From 5bb16e6d98287c2c205ffe0cc7f1ec7b24dccd95 Mon Sep 17 00:00:00 2001 From: H4CK3R-01 Date: Wed, 16 Mar 2022 14:47:25 +0100 Subject: [PATCH 1/5] Try to fix cors issue --- webservice/app.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/webservice/app.py b/webservice/app.py index 6963bfa..ee1a7cf 100644 --- a/webservice/app.py +++ b/webservice/app.py @@ -34,6 +34,14 @@ def create_app(): # interface blueprint application.register_blueprint(interface_blueprint) + # CORS: Allow * for developing + @application.after_request # blueprint can also be app~~ + def after_request(response): + header = response.headers + header['Access-Control-Allow-Headers'] = 'Content-Type' + header['Access-Control-Allow-Origin'] = '*' + return response + return application -- 2.45.2 From 290672cee44cbfbde38a529b417de00daf17ab69 Mon Sep 17 00:00:00 2001 From: H4CK3R-01 Date: Thu, 17 Mar 2022 09:26:25 +0100 Subject: [PATCH 2/5] Rewrite api from Flask to APIFlask --- webservice/api_blueprint_keyword.py | 61 ++++++++++------ webservice/api_blueprint_portfolio.py | 16 +++-- webservice/api_blueprint_shares.py | 59 ++++++++++------ webservice/api_blueprint_transactions.py | 74 +++++++++++++------- webservice/api_blueprint_user.py | 89 +++++++++++++++--------- webservice/app.py | 9 ++- webservice/auth.py | 18 +++++ webservice/config.py | 31 +++++++++ webservice/helper_functions.py | 14 ++-- webservice/requirements.txt | 4 +- webservice/scheme.py | 62 +++++++++++++++++ 11 files changed, 322 insertions(+), 115 deletions(-) create mode 100644 webservice/auth.py create mode 100644 webservice/scheme.py diff --git a/webservice/api_blueprint_keyword.py b/webservice/api_blueprint_keyword.py index 2b27a40..7474bcb 100644 --- a/webservice/api_blueprint_keyword.py +++ b/webservice/api_blueprint_keyword.py 
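Review bot: The `Access-Control-Allow-Headers` value in the new after_request hook lists only `Content-Type`, so a browser preflight for a cross-origin request that carries the `Authorization` header (which the token auth added later in this series depends on) is refused even though the origin itself is allowed; it needs `header['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'`. The comment says the wildcard origin is "for developing", but nothing gates it on configuration, so it ships to production unchanged; read the allowed origin from app config instead, e.g. `header['Access-Control-Allow-Origin'] = application.config.get('CORS_ORIGIN', '*')`, and state in the comment that `*` must be overridden outside development. create_app continues outside the hunk.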
@@ -1,24 +1,29 @@ import os -from flask import Blueprint, jsonify, request +from apiflask import APIBlueprint, abort +from flask import jsonify from db import db -from helper_functions import get_username_from_token_data, extract_token_data, get_token, get_user_id_from_username, return_401 +from helper_functions import get_user_id_from_username, get_username_or_abort_401 +from auth import auth +from scheme import KeywordResponseSchema, KeywordSchema, DeleteSuccessfulSchema from models import Keyword -keyword_blueprint = Blueprint('keyword', __name__, url_prefix='/api') +keyword_blueprint = APIBlueprint('keyword', __name__, url_prefix='/api') __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) @keyword_blueprint.route('/keyword', methods=['POST']) -def add_keyword(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() +@keyword_blueprint.output(KeywordResponseSchema(many=True), 200) +@keyword_blueprint.input(schema=KeywordSchema) +@keyword_blueprint.auth_required(auth) +@keyword_blueprint.doc(summary="Add new keyword", description="Adds new keyword for current user") +def add_keyword(data): + username = get_username_or_abort_401() - request_data = request.get_json() - key = request_data['keyword'] + check_if_keyword_data_exists(data) + + key = data['keyword'] check_keyword = db.session.query(Keyword).filter_by(keyword=key, user_id=get_user_id_from_username(username)).first() if check_keyword is None: 
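Review bot: With `@keyword_blueprint.input(schema=KeywordSchema)` stacked above `@keyword_blueprint.auth_required(auth)`, the auth wrapper is the innermost one, so as far as I can tell from decorator application order the request body is parsed and validated before the token is checked and an unauthenticated caller receives a 400 validation error instead of a 401; placing `@keyword_blueprint.auth_required(auth)` directly under the route decorator makes authentication run first. KeywordSchema declares `keyword = String()` without `required=True`, which is why the hand-written `check_if_keyword_data_exists(data)` is needed and why the generated OpenAPI spec advertises the field as optional; `keyword = String(required=True, validate=Length(min=1))` would let the schema reject missing and empty values and keep the spec honest. `get_username_or_abort_401()` decodes the token a second time after `auth_required` already verified it, which deserves a comment such as `# token already verified by auth_required; this only extracts the username claim`. add_keyword's body continues outside the hunk.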
@@ -32,31 +37,33 @@ def add_keyword(): return jsonify({"status": 200, "text": "Successfully added keyword", "data": new_keyword.as_dict()}) else: - return jsonify({"status": 500, "text": "Keyword already exist for this user"}) + abort(500, message="Keyword already exist for this user") @keyword_blueprint.route('/keyword', methods=['DELETE']) -def remove_keyword(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() +@keyword_blueprint.output(DeleteSuccessfulSchema, 200) +@keyword_blueprint.input(schema=KeywordSchema) +@keyword_blueprint.auth_required(auth) +@keyword_blueprint.doc(summary="Removes existing keyword", description="Removes existing keyword for current user") +def remove_keyword(data): + username = get_username_or_abort_401() - request_data = request.get_json() - key = request_data['keyword'] + check_if_keyword_data_exists(data) + + key = data['keyword'] db.session.query(Keyword).filter_by(keyword=key, user_id=get_user_id_from_username(username)).delete() db.session.commit() - return jsonify({"status": 200, "text": "Successfully removed keyword"}) + return jsonify({"status": 200, "text": "Successfully removed keyword", "data": {}}) @keyword_blueprint.route('/keywords', methods=['GET']) +@keyword_blueprint.output(KeywordResponseSchema(many=True), 200) +@keyword_blueprint.auth_required(auth) +@keyword_blueprint.doc(summary="Returns all keywords", description="Returns all keywords for current user") def get_keywords(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() + username = get_username_or_abort_401() return_keywords = [] keywords = db.session.query(Keyword).filter_by(user_id=get_user_id_from_username(username)).all() 
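Review bot: `abort(500, message="Keyword already exist for this user")` reports a client-side conflict as a server fault, which is what monitoring and retrying clients treat as an outage; this should be `abort(409, message="Keyword already exist for this user")`. In remove_keyword the return value of `.delete()` (the matched row count) is discarded, so a keyword the caller never had still yields "Successfully removed keyword"; if that idempotence is intended, say so in a comment, otherwise `if not db.session.query(Keyword).filter_by(keyword=key, user_id=get_user_id_from_username(username)).delete(): abort(404, message="Keyword not found")`. get_keywords continues outside the hunk.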
@@ -66,3 +73,11 @@ def get_keywords(): return_keywords.append(row.as_dict()) return jsonify({"status": 200, "text": "Successfully loaded keywords", "data": return_keywords}) + + +def check_if_keyword_data_exists(data): + if "keyword" not in data: + abort(400, message="Keyword missing") + + if data['keyword'] == "" or data['keyword'] is None: + abort(400, message="Keyword missing") diff --git a/webservice/api_blueprint_portfolio.py b/webservice/api_blueprint_portfolio.py index 6ee8a37..2a54275 100644 --- a/webservice/api_blueprint_portfolio.py +++ b/webservice/api_blueprint_portfolio.py @@ -1,21 +1,23 @@ import os -from flask import Blueprint, jsonify +from apiflask import APIBlueprint +from flask import jsonify from db import db -from helper_functions import get_username_from_token_data, extract_token_data, get_token, get_user_id_from_username, return_401 +from helper_functions import get_user_id_from_username, get_username_or_abort_401 from models import Transaction +from auth import auth -portfolio_blueprint = Blueprint('portfolio', __name__, url_prefix='/api') +portfolio_blueprint = APIBlueprint('portfolio', __name__, url_prefix='/api') __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) @portfolio_blueprint.route('/portfolio', methods=['GET']) +@portfolio_blueprint.output(200) +@portfolio_blueprint.auth_required(auth) +@portfolio_blueprint.doc(summary="Returns portfolio", description="Returns all shares of current user") def get_portfolio(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() + username = get_username_or_abort_401() return_portfolio = {} transactions = db.session.query(Transaction).filter_by(user_id=get_user_id_from_username(username)).all() diff --git a/webservice/api_blueprint_shares.py b/webservice/api_blueprint_shares.py index cbde440..ef68d99 100644 
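Review bot: The two tests in check_if_keyword_data_exists collapse to a single truthiness check that covers the missing key, `None` and the empty string: `if not data.get("keyword"): abort(400, message="Keyword missing")`. A one-line docstring such as `"""Abort with 400 unless `data` carries a non-empty keyword (KeywordSchema does not mark it required)."""` would explain why this helper exists alongside the marshmallow schema.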
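Review bot: `@portfolio_blueprint.output(200)` passes the status code in the position where every other endpoint in this patch passes a schema, so the decorator receives an int as its schema; I cannot tell from here whether apiflask 0.12 tolerates that, but it should be a schema describing `return_portfolio` plus the code, e.g. `@portfolio_blueprint.output(PortfolioShareResponseSchema(many=True), 200)` (that schema is defined in scheme.py but unused here) or apiflask's `EmptySchema` if the body is not meant to be documented. get_portfolio continues outside the hunk.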
--- a/webservice/api_blueprint_shares.py +++ b/webservice/api_blueprint_shares.py @@ -1,24 +1,29 @@ import os -from flask import Blueprint, jsonify, request +from apiflask import APIBlueprint, abort +from flask import jsonify +from auth import auth from db import db -from helper_functions import get_username_from_token_data, extract_token_data, get_token, get_user_id_from_username, return_401 +from helper_functions import get_user_id_from_username, get_username_or_abort_401 from models import Share +from scheme import SymbolSchema, SymbolResponseSchema, DeleteSuccessfulSchema -shares_blueprint = Blueprint('share', __name__, url_prefix='/api') +shares_blueprint = APIBlueprint('share', __name__, url_prefix='/api') __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) @shares_blueprint.route('/share', methods=['POST']) -def add_symbol(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() +@shares_blueprint.output(SymbolResponseSchema(many=True), 200) +@shares_blueprint.input(schema=SymbolSchema) +@shares_blueprint.auth_required(auth) +@shares_blueprint.doc(summary="Add new symbol", description="Adds new symbol for current user") +def add_symbol(data): + username = get_username_or_abort_401() - request_data = request.get_json() - symbol = request_data['symbol'] + check_if_symbol_data_exists(data) + + symbol = data['symbol'] check_share = db.session.query(Share).filter_by(symbol=symbol, user_id=get_user_id_from_username(username)).first() if check_share is None: 
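Review bot: As in api_blueprint_keyword.py, `@shares_blueprint.input(schema=SymbolSchema)` sits above `@shares_blueprint.auth_required(auth)`, so the body appears to be parsed and validated before the token is verified and an unauthenticated request gets a 400 rather than a 401; move `@shares_blueprint.auth_required(auth)` directly under the route decorator. SymbolSchema's `symbol = String()` is not marked required, which is what forces the `check_if_symbol_data_exists(data)` call; `symbol = String(required=True, validate=Length(min=1))` expresses the same rule in the schema and in the generated spec. add_symbol's body continues outside the hunk.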
@@ -36,27 +41,29 @@ def add_symbol(): @shares_blueprint.route('/share', methods=['DELETE']) -def remove_symbol(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() +@shares_blueprint.output(DeleteSuccessfulSchema, 200) +@shares_blueprint.input(schema=SymbolSchema) +@shares_blueprint.auth_required(auth) +@shares_blueprint.doc(summary="Removes existing symbol", description="Removes existing symbol for current user") +def remove_symbol(data): + username = get_username_or_abort_401() - request_data = request.get_json() - symbol = request_data['symbol'] + check_if_symbol_data_exists(data) + + symbol = data['symbol'] db.session.query(Share).filter_by(symbol=symbol, user_id=get_user_id_from_username(username)).delete() db.session.commit() - return jsonify({"status": 200, "text": "Successfully removed symbol"}) + return jsonify({"status": 200, "text": "Successfully removed symbol", "data": {}}) @shares_blueprint.route('/shares', methods=['GET']) +@shares_blueprint.output(SymbolResponseSchema(many=True), 200) +@shares_blueprint.auth_required(auth) +@shares_blueprint.doc(summary="Returns all symbols", description="Returns all symbols for current user") def get_symbol(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() + username = get_username_or_abort_401() return_symbols = [] symbols = db.session.query(Share).filter_by(user_id=get_user_id_from_username(username)).all() 
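Review bot: remove_symbol ignores the row count returned by `.delete()`, so removing a symbol the caller does not have still answers "Successfully removed symbol"; either document that as intentional idempotence or use `if not db.session.query(Share).filter_by(symbol=symbol, user_id=get_user_id_from_username(username)).delete(): abort(404, message="Symbol not found")`. The duplicate-symbol branch of add_symbol (file lines 24–35) is not in this diff, so presumably it still returns a `"status": 500` JSON body with an HTTP 200 while the keyword blueprint now calls `abort(500, ...)`; worth checking that the two blueprints agree. get_symbol continues outside the hunk.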
@@ -66,3 +73,11 @@ def get_symbol(): return_symbols.append(row.as_dict()) return jsonify({"status": 200, "text": "Successfully loaded symbols", "data": return_symbols}) + + +def check_if_symbol_data_exists(data): + if "symbol" not in data: + abort(400, message="Symbol missing") + + if data['symbol'] == "" or data['symbol'] is None: + abort(400, message="Symbol missing") diff --git a/webservice/api_blueprint_transactions.py b/webservice/api_blueprint_transactions.py index ff01a09..2a8fed2 100644 --- a/webservice/api_blueprint_transactions.py +++ b/webservice/api_blueprint_transactions.py 
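Review bot: check_if_symbol_data_exists can be one check, `if not data.get("symbol"): abort(400, message="Symbol missing")`, which handles the absent key, `None` and `""` in a single truthiness test. Add a one-line docstring noting that it exists because SymbolSchema does not mark `symbol` as required.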
@@ -1,48 +1,48 @@ import os import datetime -from flask import Blueprint, jsonify, request +from apiflask import abort, APIBlueprint +from flask import jsonify from db import db -from helper_functions import get_username_from_token_data, extract_token_data, get_token, get_user_id_from_username, return_401 +from helper_functions import get_user_id_from_username, get_username_or_abort_401 from models import Transaction +from scheme import TransactionSchema +from auth import auth -transaction_blueprint = Blueprint('transaction', __name__, url_prefix='/api') +transaction_blueprint = APIBlueprint('transaction', __name__, url_prefix='/api') __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) @transaction_blueprint.route('/transaction', methods=['POST']) -def add_transaction(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() +@transaction_blueprint.output((), 200) +@transaction_blueprint.input(schema=TransactionSchema) +@transaction_blueprint.auth_required(auth) +@transaction_blueprint.doc(summary="Adds new transaction", description="Adds new transaction for current user") +def add_transaction(data): + username = get_username_or_abort_401() - request_data = request.get_json() - symbol = request_data['symbol'] - time = datetime.datetime.strptime(request_data['time'], '%Y-%m-%dT%H:%M:%S.%fZ') - count = request_data['count'] - price = request_data['price'] + check_if_transaction_data_exists(data) - new_transcation = Transaction( + new_transaction = Transaction( user_id=get_user_id_from_username(username), - symbol=symbol, - time=time, - count=count, - price=price + symbol=data['symbol'], + time=datetime.datetime.strptime(data['time'], '%Y-%m-%dT%H:%M:%S.%fZ'), + count=data['count'], + price=data['price'] ) - db.session.add(new_transcation) + db.session.add(new_transaction) 
db.session.commit() - return jsonify({"status": 200, "text": "Successfully added transaction", "data": new_transcation.as_dict()}) + return jsonify({"status": 200, "text": "Successfully added transaction", "data": new_transaction.as_dict()}) @transaction_blueprint.route('/transactions', methods=['GET']) +@transaction_blueprint.output(TransactionSchema(), 200) +@transaction_blueprint.auth_required(auth) +@transaction_blueprint.doc(summary="Returns all transactions", description="Returns all transactions for current user") def get_transaction(): - # get username from jwt token - username = get_username_from_token_data(extract_token_data(get_token())) - if username is None: # If token not provided or invalid -> return 401 code - return return_401() + username = get_username_or_abort_401() return_transactions = [] transactions = db.session.query(Transaction).filter_by(user_id=get_user_id_from_username(username)).all() @@ -52,3 +52,29 @@ def get_transaction(): return_transactions.append(row.as_dict()) return jsonify({"status": 200, "text": "Successfully loaded transactions", "data": return_transactions}) + + +def check_if_transaction_data_exists(data): + if "symbol" not in data: + abort(400, message="Symbol missing") + + if data['symbol'] == "" or data['symbol'] is None: + abort(400, message="Symbol missing") + + if "time" not in data: + abort(400, message="Time missing") + + if data['time'] == "" or data['time'] is None: + abort(400, message="Time missing") + + if "count" not in data: + abort(400, message="Count missing") + + if data['count'] == "" or data['count'] is None: + abort(400, message="Count missing") + + if "price" not in data: + abort(400, message="Price missing") + + if data['price'] == "" or data['price'] is None: + abort(400, message="Price missing") diff --git a/webservice/api_blueprint_user.py b/webservice/api_blueprint_user.py index 5024281..57b291a 100644 --- a/webservice/api_blueprint_user.py +++ b/webservice/api_blueprint_user.py 
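Review bot: `datetime.datetime.strptime(data['time'], '%Y-%m-%dT%H:%M:%S.%fZ')` raises ValueError on any timestamp that does not match the exact format, and nothing in add_transaction or check_if_transaction_data_exists catches it, so a malformed `time` from the client surfaces as an unhandled 500 instead of a 400. Parse it up front and abort cleanly, or declare `time` as an apiflask `DateTime` field in TransactionSchema so marshmallow rejects it before the view runs. The `%fZ` suffix also silently discards the zone marker and produces a naive datetime; a comment saying the value is treated as UTC would help the next reader.

```python
def add_transaction(data):
    username = get_username_or_abort_401()

    check_if_transaction_data_exists(data)

    try:
        # format is fixed by the client; the trailing 'Z' is accepted but the result is naive (treated as UTC)
        time = datetime.datetime.strptime(data['time'], '%Y-%m-%dT%H:%M:%S.%fZ')
    except ValueError:
        abort(400, message="Time has invalid format, expected YYYY-MM-DDTHH:MM:SS.ffffffZ")

    # … unchanged: Transaction(...) construction (pass time=time), add, commit, response …
```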
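Review bot: `@transaction_blueprint.output(TransactionSchema(), 200)` on get_transaction documents a single object, but the view returns `return_transactions`, a list, so the spec needs `TransactionSchema(many=True)`. In check_if_transaction_data_exists the `data['count'] == ""` and `data['price'] == ""` comparisons look dead because TransactionSchema types those fields as `Integer` and `Float`, which marshmallow rejects for `""` before the view runs; what is not rejected is a negative or zero `count`/`price`, which `count = Integer(required=True, validate=Range(min=1))` would cover. TransactionSchema also lists `user_id`, so the input spec invites clients to send a user id that add_transaction rightly ignores in favour of the token; a separate input schema without it, or `user_id = Integer(dump_only=True)`, removes the ambiguity.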
@@ -2,17 +2,23 @@ import datetime import os import jwt -from flask import Blueprint, jsonify, request +from apiflask import APIBlueprint, abort +from flask import jsonify from db import db -from helper_functions import check_password, hash_password, get_token, extract_token_data +from helper_functions import check_password, hash_password from models import User +from scheme import UsersSchema, Token, LoginData +from auth import auth -users_blueprint = Blueprint('users', __name__, url_prefix='/api') +users_blueprint = APIBlueprint('users', __name__, url_prefix='/api') __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file__))) @users_blueprint.route('/users', methods=['GET']) +@users_blueprint.output(UsersSchema(many=True), 200) +@users_blueprint.auth_required(auth) +@users_blueprint.doc(summary="Get all users", description="Returns all existing users as array") def users(): res = [] for i in User.query.all(): 
@@ -22,43 +28,62 @@ def users(): @users_blueprint.route('/login', methods=['POST']) -def login(): - request_data = request.get_json() - username = request_data['username'] - password = request_data['password'] +@users_blueprint.output(Token(), 200) +@users_blueprint.input(schema=LoginData) +@users_blueprint.doc(summary="Login", description="Returns jwt token if username and password match, otherwise returns error") +def login(data): + check_if_user_data_exists(data) + + username = data['username'] + password = data['password'] user = db.session.query(User).filter_by(username=username).first() - if check_password(user.password, password): - token = jwt.encode({'username': user.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=45)}, os.getenv('SECRET_KEY'), "HS256") - return jsonify({"status": 200, "text": "Successfully logged in", "data": token}) - else: - return jsonify({"status": 500, "text": "Unable to login"}) + if user is None: # Username doesn't exist + abort(500, message="Unable to login") + if not check_password(user.password, password): # Password incorrect + abort(500, message="Unable to login") -@users_blueprint.route('/logout', methods=['GET']) -def logout(): - # TODO - return jsonify({"status": 200, "text": "Successfully logged out"}) + token = jwt.encode({'username': user.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=45)}, os.getenv('SECRET_KEY'), "HS256") + return jsonify({"status": 200, "text": "Successfully logged in", "data": {"token": token}}) @users_blueprint.route('/register', methods=['POST']) -def register(): - request_data = request.get_json() - username = request_data['username'] - password = request_data['password'] +@users_blueprint.output(UsersSchema(), 200) +@users_blueprint.input(schema=LoginData) +@users_blueprint.doc(summary="Register", description="Registers user") +def register(data): + check_if_user_data_exists(data) + + username = data['username'] + password = data['password'] user 
= db.session.query(User).filter_by(username=username).first() - if user is None: - # Username doesn't exist yet - user = User( - username=username, - password=hash_password(password), - admin=False - ) - db.session.add(user) - db.session.commit() - return jsonify({"status": 200, "text": "Successfully registered user", "data": user.as_dict()}) - else: - return jsonify({"status": 500, "text": "Username already exist"}) + if user is not None: # Username already exist + abort(500, message="Username already exist") + + user = User( + username=username, + password=hash_password(password), + admin=False + ) + db.session.add(user) + db.session.commit() + + return jsonify({"status": 200, "text": "Successfully registered user", "data": user.as_dict()}) + + +def check_if_user_data_exists(data): + if "username" not in data: + abort(400, message="Username missing") + + if data['username'] == "" or data['username'] is None: + abort(400, message="Username missing") + + if "password" not in data: + abort(400, message="Password missing") + + if data['password'] == "" or data['password'] is None: + abort(400, message="Password missing") diff --git a/webservice/app.py b/webservice/app.py index 6963bfa..370fd20 100644 --- a/webservice/app.py +++ b/webservice/app.py @@ -1,4 +1,9 @@ -from flask import Flask +# TODO +# Change password, username +# Endpoints for news, shares + +from apiflask import APIFlask + from dotenv import load_dotenv from models import * @@ -14,7 +19,7 @@ def create_app(): load_dotenv() # Create Flask app load app.config - application = Flask(__name__) + application = APIFlask(__name__) application.config.from_object("config.ConfigClass") application.app_context().push() diff --git a/webservice/auth.py b/webservice/auth.py new file mode 100644 index 0000000..7db89a7 --- /dev/null +++ b/webservice/auth.py 
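Review bot: Both failure paths in login use `abort(500, message="Unable to login")`, so wrong credentials are reported as a server error; they should be `abort(401, message="Unable to login")` (keeping one message for both cases is right, since it avoids confirming which usernames exist). `jwt.encode(..., os.getenv('SECRET_KEY'), "HS256")` reads the key on every call, and if the variable is unset it passes `None` as the HMAC key; as far as I recall PyJWT rejects that at call time, but either way the problem surfaces as a 500 on the first login rather than at startup, so load it once in config and fail fast when it is missing. Removing the stub `/logout` is fine, but with stateless tokens and no revocation a leaked token stays valid for the full 45 minutes, which deserves a comment next to the `exp` claim. register accepts any non-empty password; at least a minimum length check in check_if_user_data_exists (e.g. `if len(data['password']) < 8: abort(400, message="Password too short")`) is worth adding now that the endpoint is public.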
@@ -0,0 +1,18 @@ +import os + +import jwt +from apiflask import HTTPTokenAuth + +auth = HTTPTokenAuth() + + +@auth.verify_token +def verify_token(token): + if token is None: + return False + + try: + jwt.decode(token, os.getenv('SECRET_KEY'), algorithms=["HS256"]) + return True + except jwt.exceptions.DecodeError: + return False diff --git a/webservice/config.py b/webservice/config.py index 070af07..e7f323c 100644 --- a/webservice/config.py +++ b/webservice/config.py @@ -2,6 +2,8 @@ import os from dotenv import load_dotenv +from scheme import BaseResponseSchema + load_dotenv() @@ -19,3 +21,32 @@ class ConfigClass(object): (os.getenv("MYSQL_PORT") or str(3306)) + "/" + \ os.getenv('MYSQL_DATABASE') SQLALCHEMY_TRACK_MODIFICATIONS = False # Avoids SQLAlchemy warning + + # openapi/Swagger config + SPEC_FORMAT = 'yaml' + SERVERS = [ + { + "name": "Production", + "url": "https://aktienbot.flokaiser.com" + }, + { + "name": "Local", + "url": "http://127.0.0.1:5000" + } + ] + INFO = { + 'description': 'Webengineering 2 | Telegram Aktienbot', + 'version': '0.0.1' + # 'termsOfService': 'http://example.com', + # 'contact': { + # 'name': 'API Support', + # 'url': 'http://www.example.com/support', + # 'email': 'support@example.com' + # }, + # 'license': { + # 'name': 'Apache 2.0', + # 'url': 'http://www.apache.org/licenses/LICENSE-2.0.html' + # } + } + BASE_RESPONSE_DATA_KEY = "data" + BASE_RESPONSE_SCHEMA = BaseResponseSchema diff --git a/webservice/helper_functions.py b/webservice/helper_functions.py index f081182..b6c4b77 100644 --- a/webservice/helper_functions.py +++ b/webservice/helper_functions.py @@ -3,7 +3,8 @@ import os import uuid import jwt -from flask import request, jsonify +from apiflask import abort +from flask import request from db import db from models import User 
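Review bot: verify_token catches only `jwt.exceptions.DecodeError`, but in PyJWT 2.x `ExpiredSignatureError` is a sibling of `DecodeError` under `InvalidTokenError`, not a subclass of it, so a token past its 45-minute `exp` raises out of the callback and the request fails with a 500 instead of a 401. Catching `jwt.exceptions.InvalidTokenError` covers expiry, bad signature and malformed input in one place. The callback also returns a bare `True`, which discards the decoded claims and forces every view to decode the token again via `get_username_or_abort_401()`; returning the username claim makes it available as `auth.current_user` and still counts as authenticated.

```python
@auth.verify_token
def verify_token(token):
    """Return the username claim of a valid HS256 token, or False to trigger a 401."""
    if token is None:
        return False

    try:
        payload = jwt.decode(token, os.getenv('SECRET_KEY'), algorithms=["HS256"])
    except jwt.exceptions.InvalidTokenError:  # base class: covers DecodeError, InvalidSignatureError and ExpiredSignatureError
        return False

    # a truthy return marks the request authenticated; the claim becomes auth.current_user
    return payload.get('username') or False
```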
@@ -31,7 +32,7 @@ def extract_token_data(token): if token is not None: try: return jwt.decode(token, os.getenv('SECRET_KEY'), algorithms=["HS256"]) - except: + except jwt.exceptions.DecodeError: return None else: return None @@ -51,5 +52,10 @@ def get_user_id_from_username(username): return None -def return_401(): - return jsonify({"status": 401, "text": "Authorization token not provided or not valid"}) +def get_username_or_abort_401(): + # get username from jwt token + username = get_username_from_token_data(extract_token_data(get_token())) + if username is None: # If token not provided or invalid -> return 401 code + abort(401, message="Unable to login") + + return username diff --git a/webservice/requirements.txt b/webservice/requirements.txt index 5aa48e2..33fd798 100644 --- a/webservice/requirements.txt +++ b/webservice/requirements.txt @@ -5,4 +5,6 @@ uwsgi==2.0.20 Flask_SQLAlchemy==2.5.1 python-dotenv==0.19.2 pymysql==1.0.2 -pyjwt==2.0.0 \ No newline at end of file +pyjwt==2.0.0 +apiflask==0.12.0 +flask-swagger-ui==3.36.0 diff --git a/webservice/scheme.py b/webservice/scheme.py new file mode 100644 index 0000000..fba27f7 --- /dev/null +++ b/webservice/scheme.py 
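Review bot: Narrowing the bare `except:` in extract_token_data to `jwt.exceptions.DecodeError` is an improvement, but it now lets `jwt.exceptions.ExpiredSignatureError` propagate, since in PyJWT 2.x that class is not a subclass of `DecodeError`; before this change an expired token produced `None` (and a 401 downstream), after it the request crashes with a 500. Use the common base, `except jwt.exceptions.InvalidTokenError:`, and add a comment such as `# expired, mis-signed or malformed tokens all map to None -> 401 at the caller`. The enclosing function starts before the hunk.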
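Review bot: The 401 raised in get_username_or_abort_401 says "Unable to login", which is the same text login uses for bad credentials, so a client cannot tell an expired or missing bearer token from a wrong password; the message the removed return_401 carried was more accurate: `abort(401, message="Authorization token not provided or not valid")`. A short docstring stating that the function aborts the request rather than returning `None` would also help, since its name is the only hint.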
@@ -0,0 +1,62 @@ +from apiflask import Schema +from apiflask.fields import Integer, String, Boolean, Field, Float + + +class BaseResponseSchema(Schema): + text = String() + status = Integer() + data = Field() + + +class UsersSchema(Schema): + admin = Boolean() + password = String() + telegram_name = String() + user_id = Integer() + username = String() + + +class Token(Schema): + token = String() + + +class LoginData(Schema): + username = String() + password = String() + + +class KeywordSchema(Schema): + keyword = String() + + +class KeywordResponseSchema(Schema): + keyword = String() + s_id = Integer() + user_id = Integer() + + +class SymbolSchema(Schema): + symbol = String() + + +class SymbolResponseSchema(Schema): + symbol = String() + s_id = Integer() + user_id = Integer() + + +class PortfolioShareResponseSchema(Schema): + count = Integer() + last_transaction = String() + + +class TransactionSchema(Schema): + user_id = Integer() + symbol = String() + time = String() + count = Integer() + price = Float() + + +class DeleteSuccessfulSchema(Schema): + pass -- 2.45.2 From 317a585f529888ef7ca7dcbe4de2a67d6a22f893 Mon Sep 17 00:00:00 2001 From: H4CK3R-01 Date: Thu, 17 Mar 2022 11:05:28 +0100 Subject: [PATCH 3/5] Added api endpoints: - delete user - get current user - update user password and username - set admin rights - refactoring --- webservice/api_blueprint_user.py | 142 +++++++++++++++++++++++++++---- webservice/app.py | 6 +- webservice/helper_functions.py | 12 +++ webservice/scheme.py | 22 ++++- 4 files changed, 163 insertions(+), 19 deletions(-) diff --git a/webservice/api_blueprint_user.py b/webservice/api_blueprint_user.py index 57b291a..c7e6940 100644 --- a/webservice/api_blueprint_user.py +++ b/webservice/api_blueprint_user.py 
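Review bot: UsersSchema declares `password = String()`, and it is the output schema for `/users`, `/register` and later `/user`, so the documented (and, if `as_dict()` includes the column, the actual) response carries the stored password hash to every client; drop the field or make it `password = String(load_only=True)` so it never serializes. TransactionSchema is used both as the input schema of add_transaction and the output schema of get_transaction, yet it contains `user_id`, which the input side must never trust; split it or mark `user_id = Integer(dump_only=True)`. None of the request-side fields (`username`, `password`, `keyword`, `symbol`, `time`, ...) carry `required=True`, which is what forces the hand-written `check_if_*_data_exists` helpers in every blueprint and leaves the generated OpenAPI spec claiming they are optional.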
@@ -6,9 +6,9 @@ from apiflask import APIBlueprint, abort from flask import jsonify from db import db -from helper_functions import check_password, hash_password +from helper_functions import check_password, hash_password, get_username_or_abort_401, abort_if_no_admin from models import User -from scheme import UsersSchema, Token, LoginData +from scheme import UsersSchema, TokenSchema, LoginDataSchema, AdminDataSchema, DeleteUserSchema from auth import auth users_blueprint = APIBlueprint('users', __name__, url_prefix='/api') @@ -20,6 +20,8 @@ __location__ = os.path.realpath(os.path.join(os.getcwd(), os.path.dirname(__file @users_blueprint.auth_required(auth) @users_blueprint.doc(summary="Get all users", description="Returns all existing users as array") def users(): + abort_if_no_admin() + res = [] for i in User.query.all(): res.append(i.as_dict()) @@ -27,9 +29,21 @@ def users(): return jsonify({"status": 200, "data": res}) -@users_blueprint.route('/login', methods=['POST']) -@users_blueprint.output(Token(), 200) -@users_blueprint.input(schema=LoginData) +@users_blueprint.route('/user', methods=['GET']) +@users_blueprint.output(UsersSchema(), 200) +@users_blueprint.auth_required(auth) +@users_blueprint.doc(summary="Get current user", description="Returns current user") +def user(): + username = get_username_or_abort_401() + + res = db.session.query(User).filter_by(username=username).first().as_dict() + + return jsonify({"status": 200, "data": res}) + + +@users_blueprint.route('/user/login', methods=['POST']) +@users_blueprint.output(TokenSchema(), 200) +@users_blueprint.input(schema=LoginDataSchema) @users_blueprint.doc(summary="Login", description="Returns jwt token if username and password match, otherwise returns error") def login(data): check_if_user_data_exists(data) 
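Review bot: The new `/user` endpoint does `db.session.query(User).filter_by(username=username).first().as_dict()` without a `None` check, and this same patch adds endpoints that delete and rename users while a signed token stays valid for 45 minutes, so a request with a token for a removed or renamed account raises AttributeError and returns a 500. Guard it: `query_user = db.session.query(User).filter_by(username=username).first()` / `if query_user is None: abort(401, message="Unable to login")` / `res = query_user.as_dict()`. Whether `as_dict()` includes the password hash is not visible here, but the UsersSchema attached to this route lists `password`, so the documented response does; worth confirming and excluding.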
@@ -37,21 +51,21 @@ def login(data): username = data['username'] password = data['password'] - user = db.session.query(User).filter_by(username=username).first() + query_user = db.session.query(User).filter_by(username=username).first() - if user is None: # Username doesn't exist + if query_user is None: # Username doesn't exist abort(500, message="Unable to login") - if not check_password(user.password, password): # Password incorrect + if not check_password(query_user.password, password): # Password incorrect abort(500, message="Unable to login") - token = jwt.encode({'username': user.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=45)}, os.getenv('SECRET_KEY'), "HS256") + token = jwt.encode({'username': query_user.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=45)}, os.getenv('SECRET_KEY'), "HS256") return jsonify({"status": 200, "text": "Successfully logged in", "data": {"token": token}}) -@users_blueprint.route('/register', methods=['POST']) +@users_blueprint.route('/user/register', methods=['POST']) @users_blueprint.output(UsersSchema(), 200) -@users_blueprint.input(schema=LoginData) +@users_blueprint.input(schema=LoginDataSchema) @users_blueprint.doc(summary="Register", description="Registers user") def register(data): check_if_user_data_exists(data) 
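Review bot: When `query_user is None` the abort happens before `check_password` runs, so the unknown-username path is measurably faster than the wrong-password path and the identical "Unable to login" message does not fully prevent username enumeration; running `check_password` against a fixed dummy hash in that branch keeps the timing comparable. The token minted here carries only `username`, and this same patch adds an endpoint that renames users, so after a rename the holder's token no longer resolves to an account for the rest of its lifetime; binding the token to the stable `user_id` (the model exposes it via `get_user_id_from_username`) avoids that. A comment on the encode line noting that the claims are signed but not encrypted (anyone holding the token can read them) would help future maintainers.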
@@ -59,20 +73,94 @@ def register(data): username = data['username'] password = data['password'] - user = db.session.query(User).filter_by(username=username).first() + query_user = db.session.query(User).filter_by(username=username).first() - if user is not None: # Username already exist + if query_user is not None: # Username already exist abort(500, message="Username already exist") - user = User( + new_user = User( username=username, password=hash_password(password), admin=False ) - db.session.add(user) + db.session.add(new_user) db.session.commit() - return jsonify({"status": 200, "text": "Successfully registered user", "data": user.as_dict()}) + return jsonify({"status": 200, "text": "Successfully registered user", "data": new_user.as_dict()}) + + +@users_blueprint.route('/user', methods=['PUT']) +@users_blueprint.output({}, 200) +@users_blueprint.input(schema=LoginDataSchema) +@users_blueprint.auth_required(auth) +@users_blueprint.doc(summary="Update user", description="Changes password and/or username of current user") +def update_user(data): + username = get_username_or_abort_401() + + check_if_user_data_exists(data) + + new_username = data['username'] + new_password = data['password'] + + query_user = db.session.query(User).filter_by(username=username).first() + + if query_user is None: # Username doesn't exist + abort(500, message="Unable to login") + + if new_password is not None: + query_user.password = hash_password(new_password) + if new_username is not None: + query_user.username = new_username + + db.session.commit() + + return jsonify({"status": 200, "text": "Successfully updated user", "data": {}}) + + +@users_blueprint.route('/user/setAdmin', methods=['PUT']) +@users_blueprint.output({}, 200) +@users_blueprint.input(schema=AdminDataSchema) +@users_blueprint.auth_required(auth) +@users_blueprint.doc(summary="Set user admin state", description="Set admin state of specified user") +def set_admin(data): + abort_if_no_admin() # Only admin users can do 
this + + check_if_admin_data_exists(data) + + username = data['username'] + admin = data['admin'] + + query_user = db.session.query(User).filter_by(username=username).first() + + if query_user is None: # Username doesn't exist + abort(500, message="Unable to login") + + query_user.admin = admin + db.session.commit() + + return jsonify({"status": 200, "text": "Successfully updated users admin rights", "data": {}}) + + +@users_blueprint.route('/user', methods=['DELETE']) +@users_blueprint.output({}, 200) +@users_blueprint.input(schema=DeleteUserSchema) +@users_blueprint.auth_required(auth) +@users_blueprint.doc(summary="Delete user", description="Deletes user by username") +def delete_user(data): + check_if_delete_data_exists(data) + + username = data['username'] + + if username == get_username_or_abort_401(): # Username is same as current user + db.session.query(User).filter_by(username=username).delete() + db.session.commit() + else: # Delete different user than my user -> only admin users + abort_if_no_admin() + + db.session.query(User).filter_by(username=username).delete() + db.session.commit() + + return jsonify({"status": 200, "text": "Successfully removed user", "data": {}}) def check_if_user_data_exists(data): @@ -87,3 +175,25 @@ def check_if_user_data_exists(data): if data['password'] == "" or data['password'] is None: abort(400, message="Password missing") + + +def check_if_admin_data_exists(data): + if "username" not in data: + abort(400, message="Username missing") + + if data['username'] == "" or data['username'] is None: + abort(400, message="Username missing") + + if "admin" not in data: + abort(400, message="Admin state missing") + + if data['admin'] == "" or data['admin'] is None: + abort(400, message="Admin state missing") + + +def check_if_delete_data_exists(data): + if "username" not in data: + abort(400, message="Username missing") + + if data['username'] == "" or data['username'] is None: + abort(400, message="Username missing") 
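Review bot: In update_user the `if new_password is not None` and `if new_username is not None` guards are dead, because `check_if_user_data_exists(data)` has already aborted on a missing or empty value, so the endpoint always overwrites both fields and cannot change one without the other, which contradicts the "password and/or username" in its doc string. There is also no uniqueness check on `new_username`, so renaming onto an existing account either raises an IntegrityError (500) or, without a DB constraint, creates two users sharing a name and breaks every `filter_by(username=...).first()` lookup; and no current password is required, even though scheme.py gains an unused ChangePasswordSchema with `old_password`. In delete_user a signature-only token keeps passing `verify_token` after the row is gone, and the user's keywords, shares and transactions referencing `user_id` are not removed here (whether the model cascades is not visible), so a note on both is warranted. set_admin's `abort(500, message="Unable to login")` for an unknown target username should be `abort(404, message="User not found")`.

```python
def update_user(data):
    username = get_username_or_abort_401()

    # aborts on a missing/empty username or password, so both values are always present below
    check_if_user_data_exists(data)

    new_username = data['username']
    new_password = data['password']

    query_user = db.session.query(User).filter_by(username=username).first()

    if query_user is None:  # token refers to an account that no longer exists
        abort(401, message="Unable to login")

    if new_username != username and db.session.query(User).filter_by(username=new_username).first() is not None:
        abort(409, message="Username already exist")

    query_user.password = hash_password(new_password)
    query_user.username = new_username  # NOTE: the caller's token still carries the old username and stops resolving

    # … unchanged: commit and response …
```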
diff --git a/webservice/app.py b/webservice/app.py index 370fd20..4b1687e 100644 --- a/webservice/app.py +++ b/webservice/app.py @@ -1,5 +1,9 @@ # TODO -# Change password, username +# Roles -> Admin Non-Admin +# Delete all users Delete only me +# Set Admin - +# Show all users - +# # Endpoints for news, shares from apiflask import APIFlask diff --git a/webservice/helper_functions.py b/webservice/helper_functions.py index b6c4b77..2791494 100644 --- a/webservice/helper_functions.py +++ b/webservice/helper_functions.py @@ -55,7 +55,19 @@ def get_user_id_from_username(username): def get_username_or_abort_401(): # get username from jwt token username = get_username_from_token_data(extract_token_data(get_token())) + if username is None: # If token not provided or invalid -> return 401 code abort(401, message="Unable to login") return username + + +def abort_if_no_admin(): + if not is_user_admin(): + abort(401, message="Only admin users can access this") + + +def is_user_admin(): + username = get_username_or_abort_401() + + return db.session.query(User).filter_by(username=username).first().admin diff --git a/webservice/scheme.py b/webservice/scheme.py index fba27f7..bb1371a 100644 --- a/webservice/scheme.py +++ b/webservice/scheme.py @@ -16,15 +16,33 @@ class UsersSchema(Schema): username = String() -class Token(Schema): +class AdminDataSchema(Schema): + username = String() + admin = Boolean() + + +class TokenSchema(Schema): token = String() -class LoginData(Schema): +class LoginDataSchema(Schema): username = String() password = String() +class DeleteUserSchema(Schema): + username = String() + + +class ChangePasswordSchema(Schema): + old_password = String() + new_password = String() + + +class ChangeUsernameSchema(Schema): + new_username = String() + + class KeywordSchema(Schema): keyword = String() -- 2.45.2 From 793d816e57f814e4a231ca8062b8488ffcf2aa59 Mon Sep 17 00:00:00 2001 
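Review bot: abort_if_no_admin answers an authenticated but unauthorized caller with 401, which means "not authenticated" and prompts clients to re-login; the correct code for a valid token without the role is `abort(403, message="Only admin users can access this")`. is_user_admin dereferences `.first().admin` without a `None` check, and because this patch adds user deletion while tokens stay valid, a deleted user's token reaches this line and raises AttributeError (a 500) instead of being rejected; `query_user = db.session.query(User).filter_by(username=username).first()` / `return query_user is not None and bool(query_user.admin)` closes that. A one-line docstring on each helper stating that it aborts rather than returns on failure would match how the rest of helper_functions.py is read.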
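Review bot: ChangePasswordSchema and ChangeUsernameSchema are added here but nothing in this series references them; update_user uses LoginDataSchema instead, so they are dead declarations that will still appear in the generated spec's component list. Either wire them into the update endpoint (the `old_password` field is exactly the re-authentication that endpoint lacks) or drop them. AdminDataSchema's `admin = Boolean()` without `required=True` leaves the manual check_if_admin_data_exists as the only enforcement; `admin = Boolean(required=True)` puts it in the schema. Note also that `data['admin'] == ""` in that helper can never be true for a Boolean-typed field, so that comparison is dead.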
From: H4CK3R-01 Date: Thu, 17 Mar 2022 13:33:19 +0100 Subject: [PATCH 4/5] Added flask cors --- webservice/app.py | 3 +++ webservice/requirements.txt | 2 ++ 2 files changed, 5 insertions(+) diff --git a/webservice/app.py b/webservice/app.py index 4b1687e..b15f49b 100644 --- a/webservice/app.py +++ b/webservice/app.py @@ -9,6 +9,7 @@ from apiflask import APIFlask from dotenv import load_dotenv +from flask_cors import CORS from models import * from blueprint_interface import interface_blueprint @@ -26,6 +27,8 @@ def create_app(): application = APIFlask(__name__) application.config.from_object("config.ConfigClass") + CORS(application) + application.app_context().push() db.init_app(application) diff --git a/webservice/requirements.txt b/webservice/requirements.txt index 33fd798..d37bc8e 100644 --- a/webservice/requirements.txt +++ b/webservice/requirements.txt @@ -8,3 +8,5 @@ pymysql==1.0.2 pyjwt==2.0.0 apiflask==0.12.0 flask-swagger-ui==3.36.0 +flask-cors==3.0.10 + -- 2.45.2 From 8cbb70ce6d926e7dfb7acbb52e0c0d20070f86fa Mon Sep 17 00:00:00 2001 From: H4CK3R-01 Date: Thu, 17 Mar 2022 14:27:48 +0100 Subject: [PATCH 5/5] Removed TODO --- webservice/app.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/webservice/app.py b/webservice/app.py index b15f49b..1172492 100644 --- a/webservice/app.py +++ b/webservice/app.py @@ -1,11 +1,3 @@ -# TODO -# Roles -> Admin Non-Admin -# Delete all users Delete only me -# Set Admin - -# Show all users - -# -# Endpoints for news, shares - from apiflask import APIFlask from dotenv import load_dotenv -- 2.45.2
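Review bot: `CORS(application)` with no arguments allows every origin, and config.py in this series already advertises a production server URL, so the API ships with a wildcard CORS policy; pass an explicit allow-list read from configuration, e.g. `CORS(application, origins=application.config.get("CORS_ORIGINS", ["http://127.0.0.1:5000"]))`, and document the expected value next to it. The hand-written after_request hook from the first commit in this series (setting `Access-Control-Allow-Origin: *` and a `Content-Type`-only `Allow-Headers`) is not removed here as far as the shown hunks go, so two mechanisms now write the same headers and which one wins depends on handler registration order; remove the manual hook so flask-cors is the single source of truth. create_app continues outside the hunk.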