I am trying to build a simple numeric captcha for my contact page in Flask. The contact page end-point loads in GET mode and initializes the values of the captcha verification. When I submit the form in POST mode, I expect my user-entered form value to match the captcha value. However, it is not working as expected. I did some troubleshooting with print statements to see how the values are changing and it appears that the captcha variables are getting re-initialised with the POST operation. Can someone please suggest a workaround? My Python code is shared below:
#bp.route('/contact/', methods=('GET', 'POST'))
def contact():
# Initialize captcha values
cap_a = random.randint(0, 9)
cap_b = random.randint(0, 9)
cap_prod = cap_a * cap_b
print(cap_a, cap_b, cap_prod)
if request.method == "POST":
error = None
log_file = current_app.config['LOGFILE']
full_name = request.form['fullname']
email_addr = request.form['email']
phone_no = request.form['phone']
msg_body = request.form['message']
num_prod = request.form['verifycaptcha']
print(cap_a, cap_b, cap_prod)
print(full_name, email_addr, phone_no, msg_body, num_prod)
if not full_name:
error = 'Full name is required.'
elif not email_addr:
error = 'Email address is required.'
elif not msg_body:
error = 'Message body is required.'
if num_prod != cap_prod:
error = 'Incorrect captcha verification.'
if error is None:
# Perform some operations
pass
try:
with current_app.app_context():
mail = Mail()
mail.init_app(current_app)
mail.send(msg)
error = 'Mail sent successfully!'
except:
error = 'Mail engine error encountered. Please retry after some time.'
f = open(log_file, "a")
f.write('['+datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')+'] '+error+'\n')
f.close()
flash(error)
return render_template('contact.html',num_a = cap_a, num_b = cap_b)
cap_a = random.randint(0, 9)
cap_b = random.randint(0, 9)
cap_prod = cap_a * cap_b
these are 2 random numbers and you are creating cap_prod. You are not saving the cap_prod anywhere. You are instead calculating it again when POST request comes (this time it will be 2 new random numbers)
You need to save the captcha that you created during the GET, and then when the POST comes , compare with the value that was originally sent.
If you are going to support refresh-captcha image in the future (you need to have an API call that will generate a new captcha and save it)
I figured out the solution by storing the captcha variables in the session dictionary of Flask and checking for its existence before re-initialising the values.
def contact():
# Initialize captcha values
if 'product' not in session:
cap_a = random.randint(0, 9)
cap_b = random.randint(0, 9)
session['captcha_a'] = cap_a
session['captcha_b'] = cap_b
session['product'] = cap_a * cap_b
else:
cap_a = session.get('captcha_a')
cap_b = session.get('captcha_b')
if request.method == "POST":
pass
# Rest of the code
Working examples of the above solution can be found at Fadmeter.com and FadURL.com.
Related
I am trying to follow along with a couple online tutorials for creating a reset password feature in my app. Both these tutorials use itsdangerous TimedJSONWebSignatureSerializer, which has since been deprecated, so I'm working with an older version of itsdangerous. Probably not best practice, I know.
The issue that I'm running into is that when I'm in the reset_token function and use verify_token(), its supposed to return the variable "email" to me, which I then save in "user". The reset_token function runs through the first time to bring up the html page and on this first run through, user = the email address, as it should. However, then when I hit "submit" on my reset password page, the code runs through a second time and then user = None, which therefore makes my query not work.
How do I make "email" not turn to None on the second run through of my code?
from flask import Flask, request, render_template, session, redirect, url_for
import mysql.connector
from flask_mail import Mail, Message
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
def get_token(user, expires_sec=600):
serial = Serializer(app.config['SECRET_KEY'], expires_in=expires_sec)
return serial.dumps({'user_id': user}).decode('utf-8')
def verify_token(token):
serial = Serializer(app.config['SECRET_KEY'])
try:
email = serial.loads(token)['user_id']
except:
return None
return email
def send_mail(email):
token = get_token(email)
msg = Message('Password Reset Request', recipients=[email], sender='censoring this :)')
msg.body = f'''
To reset your password, please follow the link below.
{url_for('reset_token', token=token, _external=True)}
If you did not request a password reset, please ignore this message.
'''
mail.send(msg)
#app.route('/password_reset', methods=['post', 'get'])
def password_reset():
error = None
success = None
def check(s):
email_format = r'\b[A-Za-z0-9._%+-]+#[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
if re.match(email_format, s):
return True
else:
return False
if request.method == 'POST':
email = request.form.get('email')
if not check(email):
error = "*Invalid email"
else:
query = "SELECT * FROM users WHERE email = %s"
cursor.execute(query, (email,))
cursor.fetchall()
count_rows = cursor.rowcount
if count_rows < 1:
error = "*We do not have that email address on file."
else:
send_mail(email)
success = "*Reset request sent. Please check your email."
return render_template('password_reset.html', error=error, msg=success)
#app.route('/password_reset/<token>', methods=['get', 'post'])
def reset_token(token):
error = None
success = None
user = verify_token(token)
print(user)
if user is None:
error = "That token is either invalid or expired. Please try again."
return redirect(url_for('password_reset'))
if request.method == 'POST':
password = request.form.get('password')
password_2 = request.form.get('password_2')
if len(password) < 6:
error = "*Your password must have at least 6 characters."
elif password != password_2:
error = "*Passwords do not match."
else:
query = "UPDATE users SET password=%s WHERE email=%s"
cursor.execute(query, (password, user))
mydb.commit()
success = "Your password has been created!"
return render_template('change_password.html')
I have written a code for registration and login in django. While doing login, I am getting the error "Invalid salt"
Following is the code:
#api_view(['POST'])
def login(request):
email = request.data.get('email')
mobile_number = request.data.get('mobile_number')
pin = request.data.get('pin')
res = dict()
print(dict, "dictonaryyyyyy")
if email != None:
email_result = Users.objects.filter(email= email).first()
print(email_result.pin, "emaillll")
if email_result != None:
if bcrypt.checkpw(pin.encode("utf-8"), email_result.pin.encode('utf-8')):
# if bcrypt.checkpw(pin, )
print("........")
payload_data = dict()
payload_data['email'] = email_result.email
token = generate_token(payload_data)
print(token, "token.........")
res['messages'] = "Authentication Successful"
res['status'] = 200,
res['token'] = token
return Response(res, status = status.HTTP_200_OK)
...
...
How to get rid of this error?
It got solved, the hashed password was being saved as a binary instead of string at the time of registrattion.
To convert it into a string, the pin is required to be decoded at the time of creating the object.
pin = pin.decode('utf-8'),
I have a problem with users trying to register on my application (which is a Flask app deployed on Pythonanywhere with MongoDB Atlas).
Basically when they register they receive an email with a token that they need to click on to confirm. When they click on that link they should enter the application, but instead they receive an error.
When I check the error log, this is what I see (under "/auth/register") when it calls:
existing_user = User.get_by_email(session["email"])
return super(SecureCookieSession, self).__getitem__(key)
Exception KeyError: 'email' was thrown out.
It seems that somehow the session["email"] does not work?
This is my code:
#app.route('/confirm/<token>')
def confirm_email(token):
try:
email = ts.loads(token, salt="email-confirm-key", max_age=7200)
except:
return render_template("token_expired.html")
user = Database.find_one(collection="users", query={"email": email})
return redirect(url_for("register_user"))
#app.route("/auth/register", methods=["GET", "POST"])
def register_user():
existing_user = User.get_by_email(session["email"])
if existing_user is None:
email = session["email"].lower() # our website is making a request to our app
username = session["username"]
companyname = session["companyname"].lower()
password = session["password"].encode("utf-8")
hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())
User.register(email, username, companyname, hashed_password)
session["companyname"] = companyname
excisting_company = Database.find_one(collection="companies", query={"email": session["email"]})
if excisting_company is None:
new_company = NewCompany(session["companyname"], session["email"])
new_company.company_save_to_mongo()
else:
return "A company has already been registered under your email address"
else:
return render_template("email_already_exists.html")
return redirect(url_for("user_results"))
#classmethod
def get_by_email(cls, email):
find_email = Database.find_one(collection="users", query={"email": email})
if find_email is not None:
return cls(email=find_email["email"], username=find_email["username"],
companyname=find_email["companyname"], hashed_password=find_email["password"],
date=find_email["date"], _id=find_email["_id"])
I cant seem to figure out why, as when I register myself it works just fine.
Your help would be greatly appreciated here, many thanks in advance.
UPDATE:
Here is where I set the session["email"]:
#app.route("/email_confirmation", methods=["GET", "POST"])
def confirmation():
email = request.form["email"].lower()
companyname = request.form["companyname"].lower()
password = request.form["password"]
username = request.form["username"]
session["password"] = password
session["email"] = email
session["companyname"] = companyname
session["username"] = username
existing_user = User.get_by_email(email)
if existing_user is None:
msg = Message("Confirm your email", sender=("hello#weliketalent.com"),
recipients=[email])
token = ts.dumps(email, salt="email-confirm-key")
confirm_url = url_for("confirm_email", token=token, _external=True)
msg.html = render_template("email/activate.html", confirm_url=confirm_url)
mail.send(msg)
The error is telling you that there is no "email" value in session object.
I don't see you setting this value anywhere in your code. How is it supposed to get there? Somebody needs to set it somewhere before this code runs.
In addition to that, you should design your code not to crash in such cases, as this could be a security vulnerability. You can use if "email" not in session for test.
I have a method in Django where I get POST data from a mobile app and all I do is save it and send a Response. The problem is though the the data gets saved but no matter what the app receives the response code 500.
<Response [500]>
code:
#csrf_exempt
def store_recordings(request):
if request.method == 'POST':
print "In POST",request.POST
driverName = request.POST['driverName']
driverMobileNum = request.POST['driverMobileNum']
customerMobileNum = request.POST['customerMobileNum']
salesOrderNo = request.POST['salesOrderNo']
callRecord = request.POST['callRecord']
latitude = request.POST['latitude']
longitude = request.POST['longitude']
callStart = request.POST['callStart']
callEnd = request.POST['callEnd']
callDuration = request.POST['callDuration']
callType = request.POST['callType']
driverrecording = DriverRecording(driverName=driverName,driverMobileNum=driverMobileNum,customerMobileNum=customerMobileNum,salesOrderNo=salesOrderNo,callRecord=callRecord,latitude=latitude,longitude=longitude,callStart=callStart,callEnd=callEnd,callDuration=callDuration,callType=callType)
save_or_not = driverrecording.save()
driverexist = DriverNames.objects.all()
new_driver_flag = False
driverName_list = [each.driverName for each in driverexist]
driverName_list = list(set(driverName_list))
if driverName in driverName_list:
pass
else:
DriverNames(driverName=driverName,driverMobileNum=driverMobileNum).save()
return HttpResponse(status=201)
else:
return HttpResponse(status=400)
I am perplexed what is the problem.
Thanks.
Almost certainly, one or more of those fields is not being sent, so you are getting a KeyError. If you set DEBUG to True you would see the traceback.
You should be using Django's forms framework, instead of directly accessing the POST data. That will validate the input and allow you to display any errors.
I want to test this view:
def register(request):
"""
handle user registration
code variable is for testing purposes
"""
if request.method== 'GET':
form = RegisterForm(auto_id=False)
code = 1
return render_to_response('register_home.html',locals(),context_instance=RequestContext(request))
elif request.method == 'POST':
form = RegisterForm(request.POST)
if form.is_valid():
password = form.cleaned_data['password']
password_confirmation = form.cleaned_data['password_confirmation']
if password == password_confirmation:
#if True:
login = form.cleaned_data['login']
email = form.cleaned_data['email']
newsletter = form.cleaned_data['newsletter']
key = register_user(login,email,password,newsletter)
if key:
#send email
send_mail("Dziękujemy za rejestrację"," Klucz aktywacyjny to " + key,settings.EMAIL_HOST_USER,[email])
request.session['email'] = email
return redirect(register_success)
else:
code = 4
error = "Login /email are taken"
return render_to_response('register_home.html',locals(),context_instance=RequestContext(request))
else:
code = 3
error = "invalid password"
return render_to_response('register_home.html',locals(),context_instance=RequestContext(request))
else:
code = 2
return render_to_response('register_home.html',locals(),context_instance=RequestContext(request))
And here is my part of my test:
def test_valid_credentials(self):
#now try to register valid user
data = {'login':'test','password':'zaq12wsx','password_confirmation':'zaq12wsx','terms':True,'newsletter':True,'email':'test#test.com'}
response = self.c.post(reverse('register'),data)
#our user should be registred
self.assertEquals(302, response.status_code,'We dont have benn redirected')
self.assertEqual(len(mail.outbox), 1,'No activation email was sent')
#clen email box
mail.outbox = []
#now try to add anotheer user with the same data
response = self.c.post(reverse('register'),data)
#template should be rendered with error message about used login and email
self.assertEqual(response.context['code'],4)
And here is the error that I got:
,
in test_valid_credentials
self.assertEqual(response.context['code'],4)
TypeError: 'NoneType' object is not subscriptable
I tried it with get method and it works perfectly. Just with post it don't want to work.What am I doing wrong?Best regards
What is the response status? Redirects doesn't have context. Anyway, printing the response should help.
My guess is
key = register_user(login,email,password,newsletter)
throws an exception on duplicate register attempts and thus the handler does not generate a response.