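from flask import Blueprint, Flask, render_template, request, Response, send_file
import mysql.connector
import json, time, uuid
from contextlib import closing
from markupsafe import escape
from functions import isValidSession, getUserPermission

user = Blueprint('user', __name__, template_folder='templates')

# NOTE(review): the database credentials below are hard-coded in source exactly as
# in the original handlers; they belong in configuration / secret storage and the
# account should be rotated once moved.  They are centralised here so every handler
# opens its connection the same way.
_DB_CONFIG = {
    "host": "localhost",
    "user": "willem",
    "password": "Dinkel2006!",
    "database": "shykeiichicom",
}

# Column layout of the ``users`` table as this module reads it positionally
# (inferred from the INSERT in createuser and the dict builders below — confirm
# against the schema):
#   0 id, 1 username, 2 email, 3 password, 4 registered, 5 passwordchanged
# ``sessions`` rows are read as (sessionid, userid, timestamp) → column 1 is userid.
# ``elevated_permissions`` rows expose the permission level in column 2.


def _json(payload, status):
    """Return a JSON ``Response`` carrying ``payload`` with the given HTTP ``status``."""
    return Response(json.dumps(payload), status=status, mimetype="application/json")


def _connect():
    """Open a fresh MySQL connection; callers wrap it in ``closing()`` so it is released."""
    return mysql.connector.connect(**_DB_CONFIG)


def _body():
    """Return the parsed JSON object of the current request, or None when absent/invalid.

    ``silent=True`` turns a missing or malformed JSON body into None instead of a
    Flask-generated error so handlers can answer with their own 400 message.
    A non-object body (e.g. a JSON list) is treated as absent as well.
    """
    body = request.get_json(silent=True)
    return body if isinstance(body, dict) else None


def _user_dict(row, permission):
    """Shape a ``users`` row plus an optional ``elevated_permissions`` row into the API dict.

    ``permission`` is None when the user has no elevated_permissions row; the
    exposed permission level is then 0.  The password column (3) is never returned.
    """
    return {
        "id": row[0],
        "username": row[1],
        "email": row[2],
        "registered": row[4],
        "passwordchanged": row[5],
        "permission": 0 if permission is None else permission[2],
    }


def _permission_row(cursor, userid):
    """Fetch the ``elevated_permissions`` row for ``userid`` (None when there is none)."""
    cursor.execute("SELECT * FROM elevated_permissions WHERE userid=%s", (userid,))
    return cursor.fetchone()


def _session_row(cursor, sessionid):
    """Fetch the ``sessions`` row for ``sessionid`` (None when unknown)."""
    cursor.execute("SELECT * FROM sessions WHERE sessionid=%s", (sessionid,))
    return cursor.fetchone()


def _require_admin(cursor, sessionid):
    """Validate ``sessionid`` and require its owner to be an admin.

    Returns ``(session_row, None)`` on success or ``(None, error_response)`` when the
    session is invalid/unknown or the owning user's permission is not 1.  Looking up
    the session row here is what the original handlers needed before reading
    ``myresult[1]`` (several of them referenced it before assigning it).
    """
    if not isValidSession(sessionid):
        return None, _json("Invalid sessionid", 400)
    session = _session_row(cursor, sessionid)
    if session is None:
        return None, _json("Invalid sessionid", 400)
    if getUserPermission(session[1]) != 1:
        return None, _json("User not admin", 400)
    return session, None


@user.route("/api/v1/user/create", methods=["POST"])
def createuser():
    """Register a new user from a JSON body with ``username``, ``email`` and ``password``.

    Responds 400 when a field is missing, 500 (kept from the original API) when the
    email or username is already taken, 201 on success.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    username = body.get("username")
    email = body.get("email")
    password = body.get("password")

    if username is None:
        return _json("No username was provided", 400)
    if email is None:
        return _json("No email was provided", 400)
    if password is None:
        return _json("No password was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        # Parameterised queries: the original concatenated the request values into SQL.
        cursor.execute("SELECT * FROM users WHERE email=%s", (email,))
        if cursor.fetchone() is not None:
            return _json("User already exists with this email", 500)

        cursor.execute("SELECT * FROM users WHERE username=%s", (username,))
        if cursor.fetchone() is not None:
            return _json("User already exists with this username", 500)

        curtime = int(time.time())
        # NOTE(review): the password is stored as received (plaintext), as the original
        # did and as loginuser's verbatim comparison expects.  Switching to a salted
        # hash requires migrating existing rows, so it is flagged rather than changed.
        cursor.execute(
            "INSERT INTO users (username, email, password, registered, passwordchanged) "
            "VALUES (%s, %s, %s, %s, %s)",
            (username, email, password, curtime, curtime),
        )
        mydb.commit()

    return _json("User created", 201)


@user.route("/api/v1/user/login", methods=["POST"])
def loginuser():
    """Authenticate by ``email``/``password`` and create a session.

    On success a new random session id is stored in ``sessions`` and returned
    (201).  Unknown email and wrong password both answer 400 with distinct messages,
    as in the original.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    email = body.get("email")
    password = body.get("password")

    if email is None:
        return _json("No email was provided", 400)
    if password is None:
        return _json("No password was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        cursor.execute("SELECT * FROM users WHERE email=%s", (email,))
        row = cursor.fetchone()
        if row is None:
            return _json("No user exists with this email!", 400)

        # NOTE(review): plaintext comparison against the stored password column,
        # unchanged from the original; see the note in createuser.
        if row[3] != password:
            return _json("Invalid password!", 400)

        curtime = int(time.time())
        sessionid = str(uuid.uuid4())
        cursor.execute(
            "INSERT INTO sessions (sessionid, userid, timestamp) VALUES (%s, %s, %s)",
            (sessionid, row[0], curtime),
        )
        mydb.commit()

    return _json(sessionid, 201)


@user.route("/api/v1/user/validatesession", methods=["POST"])
def validatesession():
    """Resolve a ``sessionid`` (JSON body) to the owning user's public profile.

    The original read ``myresult[1]`` before any query assigned it, so this handler
    could never succeed; the session row is now fetched first to obtain the userid.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    sessionid = body.get("sessionid")
    if sessionid is None:
        return _json("No sessionid was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        if not isValidSession(sessionid):
            return _json("Invalid sessionid", 400)

        session = _session_row(cursor, sessionid)
        if session is None:
            return _json("Invalid sessionid", 400)

        cursor.execute("SELECT * FROM users WHERE id=%s", (session[1],))
        row = cursor.fetchone()
        if row is None:
            # Session points at a user that no longer exists; treat as invalid.
            return _json("Invalid sessionid", 400)

        permission = _permission_row(cursor, row[0])

    return _json(_user_dict(row, permission), 200)


@user.route("/api/v1/users/getall", methods=["GET"])
def usersgetall():
    """Admin-only listing of every user (query parameter ``sessionid``).

    The session id is HTML-escaped and lower-cased before use, matching the
    original handling of query-string input.
    """
    if "sessionid" not in request.args:
        return _json("No sessionid was provided.", 400)
    sessionid = str(escape(request.args["sessionid"])).lower()

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        _, error = _require_admin(cursor, sessionid)
        if error is not None:
            return error

        cursor.execute("SELECT * FROM users")
        rows = cursor.fetchall()

        # One permission lookup per user, as in the original.
        users = [_user_dict(row, _permission_row(cursor, row[0])) for row in rows]

    return _json(users, 200)


@user.route("/api/v1/users/get", methods=["GET"])
def usersget():
    """Admin-only lookup of one user by query parameters ``sessionid`` and ``userid``."""
    if "sessionid" not in request.args:
        return _json("No sessionid was provided.", 400)
    sessionid = str(escape(request.args["sessionid"])).lower()

    if "userid" not in request.args:
        return _json("No userid was provided.", 400)
    userid = str(escape(request.args["userid"])).lower()

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        _, error = _require_admin(cursor, sessionid)
        if error is not None:
            return error

        cursor.execute("SELECT * FROM users WHERE id=%s", (userid,))
        row = cursor.fetchone()
        if row is None:
            return _json("User not found", 400)

        permission = _permission_row(cursor, userid)

    return _json(_user_dict(row, permission), 200)


@user.route("/api/v1/user/delete", methods=["POST"])
def userremove():
    """Admin-only deletion of the user given by ``removeuserid`` (JSON body).

    The original checked the admin permission via ``myresult[1]`` before
    ``myresult`` existed; ``_require_admin`` performs that lookup.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    sessionid = body.get("sessionid")
    if sessionid is None:
        return _json("No sessionid was provided", 400)

    remove_userid = body.get("removeuserid")
    if remove_userid is None:
        return _json("No removeuserid was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        _, error = _require_admin(cursor, sessionid)
        if error is not None:
            return error

        cursor.execute("SELECT * FROM users WHERE id=%s", (remove_userid,))
        if cursor.fetchone() is None:
            return _json("Userid to remove is not valid", 400)

        cursor.execute("DELETE FROM users WHERE id=%s", (remove_userid,))
        mydb.commit()

    return _json("User removed", 200)


@user.route("/api/v1/admin/user/edit", methods=["POST"])
def userupdate():
    """Admin-only edit of the user ``edituserid`` (JSON body).

    Optional fields ``username``, ``email``, ``password`` and ``userid`` (a new id)
    are applied as separate UPDATEs in that order, so the id change happens last.
    ``permission`` is read by the original handler but never applied; that is
    preserved (NOTE(review): confirm whether it was meant to update
    elevated_permissions).
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    sessionid = body.get("sessionid")
    if sessionid is None:
        return _json("No sessionid was provided", 400)

    original_userid = body.get("edituserid")
    if original_userid is None:
        return _json("No userid to edit was provided", 400)

    new_userid = body.get("userid")
    new_username = body.get("username")
    new_email = body.get("email")
    new_permission = body.get("permission")  # unused, see docstring
    new_password = body.get("password")

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        _, error = _require_admin(cursor, sessionid)
        if error is not None:
            return error

        cursor.execute("SELECT * FROM users WHERE id=%s", (original_userid,))
        if cursor.fetchone() is None:
            return _json("Userid to edit is not valid", 400)

        if new_username is not None:
            cursor.execute("UPDATE users SET username=%s WHERE id=%s", (new_username, original_userid))
        if new_email is not None:
            cursor.execute("UPDATE users SET email=%s WHERE id=%s", (new_email, original_userid))
        if new_password is not None:
            curtime = int(time.time())
            # NOTE(review): stored as received, see createuser.
            cursor.execute("UPDATE users SET password=%s WHERE id=%s", (new_password, original_userid))
            cursor.execute("UPDATE users SET passwordchanged=%s WHERE id=%s", (curtime, original_userid))
        if new_userid is not None:
            cursor.execute("UPDATE users SET id=%s WHERE id=%s", (new_userid, original_userid))

        mydb.commit()

    return _json("User edit", 200)


@user.route("/api/v1/user/forgotpassword", methods=["POST"])
def userforgotpassword():
    """Admin-only: create a password-reset token for ``userid`` and return the reset link.

    The token (``address``) is a random uuid4 hex string stored in ``forgot_password``
    together with the userid and creation time.  Fixes the ``json.dufmps`` typo and
    the unassigned ``myresult`` of the original.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    sessionid = body.get("sessionid")
    if sessionid is None:
        return _json("No sessionid was provided", 400)

    userid = body.get("userid")
    if userid is None:
        return _json("No userid was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        _, error = _require_admin(cursor, sessionid)
        if error is not None:
            return error

        cursor.execute("SELECT * FROM users WHERE id=%s", (userid,))
        if cursor.fetchone() is None:
            return _json("Userid is not valid", 400)

        address = uuid.uuid4().hex
        curtime = int(time.time())
        cursor.execute(
            "INSERT INTO forgot_password (userid, address, timestamp) VALUES (%s, %s, %s)",
            (userid, address, curtime),
        )
        mydb.commit()

    return _json(f"https://22widi.ssis.nu/forgotpasswd.html?id={address}", 200)


@user.route("/api/v1/user/changepassword", methods=["POST"])
def userchangepassword():
    """Redeem a reset token (``address``) and set a new ``password`` for its user.

    On success the token row is deleted and every session of that user is
    invalidated.  NOTE(review): the stored ``timestamp`` is never checked, so
    tokens do not expire — unchanged from the original; consider enforcing a
    maximum age here.
    """
    body = _body()
    if body is None:
        return _json("No body was provided", 400)

    address = body.get("address")
    if address is None:
        return _json("No address was provided", 400)

    password = body.get("password")
    if password is None:
        return _json("No password was provided", 400)

    with closing(_connect()) as mydb:
        cursor = mydb.cursor()

        cursor.execute("SELECT * FROM forgot_password WHERE address=%s", (address,))
        token = cursor.fetchone()
        if token is None:
            return _json("Invalid address", 400)

        target_userid = token[1]
        curtime = int(time.time())
        # NOTE(review): stored as received, see createuser.
        cursor.execute("UPDATE users SET password=%s WHERE id=%s", (password, target_userid))
        cursor.execute("UPDATE users SET passwordchanged=%s WHERE id=%s", (curtime, target_userid))
        cursor.execute("DELETE FROM forgot_password WHERE address=%s", (address,))
        cursor.execute("DELETE FROM sessions WHERE userid=%s", (target_userid,))
        mydb.commit()

    return _json("Password Update", 200)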