generating confirmation links

README.md

@@ -26,7 +26,7 @@ virtualenv -p python3 .
 
 Install the dependencies:
 ```shell
-pip install tweepy pytoml requests Mastodon.py bottle
+pip install tweepy pytoml requests Mastodon.py bottle pyjwt 
 ```
 
 Configure the bot:

config.toml.example

@@ -30,6 +30,9 @@ passphrase = "sup3rs3cur3"
 # Mailing list where you want to send warnings to
 #list = "nbg_ticketfrei@lists.links-tech.org"
 
+[web]
+secret = "adoijf83wuc2mwipje8r"
+
 [logging]
 # The directory where logs should be stored.
 logpath = "logs"

frontend/login.py

@@ -1,8 +1,13 @@
 #!/usr/bin/env python3
 
+import os
 import bottle
 import sqlite3
 import sendmail
+import pytoml as toml
+import jwt
+import pylibscrypt
+
 
 class Datagetter(object):
     def __init__(self):
@@ -54,7 +59,9 @@ def register():
         return "ERROR: Passwords don't match. Try again."
 
     # needs to be encoded somehow
-    confirmlink = "ticketfrei.links-tech.org/confirm?email=" + email + "&passphrase=" + psw
+    payload = {"email":email, "psw_hashed":pylibscrypt.scrypt_mcf(psw)}  # hash password
+    encoded_jwt = jwt.encode(payload, secret)
+    confirmlink = "ticketfrei.links-tech.org/confirm?" + encoded_jwt
     config = ""
     m = sendmail.Mailer(config)
     m.send("Complete your registration here: " + confirmlink, email, "[Ticketfrei] Confirm your account")
@@ -63,16 +70,19 @@ def register():
 
 # How can I parse the arguments from the URI?
 # https://ticketfrei.links-tech.org/confirm?user=asdf&pass=sup3rs3cur3
-@app.route('/confirm')
+@app.route('/confirm', method="GET")
 def confirmaccount():
     """
     Confirm the account creation and create a database entry.
     :return: Redirection to bot.html
     """
-    uname = "user"      # :todo get user from URI
+    encoded_jwt = bottle.request.forms.get('encoded_jwt')
-    passphrase = "pass" # :todo get passphrase from URI
+    dict = jwt.decode(encoded_jwt, secret)
+    uname = dict["email"]
+    pass_hashed = dict["psw_hashed"]
+    print(uname, pass_hashed)
     active = "1"
-    db.conn.execute("CREATE ?, ?, ? IN user;", (uname, passphrase, active))
+    db.conn.execute("CREATE ?, ?, ? IN user;", (uname, pass_hashed, active))
 
 
 @app.route('/static/<filename:path>')
@@ -105,6 +115,11 @@ class StripPathMiddleware(object):
 
 
 if __name__ == "__main__":
+    with open('../config.toml') as configfile:
+        config = toml.load(configfile)
+
     global db
+    global secret
+    secret = os.urandom(32)
     db = Datagetter()
     bottle.run(app=StripPathMiddleware(app), host='0.0.0.0', port=8080)

static/bot.html

@@ -2,8 +2,7 @@
   <title>Ticketfrei</title>
   <link rel='stylesheet' href='static/css/style.css'>
 </head>
-<body>
+<body style="background-image: url(static/img/wallpaper.png)">
-    <!--<div class="background" style="background-image: url(static/img/bg_left.jpg)"></div>-->
     <div class="area">
         <h1><a href="https://ticketfrei.links-tech.org"><img src="/static/img/ticketfrei_logo.png" alt="Ticketfrei" height="150px" align="center" style="float: none;"></a></h1>