# HG changeset patch # User paulo # Date 1464852470 25200 # Node ID f833a888c5489dbeffe9a6fd888a138360a38e57 # Parent 6ede61cb9d1286ca0fc3d823ebf33233afbef63f add cookie-based PIN system, and update laterlinks to use it diff -r 6ede61cb9d12 -r f833a888c548 cs/cookies.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/cs/cookies.js Thu Jun 02 00:27:50 2016 -0700 @@ -0,0 +1,63 @@ +/*\ +|*| +|*| :: cookies.js :: +|*| +|*| A complete cookies reader/writer framework with full unicode support. +|*| +|*| Revision #1 - September 4, 2014 +|*| +|*| https://developer.mozilla.org/en-US/docs/Web/API/document.cookie +|*| https://developer.mozilla.org/User:fusionchess +|*| +|*| This framework is released under the GNU Public License, version 3 or later. +|*| http://www.gnu.org/licenses/gpl-3.0-standalone.html +|*| +|*| Syntaxes: +|*| +|*| * docCookies.setItem(name, value[, end[, path[, domain[, secure]]]]) +|*| * docCookies.getItem(name) +|*| * docCookies.removeItem(name[, path[, domain]]) +|*| * docCookies.hasItem(name) +|*| * docCookies.keys() +|*| +\*/ + +var docCookies = { + getItem: function (sKey) { + if (!sKey) { return null; } + return decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*" + encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\$&") + "\\s*\\=\\s*([^;]*).*$)|^.*$"), "$1")) || null; + }, + setItem: function (sKey, sValue, vEnd, sPath, sDomain, bSecure) { + if (!sKey || /^(?:expires|max\-age|path|domain|secure)$/i.test(sKey)) { return false; } + var sExpires = ""; + if (vEnd) { + switch (vEnd.constructor) { + case Number: + sExpires = vEnd === Infinity ? "; expires=Fri, 31 Dec 9999 23:59:59 GMT" : "; max-age=" + vEnd; + break; + case String: + sExpires = "; expires=" + vEnd; + break; + case Date: + sExpires = "; expires=" + vEnd.toUTCString(); + break; + } + } + document.cookie = encodeURIComponent(sKey) + "=" + encodeURIComponent(sValue) + sExpires + (sDomain ? "; domain=" + sDomain : "") + (sPath ? "; path=" + sPath : "") + (bSecure ? "; secure" : ""); + return true; + }, + removeItem: function (sKey, sPath, sDomain) { + if (!this.hasItem(sKey)) { return false; } + document.cookie = encodeURIComponent(sKey) + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT" + (sDomain ? "; domain=" + sDomain : "") + (sPath ? "; path=" + sPath : ""); + return true; + }, + hasItem: function (sKey) { + if (!sKey) { return false; } + return (new RegExp("(?:^|;\\s*)" + encodeURIComponent(sKey).replace(/[\-\.\+\*]/g, "\\$&") + "\\s*\\=")).test(document.cookie); + }, + keys: function () { + var aKeys = document.cookie.replace(/((?:^|\s*;)[^\=]+)(?=;|$)|^\s*|\s*(?:\=[^;]*)?(?:\1|$)/g, "").split(/\s*(?:\=[^;]*)?;\s*/); + for (var nLen = aKeys.length, nIdx = 0; nIdx < nLen; nIdx++) { aKeys[nIdx] = decodeURIComponent(aKeys[nIdx]); } + return aKeys; + } +}; diff -r 6ede61cb9d12 -r f833a888c548 cs/index.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/cs/index.html Thu Jun 02 00:27:50 2016 -0700 @@ -0,0 +1,74 @@ + + + + + + + +

Cookies set

+
+
+ + + +
+ + + diff -r 6ede61cb9d12 -r f833a888c548 laterlinks2/laterlinks_app.py --- a/laterlinks2/laterlinks_app.py Tue May 31 23:40:17 2016 -0600 +++ b/laterlinks2/laterlinks_app.py Thu Jun 02 00:27:50 2016 -0700 @@ -6,10 +6,11 @@ import html +import pinlib + DEBUG = True STRTIME_FMT = "%Y-%m-%d %H:%M:%S" -MY_PIN = "qworpy" class LLDialect(csv.Dialect): @@ -79,24 +80,17 @@ return urlparse.parse_qs(environ["wsgi.input"].read()) -def get_pin(inp): - if "pin" not in inp: - raise PinFailError() - - pin = inp["pin"][0] - if pin != MY_PIN: - raise PinFailError() - - return pin - def main(environ): - pin = '' is_post = (environ["REQUEST_METHOD"] == "POST") + cookies = pinlib.parse_cookies(environ) inp = parse_wsgi_input(environ) if is_post: - pin = get_pin(inp) + try: + pinlib.check(cookies) + except pinlib.PinFailError: + raise PinFailError if inp["submit"][0] == "Add": lldb_add(inp) elif inp["submit"][0] == "Delete": @@ -118,7 +112,8 @@ for i in environ.items(): debug += cgi.escape("%s = %s \n" % i) - debug += cgi.escape("wsgi.input.read = %s" % inp) + debug += cgi.escape("wsgi.input.read = %s \n" % inp) + debug += cgi.escape("cookies = %s \n" % cookies) form = body.form(action="index.fcgi", method="post") @@ -142,9 +137,6 @@ p1.br p1.input(type="submit", name="submit", value="Add") - p2 = form.p - p2.input(type="password", name="pin", value=pin) - return unicode(root).encode("utf-8") @@ -154,7 +146,7 @@ try: response_body = main(environ) - response_code = "200 OK" + response_code = "200 OK" response_type = "text/html; charset=UTF-8" except LLError as e: response_body = str(e) diff -r 6ede61cb9d12 -r f833a888c548 laterlinks2/pinlib.py --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/laterlinks2/pinlib.py Thu Jun 02 00:27:50 2016 -0700 @@ -0,0 +1,36 @@ +import urlparse + + +PIN_KEY = "llpin" +PIN_FN = "_%s" % PIN_KEY + + +class PinFailError(Exception): + pass + + +def load(): + ret = None + + try: + with open(PIN_FN) as pin_f: + ret = pin_f.read().strip() + except IOError: + pass + + return ret + + +def parse_cookies(environ): + return urlparse.parse_qs(environ.get("HTTP_COOKIE", "")) + + +def check(cookies): + if PIN_KEY not in cookies: + raise PinFailError() + + pin = cookies[PIN_KEY][0] + if pin != load(): + raise PinFailError() + + return pin