From 3d4153f941a5a6460abe18db178b1edfc7203ee8 Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Tue, 16 Jan 2024 15:36:14 -0500 Subject: [PATCH 01/14] Add lockout user for forgot password Hide lockout user from users list --- app/classes/controllers/users_controller.py | 43 +++++++++++++++++++ app/classes/models/users.py | 4 +- app/classes/web/base_handler.py | 6 ++- app/classes/web/routes/api/api_handlers.py | 6 +++ .../routes/api/crafty/antilockout/index.py | 24 +++++++++++ app/frontend/templates/public/login.html | 21 ++++++++- main.py | 2 + 7 files changed, 102 insertions(+), 4 deletions(-) create mode 100644 app/classes/web/routes/api/crafty/antilockout/index.py diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py index 87cc513c..510c562e 100644 --- a/app/classes/controllers/users_controller.py +++ b/app/classes/controllers/users_controller.py @@ -1,5 +1,9 @@ import logging import typing as t +import datetime +import os +import json +from apscheduler.schedulers.background import BackgroundScheduler from app.classes.models.servers import HelperServers from app.classes.models.users import HelperUsers @@ -22,6 +26,7 @@ class UsersController: self.helper = helper self.users_helper = users_helper self.authentication = authentication + self.scheduler = BackgroundScheduler(timezone="Etc/UTC") _permissions_props = { "name": { 
@@ -353,3 +358,41 @@ class UsersController: def delete_user_api_key(self, key_id: str): return self.users_helper.delete_user_api_key(key_id) + + # ********************************************************************************** + # Lockout Methods + # ********************************************************************************** + def start_anti_lockout(self, app_dir): + lockout_pass = self.helper.create_pass() + self.users_helper.add_user( + "anti-lockout-user", + None, + password=lockout_pass, + email="", + enabled=True, + superuser=True, + theme="ronald", + ) + with open( + os.path.join(app_dir, "app", "config", "anti-lockout.txt"), + "w", + encoding="utf-8", + ) as cred_file: + cred_file.write( + json.dumps( + {"username": "anti-lockout-user", "password": lockout_pass}, + indent=4, + ) + ) + os.chmod(os.path.join(app_dir, "app", "config", "anti-lockout.txt"), 0o600) + self.scheduler.add_job( + self.stop_anti_lockout, + "interval", + hours=1, + id="anti-lockout-watcher", + start_date=datetime.datetime.now(), + ) + + def stop_anti_lockout(self): + self.scheduler.remove_all_jobs() + self.users_helper.remove_user(self.get_id_by_name("anti-lockout-user")) diff --git a/app/classes/models/users.py b/app/classes/models/users.py index ccd8f1b0..e44d06fb 100644 --- a/app/classes/models/users.py +++ b/app/classes/models/users.py @@ -103,7 +103,9 @@ class HelperUsers: @staticmethod def get_all_users(): - query = Users.select().where(Users.username != "system") + query = Users.select().where( + Users.username != "system", Users.username != "anti-lockout-user" + ) return query @staticmethod diff --git a/app/classes/web/base_handler.py b/app/classes/web/base_handler.py index d8181b94..ad490c2f 100644 --- a/app/classes/web/base_handler.py +++ b/app/classes/web/base_handler.py 
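Review bot: stop_anti_lockout hands whatever get_id_by_name("anti-lockout-user") returns straight to remove_user, and main.py (later in this patch) calls it unconditionally at every startup, so in the normal case where no recovery account exists remove_user receives an empty id; guard it with `user_id = self.get_id_by_name("anti-lockout-user")` / `if user_id: self.users_helper.remove_user(user_id)`. The same unguarded call survives the rewrite in patch 10. Separately, the credential file is created under the process umask and only chmod'ed afterwards, which leaves a window where other local users may read it; if the file form is kept (patch 04 replaces it with terminal output), create it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrap the descriptor with `os.fdopen`. The literal "anti-lockout-user" is also repeated across users.py, panel_handler.py, public_handler.py and the API handler in this series; one module-level constant would keep the listing filter and the username checks in step.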
@@ -12,6 +12,7 @@ from app.classes.shared.file_helpers import FileHelpers from app.classes.shared.main_controller import Controller from app.classes.shared.translation import Translation from app.classes.shared.main_models import DatabaseShortcuts +from app.classes.models.users import DoesNotExist logger = logging.getLogger(__name__) auth_log = logging.getLogger("auth") @@ -91,7 +92,10 @@ class BaseHandler(tornado.web.RequestHandler): t.Dict[str, t.Any]: The token's payload. t.Dict[str, t.Any]: The user's data from the database. """ - return self.controller.authentication.check(self.get_cookie("token")) + try: + return self.controller.authentication.check(self.get_cookie("token")) + except DoesNotExist: + return None def autobleach(self, name, text): for r in self.redactables: diff --git a/app/classes/web/routes/api/api_handlers.py b/app/classes/web/routes/api/api_handlers.py index 706c346f..21c78c04 100644 --- a/app/classes/web/routes/api/api_handlers.py +++ b/app/classes/web/routes/api/api_handlers.py @@ -79,6 +79,7 @@ from app.classes.web.routes.api.crafty.stats.stats import ApiCraftyHostStatsHand from app.classes.web.routes.api.crafty.clogs.index import ApiCraftyLogIndexHandler from app.classes.web.routes.api.crafty.imports.index import ApiImportFilesIndexHandler from app.classes.web.routes.api.crafty.exe_cache import ApiCraftyJarCacheIndexHandler +from app.classes.web.routes.api.crafty.antilockout.index import ApiCraftyLockoutHandler def api_handlers(handler_args): @@ -94,6 +95,11 @@ def api_handlers(handler_args): ApiAuthInvalidateTokensHandler, handler_args, ), + ( + r"/api/v2/crafty/resetPass/?", + ApiCraftyLockoutHandler, + handler_args, + ), ( r"/api/v2/crafty/announcements/?", ApiAnnounceIndexHandler, diff --git a/app/classes/web/routes/api/crafty/antilockout/index.py b/app/classes/web/routes/api/crafty/antilockout/index.py new file mode 100644 index 00000000..099f5a47 --- /dev/null +++ b/app/classes/web/routes/api/crafty/antilockout/index.py 
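Review bot: The new except branch turns a token whose user row no longer exists into a silent `None`, but the docstring directly above still promises a tuple, and callers that index the result (public_handler's logout in patch 09 does `exec_user[2]`) will raise TypeError instead. Add a line to the docstring, `Returns None when the token references a user that no longer exists (e.g. the retired anti-lockout account).`, and record the event, `auth_log.warning("Token presented for a user that no longer exists")`, since a session outliving its account is worth an audit trail. `DoesNotExist` is imported from app.classes.models.users, so it is presumably the ORM model exception; confirm that is what authentication.check actually lets escape rather than a wrapper.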
@@ -0,0 +1,24 @@ +import logging +from app.classes.web.base_api_handler import BaseApiHandler + +logger = logging.getLogger(__name__) + + +class ApiCraftyLockoutHandler(BaseApiHandler): + def get(self): + if self.controller.users.get_id_by_name("anti-lockout-user"): + return self.finish_json( + 425, {"status": "error", "data": "Lockout recovery already in progress"} + ) + self.controller.users.start_anti_lockout(self.controller.project_root) + lockout_msg = ( + "Lockout account has been activated for 1 hour." + " Please find credentials in confg/anti-lockout.txt" + ) + return self.finish_json( + 200, + { + "status": "ok", + "data": lockout_msg, + }, + ) diff --git a/app/frontend/templates/public/login.html b/app/frontend/templates/public/login.html index f66b6c53..1b39d8c4 100644 --- a/app/frontend/templates/public/login.html +++ b/app/frontend/templates/public/login.html @@ -112,8 +112,8 @@
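Review bot: ApiCraftyLockoutHandler.get creates a superuser account with no authentication, rate limit or audit entry visible in the handler, and it does so on a GET, which browsers issue freely, so any visitor of the login page can repeatedly spin up a privileged account for an hour at a time. A recovery endpoint is unauthenticated by design, but it should be a `post`, write an auth-log record with `self.request.remote_ip` so an operator can tell who triggered it, and be throttled so the credential output cannot be spammed. The 425 status is defined as "Too Early" for replayed early data; 409 Conflict better describes "recovery already in progress". A short class docstring stating that the created account is removed by the scheduler after one hour, on logout, or at the next startup would help the next maintainer.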
 
- {{ translate('login', 'forgotPassword', - data['lang']) }} +
@@ -146,6 +146,7 @@ + + \ No newline at end of file diff --git a/main.py b/main.py index 75997247..ebaf7806 100644 --- a/main.py +++ b/main.py @@ -388,6 +388,8 @@ if __name__ == "__main__": # Master config.json in helpers.py Console.info("Checking for remote changes to config.json") controller.get_config_diff() + # Delete anti-lockout-user + controller.users.stop_anti_lockout() Console.info("Remote change complete.") # startup the web server From d82ee0fa3160e0272b4f8b434b6a61f9aacf5719 Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Tue, 16 Jan 2024 18:01:22 -0500 Subject: [PATCH 02/14] start schedule --- app/classes/controllers/users_controller.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py index 510c562e..bc143c31 100644 --- a/app/classes/controllers/users_controller.py +++ b/app/classes/controllers/users_controller.py @@ -27,6 +27,7 @@ class UsersController: self.users_helper = users_helper self.authentication = authentication self.scheduler = BackgroundScheduler(timezone="Etc/UTC") + self.scheduler.start() _permissions_props = { "name": { From f800933799a04fd9f85ef8009b41e29cf5123843 Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Tue, 16 Jan 2024 23:09:04 -0500 Subject: [PATCH 03/14] Fix typo --- app/classes/web/routes/api/crafty/antilockout/index.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/classes/web/routes/api/crafty/antilockout/index.py b/app/classes/web/routes/api/crafty/antilockout/index.py index 099f5a47..41493f88 100644 --- a/app/classes/web/routes/api/crafty/antilockout/index.py +++ b/app/classes/web/routes/api/crafty/antilockout/index.py 
@@ -13,7 +13,7 @@ class ApiCraftyLockoutHandler(BaseApiHandler): self.controller.users.start_anti_lockout(self.controller.project_root) lockout_msg = ( "Lockout account has been activated for 1 hour." - " Please find credentials in confg/anti-lockout.txt" + " Please find credentials in config/anti-lockout.txt" ) return self.finish_json( 200, From 665997c34cb2a42f2e4654b79956e6720a32c309 Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Mon, 22 Jan 2024 19:51:57 -0500 Subject: [PATCH 04/14] Print to terminal not file --- app/classes/controllers/users_controller.py | 26 ++++++++----------- .../routes/api/crafty/antilockout/index.py | 4 +-- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py index bc143c31..eb74f15c 100644 --- a/app/classes/controllers/users_controller.py +++ b/app/classes/controllers/users_controller.py @@ -1,8 +1,6 @@ import logging import typing as t import datetime -import os -import json from apscheduler.schedulers.background import BackgroundScheduler from app.classes.models.servers import HelperServers @@ -12,6 +10,7 @@ from app.classes.models.crafty_permissions import ( PermissionsCrafty, EnumPermissionsCrafty, ) +from app.classes.shared.console import Console logger = logging.getLogger(__name__) @@ -363,7 +362,7 @@ class UsersController: # ********************************************************************************** # Lockout Methods # ********************************************************************************** - def start_anti_lockout(self, app_dir): + def start_anti_lockout(self): lockout_pass = self.helper.create_pass() self.users_helper.add_user( "anti-lockout-user", 
@@ -374,18 +373,15 @@ class UsersController: superuser=True, theme="ronald", ) - with open( - os.path.join(app_dir, "app", "config", "anti-lockout.txt"), - "w", - encoding="utf-8", - ) as cred_file: - cred_file.write( - json.dumps( - {"username": "anti-lockout-user", "password": lockout_pass}, - indent=4, - ) - ) - os.chmod(os.path.join(app_dir, "app", "config", "anti-lockout.txt"), 0o600) + + Console.yellow( + f""" + Anti-lockout recovery account enabled! + {'/' * 74} + Username: anti-lockout-user + Password: {lockout_pass} + {'/' * 74}""" + ) self.scheduler.add_job( self.stop_anti_lockout, "interval", diff --git a/app/classes/web/routes/api/crafty/antilockout/index.py b/app/classes/web/routes/api/crafty/antilockout/index.py index 41493f88..0a9ab03a 100644 --- a/app/classes/web/routes/api/crafty/antilockout/index.py +++ b/app/classes/web/routes/api/crafty/antilockout/index.py @@ -10,10 +10,10 @@ class ApiCraftyLockoutHandler(BaseApiHandler): return self.finish_json( 425, {"status": "error", "data": "Lockout recovery already in progress"} ) - self.controller.users.start_anti_lockout(self.controller.project_root) + self.controller.users.start_anti_lockout() lockout_msg = ( "Lockout account has been activated for 1 hour." - " Please find credentials in config/anti-lockout.txt" + " Please find temporary credentials in the terminal" ) return self.finish_json( 200, From 9fed45d147f33ce632b1c11ab8152a1491b6f8de Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Fri, 26 Jan 2024 15:29:12 -0500 Subject: [PATCH 05/14] Only allow access to panel config --- app/classes/web/panel_handler.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 8ac827c3..52d85acf 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py 
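Review bot: The recovery password is now written to stdout via Console.yellow, so it persists in whatever captures the process output (a systemd journal, `docker logs`, a supervisor log file) well beyond the one-hour lifetime of the account, and anyone with read access to those logs can read it later. I cannot tell from this hunk whether Console also routes to a log file that the support-log bundle collects; if it does, the password should be emitted through a path that is not archived. The banner comment above could also state that `start_anti_lockout` creates a superuser with a fixed username and that `stop_anti_lockout` is the only thing that removes it.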
@@ -286,6 +286,8 @@ class PanelHandler(BaseHandler): ) tz = "Europe/London" + page = "panel_config" + page_data: t.Dict[str, t.Any] = { # todo: make this actually pull and compare version data "update_available": self.helper.update_available, From bb18400b90dfbd8b9bb8769c29d22a082b8e827e Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Fri, 26 Jan 2024 15:29:25 -0500 Subject: [PATCH 06/14] Fix schedule firing too early --- app/classes/controllers/users_controller.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py index eb74f15c..80a431bf 100644 --- a/app/classes/controllers/users_controller.py +++ b/app/classes/controllers/users_controller.py @@ -1,6 +1,7 @@ import logging import typing as t import datetime +from datetime import timedelta from apscheduler.schedulers.background import BackgroundScheduler from app.classes.models.servers import HelperServers @@ -384,12 +385,12 @@ class UsersController: ) self.scheduler.add_job( self.stop_anti_lockout, - "interval", - hours=1, + "date", id="anti-lockout-watcher", - start_date=datetime.datetime.now(), + run_date=datetime.datetime.now() + timedelta(hours=1), ) def stop_anti_lockout(self): + print("IN STOP") self.scheduler.remove_all_jobs() self.users_helper.remove_user(self.get_id_by_name("anti-lockout-user")) From 0fa7b592cc789912271535bbe23dcdf4ad39fa3b Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Sun, 28 Jan 2024 12:58:02 -0500 Subject: [PATCH 07/14] Burn retinas - add warning banner Make warning system more robust --- app/frontend/templates/base.html | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/app/frontend/templates/base.html b/app/frontend/templates/base.html index 48c6ee95..546502a2 100755 --- a/app/frontend/templates/base.html +++ b/app/frontend/templates/base.html @@ -1,5 +1,5 @@ - + 
@@ -256,8 +256,9 @@ const sendWssError = () => wsOpen || warn( 'WebSockets are required for Crafty to work. This websocket connection has been closed. Are you using a reverse proxy?', - 'https://docs.craftycontrol.com/pages/getting-started/proxies/', - 'wssError' + link='https://docs.craftycontrol.com/pages/getting-started/proxies/', + link_msg="See our documentation for details", + className='wssError' ) function startWebSocket() { @@ -459,7 +460,7 @@ } - function warn(message, link = null, className = null) { + function warn(message, link = null, link_msg=null, className = null, bg_color="#f7970f") { var closeEl = document.createElement('span'); var strongEL = document.createElement('strong'); var msgEl = document.createElement('div'); @@ -481,14 +482,14 @@ var parentEl = document.createElement('div'); parentEl.style.padding = '20px'; - parentEl.style.backgroundColor = '#f7970f'; + parentEl.style.backgroundColor = bg_color; parentEl.appendChild(closeEl); parentEl.appendChild(msgEl); if (link) { let linkEl = document.createElement('a') linkEl.href = link; - linkEl.innerHTML = "See our documentation for details."; + linkEl.innerHTML = link_msg; linkEl.style.color = 'white'; linkEl.style.textDecoration = 'underline'; linkEl.target = "_blank"; @@ -580,6 +581,15 @@ $(document).ready(function () { console.log('%c[Crafty Controller] %cReady for JS!', 'font-weight: 900; color: #800080;', 'font-weight: 900; color: #eee;'); + if ($(document.documentElement).data("username") === "anti-lockout-user"){ + warn( + '⚠️You are in a recovery account. Access is limited!', + link='/logout', + link_msg="Click here to log out after you change your password. ⚠️", + className='anti-lockout', + bg_color='#2090d6' + ) + } $('#support_logs').click(function () { var dialog = bootbox.dialog({ message: "
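Review bot: The call `warn(message, link=..., link_msg=..., className=...)` does not pass keyword arguments — JavaScript has none — it evaluates three assignment expressions that create or overwrite globals named link, link_msg and className (or throw a ReferenceError if the script ever runs in strict mode) and then passes the values positionally, so the call only works because the order happens to match `warn(message, link, link_msg, className, bg_color)`. The same pattern is repeated in the anti-lockout banner call in the `@@ -580` hunk below and the `bg_color=` edit in patch 11. Pass the values positionally, or give warn a single options object, e.g. `warn(msg, { link: '/logout', link_msg: '…', className: 'anti-lockout', bg_color: '#6887dc' })`.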
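Review bot: `linkEl.innerHTML = link_msg;` now renders a caller-supplied string as HTML where before it was a fixed literal; both current callers pass literals, but the link text is plain text and `textContent` is the right sink, `linkEl.textContent = link_msg;`, so a future call site that interpolates server data cannot introduce markup. If the `link` parameter is ever fed from the server as well, it should be restricted to a relative path or https URL before being assigned to `href`. The warn function body continues outside the hunk.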

{{ translate('notify', 'preparingLogs', data['lang']) }}

", From 854a9643e5fa176c4b8f32c991df402404c5d1b7 Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Sun, 28 Jan 2024 12:58:18 -0500 Subject: [PATCH 08/14] Fix bug where panel_config would always be loaded --- app/classes/web/panel_handler.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 52d85acf..3cc276f2 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -285,8 +285,8 @@ class PanelHandler(BaseHandler): "Could not capture time zone from system. Falling back to Europe/London" ) tz = "Europe/London" - - page = "panel_config" + if exec_user["username"] == "anti-lockout-user": + page = "panel_config" page_data: t.Dict[str, t.Any] = { # todo: make this actually pull and compare version data From 5422915335a7b3a1d5019f203377b3199385825b Mon Sep 17 00:00:00 2001 From: amcmanu3 Date: Sun, 28 Jan 2024 13:44:44 -0500 Subject: [PATCH 09/14] Delete user on logout --- app/classes/web/public_handler.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/classes/web/public_handler.py b/app/classes/web/public_handler.py index 57e6ddd8..7df88f68 100644 --- a/app/classes/web/public_handler.py +++ b/app/classes/web/public_handler.py @@ -61,7 +61,11 @@ class PublicHandler(BaseHandler): template = "public/offline.html" elif page == "logout": + exec_user = self.get_current_user() self.clear_cookie("token") + # Delete anti-lockout-user on lockout...it's one time use + if exec_user[2]["username"] == "anti-lockout-user": + self.controller.users.stop_anti_lockout() # self.clear_cookie("user") # self.clear_cookie("user_data") self.redirect("/login") From a112bc3e579ca6d0dab2d20bb5d722f613597534 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sun, 28 Jan 2024 16:51:54 -0500 Subject: [PATCH 10/14] Set time to UTC for schedule remove prints --- app/classes/controllers/users_controller.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/app/classes/controllers/users_controller.py b/app/classes/controllers/users_controller.py index 80a431bf..c478f887 100644 --- a/app/classes/controllers/users_controller.py +++ b/app/classes/controllers/users_controller.py @@ -2,6 +2,7 @@ import logging import typing as t import datetime from datetime import timedelta +from zoneinfo import ZoneInfo from apscheduler.schedulers.background import BackgroundScheduler from app.classes.models.servers import HelperServers @@ -387,10 +388,9 @@ class UsersController: self.stop_anti_lockout, "date", id="anti-lockout-watcher", - run_date=datetime.datetime.now() + timedelta(hours=1), + run_date=datetime.datetime.now(ZoneInfo("Etc/UTC")) + timedelta(hours=1), ) def stop_anti_lockout(self): - print("IN STOP") self.scheduler.remove_all_jobs() self.users_helper.remove_user(self.get_id_by_name("anti-lockout-user")) From 68b0e611be8273844cba44c32348bc580e2159ba Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 31 Jan 2024 22:00:45 -0500 Subject: [PATCH 11/14] Add new theme for lockout user --- app/frontend/static/assets/css/dark/style.css | 45 ++++++++++++++++++- app/frontend/templates/base.html | 2 +- .../templates/panel/panel_config.html | 2 +- 3 files changed, 46 insertions(+), 3 deletions(-) diff --git a/app/frontend/static/assets/css/dark/style.css b/app/frontend/static/assets/css/dark/style.css index 12320636..cae93650 100755 --- a/app/frontend/static/assets/css/dark/style.css +++ b/app/frontend/static/assets/css/dark/style.css 
@@ -55,6 +55,49 @@ root, --font-family-monospace: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace; } +:root.anti-lockout { + /*CHANGE THESE FOR THEMES*/ + --tooltip-bg: rgb(215, 82, 0); + --select-bg: #b8772c; + --ram-bg: #4d4d4e; + --base-text: white; + --outline: #c73929; + --card-banner-bg: #de7c26; + --deep-bg: #912f2f; + --dropdown-bg: #c83b3b; + /*END THEME VARIATION*/ + --blue: #00aeef; + --indigo: #6610f2; + --purple: #ab8ce4; + --pink: #E91E63; + --red: #ff0017; + --orange: #fb9678; + --yellow: #ffd500; + --green: #3bd949; + --teal: #58d8a3; + --cyan: #57c7d4; + --white: #ffffff; + --white-smoke: #f3f5f6; + --gray: #6c757d; + --gray-light: #8ba2b5; + --gray-lightest: #f7f7f9; + --primary: #dbc900; + --secondary: #dde4eb; + --success: #adff84; + --info: #dbc900; + --warning: #ffaf00; + --danger: #ff6258; + --light: #fbfbfb; + --dark: #252C46; + --breakpoint-xs: 0; + --breakpoint-sm: 576px; + --breakpoint-md: 768px; + --breakpoint-lg: 992px; + --breakpoint-xl: 1200px; + --font-family-sans-serif: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; + --font-family-monospace: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace; +} + :root.light { /*CHANGE THESE FOR THEMES*/ --tooltip-bg: white; @@ -322,7 +365,7 @@ sup { } a { - color: #007bff; + color: var(--primary); text-decoration: none; background-color: transparent; } diff --git a/app/frontend/templates/base.html b/app/frontend/templates/base.html index 546502a2..8d72ece6 100755 --- a/app/frontend/templates/base.html +++ b/app/frontend/templates/base.html @@ -587,7 +587,7 @@ link='/logout', link_msg="Click here to log out after you change your password. ⚠️", className='anti-lockout', - bg_color='#2090d6' + bg_color='#6887dc' ) } $('#support_logs').click(function () { 
diff --git a/app/frontend/templates/panel/panel_config.html b/app/frontend/templates/panel/panel_config.html index 5e9623b1..fee5c65d 100644 --- a/app/frontend/templates/panel/panel_config.html +++ b/app/frontend/templates/panel/panel_config.html @@ -281,7 +281,7 @@