From 849cb07b7bdfa0e8a7e770ad1590f605451793cf Mon Sep 17 00:00:00 2001 From: Antonio de la Rosa Date: Wed, 5 Nov 2025 13:24:17 +0100 Subject: [PATCH] Fixes in security --- paramecio2/modules/admin/app.py | 18 +++---- .../modules/admin/libraries/admin_auth.py | 53 +++++++++++++++---- paramecio2/modules/admin/models/admin.py | 2 +- pyproject.toml | 2 +- 4 files changed, 55 insertions(+), 20 deletions(-) diff --git a/paramecio2/modules/admin/app.py b/paramecio2/modules/admin/app.py index 04857e1..78813ed 100644 --- a/paramecio2/modules/admin/app.py +++ b/paramecio2/modules/admin/app.py @@ -17,6 +17,10 @@ from paramecio2.libraries.sendmail import SendMail from paramecio2.libraries.formsutils import check_csrf from hmac import compare_digest as compare_hash from paramecio2.modules.admin.libraries.admin_auth import admin_prepare, admin_finished, modules_access +try: + import ujson as json +except: + import json try: import crypt @@ -168,14 +172,14 @@ def login(): timestamp=int(time())+315360000 - resp.set_cookie('remember_login_admin', value=remember_key, max_age=315360000, expires=timestamp, path=config.application_root) + user_admin.fields['token_login'].protected=False + + resp.set_cookie('remember_login_admin', value=json.dumps((arr_user['id'], remember_key)), max_age=315360000, expires=timestamp, path=config.application_root) if arr_user['double_auth']: token_auth=create_key(8) session['verify_auth']=False - - #user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update({'token_auth': token_auth}) user_admin.fields['token_auth'].protected=False @@ -185,8 +189,6 @@ def login(): sendmail=SendMail(ssl=True) - # def send(self, from_address, to_address: list, subject, message, content_type='plain', attachments=[]): - sendmail.send(config.portal_email, [arr_user['email']], _('Code for complete login'), _('We send to you a code for activate your account using double authentication:')+"\n"+token_auth, content_type='plain', attachments=[]) if arr_user['dark_theme']: 
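Review bot: The `except:` guarding the ujson fallback in the `@@ -17,6 +17,10 @@` hunk is a bare except, so it also swallows KeyboardInterrupt and SystemExit and hides any failure other than the module being absent; it should read `except ImportError:`. The identical `try: import ujson as json / except: import json` block is added to admin_auth.py in its `@@ -1,6 +1,13 @@` hunk and wants the same narrowing. Note that ujson and the stdlib json module do not reject exactly the same inputs, so anything parsed from a client-supplied value downstream should validate the result rather than rely on which parser was picked.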
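Review bot: The rewritten `resp.set_cookie('remember_login_admin', value=json.dumps((arr_user['id'], remember_key)), ...)` in the `@@ -168,14 +172,14 @@` hunk still issues a ten-year credential without `httponly=True`, `secure=True` or `samesite`, so the id/key pair stays readable by page scripts and travels over plain HTTP. Adding `httponly=True, samesite='Lax'` (and `secure=True` where the admin is served over TLS) limits what a script injection or a downgraded connection can capture. The cookie is also set before the `if arr_user['double_auth']:` branch that emails the second-factor code and sets `session['verify_auth']=False`, so a user who never completes that step still leaves with a valid remember-me pair; unless the cookie path in `admin_prepare` re-checks `verify_auth`, issuing the cookie only after the second step closes that gap — confirm against the rest of `login()`. `login()` continues outside the hunk, and the update that persists the new `token_login` after `protected=False` is not visible here.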
@@ -206,9 +208,9 @@ def login():
 user_admin.fields['password'].protected=False
 arr_update['password']=password
-
+
 user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update(arr_update)
-
+
 return resp
 else:
@@ -228,8 +230,6 @@ def login():
 you_cannot_login=check_login_tries()
 return {'error': 1, 'you_cannot_login': you_cannot_login}
-
- #if
 else:
diff --git a/paramecio2/modules/admin/libraries/admin_auth.py b/paramecio2/modules/admin/libraries/admin_auth.py
index 1e19f84..5151605 100644
--- a/paramecio2/modules/admin/libraries/admin_auth.py
+++ b/paramecio2/modules/admin/libraries/admin_auth.py
@@ -1,6 +1,13 @@
 from flask import g, request, redirect, session, url_for
 from paramecio2.libraries.db.webmodel import WebModel
 from settings import config
+from paramecio2.libraries.db.extrafields.passwordfield import PasswordField
+from paramecio2.libraries.i18n import I18n, PGetText
+
+try:
+ import ujson as json
+except:
+ import json
 modules_access=[]
@@ -14,19 +21,47 @@ def admin_prepare():
 if 'remember_login_admin' in request.cookies:
- with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+ try:
+
+ arr_cookie=json.loads(request.cookies['remember_login_admin'])
- arr_count=cursor.fetchone()
-
- if arr_count['count_id']==0:
+ except:
+
+ arr_cookie=(0, '')
+
+ #print(arr_cookie)
+ #with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+ with g.connection.query('select id, token_login, dark_theme from useradmin where id=%s', [arr_cookie[0]]) as cursor:
+
+ arr_user=cursor.fetchone()
+
+ if arr_user:
+
+ passfield=PasswordField('token_login')
- url_redirect=config.domain_url+url_for('admin_app.login', _external=False)
-
- return redirect(url_redirect)
+ if passfield.verify(arr_cookie[1], arr_user['token_login']):
+
+ session['login_admin']=True
+ session['user_id']=arr_user['id']
+
+ if arr_user['dark_theme']:
+ session['theme']='1'
+ else:
+ session['theme']='0'
+
+ session['lang']=arr_user.get('lang', I18n.default_lang)
+
+ else:
+
+ url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+
+ return redirect(url_redirect)
 else:
- session['login_admin']=True
-
+ url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+
+ return redirect(url_redirect)
+
 else:
 url_redirect=config.domain_url+url_for('admin_app.login', _external=False)
diff --git a/paramecio2/modules/admin/models/admin.py b/paramecio2/modules/admin/models/admin.py
index 2cc93b3..6d7cfa8 100644
--- a/paramecio2/modules/admin/models/admin.py
+++ b/paramecio2/modules/admin/models/admin.py
@@ -82,7 +82,7 @@ class UserAdmin(UserModel):
 self.register(corefields.CharField('token_recovery'))
- self.register(corefields.CharField('token_login'))
+ self.register(PasswordField('token_login'))
 self.register(PasswordField('token_auth'))
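Review bot: `arr_cookie` is trusted to be a two-element list as soon as `json.loads` succeeds, but the cookie is client-controlled and `json.loads` will just as happily return an int, a string, a dict or a one-element list, so `arr_cookie[0]` in the `useradmin` query and `arr_cookie[1]` in `passfield.verify(...)` raise TypeError/IndexError/KeyError outside the `try` and the request ends in a server error instead of being treated as "no valid cookie". The `except:` is also bare, so it hides everything except the JSON failure it is meant to catch. Checking the shape once after parsing (below) keeps every malformed cookie on the `(0, '')` path. Separately, `session['lang']=arr_user.get('lang', I18n.default_lang)` can never see a `lang` value because the SELECT fetches only `id, token_login, dark_theme`; either add `lang` to the column list (if `useradmin` has it) or drop the `.get`. The leftover `#print(arr_cookie)` and the commented-out old query should go before merging; `admin_prepare` continues outside the hunk.
```python
try:
    arr_cookie=json.loads(request.cookies['remember_login_admin'])
except (ValueError, TypeError):
    arr_cookie=None

# anything that is not an [id, token] pair is treated as "no cookie"
if not (isinstance(arr_cookie, list) and len(arr_cookie)==2
        and isinstance(arr_cookie[0], int) and isinstance(arr_cookie[1], str)):
    arr_cookie=(0, '')

# … unchanged: useradmin query, PasswordField verify and session setup …
```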
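Review bot: Switching `token_login` from `corefields.CharField` to `PasswordField` in the `@@ -82,7 +82,7 @@` hunk presumably changes how the column is written (hashed on save, compared with `verify`), but nothing in the commit migrates rows that already hold a plain token, so every remember-me cookie issued before the upgrade will fail `PasswordField.verify` in `admin_prepare` and be sent to logout. That is acceptable for a security fix but worth recording next to the line, e.g. `# token_login is stored hashed since 2.0.38; pre-existing plain tokens stop matching and must be re-issued`. Whether `PasswordField` also changes the column length is not visible here — confirm the schema still fits the stored hash.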
diff --git a/pyproject.toml b/pyproject.toml
index 1a53626..091c964 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "flit_core.buildapi"
 name = "paramecio2"
 authors = [{name = "Antonio de la Rosa", email = "antonio.delarosa@salirdelhoyo.com"}]
 readme = "README.md"
-version = "2.0.37"
+version = "2.0.38"
 description = "A simple framework using flask and mako"
 # dynamic = ["version", "description"]