unfixing safe code
This commit is contained in:
63
src/app.py
63
src/app.py
@@ -7,12 +7,14 @@ DB_PATH = "./data/database.db"
|
|||||||
|
|
||||||
conn = sqlite3.connect(DB_PATH)
|
conn = sqlite3.connect(DB_PATH)
|
||||||
cursor = conn.cursor()
|
cursor = conn.cursor()
|
||||||
cursor.execute("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY AUTOINCREMENT, login TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")
|
cursor.execute(
|
||||||
|
"CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY AUTOINCREMENT, login TEXT NOT NULL UNIQUE, password TEXT NOT NULL)"
|
||||||
|
)
|
||||||
|
|
||||||
app = FastAPI(
|
app = FastAPI(
|
||||||
docs_url=None, # Disable Swagger UI
|
docs_url=None, # Disable Swagger UI
|
||||||
redoc_url=None, # Disable ReDoc
|
redoc_url=None, # Disable ReDoc
|
||||||
openapi_url=None # Disable OpenAPI JSON schema
|
openapi_url=None, # Disable OpenAPI JSON schema
|
||||||
)
|
)
|
||||||
|
|
||||||
STYLES = """
|
STYLES = """
|
||||||
@@ -27,6 +29,7 @@ body {
|
|||||||
</style>
|
</style>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
@app.get("/register", response_class=HTMLResponse)
|
@app.get("/register", response_class=HTMLResponse)
|
||||||
async def register_form():
|
async def register_form():
|
||||||
return f"""
|
return f"""
|
||||||
@@ -44,17 +47,21 @@ async def register_form():
|
|||||||
</html>
|
</html>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
@app.post("/register")
|
@app.post("/register")
|
||||||
async def register(login: str = Form(...), password: str = Form(...)):
|
async def register(login: str = Form(...), password: str = Form(...)):
|
||||||
try:
|
try:
|
||||||
cursor.execute("INSERT INTO users (login, password) VALUES (?, ?)", (login, password))
|
cursor.execute(
|
||||||
|
f"INSERT INTO users (login, password) VALUES ('{login}', '{password}')"
|
||||||
|
)
|
||||||
conn.commit()
|
conn.commit()
|
||||||
response = RedirectResponse(url="/welcome", status_code=302)
|
response = RedirectResponse(url="/welcome", status_code=302)
|
||||||
response.set_cookie("login", login)
|
response.set_cookie("login", login)
|
||||||
response.set_cookie("password", password)
|
response.set_cookie("password", password)
|
||||||
return response
|
return response
|
||||||
except sqlite3.IntegrityError:
|
except sqlite3.IntegrityError:
|
||||||
return HTMLResponse(f"""
|
return HTMLResponse(
|
||||||
|
f"""
|
||||||
<html>
|
<html>
|
||||||
<head><title>Ошибка регистрации</title>{STYLES}</head>
|
<head><title>Ошибка регистрации</title>{STYLES}</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -62,7 +69,10 @@ async def register(login: str = Form(...), password: str = Form(...)):
|
|||||||
<a href='/register'>Попробовать снова</a>
|
<a href='/register'>Попробовать снова</a>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
""", status_code=400)
|
""",
|
||||||
|
status_code=400,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@app.get("/login", response_class=HTMLResponse)
|
@app.get("/login", response_class=HTMLResponse)
|
||||||
async def login_form():
|
async def login_form():
|
||||||
@@ -81,17 +91,21 @@ async def login_form():
|
|||||||
</html>
|
</html>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
@app.post("/login")
|
@app.post("/login")
|
||||||
async def login(login: str = Form(...), password: str = Form(...)):
|
async def login(login: str = Form(...), password: str = Form(...)):
|
||||||
cursor.execute("SELECT * FROM users WHERE login=? AND password=?", (login, password))
|
cursor.execute(
|
||||||
user = cursor.fetchone()
|
f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
|
||||||
|
)
|
||||||
|
user = cursor.fetchall()
|
||||||
if user:
|
if user:
|
||||||
response = RedirectResponse(url="/welcome", status_code=302)
|
response = RedirectResponse(url="/welcome", status_code=302)
|
||||||
response.set_cookie("login", login)
|
response.set_cookie("login", login)
|
||||||
response.set_cookie("password", password)
|
response.set_cookie("password", password)
|
||||||
return response
|
return response
|
||||||
else:
|
else:
|
||||||
return HTMLResponse(f"""
|
return HTMLResponse(
|
||||||
|
f"""
|
||||||
<html>
|
<html>
|
||||||
<head><title>Ошибка входа</title>{STYLES}</head>
|
<head><title>Ошибка входа</title>{STYLES}</head>
|
||||||
<body>
|
<body>
|
||||||
@@ -99,7 +113,10 @@ async def login(login: str = Form(...), password: str = Form(...)):
|
|||||||
<a href='/login'>Попробовать снова</a>
|
<a href='/login'>Попробовать снова</a>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
""", status_code=401)
|
""",
|
||||||
|
status_code=401,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@app.get("/welcome", response_class=HTMLResponse)
|
@app.get("/welcome", response_class=HTMLResponse)
|
||||||
async def welcome(request: Request):
|
async def welcome(request: Request):
|
||||||
@@ -107,29 +124,30 @@ async def welcome(request: Request):
|
|||||||
password = request.cookies.get("password")
|
password = request.cookies.get("password")
|
||||||
if not login or not password:
|
if not login or not password:
|
||||||
return RedirectResponse(url="/login")
|
return RedirectResponse(url="/login")
|
||||||
cursor.execute("SELECT * FROM users WHERE login=? AND password=?", (login, password))
|
cursor.execute(
|
||||||
user = cursor.fetchone()
|
f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
|
||||||
|
)
|
||||||
|
user = cursor.fetchall()
|
||||||
if user:
|
if user:
|
||||||
return f"""
|
return f"""
|
||||||
<html>
|
<html>
|
||||||
<head><title>Добро пожаловать</title>{STYLES}</head>
|
<head><title>Добро пожаловать</title>{STYLES}</head>
|
||||||
<body>
|
<body>
|
||||||
<h1>Привет, {login}</h1>
|
<h1>Привет, {login}</h1>
|
||||||
<form action="/logout" method="post" onsubmit="return logoutAlert();">
|
<button onclick="
|
||||||
<button type="submit">Выйти</button>
|
document.cookie = 'login=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
|
||||||
</form>
|
document.cookie = 'password=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
|
||||||
<script>
|
window.location.href = '/login';
|
||||||
function logoutAlert() {{
|
">Выйти</button>
|
||||||
alert('Вы вышли из аккаунта');
|
|
||||||
return true;
|
|
||||||
}}
|
|
||||||
</script>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
else:
|
else:
|
||||||
return RedirectResponse(url="/login")
|
return RedirectResponse(url="/login")
|
||||||
|
|
||||||
|
|
||||||
@app.post("/logout")
|
@app.post("/logout")
|
||||||
async def logout():
|
async def logout():
|
||||||
response = RedirectResponse(url="/login", status_code=302)
|
response = RedirectResponse(url="/login", status_code=302)
|
||||||
@@ -137,6 +155,7 @@ async def logout():
|
|||||||
response.delete_cookie("password")
|
response.delete_cookie("password")
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
@app.get("/", include_in_schema=False)
|
@app.get("/", include_in_schema=False)
|
||||||
async def root():
|
async def root():
|
||||||
return RedirectResponse(url="/login")
|
return RedirectResponse(url="/login")
|
||||||
Reference in New Issue
Block a user