88 lines
2.0 KiB
Python
88 lines
2.0 KiB
Python
#!/usr/bin/python3
|
|
from dreamtown_config import *
|
|
import sys
|
|
import binascii
|
|
import os
|
|
import json
|
|
import sqlite3
|
|
import random
|
|
import hashlib
|
|
|
|
print("Content-Type: application/json")
|
|
print("")
|
|
method = os.environ["REQUEST_METHOD"]
|
|
if method != "POST":
|
|
print("Expected POST")
|
|
os._exit()
|
|
|
|
|
|
content_len = int(os.environ["CONTENT_LENGTH"])
|
|
post = sys.stdin.read(content_len)
|
|
jsonData = json.loads(post)
|
|
result = {"status":SUCCESS}
|
|
|
|
def xor(data, key):
|
|
l = len(key)
|
|
return bytearray((
|
|
(data[i] ^ key[i % l]) for i in range(0,len(data))
|
|
))
|
|
|
|
|
|
def TryRetrive():
|
|
username = jsonData['name'].lower()
|
|
answer = jsonData['answer'].lower()
|
|
authToken = jsonData['authToken']
|
|
|
|
#Check User Exists
|
|
c = db.cursor()
|
|
cur = c.execute('SELECT COUNT(1) from users WHERE Name=?',(username,))
|
|
rows = cur.fetchone()
|
|
count = rows[0]
|
|
|
|
if count == 0:
|
|
result['status'] = USER_DOES_NOT_EXIST
|
|
return 0
|
|
#Check Answer
|
|
cur = c.execute('SELECT AnswerHash from securityQuestion WHERE Name= ?',(username,))
|
|
rows = cur.fetchone()
|
|
AnswerHash = rows[0]
|
|
|
|
cur = c.execute('SELECT Salt from users WHERE Name=?',(username,))
|
|
rows = cur.fetchone()
|
|
Salt = rows[0]
|
|
|
|
|
|
m = hashlib.sha512()
|
|
m.update(answer.encode('utf-8'))
|
|
InputHash = m.digest()
|
|
SaltedHash = binascii.hexlify(xor(bytearray(InputHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
|
|
|
|
|
|
if SaltedHash != AnswerHash:
|
|
result['status'] = INVALID_PASSWORD
|
|
return 0
|
|
|
|
# Set new password
|
|
# Unlike bandai, we store our passwords securely
|
|
newPass = answer
|
|
if len(answer) < 9:
|
|
newPass += str(random.randint(0,999))
|
|
|
|
m = hashlib.sha512()
|
|
m.update(newPass.encode('utf-8'))
|
|
InputHash = m.digest()
|
|
SaltedHash = binascii.hexlify(xor(bytearray(InputHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
|
|
|
|
c.execute('UPDATE users SET PassHash=? WHERE Name=?',(SaltedHash,username))
|
|
c.execute('UPDATE users SET LastSession=NULL WHERE Name=?',(username,))
|
|
|
|
result['password'] = newPass
|
|
|
|
db = sqlite3.connect(SQLLITE_DB_PATH)
|
|
TryRetrive()
|
|
db.commit()
|
|
db.close()
|
|
print(json.dumps(result))
|
|
|
|
|
|
|