Merge pull request #11 from beackers/securityagain

beackers · web-flow · commit 91029ada809f · 2025-12-11T16:29:18.000-06:00
fix that dumb security problem
diff --git a/app.py b/app.py
@@ -1,8 +1,11 @@
 from flask import Flask, render_template, jsonify, request, session, abort, redirect
+from werkzeug.security import generate_password_hash, check_password_hash
 from flask_socketio import SocketIO, send, emit
-import secrets, time, socket, hashlib, json, logging, sqlite3
+import secrets, time, socket, hashlib, json, logging, sqlite3, functools
 
 
+# -------- SETUP -------- #
+
 # App + WebSocket
 app = Flask(__name__.split(".")[0])
 app.config["SECRET_KEY"] = secrets.token_hex(16)
@@ -16,7 +19,7 @@ def startLogger():
     if not log.handlers:
         handler = logging.FileHandler("static/app.log", encoding="utf-8")
         streamHandler = logging.StreamHandler()
-        fmt = "{asctime} [{levelname}] -- {message}"
+        fmt = "{asctime} [{levelname}]: \n{message}"
         formatter = logging.Formatter(fmt, style="{")
         handler.setFormatter(formatter)
         streamHandler.setFormatter(formatter)
@@ -78,33 +81,65 @@ def coloredText(stuff, colorcode):
         json.dump(data, file)
     log.exception("Error loading config.json")
 
-
+# Check if logged in decorator
+def logged_in(route):
+    @functools.wraps(route)
+    def wrapper_logged_in(*args, **kwargs):
+        # for now just worry about the decorator
+        with sqlite3.connect("myop.db") as c:
+            cur = c.cursor()
+            if session.get("user"):
+                cur.execute("SELECT * FROM users WHERE callsign=?", (session.get("username")))
+                if not session.get("username") in cur.fetchall():
+                    log.debug("user redirected to login")
+                    return redirect("/login")
+                else:
+                    log.debug("user passed")
+                    return route(*args, **kwargs)
+            else:
+                log.info("user passed without login")
+                return route(*args, **kwargs)
+    return wrapper_logged_in
+
+# csrf checking
+def needs_csrf(route):
+    @functools.wraps(route)
+    def wrapper_csrf(*args, **kwargs):
+        if "csrf" in session:
+            return route(*args, **kwargs)
+        else:
+            session["csrf"] = secrets.token_hex(16)
+            return route(*args, **kwargs)
+    return wrapper_csrf
+
+
+# ------------ APP ------------- #
 
 # Misc. routes
 @app.route("/")
+@logged_in
 def main():
     with open("static/config.json", "r") as f:
         title = json.load(f)["title"]
     return render_template("main.html", title=title)
 
 @app.route("/log")
+@logged_in
 def showlog():
     with open("static/app.log", "r") as log:
         return log.read().encode("utf-8"), 200
 
 
 # ======== Control Panel ======== #
-# Can add an admin login page at a later time.
 
 @app.route("/control", methods=['GET'])
+@logged_in
+@needs_csrf
 def control():
-    # check user.logged-in logic, for later
-    # return redirect("/login"), 301
-    if "csrf" not in session:
-        session["csrf"] = secrets.token_hex(16)
     return render_template("control.html", csrf=session["csrf"])
 
 @app.route("/controlapi", methods=['GET', 'POST'])
+@logged_in
 def controlapi():
     if request.method == "GET":
         with open('static/config.json', "r") as file:
@@ -130,24 +165,52 @@ def controlapi():
 
 
 # The actual login page
-# @app.route("/login")
-# def login():
-#     return render_template("login.html")
+# Pro tip: no @logged_in (for obvious reasons)
+@app.route("/login", methods=["GET", "POST"])
+@needs_csrf
+def login():
+    if request.method == "GET":
+        return render_template("login.html", username=session.get("username") or "", csrf=session["csrf"])
+    elif request.method == "POST":
+        u = request.form
+        if ("csrf" or "username" or "password")not in u: abort(403)
+        if session["csrf"] != u["csrf"]: abort(403)
+        log.debug("login form passed basic qualifications")
+        with sqlite3.connect("myop.db") as c:
+            cur = c.cursor()
+            c.row_factory = sqlite3.Row
+            cur.execute("SELECT callsign, pwdhash FROM users WHERE (callsign = ?)", (u["username"].lower(),))
+            row = cur.fetchone()
+            if row is None:
+                log.warning(f"someone tried to log in, but username didn't exist\nusername: {u["username"]}")
+                abort(403)
+            if (row) and (check_password_hash(row["pwdhash"], u["password"])):
+                session["user"] = row["callsign"]
+                log.info("user logged in!")
+                return redirect("/", code=301)
+            else:
+                log.warning(f"someone failed a login!\nusername: {u["username"]}\npassword: {u["password"]}")
+                abort(403)
+    elif request.method == "DELETE":
+        session["user"] = None
+        return redirect("/login", code=301)
+
 
 
 
 # ======== Bulletins ======== #
 
 @app.route("/bulletins", methods=['GET'])
+@logged_in
+@needs_csrf
 def bulletins():
     with open("static/config.json", "r") as f:
         config = json.load(f)
         if not config.get("services").get("bulletins"): return render_template("disabled.html"), 403
-    if "csrf" not in session:
-        session["csrf"] = secrets.token_hex(16)
     return render_template("bulletins.html", csrf=session["csrf"], uname="None")
 
 @app.route("/bulletinsapi", methods=["GET"])
+@logged_in
 def bulletinsapiget():
     with sqlite3.connect("myop.db") as c:
         cur = c.cursor()
@@ -167,6 +230,7 @@ def bulletinsapiget():
     return jsonify(data), 200
 
 @app.route("/bulletinsapi", methods=["POST"])
+@logged_in
 def bulletinsapipost():
     posted = request.form.get("csrf")
     stored = session.get("csrf")
@@ -189,6 +253,7 @@ def bulletinsapipost():
     return redirect("/bulletins"), 301
 
 @app.route("/bulletinsapi", methods=['DELETE'])
+@logged_in
 def bulletinsapidelete():
     with sqlite3.connect("myop.db") as c:
         cur = c.cursor()
@@ -201,6 +266,7 @@ def bulletinsapidelete():
 # ======== Chat Stuff ========== #
 
 @app.route("/chat", methods=['GET'])
+@logged_in
 def chat():
     with open("static/config.json", "r") as f:
         config = json.load(f)
diff --git a/myop.db b/myop.db
diff --git a/static/dompurify.js b/static/dompurify.js
diff --git a/static/nav.js b/static/nav.js
@@ -48,7 +48,8 @@ function addANav() {
 
     sel.addEventListener("change", () => {
         if (sel.value !== current && acceptablePaths.includes(window.location.pathname)) {
-            window.location.href = sel.value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+	    const clean = DOMPurify.sanitize(sel.value);
+            window.location.href = clean;
         }
     });
 
diff --git a/templates/bt.html b/templates/bt.html
@@ -14,6 +14,7 @@
 	Don't forget to add in the website URL into the addANav function!!
 -->
 
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
 	<script src="{{ url_for('static', filename='nav.js') }}"></script>
 	<script>
 		addANav("");
diff --git a/templates/bulletins.html b/templates/bulletins.html
@@ -31,6 +31,7 @@
                 <div id="bulletinList"></div>
         </details>
 
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
         <script src="{{ url_for('static', filename='nav.js') }}"></script>
         <script src="{{ url_for('static', filename='bulletins.js') }}"></script>
     <script>
diff --git a/templates/control.html b/templates/control.html
@@ -13,6 +13,7 @@
 	<div id="config"></div><br>
 	<div id="deletebulletins"></div>
 
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
 	<script src="{{ url_for('static', filename='nav.js') }}"></script>
 	<script src="{{ url_for('static', filename='config.js') }}"></script>
 	<script>
diff --git a/templates/disabled.html b/templates/disabled.html
@@ -16,6 +16,7 @@ <h1>Function Disabled</h1>
 	<p>Sysops chose to disable this function of MyOp. If you need to access it, ask sysop to enable in the control panel.</p><br>
 	<a href="/">go home</a><br>
 	<a href="/control">control panel</a>
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
 	<script src="{{ url_for('static', filename='nav.js') }}"></script>
 	<script>
 		addANav();
diff --git a/templates/login.html b/templates/login.html
@@ -9,11 +9,15 @@
 	<nav>
 		<div id="navdiv"></div>
 	</nav>
-<!--
-	Body goes here.
-	Don't forget to add in the website URL into the addANav function!!
--->
-
+	<form action="/login" method="POST">
+		<label for="username">Call sign:</label>
+		<input type="text" id="username" name="username" value="{{ username }}"><br>
+		<label for="password">Password:</label>
+		<input type="password" id="password" name="password"><br>
+		<input type="hidden" name="csrf" value="{{ csrf }}">
+		<input type="submit">
+	</form>
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
 	<script src="{{ url_for('static', filename='nav.js') }}"></script>
 	<script>
 		addANav("");
diff --git a/templates/main.html b/templates/main.html
@@ -18,6 +18,7 @@ <h2>{{ title }}</h2>
 		<li><a href="/control">control panel</a></li>
 	</ul>
 
+	<script src="{{ url_for('static', filename='dompurify.js') }}"></script>
 	<script src="{{ url_for('static', filename='nav.js') }}"></script>
 	<script>
 		addANav("/");

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,8 @@ function addANav() {`
`48`	`48`
`49`	`49`	`sel.addEventListener("change", () => {`
`50`	`50`	`if (sel.value !== current && acceptablePaths.includes(window.location.pathname)) {`
`51`		`- window.location.href = sel.value.replace(/[.*+?^${}()\|[\]\\]/g, '\\$&');`
	`51`	`+ const clean = DOMPurify.sanitize(sel.value);`
	`52`	`+ window.location.href = clean;`
`52`	`53`	`}`
`53`	`54`	`});`
`54`	`55`