diff --git a/web.py b/web.py
index c1ee3fc..6fdd40b 100755
--- a/web.py
+++ b/web.py
@@ -57,14 +57,14 @@ def home():
 session['cc'] = "None"
 if session['cc'] == "None":
 #every time home is rendered without cc being set
- cc = c.execute("SELECT cc FROM `data` WHERE client_id LIKE ? AND instance LIKE ?", (session['client_id'], session['instance'])).fetchone()[0]
+ c.execute("SELECT cc FROM `data` WHERE client_id LIKE %s AND instance LIKE %s", (session['client_id'], session['instance']))
+ cc = c.fetchone()[0]
 if cc != '':
 session['cc'] = cc
 if 'last_avi_update' not in session or session['last_avi_update'] + (24 * 60 * 60) < time.time():
- #avatars haven't been updated for over 24 hours
- # avis = c.execute("SELECT avi, ccavi FROM `data` WHERE client_id LIKE ?", (session['client_id'],)).fetchone()
- client = Mastodon(client_id=session['client_id'], client_secret=session['client_secret'], api_base_url=session['instance'])
+ #avatars haven't been updated for over 24 hours, update them now
+ client = Mastodon(client_id=session['client_id'], client_secret=session['client_secret'], access_token=session['secret'], api_base_url=session['instance'])
 session['avi'] = client.account_verify_credentials()['avatar']
 if session['cc'] != None:
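Review bot: `cc = c.fetchone()[0]` on the new line raises TypeError when no row matches `client_id`/`instance`, because fetchone() returns None on an empty result; guard it with `row = c.fetchone()` / `cc = row[0] if row else ''`. The lookups also use `LIKE` for what are exact-match keys, so a bound value containing `%` or `_` is treated as a wildcard and can select a different account's row — `=` is the correct operator here, in the two UPDATEs of the next hunk, in the SELECT/UPDATE of internal_auth_b and in the SELECT of do_login. The new `access_token=session['secret']` argument shows the Mastodon access token is kept in the Flask session alongside `client_secret`; if this is the default cookie session that data is stored client-side, signed but not encrypted — presumably known, but worth a comment on the line. home() starts and ends outside this hunk.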
@@ -72,9 +72,9 @@ def home():
 r = requests.get("https://curiouscat.me/api/v2/profile?username={}".format(session['cc']))
 j = r.json()
 session['ccavi'] = j['userData']['avatar']
- c.execute("UPDATE data SET avi = ?, ccavi = ? WHERE client_id LIKE ? AND instance LIKE ?", (session['avi'], session['ccavi'], session['client_id'], session['instance']))
+ c.execute("UPDATE data SET avi = %s, ccavi = %s WHERE client_id LIKE %s AND instance LIKE %s", (session['avi'], session['ccavi'], session['client_id'], session['instance']))
 else:
- c.execute("UPDATE data SET avi = ? WHERE client_id LIKE ? AND instance LIKE ?", (session['avi'], session['client_id'], session['instance']))
+ c.execute("UPDATE data SET avi = %s WHERE client_id LIKE %s AND instance LIKE %s", (session['avi'], session['client_id'], session['instance']))
 return render_template("home.html")
 else:
 return redirect(url_for('main'))
@@ -84,6 +84,11 @@ def home():
 def print_debug_info():
 return json.dumps(session._get_current_object())
+@app.route('/reset') #TODO: ditto
+def reset_session():
+ session.clear()
+ return redirect(url_for('main'))
+
 @app.route('/login')
 def log_in():
 if 'acct' in session:
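Review bot: `reset_session` in the second hunk clears the session on a plain GET with no CSRF token, so any cross-site request to `/reset` ends the user's session (a logout-CSRF); as a state-changing endpoint it should be declared `@app.route('/reset', methods=['POST'])` and validate a CSRF token before `session.clear()`. The `#TODO: ditto` refers to a note outside this hunk, so it is unclear whether that hardening is already planned. A one-line docstring such as `"""Drop all session state and send the user back to the landing page."""` would also make the route's intent explicit.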
@@ -123,13 +128,14 @@ def internal_auth_b():
 session['username'] = acct_info['username']
 session['avi'] = acct_info['avatar']
 session['acct'] = "@{}@{}".format(session['username'], session['instance'].replace("https://", ""))
- if c.execute("SELECT COUNT(*) FROM data WHERE username LIKE ? AND instance LIKE ?", (session['username'], session['instance'])).fetchone()[0] > 0:
+ c.execute("SELECT COUNT(*) FROM data WHERE username LIKE %s AND instance LIKE %s", (session['username'], session['instance']))
+ if c.fetchone()[0] > 0:
 #user already has an account with CG
 #update the user's info to use the new info we just got, then redirect them to the login page
- c.execute("UPDATE data SET client_id = ?, client_secret = ?, secret = ?, avi = ? WHERE username LIKE ? AND instance LIKE ?", (session['client_id'], session['client_secret'], session['secret'], session['avi'], session['username'], session['instance']))
+ c.execute("UPDATE data SET client_id = ?, client_secret = ?, secret = ?, avi = ? WHERE username LIKE %s AND instance LIKE %s", (session['client_id'], session['client_secret'], session['secret'], session['avi'], session['username'], session['instance']))
 return redirect(url_for('log_in'))
 else:
- return redirect(url_for('create_password'))
+ return redirect(url_for('create_password'))
 @app.route('/internal/do_login')
 def do_login():
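Review bot: The UPDATE on the new line mixes placeholder styles — `client_id = ?, client_secret = ?, secret = ?, avi = ?` keeps the sqlite-style `?` while the WHERE clause was converted to `%s` — so with a `%s`-paramstyle driver the four SET parameters are never bound and the statement fails or the parameter count no longer matches the six-tuple; change them to `client_id = %s, client_secret = %s, secret = %s, avi = %s`. Because this statement writes `session['secret']` and `session['client_secret']` into whichever rows match `username LIKE`/`instance LIKE`, a `%` or `_` in either value (the instance string comes from user input unless validated elsewhere) would overwrite more than one account's credentials; `=` is the safer comparison. internal_auth_b's body starts outside this hunk.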
@@ -138,7 +144,7 @@ def do_login():
 acct = request.form['acct']
 session['username'] = re.match("^@[^@]*", acct).group(0)
 session['instance'] = "https://{}".format(re.search("@([^@]+)$", acct).group(1))
- data = dc.execute("SELECT * FROM data WHERE username LIKE ? AND password LIKE ?", (session['username'], session['instance'])).fetch_one()
+ data = dc.execute("SELECT * FROM data WHERE username LIKE %s AND password LIKE %s", (session['username'], session['instance'])).fetch_one()
 if bcrypt.checkpw(pw_hashed, data['password']):
 #password is correct, log the user in
 for item in ['username', 'instance', 'avi', 'secret', 'client_id', 'client_secret', 'cc', 'ccavi']:
@@ -149,15 +155,15 @@ def do_login():
 @app.route('/create_password')
 def create_password():
- return render_template("create_password.html", bg = "\"background-image:url('{}')\"".format(session['avi']))
+ return render_template("create_password.html", bg = "background-image:url('{}')".format(session['avi']))
 @app.route('/internal/create_account', methods=['POST'])
 def create_account():
 pw_in = request.form['pw']
- if len(pw_in < 6) or pw_in == 'password':
+ if len(pw_in) < 6 or pw_in == 'password': #TODO: this is a pretty crappy check
 return redirect('/create_password?invalid')
- pw_hashed = hashlib.sha256(pw_in.encode('utf-8'))
+ pw_hashed = hashlib.sha256(pw_in.encode('utf-8')).digest()
 pw = bcrypt.hashpw(pw_hashed, bcrypt.gensalt(15))
- c.execute("INSERT INTO data (username, instance, avi, password, secret, client_id, client_secret) VALUES (?, ?, ?, ?, ?)", (session['username'], pw, session['instance'], session['secret'], session['client_id'], session['client_secret']))
+ c.execute("INSERT INTO data (username, instance, avi, password, secret, client_id, client_secret) VALUES (%s, %s, %s, %s, %s, %s, %s)", (session['username'], session['instance'], session['avi'], pw, session['secret'], session['client_id'], session['client_secret']))
 db.commit()
 return redirect(url_for('home'))
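Review bot: The new SELECT in the first hunk binds `session['instance']` to the `password` column (`username LIKE %s AND password LIKE %s`), so the lookup compares a bcrypt hash against an instance URL and the instance is never part of the key; it should read `WHERE username = %s AND instance = %s`. `.fetch_one()` is also not a DB-API cursor method (the rest of this diff uses `c.fetchone()` after a separate `execute`), and `data` is never checked for None before `data['password']`, so an unknown account raises TypeError instead of failing the login; `dc.execute(...)` / `data = dc.fetchone()` / `if data is not None and bcrypt.checkpw(pw_hashed, data['password']):` fixes both. `pw_hashed` is assigned outside the hunk, so I cannot confirm it is derived the same way as in create_account. do_login's body starts and continues outside this hunk.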
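Review bot: In create_account, `hashlib.sha256(...).digest()` feeds raw bytes to `bcrypt.hashpw`, and bcrypt implementations treat their input as a C string, so a digest containing a 0x00 byte is truncated at that byte (or rejected, depending on the library version) and the effective password material is shortened; use `.hexdigest().encode('ascii')` (or base64 of the digest) instead, and derive `pw_hashed` the same way in do_login so verification matches. The pre-hash scheme also needs a comment, since stored hashes cannot be migrated silently if it changes — something like `# sha256 pre-hash so bcrypt's 72-byte input limit never truncates long passwords` on the `pw_hashed` line. The INSERT's reordered value tuple now matches the column list, which looks correct. In create_password, `bg` now interpolates `session['avi']` — a URL supplied by the remote instance — into an inline style value; whether that is safe depends on how the template quotes and autoescapes it, which I cannot see here, so it is worth confirming.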