diff --git a/server/__pycache__/security.cpython-311.pyc b/server/__pycache__/security.cpython-311.pyc
new file mode 100644
index 0000000..56ddc2b
Binary files /dev/null and b/server/__pycache__/security.cpython-311.pyc differ
diff --git a/server/app.py b/server/app.py
index 97116df..3111bb1 100644
--- a/server/app.py
+++ b/server/app.py
@@ -1,9 +1,11 @@
 # server/app.py
-from flask import Flask, request, jsonify, render_template, redirect, url_for, send_from_directory
+from flask import Flask, request, jsonify, render_template, redirect, url_for, session
 from flask_talisman import Talisman
 import os
+from security import validate_user, identify_uploader
 app = Flask(__name__, template_folder='../templates')
+app.secret_key = 'super_secret_key' # Change this to a more secure key for production
 Talisman(app)
 RECEIVED_FILES_DIR = "../assets"
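Review bot: `app.secret_key = 'super_secret_key'` is a hard-coded, committed value, and every check this commit adds on `session['username']` is only as strong as that key: anyone who can read the repository can mint a validly signed session cookie for any username and bypass `login()` entirely. Load it from the environment and refuse to start without it, e.g. `app.secret_key = os.environ["FLASK_SECRET_KEY"]`, rather than relying on the trailing comment being acted on before deployment. The same hunk also drops `send_from_directory` from the flask import; the `/assets/` handler `get_image` later in this file is not shown here, so if it still calls that function this change leaves it raising NameError at request time — worth confirming.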
@@ -16,33 +18,58 @@ uploaded_images = []
 @app.route('/')
 def index():
+ if 'username' not in session:
+ return redirect(url_for('login'))
 return render_template("index.html")
+@app.route('/login', methods=['GET', 'POST'])
+def login():
+ if request.method == 'POST':
+ username = request.form['username']
+ password = request.form['password']
+ if validate_user(username, password):
+ session['username'] = username
+ return redirect(url_for('index'))
+ else:
+ return "Invalid credentials. Please try again.", 403
+ return render_template("login.html")
+
+@app.route('/logout')
+def logout():
+ session.pop('username', None)
+ return redirect(url_for('login'))
+
 @app.route('/upload/link', methods=['POST'])
 def upload_link():
+ if 'username' not in session:
+ return redirect(url_for('login'))
+
 data = request.form
- if 'link' not in data or 'uploader' not in data:
- return jsonify({"error": "Link and uploader's name are required"}), 400
+ if 'link' not in data:
+ return jsonify({"error": "No link provided"}), 400
- link_info = {'link': data['link'], 'uploader': data['uploader']}
+ uploader = identify_uploader()
+ link_info = {'link': data['link'], 'uploader': uploader}
 uploaded_links.append(link_info)
 with open(os.path.join(RECEIVED_FILES_DIR, "links.txt"), "a") as f:
- f.write(f"{data['uploader']}: {data['link']}\n")
+ f.write(f"{uploader}: {data['link']}\n")
 return redirect(url_for('index'))
 @app.route('/upload/image', methods=['POST'])
 def upload_image():
- if 'file' not in request.files or 'uploader' not in request.form:
- return jsonify({"error": "File and uploader's name are required"}), 400
+ if 'username' not in session:
+ return redirect(url_for('login'))
+
+ if 'file' not in request.files:
+ return jsonify({"error": "No file provided"}), 400
 file = request.files['file']
- uploader = request.form['uploader']
-
 if file.filename == '':
 return jsonify({"error": "No selected file"}), 400
+ uploader = identify_uploader()
 save_path = os.path.join(RECEIVED_FILES_DIR, file.filename)
 file.save(save_path)
@@ -52,6 +79,9 @@ def upload_image():
 @app.route('/uploads')
 def view_uploads():
+ if 'username' not in session:
+ return redirect(url_for('login'))
+
 return render_template("uploads.html", links=uploaded_links, images=uploaded_images)
 @app.route('/assets/')
@@ -60,11 +90,13 @@ def get_image(filename):
 @app.route('/rename/', methods=['POST'])
 def rename_file(filename):
+ if 'username' not in session:
+ return redirect(url_for('login'))
+
 new_name = request.form.get('new_name')
 if new_name and os.path.exists(os.path.join(RECEIVED_FILES_DIR, filename)):
 os.rename(os.path.join(RECEIVED_FILES_DIR, filename), os.path.join(RECEIVED_FILES_DIR, new_name))
- # Update internal records
 for image in uploaded_images:
 if image['filename'] == filename:
 image['filename'] = new_name
@@ -75,4 +107,3 @@ def rename_file(filename):
 if __name__ == '__main__':
 app.run(host='0.0.0.0', port=5000, ssl_context='adhoc')
-
diff --git a/server/security.py b/server/security.py
new file mode 100644
index 0000000..fa55ab9
--- /dev/null
+++ b/server/security.py
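Review bot: `upload_link` and `upload_image` now attribute uploads with `identify_uploader()`, a string built from the client-supplied `User-Agent` header and `request.remote_addr`, even though the authenticated identity is already sitting in `session['username']`; the header is whatever the client chooses to send and the address is the reverse proxy's when one is in front of the app, so the `links.txt` record this writes is not reliable attribution. Use `uploader = session['username']` in both handlers and keep the device string, if it is wanted at all, as supplementary logging. Separately, `upload_image` still saves to `os.path.join(RECEIVED_FILES_DIR, file.filename)` with the raw client filename, which lets a logged-in user write outside `../assets` via `../` segments or an absolute path; pass it through `werkzeug.utils.secure_filename(file.filename)` and reject an empty result. `upload_image` continues past the end of this hunk.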
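Review bot: `rename_file` still joins the form-supplied `new_name` (and the URL `filename`) into `RECEIVED_FILES_DIR` without any sanitisation, so a logged-in user can `os.rename` an asset onto any path the server process can write, e.g. `new_name=../../app.py`; the session check this hunk adds only changes who can do it, not what they can do. Normalise both through `werkzeug.utils.secure_filename` and bail on an empty result before the `os.path.exists` test, e.g. `filename = secure_filename(filename)` and `new_name = secure_filename(request.form.get('new_name', ''))`. `rename_file` continues past the end of this hunk.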
@@ -0,0 +1,33 @@
+# server/security.py
+from flask import request
+import platform
+import hashlib
+
+# Mock user database (username: password) - replace with a real database
+USER_DATABASE = {
+ "iphone_user": hashlib.sha256("iphone_password".encode()).hexdigest(),
+ "laptop_user": hashlib.sha256("laptop_password".encode()).hexdigest(),
+}
+
+# Function to validate user credentials
+def validate_user(username, password):
+ hashed_password = hashlib.sha256(password.encode()).hexdigest()
+ return USER_DATABASE.get(username) == hashed_password
+
+# Function to extract device information
+def get_device_info():
+ user_agent = request.headers.get('User-Agent', 'Unknown')
+ return {
+ "ip": request.remote_addr,
+ "user_agent": user_agent,
+ "isa": platform.machine(), # Get system architecture
+ "os": platform.system(), # Get OS
+ }
+
+# Function to identify the uploader based on device info
+def identify_uploader():
+ device_info = get_device_info()
+ if "iPhone" in device_info['user_agent']:
+ return f"Uploaded by iPhone (IP: {device_info['ip']})"
+ else:
+ return f"Uploaded by {device_info['isa']} {device_info['os']} (IP: {device_info['ip']})"
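Review bot: `validate_user` compares an unsalted single-round SHA-256 of the password with `==`, and the digests in `USER_DATABASE` are of passwords that are themselves committed in this file; an unsalted fast hash is recovered from a precomputed table in seconds and the plain string comparison is not constant-time. Use a purpose-built password hash — werkzeug, which Flask already depends on, provides `generate_password_hash` / `check_password_hash` (imported from `werkzeug.security` at the top of the module) — and keep the real credentials out of the repository. Separately, `platform.machine()` and `platform.system()` in `get_device_info` describe the host running Flask, not the client, so every non-iPhone upload is labelled with the server's own architecture and OS; the `# Get system architecture` / `# Get OS` comments should say `# host (server) architecture, not the client's` or the fields should be dropped, and note that the User-Agent it does use is client-controlled and `request.remote_addr` is the proxy's address behind a reverse proxy, so none of this is trustworthy for attribution.
```python
USER_DATABASE = {
    "iphone_user": generate_password_hash("iphone_password"),
    "laptop_user": generate_password_hash("laptop_password"),
}

def validate_user(username, password):
    stored = USER_DATABASE.get(username)
    return stored is not None and check_password_hash(stored, password)
# … unchanged: get_device_info, identify_uploader …
```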