add warning for admin account creation, improve login flow
a1ex4 committed Oct 25, 2023
1 parent 8349c19 commit 8ac69f6
Showing 4 changed files with 77 additions and 9 deletions.
17 changes: 13 additions & 4 deletions app/app.py
Expand Up @@ -55,6 +55,13 @@ def access_tinfoil_shop(request):

return serve_tinfoil_shop()

def access_shop():
return render_template('index.html', games=get_all_titles(), admin_account_created=admin_account_created(), valid_keys=app_settings['valid_keys'])

@access_required('shop')
def access_shop_auth():
return access_shop()

@app.route('/')
def index():
scan_library()
Expand All @@ -63,17 +70,19 @@ def index():
if all(header in request_headers for header in TINFOIL_HEADERS):
# if True:
print(f"Tinfoil connection from {request.remote_addr}")
return access_tinfoil_shop(request)

return render_template('index.html', games=get_all_titles(), valid_keys=app_settings['valid_keys'])
return access_tinfoil_shop(request)

if not app_settings['shop']['public']:
return access_shop_auth()
return access_shop()

@app.route('/settings')
@access_required('admin')
def settings_page():
with open(os.path.join(TITLEDB_DIR, 'languages.json')) as f:
languages = json.load(f)
languages = dict(sorted(languages.items()))
return render_template('settings.html', languages_from_titledb=languages, valid_keys=app_settings['valid_keys'])
return render_template('settings.html', languages_from_titledb=languages, admin_account_created=admin_account_created(), valid_keys=app_settings['valid_keys'])

@app.get('/api/settings')
def get_settings_api():
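Review bot: `access_shop_auth()` on the non-public branch of `index()` inherits the fall-through in `access_required` (shown in the app/auth.py hunk: `if admin_account_created(): return login_manager.unauthorized() else: return f(*args, **kwargs)`), so a shop configured as private is still served to anonymous clients until the first admin account exists, and nothing in this hunk records that. A comment on the wrapper would make the contract explicit: `# NOTE: while no admin account exists, access_required runs the handler for everyone (see auth.access_required); the index banner warns about this state`. The same caveat applies to `settings_page`, guarded by `access_required('admin')`. `index()` begins before this hunk and its Tinfoil-header branch is only partly visible, so I cannot tell from here whether that path is meant to bypass the public/private setting as well.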
24 changes: 22 additions & 2 deletions app/auth.py
Expand Up @@ -5,12 +5,24 @@
from db import *
from flask_login import LoginManager

def admin_account_created():
return len(User.query.filter_by(admin_access=True).all())

def unauthorized_json():
response = login_manager.unauthorized()
resp = {
'success': False,
'status_code': response.status_code,
'location': response.location
}
return jsonify(resp)

def access_required(access: str):
def _access_required(f):
@wraps(f)
def decorated_view(*args, **kwargs):
if not current_user.is_authenticated:
if len(User.query.filter_by(admin_access=True).all()):
if admin_account_created():
return login_manager.unauthorized()
else:
return f(*args, **kwargs)
Expand Down Expand Up @@ -141,12 +153,14 @@ def signup_post():
backup_access = data['backup_access']
admin_access = data['admin_access']

user = User.query.filter_by(user=username).first() # if this returns a user, then the email already exists in database
user = User.query.filter_by(user=username).first() # if this returns a user, then the user already exists in database

if user: # if a user is found, we want to redirect back to signup page so user can try again
print('user already exists')
# Todo redirect to incoming page or return success: false
return redirect(url_for('auth.signup'))

existing_admin = admin_account_created()

# create a new user with the form data. Hash the password so the plaintext version isn't saved.
new_user = User(user=username, password=generate_password_hash(password, method='scrypt'), admin_access=admin_access, shop_access=shop_access, backup_access=backup_access)
Expand All @@ -158,6 +172,12 @@ def signup_post():
resp = {
'success': signup_success
}

if not existing_admin and admin_access:
# First admin account created
resp['status_code'] = 302,
resp['location'] = '/settings'

return jsonify(resp)


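Review bot: `resp['status_code'] = 302,` in `signup_post` carries a trailing comma, so the value is the one-tuple `(302,)` and `jsonify` emits `[302]` rather than the integer 302; the client-side check in settings.html only matches because JavaScript's loose `==` coerces `[302]` to `'302'`. Drop the comma: `resp['status_code'] = 302`. Separately, `admin_account_created()` returns a row count via `len(... .all())` while every caller, including the templates' `== false` comparisons, treats it as a boolean, so loading every admin row is wasted work and the int/bool mismatch is easy to trip over; `return User.query.filter_by(admin_access=True).first() is not None` yields a plain bool with a cheaper query. `signup_post` starts before and ends after these hunks.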
13 changes: 13 additions & 0 deletions app/templates/index.html
Expand Up @@ -146,6 +146,19 @@
{% block content %}
<div id="content" class="container-fluid mt-3">

{% if admin_account_created == false %}
<div class="alert alert-danger" role="alert">
<h4 class="alert-heading">Missing admin account!</h4>
<p>Ownfoil requires an admin account to enable authentication. Until an account with admin rights is
created, <strong>authentication is disabled, anyone can access and change the configuration of your
shop!</strong>
<br>
Add an admin account <a href="/settings#Authentication" class="alert-link">in the Setting page, under
Authentication</a>.
</p>
</div>
{% endif %}

{% if valid_keys == false %}
<div class="alert alert-warning alert-dismissible fade show" role="alert">
<h4 class="alert-heading">Missing console keys!</h4>
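Review bot: This banner is rendered by `access_shop()`, which in app/app.py is also the handler for a public shop, so every anonymous visitor is told that authentication is disabled and is linked to the unauthenticated settings page; if the index of a public shop is meant for untrusted visitors, consider keeping the full warning on the settings page (where it is also added) and limiting the index notice to operators, or at least confirming that this exposure is intended. The link `href="/settings#Authentication"` is hard-coded; `{{ url_for('settings_page') }}#Authentication` resolves the route from the `settings_page` endpoint defined in app/app.py and survives a mount prefix. The alert text also reads "in the Setting page" where the page is titled Settings, but that wording is duplicated in settings.html and should be changed in both places together.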
32 changes: 29 additions & 3 deletions app/templates/settings.html
Expand Up @@ -17,7 +17,20 @@

<!-- <h1>Settings</h1> -->


{% if admin_account_created == false %}
<div class="alert alert-danger" role="alert">
<h4 class="alert-heading">Missing admin account!</h4>
<p>Ownfoil requires an admin account to enable authentication. Until an account with admin rights is
created, <strong>authentication is disabled, anyone can access and change the configuration of
your shop!</strong>
<br>
Add an admin account <a href="/settings#Authentication" class="alert-link">in the Setting page,
under
Authentication</a>.
</p>
</div>
{% endif %}

{% if valid_keys == false %}
<div id="missingKeysAlert" class="alert alert-warning alert-dismissible fade show" role="alert">
<h4 class="alert-heading">Missing console keys!</h4>
Expand All @@ -35,7 +48,7 @@ <h4 class="alert-heading">Missing console keys!</h4>
</div>
{% endif %}

<h2 class="pb-3">Authentication</h2>
<h2 id="Authentication" class="pb-3">Authentication</h2>

<table class="table table-hover caption-top" id="userTable">
<caption>List of users:</caption>
Expand Down Expand Up @@ -141,7 +154,8 @@ <h2 class="pb-3">Library</h2>

<div class="mb-3">
<label for="consoleKeysInput" class="form-label">Console keys:</label>
<input class="form-control {% if valid_keys == true %}is-valid d-none{% endif %}" type="file" accept=".keys,.txt" id="consoleKeysInput">
<input class="form-control {% if valid_keys == true %}is-valid d-none{% endif %}" type="file"
accept=".keys,.txt" id="consoleKeysInput">
<div class="valid-feedback">
Keys are valid!
</div>
Expand Down Expand Up @@ -219,6 +233,13 @@ <h2 class="pb-3">Shop</h2>
function fillUserTable() {
$('#userTable tbody').empty();
$.getJSON("/api/users", function (result) {
console.log(result)
if (!result['success']) {
if (result['status_code'] == '302') {
window.location.href = result['location']
return
}
}
allUsers = result;
allUsernames = [];
if (!result.length) {
Expand Down Expand Up @@ -347,6 +368,10 @@ <h2 class="pb-3">Shop</h2>
contentType: "application/json",
success: function (result) {
if (result['success']) {
if (result['status_code'] == '302') {
window.location.href = result['location']
return
}
console.log('Signup Success!');
setInputVal("inputNewUser", "")
setInputVal("inputNewUserPassword", "")
Expand Down Expand Up @@ -378,6 +403,7 @@ <h2 class="pb-3">Shop</h2>
success: function (result) {
if (result['success']) {
console.log(result)
$('#consoleKeysInput').removeClass('is-invalid');
$('#consoleKeysInput').addClass('is-valid');
$('#missingKeysAlert').addClass('d-none');
} else {
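Review bot: The redirect handling added to `fillUserTable()` and to the signup `success` callback is the same four lines twice, and both compare with `result['status_code'] == '302'`, a loose string-vs-number comparison that currently only works because the server serialises the code as `[302]` (the trailing comma on `resp['status_code'] = 302,` in app/auth.py). A small shared helper with a strict comparison keeps the two call sites in step and stops relying on coercion once the server sends a plain integer; the `console.log(result)` left in `fillUserTable()` also prints the full user list to the console on every load and should be dropped. Both enclosing functions start and end outside the hunks.
```javascript
// Follow a server-requested redirect (status_code 302 + location); true if navigated.
function followRedirect(result) {
    if (result['status_code'] === 302 && result['location']) {
        window.location.href = result['location'];
        return true;
    }
    return false;
}
// … unchanged: fillUserTable() body, with `if (!result['success'] && followRedirect(result)) return;` replacing the inline check …
// … unchanged: signup success callback, with `if (followRedirect(result)) return;` replacing the inline check …
```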
