god i am done with this program

server/security.py

@@ -1,9 +1,16 @@
-import os  # Import for generating random salts
+import os
 import hashlib
 from flask import request
 from db_setup import get_user, increment_login_attempts, reset_login_attempts
 
 MAX_ATTEMPTS = 3
+LOCKOUT_FILE = "locked_ips.txt"
+FAILED_ATTEMPTS = {}
+
+# Ensure the locked_ips.txt file exists
+if not os.path.exists(LOCKOUT_FILE):
+    with open(LOCKOUT_FILE, 'w') as f:
+        pass
 
 def generate_salt():
     """
@@ -12,39 +19,68 @@ def generate_salt():
     return os.urandom(16)
 
 def hash_password(password, salt):
+    """
+    Hashes the password with the provided salt using SHA-256.
+    """
     # Convert the salt to bytes if it's a string
     if isinstance(salt, str):
         salt = salt.encode()
     return hashlib.sha256(salt + password.encode()).hexdigest()
 
+def is_ip_locked(ip):
+    """
+    Checks if the IP address is in the lockout list.
+    """
+    if os.path.exists(LOCKOUT_FILE):
+        with open(LOCKOUT_FILE, 'r') as f:
+            locked_ips = f.read().splitlines()
+            return ip in locked_ips
+    return False
+
+def lock_ip(ip):
+    """
+    Adds an IP address to the lockout list.
+    """
+    with open(LOCKOUT_FILE, 'a') as f:
+        f.write(ip + "\n")
+
 def validate_user(username, password):
-    """
-    Validates the user's credentials against stored data.
-    """
+    ip_address = request.remote_addr
+
+    # Check if the IP is locked
+    if is_ip_locked(ip_address):
+        return False, "You have been locked out."
+
+    # Check or increment failed attempts for this IP address
+    if ip_address not in FAILED_ATTEMPTS:
+        FAILED_ATTEMPTS[ip_address] = 0
+
     user_data = get_user(username)
     if not user_data:
-        print(f"User '{username}' does not exist.")
-        return False, "User does not exist."
+        FAILED_ATTEMPTS[ip_address] += 1
+
+        if FAILED_ATTEMPTS[ip_address] >= MAX_ATTEMPTS:
+            lock_ip(ip_address)
+            return False, "Maximum login attempts exceeded. You have been locked out."
+        
+        remaining_attempts = MAX_ATTEMPTS - FAILED_ATTEMPTS[ip_address]
+        return False, f"User does not exist. {remaining_attempts} attempt(s) remaining."
 
     stored_password, salt, login_attempts = user_data
 
-    # Check if the maximum login attempts have been reached
-    if login_attempts >= MAX_ATTEMPTS:
-        print(f"User '{username}' has exceeded max login attempts.")
-        return False, "Maximum login attempts exceeded. Please contact the administrator."
-
-    # Hash the provided password with the salt
     hashed_password = hash_password(password, salt)
-    print(f"Provided hash: {hashed_password}, Stored hash: {stored_password}")
-
     if hashed_password == stored_password:
         reset_login_attempts(username)
-        print(f"User '{username}' logged in successfully.")
+        # Clear failed attempts for this IP on a successful login
+        FAILED_ATTEMPTS.pop(ip_address, None)
         return True, "Login successful."
     else:
-        increment_login_attempts(username)
-        remaining_attempts = MAX_ATTEMPTS - login_attempts - 1
-        print(f"Invalid credentials for '{username}'. {remaining_attempts} attempt(s) remaining.")
+        FAILED_ATTEMPTS[ip_address] += 1
+        if FAILED_ATTEMPTS[ip_address] >= MAX_ATTEMPTS:
+            lock_ip(ip_address)
+            return False, "Maximum login attempts exceeded. You have been locked out."
+        
+        remaining_attempts = MAX_ATTEMPTS - FAILED_ATTEMPTS[ip_address]
         return False, f"Invalid credentials. {remaining_attempts} attempt(s) remaining."
 
 def identify_uploader():