diff --git a/app/app.py b/app/app.py index a74ba35..dbaf9df 100644 --- a/app/app.py +++ b/app/app.py @@ -11,7 +11,7 @@ from werkzeug.utils import secure_filename from docx import Document import yaml - +import secrets from tornado.wsgi import WSGIContainer from tornado.httpserver import HTTPServer from tornado.ioloop import IOLoop @@ -20,12 +20,11 @@ app_port = os.environ.get('APP_PORT', 5050) - app = Flask(__name__, template_folder='templates') app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///test.db' -app.config['SECRET_KEY_HMAC'] = 'secret' -app.config['SECRET_KEY_HMAC_2'] = 'am0r3C0mpl3xK3y' -app.secret_key = 'F12Zr47j\3yX R~X@H!jmM]Lwf/,?KT' +app.config['SECRET_KEY_HMAC'] = secrets.token_urlsafe(16) +app.config['SECRET_KEY_HMAC_2'] = secrets.token_urlsafe(16) +app.secret_key = secrets.token_urlsafe(16) app.config['STATIC_FOLDER'] = None db = SQLAlchemy(app) @@ -138,14 +137,14 @@ def reg_customer(): if content: username = content['username'] password = content['password'] - hash_pass = hashlib.md5(password).hexdigest() + hash_pass = hashlib.sha256(password.encode()).hexdigest() new_user = User(username, hash_pass) db.session.add(new_user) db.session.commit() user_created = 'User: {0} has been created'.format(username) return jsonify({'Created': user_created}),200 except Exception as e: - return jsonify({'Error': str(e.message)}),404 + return jsonify({'Error': str(e)}),404 @app.route('/register/customer', methods = ['POST']) def reg_user(): @@ -164,7 +163,7 @@ def reg_user(): user_created = 'Customer: {0} has been created'.format(username) return jsonify({'Created': user_created}),200 except Exception as e: - return jsonify({'Error': str(e.message)}),404 + return jsonify({'Error': str(e)}),404 @app.route('/login', methods = ['POST']) @@ -179,8 +178,8 @@ def login(): print(content) username = content['username'] password = content['password'] - auth_user = User.query.filter_by(username = username, password = password).first() - if auth_user: + auth_user = User.query.filter_by(username = username).first() + if auth_user and auth_user.password == hashlib.sha256(password.encode()).hexdigest(): auth_token = jwt.encode({'user': username, 'exp': get_exp_date(), 'nbf': datetime.datetime.utcnow(), 'iss': 'we45', 'iat': datetime.datetime.utcnow()}, app.config['SECRET_KEY_HMAC'], algorithm='HS256') resp = Response(json.dumps({'Authenticated': True, "User": username})) #resp.set_cookie('SESSIONID', auth_token) @@ -258,14 +257,9 @@ def search_customer(): try: search_term = content['search'] print(search_term) - str_query = "SELECT first_name, last_name, username FROM customer WHERE username = '%s';" % search_term - # mycust = Customer.query.filter_by(username = search_term).first() - # return jsonify({'Customer': mycust.username, 'First Name': mycust.first_name}),200 - - search_query = db.engine.execute(str_query) - for result in search_query: - results.append(list(result)) - print(results) + mycust = Customer.query.filter_by(username = search_term).first() + if mycust: + results.append({'Customer': mycust.username, 'First Name': mycust.first_name}) return jsonify(results),200 except Exception as e: template = ''' @@ -292,7 +286,7 @@ def hello(): if request.method == 'POST': f = request.files['file'] - rand = random.randint(1, 100) + rand = secrets.randbelow(1000) fname = secure_filename(f.filename) fname = str(rand) + fname # change file name cwd = os.getcwd() @@ -316,7 +310,7 @@ def yaml_upload(): def yaml_hammer(): if request.method == "POST": f = request.files['file'] - rand = random.randint(1, 100) + rand = secrets.randbelow(1000) fname = secure_filename(f.filename) fname = str(rand) + fname # change file name cwd = os.getcwd() @@ -326,7 +320,7 @@ def yaml_hammer(): with open(file_path, 'r') as yfile: y = yfile.read() - ydata = yaml.load(y) + ydata = yaml.safe_load(y) return render_template('view.html', name = json.dumps(ydata)) @@ -336,4 +330,4 @@ def yaml_hammer(): http_server = HTTPServer(WSGIContainer(app)) http_server.listen(app_port) IOLoop.instance().start() - # app.run(debug = True, host = '0.0.0.0', port = app_port) + # app.run(debug = True, host = '0.0.0.0', port = app_port) \ No newline at end of file