The random string token is stored in the database, and is revoked when the user logs out. Fixes #17

5 年前 · ba8b2e6153
--- a/mysql/sql/init.sql
+++ b/mysql/sql/init.sql
@@ -14,6 +14,13 @@ CREATE TABLE users (
  PRIMARY KEY (userid)
 );
 CREATE TABLE cookies (
  token VARCHAR(100) UNIQUE NOT NULL,
  userid INT UNSIGNED NOT NULL,
  PRIMARY KEY (token),
  FOREIGN KEY (userid) REFERENCES users(userid)
 );
 CREATE TABLE project_category (
  categoryid INT UNSIGNED AUTO_INCREMENT,
  category_name VARCHAR(200) UNIQUE NOT NULL,
@@ -84,9 +91,8 @@ insert into project_category values (NULL, "Grocery shopping");
 /*
 Create default database user 
 Create default database user
 */
 CREATE USER 'root'@'10.5.0.6' IDENTIFIED BY 'root';
 GRANT ALL PRIVILEGES ON db.* TO 'root'@'10.5.0.6';
--- a/src/app/models/session.py
+++ b/src/app/models/session.py
@@ -0,0 +1,71 @@
 from models.database import db
 import mysql.connector
 def set_cookie(userid, token):
    """
    Register a persistant login token for an user
    :param userid: The ID of the user
    :param token: A random unique token for the cookie
    """
    db.connect()
    cursor = db.cursor()
    query = ("INSERT INTO cookies (userid, token) VALUES (%s, %s)")
    try:
        cursor.execute(query, (userid, token))
        db.commit()
    except mysql.connector.Error as err:
        print("Failed executing query: {}".format(err))
        cursor.fetchall()
        exit(1)
    finally:
        cursor.close()
        db.close()
 def get_cookie(token):
    """
    Get the userid of the user with the given persistant login token
    :param token: The token to search for
    """
    db.connect()
    cursor = db.cursor()
    query = ("SELECT userid FROM cookies WHERE token = %s")
    userid = None
    try:
        cursor.execute(query, (token,))
        users = cursor.fetchall()
        if len(users):
            userid = users[0][0]
    except mysql.connector.Error as err:
        print("Failed executing query: {}".format(err))
        cursor.fetchall()
        exit(1)
    finally:
        cursor.close()
        db.close()
    return userid
 def delete_cookie(token):
    """
    Get the userid of the user with the given persistant login token
    :param token: The token to delete
    """
    db.connect()
    cursor = db.cursor()
    query = ("DELETE FROM cookies WHERE token = %s")
    try:
        cursor.execute(query, (token,))
        db.commit()
    except mysql.connector.Error as err:
        print("Failed executing query: {}".format(err))
        cursor.fetchall()
        exit(1)
    finally:
        cursor.close()
        db.close()
--- a/src/app/views/login.py
+++ b/src/app/views/login.py
@@ -1,8 +1,10 @@
 import web
 from views.forms import login_form
 import models.session
 import models.user
 from views.utils import get_nav_bar
 import os, hmac, base64, pickle
 import random
 import string
 import hashlib
 # Get html templates
@@ -17,7 +19,7 @@ class Login():
    def GET(self):
        """
        Show the login page
            :return: The login page showing other users if logged in
        """
        session = web.ctx.session
@@ -40,7 +42,7 @@ class Login():
        # Validate login credential with database query
        password_hash = hashlib.md5(b'TDT4237' + data.password.encode('utf-8')).hexdigest()
        user = models.user.match_user(data.username, password_hash)
        # If there is a matching user/password in the database the user is logged in
        if user:
            self.login(user[1], user[0], data.remember)
@@ -63,44 +65,34 @@ class Login():
        """
        Validate the rememberme cookie and log in
        """
        username = ""
        sign = ""
        userid = None
        # If the user selected 'remember me' they log in automatically
        try:
            # Fetch the users cookies if it exists
            cookies = web.cookies()
            # Fetch the remember cookie and convert from string to bytes
            remember_hash = bytes(cookies.remember[2:][:-1], 'ascii')
            # Decode the hash
            decode = base64.b64decode(remember_hash)
            # Load the decoded hash to receive the host signature and the username
            username, sign = pickle.loads(decode)
            remember_token = cookies.remember
            userid = models.session.get_cookie(remember_token)
        except AttributeError as e:
            # The user did not have the stored remember me cookie
            pass
        # If the users signed cookie matches the host signature then log in
        if self.sign_username(username) == sign:
            userid = models.user.get_user_id_by_name(username)
        if userid is not None:
            username = models.user.get_user_name_by_id(userid)
            self.login(username, userid, False)
    def rememberme(self):
        """
        Encode a base64 object consisting of the username signed with the
        host secret key and the username. Can be reassembled with the
        hosts secret key to validate user.
            :return: base64 object consisting of signed username and username
        Generate a random token for the user, and store it in the database.
        """
        session = web.ctx.session
        creds = [ session.username, self.sign_username(session.username) ]
        return base64.b64encode(pickle.dumps(creds))
        alphabet = string.ascii_uppercase + string.digits
    @classmethod
    def sign_username(self, username):
        """
        Sign the current users name with the hosts secret key
            :return: The users signed name
        """
        secret = base64.b64decode(self.secret)
        return hmac.HMAC(secret, username.encode('ascii')).hexdigest()
        while True:
            token = ''.join(random.SystemRandom().choice(alphabet) for _ in range(20))
            if models.session.get_cookie(token) is None:
                break
        models.session.set_cookie(session.userid, token)
        return token
--- a/src/app/views/logout.py
+++ b/src/app/views/logout.py
@@ -1,5 +1,6 @@
 import web
 from views.utils import get_nav_bar
 import models.session
 # Get html templates
 render = web.template.render('templates/')
@@ -12,9 +13,12 @@ class Logout:
        Log out of the application (kill session and reset variables)
            :return: Redirect to main page
        """
        remember_token = web.cookies().remember
        models.session.delete_cookie(remember_token)
        session = web.ctx.session
        session.username = None
        session.userid = None
        web.setcookie('remember', '', 0)
        session.kill()        
        session.kill()
        raise web.seeother('/')