Self-Registration config

.gitignore

@@ -2,6 +2,6 @@ api/uploads/*
 api/logs/*
 gui/guienv/*
 *.pyc
-.DS_Store
-api/uploads/*
+**/.DS_Store
+**/config.yaml
 env

api/apiserver.py

@@ -656,30 +656,32 @@ def delete( self ):
         })
 
 def make_app():
-    return tornado.web.Application([
-        (r"/api/register", RegisterHandler),
-        (r"/api/login", LoginHandler),
-        (r"/api/collected_pages", GetCollectedPagesHandler),
-        (r"/api/delete_injection", DeleteInjectionHandler),
-        (r"/api/delete_collected_page", DeleteCollectedPageHandler),
-        (r"/api/user", UserInformationHandler),
-        (r"/api/payloadfires", GetXSSPayloadFiresHandler),
-        (r"/api/contactus", ContactUsHandler),
-        (r"/api/resend_injection_email", ResendInjectionEmailHandler),
-        (r"/api/logout", LogoutHandler),
-        (r"/js_callback", CallbackHandler),
-        (r"/page_callback", CollectPageHandler),
-        (r"/health", HealthHandler),
-        (r"/uploads/(.*)", tornado.web.StaticFileHandler, {"path": "uploads/"}),
-        (r"/api/record_injection", InjectionRequestHandler),
-        (r"/(.*)", HomepageHandler),
-    ], cookie_secret=settings["cookie_secret"])
+    app_routes = [
+            (r"/api/register", RegisterHandler),
+            (r"/api/login", LoginHandler),
+            (r"/api/collected_pages", GetCollectedPagesHandler),
+            (r"/api/delete_injection", DeleteInjectionHandler),
+            (r"/api/delete_collected_page", DeleteCollectedPageHandler),
+            (r"/api/user", UserInformationHandler),
+            (r"/api/payloadfires", GetXSSPayloadFiresHandler),
+            (r"/api/contactus", ContactUsHandler),
+            (r"/api/resend_injection_email", ResendInjectionEmailHandler),
+            (r"/api/logout", LogoutHandler),
+            (r"/js_callback", CallbackHandler),
+            (r"/page_callback", CollectPageHandler),
+            (r"/health", HealthHandler),
+            (r"/uploads/(.*)", tornado.web.StaticFileHandler, {"path": "uploads/"}),
+            (r"/api/record_injection", InjectionRequestHandler),
+            (r"/(.*)", HomepageHandler)]
+    if not settings['self_registration']:
+        app_routes.remove((r"/api/register", RegisterHandler))  
+    return tornado.web.Application(app_routes, cookie_secret=settings["cookie_secret"])
 
 if __name__ == "__main__":
     args = sys.argv
     args.append("--log_file_prefix=logs/access.log")
     tornado.options.parse_command_line(args)
     Base.metadata.create_all(engine)
     app = make_app()
-    app.listen( 8888 )
+    app.listen( 8888, "localhost")
     tornado.ioloop.IOLoop.current().start()

generate_config.py

@@ -99,6 +99,7 @@
     "domain": "",
     "abuse_email": "",
     "cookie_secret": "",
+    "self_registration": "yes",
 }
 
 print """
@@ -173,6 +174,9 @@
 /etc/nginx/ssl/""" + hostname + """.crt; # Wildcard SSL certificate
 /etc/nginx/ssl/""" + hostname + """.key; # Wildcard SSL key
 
+Note: by default self-registration is enabled. You can disable this by changing the 'self_registration' option in the config file to 
+"no".
+
 Good luck hunting for XSS!
 							-mandatory
 """

gui/guiserver.py

@@ -54,18 +54,21 @@ def get(self):
         self.write( loader.load( "contact.htm" ).generate() )
 
 def make_app():
-    return tornado.web.Application([
-        (r"/", HomepageHandler),
-        (r"/app", XSSHunterApplicationHandler),
-        (r"/features", FeaturesHandler),
-        (r"/signup", SignUpHandler),
-        (r"/contact", ContactHandler),
-        (r"/static/(.*)", tornado.web.StaticFileHandler, {"path": "static/"}),
-    ])
+    app_routes = [
+            (r"/", HomepageHandler),
+            (r"/app", XSSHunterApplicationHandler),
+            (r"/features", FeaturesHandler),
+            (r"/contact", ContactHandler),
+            (r"/signup", SignUpHandler),
+            (r"/static/(.*)", tornado.web.StaticFileHandler, {"path": "static/"})
+    ]
+    if not settings['self_registration']:
+        app_routes.remove((r"/signup", SignUpHandler))  
+    return tornado.web.Application(app_routes)
 
 if __name__ == "__main__":
     DOMAIN = settings["domain"]
     API_SERVER = "https://api." + DOMAIN
     app = make_app()
-    app.listen( 1234 )
+    app.listen( 1234, "localhost")
     tornado.ioloop.IOLoop.current().start()