From da421769e9d54a6ac5d1fca38967297ef2279c72 Mon Sep 17 00:00:00 2001
From: b3yond <b3yond@riseup.net>
Date: Mon, 8 Jan 2018 22:56:05 +0100
Subject: [PATCH] generating confirmation links

---
 README.md           |  2 +-
 config.toml.example |  3 +++
 frontend/login.py   | 25 ++++++++++++++++++++-----
 static/bot.html     |  3 +--
 4 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index cdbfe97..3ee0530 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ virtualenv -p python3 .
 
 Install the dependencies:
 ```shell
-pip install tweepy pytoml requests Mastodon.py bottle
+pip install tweepy pytoml requests Mastodon.py bottle pyjwt 
 ```
 
 Configure the bot:
diff --git a/config.toml.example b/config.toml.example
index ab040ce..2ce4966 100644
--- a/config.toml.example
+++ b/config.toml.example
@@ -30,6 +30,9 @@ passphrase = "sup3rs3cur3"
 # Mailing list where you want to send warnings to
 #list = "nbg_ticketfrei@lists.links-tech.org"
 
+[web]
+secret = "adoijf83wuc2mwipje8r"
+
 [logging]
 # The directory where logs should be stored.
 logpath = "logs"
diff --git a/frontend/login.py b/frontend/login.py
index a2c79f7..c43b771 100644
--- a/frontend/login.py
+++ b/frontend/login.py
@@ -1,8 +1,13 @@
 #!/usr/bin/env python3
 
+import os
 import bottle
 import sqlite3
 import sendmail
+import pytoml as toml
+import jwt
+import pylibscrypt
+
 
 class Datagetter(object):
     def __init__(self):
@@ -54,7 +59,9 @@ def register():
         return "ERROR: Passwords don't match. Try again."
 
     # needs to be encoded somehow
-    confirmlink = "ticketfrei.links-tech.org/confirm?email=" + email + "&passphrase=" + psw
+    payload = {"email":email, "psw_hashed":pylibscrypt.scrypt_mcf(psw)}  # hash password
+    encoded_jwt = jwt.encode(payload, secret)
+    confirmlink = "ticketfrei.links-tech.org/confirm?" + encoded_jwt
     config = ""
     m = sendmail.Mailer(config)
     m.send("Complete your registration here: " + confirmlink, email, "[Ticketfrei] Confirm your account")
@@ -63,16 +70,19 @@ def register():
 
 # How can I parse the arguments from the URI?
 # https://ticketfrei.links-tech.org/confirm?user=asdf&pass=sup3rs3cur3
-@app.route('/confirm')
+@app.route('/confirm', method="GET")
 def confirmaccount():
     """
     Confirm the account creation and create a database entry.
     :return: Redirection to bot.html
     """
-    uname = "user"      # :todo get user from URI
-    passphrase = "pass" # :todo get passphrase from URI
+    encoded_jwt = bottle.request.forms.get('encoded_jwt')
+    dict = jwt.decode(encoded_jwt, secret)
+    uname = dict["email"]
+    pass_hashed = dict["psw_hashed"]
+    print(uname, pass_hashed)
     active = "1"
-    db.conn.execute("CREATE ?, ?, ? IN user;", (uname, passphrase, active))
+    db.conn.execute("CREATE ?, ?, ? IN user;", (uname, pass_hashed, active))
 
 
 @app.route('/static/<filename:path>')
@@ -105,6 +115,11 @@ class StripPathMiddleware(object):
 
 
 if __name__ == "__main__":
+    with open('../config.toml') as configfile:
+        config = toml.load(configfile)
+
     global db
+    global secret
+    secret = os.urandom(32)
     db = Datagetter()
     bottle.run(app=StripPathMiddleware(app), host='0.0.0.0', port=8080)
\ No newline at end of file
diff --git a/static/bot.html b/static/bot.html
index c08345d..69eabe3 100644
--- a/static/bot.html
+++ b/static/bot.html
@@ -2,8 +2,7 @@
   <title>Ticketfrei</title>
   <link rel='stylesheet' href='static/css/style.css'>
 </head>
-<body>
-    <!--<div class="background" style="background-image: url(static/img/bg_left.jpg)"></div>-->
+<body style="background-image: url(static/img/wallpaper.png)">
     <div class="area">
         <h1><a href="https://ticketfrei.links-tech.org"><img src="/static/img/ticketfrei_logo.png" alt="Ticketfrei" height="150px" align="center" style="float: none;"></a></h1>