Fixes in security

paramecio2/modules/admin/app.py

@@ -17,6 +17,10 @@ from paramecio2.libraries.sendmail import SendMail
 from paramecio2.libraries.formsutils import check_csrf
 from hmac import compare_digest as compare_hash
 from paramecio2.modules.admin.libraries.admin_auth import admin_prepare, admin_finished, modules_access
+try:
+    import ujson as json
+except:
+    import json
 
 try:
     import crypt
@@ -168,14 +172,14 @@ def login():
                         
                         timestamp=int(time())+315360000
                         
-                        resp.set_cookie('remember_login_admin', value=remember_key, max_age=315360000, expires=timestamp, path=config.application_root)
+                        user_admin.fields['token_login'].protected=False
+                        
+                        resp.set_cookie('remember_login_admin', value=json.dumps((arr_user['id'], remember_key)), max_age=315360000, expires=timestamp, path=config.application_root)
                         
                     if arr_user['double_auth']:
                         
                         token_auth=create_key(8)
                         session['verify_auth']=False
-                    
-                        #user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update({'token_auth': token_auth})
                         
                         user_admin.fields['token_auth'].protected=False
                         
@@ -185,8 +189,6 @@ def login():
                         
                         sendmail=SendMail(ssl=True)
                         
-                        # def send(self, from_address, to_address: list, subject, message, content_type='plain', attachments=[]):
-                        
                         sendmail.send(config.portal_email, [arr_user['email']], _('Code for complete login'), _('We send to you a code for activate your account using double authentication:')+"\n"+token_auth, content_type='plain', attachments=[])
                         
                     if arr_user['dark_theme']:
@@ -206,9 +208,9 @@ def login():
                             user_admin.fields['password'].protected=False
                             
                             arr_update['password']=password
-                            
+                        
                         user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update(arr_update)
-                    
+                        
                     return resp
             
                 else:
@@ -228,8 +230,6 @@ def login():
             you_cannot_login=check_login_tries()
             
             return {'error': 1, 'you_cannot_login': you_cannot_login}
-        
-        #if
     
     else:
     

paramecio2/modules/admin/libraries/admin_auth.py

@@ -1,6 +1,13 @@
 from flask import g, request, redirect, session, url_for
 from paramecio2.libraries.db.webmodel import WebModel
 from settings import config
+from paramecio2.libraries.db.extrafields.passwordfield import PasswordField
+from paramecio2.libraries.i18n import I18n, PGetText
+
+try:
+    import ujson as json
+except:
+    import json
 
 modules_access=[]
 
@@ -14,19 +21,47 @@ def admin_prepare():
             
             if 'remember_login_admin' in request.cookies:
                 
-                with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+                try:
+                
+                    arr_cookie=json.loads(request.cookies['remember_login_admin'])
                     
-                    arr_count=cursor.fetchone()
-
-                    if arr_count['count_id']==0:
+                except:
+                    
+                    arr_cookie=(0, '')
+                    
+                #print(arr_cookie)
+                #with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+                with g.connection.query('select id, token_login, dark_theme from useradmin where id=%s', [arr_cookie[0]]) as cursor:
+                    
+                    arr_user=cursor.fetchone()
+                    
+                    if arr_user:
+                    
+                        passfield=PasswordField('token_login')
                         
-                        url_redirect=config.domain_url+url_for('admin_app.login', _external=False)
-                        
-                        return redirect(url_redirect)   
+                        if passfield.verify(arr_cookie[1], arr_user['token_login']):
+                            
+                            session['login_admin']=True
+                            session['user_id']=arr_user['id']
+                            
+                            if arr_user['dark_theme']:
+                                session['theme']='1'
+                            else:
+                                session['theme']='0'
+                            
+                            session['lang']=arr_user.get('lang', I18n.default_lang)
+                            
+                        else:
+                            
+                            url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+                            
+                            return redirect(url_redirect)   
                     else:
                         
-                        session['login_admin']=True
-            
+                        url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+                            
+                        return redirect(url_redirect)   
+                        
             else:
                 
                 url_redirect=config.domain_url+url_for('admin_app.login', _external=False)

paramecio2/modules/admin/models/admin.py

@@ -82,7 +82,7 @@ class UserAdmin(UserModel):
         
         self.register(corefields.CharField('token_recovery'))
 
-        self.register(corefields.CharField('token_login'))
+        self.register(PasswordField('token_login'))
         
         self.register(PasswordField('token_auth'))
         

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "flit_core.buildapi"
 name = "paramecio2"
 authors = [{name = "Antonio de la Rosa", email = "antonio.delarosa@salirdelhoyo.com"}]
 readme = "README.md"
-version = "2.0.37"
+version = "2.0.38"
 description = "A simple framework using flask and mako"
 # dynamic = ["version", "description"]