(password):
flash('Wrong username or password.')
return render_template('login.html')
else:
login_user(user)
return redirect(request.args.get("next") or "/")
else:
return render_template('login.html')
This works with sqlite database on localhost. So, am I doing something wrong?