Implement basic authentication (#59)

* feat: moved advent folder -> puzzles, added some comments

* feat(docker): start separation of dev and prod builds, add pytest functionality to backend

* feat(docker): added dev/prod to frontend, transition frontend to yarn

* fix: remove .vscode folder

* fix(makefile): restructured makefile a bit

* feat: removed .vscode folder from git

* feat(auth): get rudimentary autotesting in place, created clear_database function

* feat(test): added all tests for auth/register

* fix(puzzle): changed blueprint in routes/puzzle.py

* feat(auth): refactored registration system, database connections

* fix(auth): minor changes to constructor

* feat(auth): implement email verification endpoints

* feat(test): using fixtures

* feat(auth): finish autotests, still needs commenting

* feat(auth): finished writing tests for the most part

* feat(auth): complete tests for basic auth system

* fix(auth): removed duplicate clear_database function

Author: hanyuone

Makefile

@@ -39,4 +39,4 @@ restart:
 .PHONY: test-backend
 
 test-backend:
-	docker-compose exec backend pytest .
+	docker-compose exec backend pytest . $(args)

backend/Pipfile

@@ -15,10 +15,14 @@ redis = "*"
 flask-cors = "*"
 flask-mail = "*"
 gunicorn = "*"
+itsdangerous = "*"
 
 [dev-packages]
 pytest = "*"
 requests = "*"
+freezegun = "*"
+fakeredis = "*"
+pytest-mock = "*"
 
 [requires]
 python_version = "3.8"

backend/Pipfile.lock

@@ -23,6 +23,7 @@ def handle_exception(error):
 
     return response
 
+
 def create_app():
     app = Flask(__name__)
     CORS(app)
@@ -60,6 +61,7 @@ def create_app():
 
     return app
 
+
 if __name__ == "__main__":
     app = create_app()
     app.run(host="0.0.0.0", port=5001)

backend/app.py

@@ -203,15 +203,3 @@ def dropDatabase():
     """
     cur.execute(query)
     conn.commit()
-
-def clear_database():
-    conn = get_connection()
-    cursor = conn.cursor()
-
-    for table in TABLES:
-        cursor.execute(f"TRUNCATE TABLE {table} CASCADE")
-
-    conn.commit()
-
-    cursor.close()
-    conn.close()

backend/auth/__init__.py

@@ -1,7 +1,7 @@
 from flask_jwt_extended import JWTManager
 from flask_mail import Mail
 
-from auth.user import User
+from models.user import User
 
 # JWT plugin
 

backend/common/database.py

@@ -0,0 +1,30 @@
+import os
+from psycopg2.pool import ThreadedConnectionPool
+
+user = os.environ["POSTGRES_USER"]
+password = os.environ["POSTGRES_PASSWORD"]
+host = os.environ["POSTGRES_HOST"]
+port = os.environ["POSTGRES_PORT"]
+database = os.environ["POSTGRES_DB"]
+
+TABLES = ["Users", "Questions", "Competitions", "Inputs", "Solves"]
+
+db = ThreadedConnectionPool(
+    1, 20,
+    user=user,
+    password=password,
+    host=host,
+    port=port,
+    database=database
+)
+
+def clear_database():
+    conn = db.getconn()
+
+    with conn.cursor() as cursor:
+        for table in TABLES:
+            cursor.execute(f"TRUNCATE TABLE {table} CASCADE")
+
+        conn.commit()
+    
+    db.putconn(conn)

backend/common/plugins.py

@@ -0,0 +1,57 @@
+from database.database import db
+
+
+def add_user(email, username, password, stars, score) -> int:
+    """Adds a user to the database, returning their ID."""
+
+    conn = db.getconn()
+
+    with conn.cursor() as cursor:
+        cursor.execute("INSERT INTO Users (email, username, password, numStars, score) VALUES (%s, %s, %s, %s, %s)",
+                       (email, username, password, stars, score))
+        conn.commit()
+
+        cursor.execute("SELECT uid FROM Users WHERE email = %s", (email,))
+        id = cursor.fetchone()[0]
+
+    db.putconn(conn)
+    return id
+
+
+def fetch_user(email: str):
+    """Given a user's email, fetches their content from the database."""
+
+    conn = db.getconn()
+
+    with conn.cursor() as cursor:
+        cursor.execute("SELECT * FROM Users WHERE email = %s", (email,))
+        result = cursor.fetchone()
+
+    db.putconn(conn)
+    return result
+
+
+def email_exists(email: str) -> bool:
+    """Checks if an email exists in the users table."""
+
+    conn = db.getconn()
+
+    with conn.cursor() as cursor:
+        cursor.execute("SELECT * FROM Users WHERE email = %s", (email,))
+        results = cursor.fetchall()
+
+    db.putconn(conn)
+    return results != []
+
+
+def username_exists(username: str) -> bool:
+    """Checks if a username is already used."""
+
+    conn = db.getconn()
+
+    with conn.cursor() as cursor:
+        cursor.execute("SELECT * FROM Users WHERE username = %s", (username,))
+        results = cursor.fetchall()
+
+    db.putconn(conn)
+    return results != []

backend/database/database.py

@@ -0,0 +1,128 @@
+from datetime import timedelta
+import os
+
+from argon2 import PasswordHasher
+from argon2.exceptions import VerificationError
+from email_validator import validate_email, EmailNotValidError
+from itsdangerous import URLSafeTimedSerializer
+
+from common.exceptions import AuthError, InvalidError, RequestError
+from common.redis import cache
+from database.database import db
+from database.user import add_user, email_exists, fetch_user, username_exists
+
+hasher = PasswordHasher(
+    time_cost=2,
+    memory_cost=2**15,
+    parallelism=1
+)
+
+verify_serialiser = URLSafeTimedSerializer(os.environ["FLASK_SECRET"], salt="verify")
+
+class User:
+    def __init__(self, id, email, username, password, stars=0, score=0):
+        self.id = id
+        self.email = email
+        self.username = username
+        self.password = password
+        self.stars = stars
+        self.score = score
+
+    # Helper methods
+
+    @staticmethod
+    def hash_password(password):
+        return hasher.hash(password)
+
+    # API-facing methods
+
+    @staticmethod
+    def register(email, username, password):
+        """Given an email, username and password, creates a verification code
+           for that user in Redis such that we can verify that user's email."""
+
+        # Check for malformed input
+        try:
+            normalised = validate_email(email).email
+        except EmailNotValidError as e:
+            raise RequestError(description="Invalid email") from e
+
+        if email_exists(normalised):
+            raise RequestError(description="Email already registered")
+
+        if username_exists(username):
+            raise RequestError(description="Username already used")
+        
+        # Our account is good, we hash the password
+        hashed = hasher.hash(password)
+
+        # Add verification code to Redis cache, with expiry date of 1 hour
+        code = verify_serialiser.dumps(normalised)
+
+        data = {
+            "email": normalised,
+            "username": username,
+            "password": hashed
+        }
+
+        # We use a pipeline here to ensure these instructions are atomic
+        pipeline = cache.pipeline()
+
+        pipeline.hset(f"register:{code}", mapping=data)
+        pipeline.expire(f"register:{code}", timedelta(hours=1))
+
+        pipeline.execute()
+
+        return code
+
+    @staticmethod
+    def register_verify(token):
+        cache_key = f"register:{token}"
+
+        if not cache.exists(cache_key):
+            raise AuthError("Token expired or does not correspond to registering user")
+
+        result = cache.hgetall(cache_key)
+        stringified = {}
+        
+        for key, value in result.items():
+            stringified[key.decode()] = value.decode()
+
+        id = add_user(stringified["email"], stringified["username"], stringified["password"], 0, 0)
+        return User(id, stringified["email"], stringified["username"], stringified["password"])
+
+    @staticmethod
+    def login(email, password):
+        """Logs user in with their credentials (currently email and password)."""
+        try:
+            normalised = validate_email(email).email
+        except EmailNotValidError as e:
+            raise AuthError(description="Invalid email or password") from e
+
+        result = fetch_user(normalised)
+
+        try:
+            id, email, username, stars, score, hashed = result
+            hasher.verify(hashed, password)
+        except (TypeError, VerificationError) as e:
+            raise AuthError(description="Invalid email or password") from e
+
+        return User(id, email, username, hashed, stars, score)
+
+    @staticmethod
+    def get(id):
+        """Given a user's ID, fetches all of their information from the database."""
+        conn = db.getconn()
+
+        with conn.cursor() as cursor:
+            cursor.execute("SELECT * FROM Users WHERE uid = %s", (id,))
+            fetched = cursor.fetchall()
+
+            if fetched == []:
+                raise InvalidError(description=f"Requested user ID {id} doesn't exist")
+
+            id, email, username, stars, score, password = fetched[0]
+
+        db.putconn(conn)
+
+        return User(id, email, username, password, stars, score)

backend/database/user.py

@@ -1,17 +1,17 @@
-from flask import Blueprint, request, jsonify
+import os
+from flask import Blueprint, render_template, request, jsonify
 from flask_mail import Message
-from flask_jwt_extended import jwt_required, create_access_token, set_access_cookies, unset_jwt_cookies, verify_jwt_in_request
-
-from auth.user import User
+from flask_jwt_extended import create_access_token, set_access_cookies, unset_jwt_cookies, verify_jwt_in_request
 from common.exceptions import AuthError
 from common.plugins import mail
+from models.user import User
 
 # Constants
 
 auth = Blueprint("auth", __name__)
 
 # Routes (fairly temporary here)
-# TODO: update once CSESoc federated auth is set up, do proper research
+# TODO: add invalid login attempt protection
 
 @auth.route("/login", methods=["POST"])
 def login():
@@ -32,16 +32,18 @@ def register():
 
     # Fetch verification code
     code = User.register(json["email"], json["username"], json["password"])
+    # TODO: convert to domain of verification page once we have its address
+    url = f"{os.environ['TESTING_ADDRESS']}/verify/{code}"
+
+    html = render_template("activate.html", confirm_url=url)
 
     # Send it over to email
     message = Message(
         "Account registered for Week in Wonderland",
         sender="[email protected]",
-        recipients=[json["email"]]
+        recipients=[json["email"]],
+        html=html
     )
-    
-    # TODO: convert to HTML message
-    message.body = f"Your code is: {code}"
 
     mail.send(message)
 
@@ -51,8 +53,15 @@ def register():
 
 @auth.route("/register/verify", methods=["POST"])
 def register_verify():
-    # TODO: fill in once we get custom email address
-    pass
+    json = request.get_json()
+
+    user = User.register_verify(json["token"])
+    cookie = create_access_token(identity=user)
+
+    response = jsonify({})
+    set_access_cookies(response, cookie)
+
+    return response, 200
 
 @auth.route("/verify_token", methods=["GET"])
 def verify_token():
@@ -63,8 +72,7 @@ def verify_token():
 
     return jsonify({}), 200
 
-@auth.route("/logout", methods=["DELETE"])
-@jwt_required()
+@auth.route("/logout", methods=["POST"])
 def logout():
     response = jsonify({})
     unset_jwt_cookies(response)

backend/models/user.py

@@ -0,0 +1,4 @@
+<p>Welcome! Thanks for signing up. Please follow this link to activate your account:</p>
+<p><a href="{{ confirm_url }}">{{ confirm_url }}</a></p>
+<br>
+<p>Cheers!</p>