User accounts/management ready except for admin.

app.py

@@ -235,7 +235,7 @@ def main_page(page):
     lang = requested_lang()
     effective_lang = lang
 
-    if page in ['signup', 'login', 'my-profile']:
+    if page in ['signup', 'login', 'my-profile', 'recover', 'reset']:
         return auth_templates(page, lang, render_main_menu(page), request)
 
     # Default to English if requested language is not available

auth.py

@@ -1,6 +1,8 @@
+import os
 import bcrypt
 import redis
 import re
+import urllib
 from flask import request, make_response, jsonify, redirect, render_template
 from utils import type_check, object_check, timems
 import datetime
@@ -18,8 +20,7 @@
 cookie_name     = config ['session'] ['cookie_name']
 session_length  = config ['session'] ['session_length'] * 60
 
-# TODO: determine environment properly
-env = 'local'
+env = os.getenv ('HEROKU_APP_NAME')
 
 def check_password (password, hash):
     return bcrypt.checkpw (bytes (password, 'utf-8'), bytes (hash, 'utf-8'))
@@ -77,11 +78,11 @@ def login ():
 
         # If username has an @-sign, then it's an email
         if '@' in body ['username']:
-           username = r.hget ('email', body ['username'].strip ().lower ())
-           if not username:
-              return 'invalid username/password', 403
+            username = r.hget ('email', body ['username'].strip ().lower ())
+            if not username:
+                return 'invalid username/password', 403
         else:
-           username = body ['username'].strip ().lower ()
+            username = body ['username'].strip ().lower ()
 
         user = r.hgetall ('user:' + username)
         if not user:
@@ -143,52 +144,54 @@ def signup ():
         username = body ['username'].strip ().lower ()
         email = body ['email'].strip ().lower ()
 
+        if env and 'subscribe' in body and body ['subscribe'] == True:
+            send_email (config ['email'] ['sender'], 'Subscription to Hedy newsletter on signup', email, '<p>' + email + '</p>')
+
         user = {
-           'username': username,
-           'password': hashed,
-           'email':    email,
-           'created':  timems (),
-           'verification_pending': hashed_token
+            'username': username,
+            'password': hashed,
+            'email':    email,
+            'created':  timems (),
+            'verification_pending': hashed_token
         }
 
         if 'country' in body:
-           user ['country'] = body ['country']
+            user ['country'] = body ['country']
         if 'birth_year' in body:
-           user ['birth_year'] = body ['birth_year']
+            user ['birth_year'] = body ['birth_year']
         if 'gender' in body:
-           user ['gender'] = body ['gender']
+            user ['gender'] = body ['gender']
 
         r.hmset ('user:' + username, user);
         r.hset ('email', email, username)
 
-        if env == 'local':
+        if not env:
             # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
             return jsonify ({'username': username, 'token': hashed_token}), 200
         else:
-            # TODO: Replace with template
-            send_email (email, 'Welcome to Hedy', 'Welcome to Hedy, please verify your email', '<h1>Welcome to Hedy, please verify your email</h1>')
+            send_email_template ('welcome_verify', email, requested_lang (), os.getenv ('BASE_URL') + '/auth/verify?username=' + urllib.parse.quote_plus (username) + '&token=' + urllib.parse.quote_plus (hashed_token))
             return '', 200
 
     @app.route ('/auth/verify', methods=['GET'])
     def verify_email ():
         username = request.args.get ('username', None)
         token = request.args.get ('token', None)
         if not token:
-            return 'No token sent', 403
+            return 'no token', 400
         if not username:
-            return 'No username sent', 403
+            return 'no username', 400
 
         user = r.hgetall ('user:' + username)
 
         if not user:
-            return 'Invalid username', 403
+            return 'invalid username/token', 403
 
         # If user is verified, succeed anyway
         if not 'verification_pending' in user:
             return redirect ('/')
 
         if token != user ['verification_pending']:
-            return 'Invalid token', 403
+            return 'invalid username/token', 403
 
         r.hdel ('user:' + username, 'verification_pending')
         return redirect ('/')
@@ -230,6 +233,9 @@ def change_password (user):
         hashed = hash (body ['new_password'], make_salt ())
 
         r.hset ('user:' + user ['username'], 'password', hashed)
+        if env:
+            send_email_template ('change_password', user ['email'], requested_lang (), None)
+
         return '', 200
 
     @app.route ('/profile', methods=['POST'])
@@ -257,12 +263,12 @@ def update_profile (user):
         if 'email' in body:
             email = body ['email'].strip ().lower ()
             if email != user ['email']:
-               exists = r.hget ('email', email)
-               if exists:
-                   return 'email exists', 403
-               r.hdel ('email', user ['email'])
-               r.hset ('email', email, user ['username'])
-               r.hset ('user:' + user ['username'], 'email', email)
+                exists = r.hget ('email', email)
+                if exists:
+                    return 'email exists', 403
+                r.hdel ('email', user ['email'])
+                r.hset ('email', email, user ['username'])
+                r.hset ('user:' + user ['username'], 'email', email)
 
         if 'country' in body:
             r.hset ('user:' + user ['username'], 'country', body ['country'])
@@ -297,11 +303,11 @@ def recover ():
 
         # If username has an @-sign, then it's an email
         if '@' in body ['username']:
-           username = r.hget ('email', body ['username'].strip ().lower ())
-           if not username:
-              return 'invalid username/password', 403
+            username = r.hget ('email', body ['username'].strip ().lower ())
+            if not username:
+                return 'invalid username', 403
         else:
-           username = body ['username'].strip ().lower ()
+            username = body ['username'].strip ().lower ()
 
         user = r.hgetall ('user:' + username)
 
@@ -313,12 +319,11 @@ def recover ():
 
         r.setex ('token:' + username, session_length, hashed)
 
-        if env == 'local':
+        if not env:
             # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
-            return jsonify ({'token': token}), 200
+            return jsonify ({'username': username, 'token': token}), 200
         else:
-            # TODO: Replace with template
-            send_email (user ['email'], 'Reset password', 'Reset password', '<h1>Reset password</h1>')
+            send_email_template ('recover_password', user ['email'], requested_lang (), os.getenv ('BASE_URL') + '/reset?username=' + urllib.parse.quote_plus (username) + '&token=' + urllib.parse.quote_plus (token))
             return '', 200
 
     @app.route ('/auth/reset', methods=['POST'])
@@ -339,31 +344,47 @@ def reset ():
 
         # If username has an @-sign, then it's an email
         if '@' in body ['username']:
-           username = r.hget ('email', body ['username'].strip ().lower ())
-           if not username:
-              return 'invalid username/password', 403
+            username = r.hget ('email', body ['username'].strip ().lower ())
+            if not username:
+                return 'invalid username/password', 403
         else:
-           username = body ['username'].strip ().lower ()
+            username = body ['username'].strip ().lower ()
 
         hashed = r.get ('token:' + username)
         if not hashed:
-            return 'invalid username', 403
+            return 'invalid username/token', 403
         if not check_password (body ['token'], hashed):
-            return 'invalid token', 403
+            return 'invalid username/token', 403
 
         hashed = hash (body ['password'], make_salt ())
         r.delete ('token:' + username);
         r.hset ('user:' + username, 'password', hashed)
         email = r.hget ('user:' + username, 'email')
 
-        if env != 'local':
-            # TODO: Replace with template
-            send_email (email, 'Your password has been changed', 'Your password has been changed', '<h1>Your password has been changed</h1>')
+        if env:
+            send_email_template ('reset_password', email, requested_lang (), None)
 
         return '', 200
 
+    @app.route ('/users', methods=['GET'])
+    @requires_login
+    def get_users (user):
+        if user ['email'] != os.getenv ('ADMIN_EMAIL'):
+            return '', 403
+        # TODO: implement
+        # username, email, birth_year (int), country, gender, created (int), last_access (int|undefined), verification_pending (make boolean)
+        # sort by last created first
+        output = []
+        return jsonify (output), 200
+
+# Turn off verbose logs from boto/SES, thanks to https://github.com/boto/boto3/issues/521
+import logging
+for name in logging.Logger.manager.loggerDict.keys ():
+    if ('boto' in name) or ('urllib3' in name) or ('s3transfer' in name) or ('boto3' in name) or ('botocore' in name) or ('nose' in name):
+        logging.getLogger (name).setLevel (logging.CRITICAL)
+
 # https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-using-sdk-python.html
-email_client = boto3.client ('ses', region_name = config ['email'] ['region'], aws_access_key_id = '...', aws_secret_access_key = '...')
+email_client = boto3.client ('ses', region_name = config ['email'] ['region'], aws_access_key_id = os.getenv ('AWS_SES_ACCESS_KEY'), aws_secret_access_key = os.getenv ('AWS_SES_SECRET_KEY'))
 
 def send_email (recipient, subject, body_plain, body_html):
     try:
@@ -383,10 +404,25 @@ def send_email (recipient, subject, body_plain, body_html):
     else:
         print ('Email sent to ' + recipient)
 
+def send_email_template (template, email, lang, link):
+    texts = TRANSLATIONS.data [lang] ['Auth']
+    subject = texts ['email_' + template + '_subject']
+    body = texts ['email_' + template + '_body'].split ('\n')
+    body = [texts ['email_hello']] + body
+    if link:
+        body = body + ['@@LINK@@']
+    body = body + texts ['email_goodbye'].split ('\n')
+
+    body_plain = '\n'.join (body)
+    body_html = '<p>' + '</p><p>'.join (body) + '</p>'
+    if link:
+        body_plain = body_plain.replace ('@@LINK@@', 'Please copy and paste this link into a new tab: ' + link)
+        body_html = body_html.replace ('@@LINK@@', '<a href="' + link + '">Link</a>')
+
+    send_email (email, subject, body_plain, body_html)
+
 def auth_templates (page, lang, menu, request):
-    if page == 'signup':
-        return render_template ('signup.html', lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request))
-    if page == 'login':
-        return render_template ('login.html', lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request))
     if page == 'my-profile':
         return render_template ('profile.html', lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request))
+    if page in ['signup', 'login', 'recover', 'reset']:
+        return render_template (page + '.html',  lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request))

coursedata/texts/en.yaml

@@ -39,6 +39,7 @@ Auth:
   male: "Male"
   other: "Other"
   country: "Country"
+  subscribe_newsletter: "Subscribe to the newsletter"
   already_account: "Already have an account?"
   login_long: "Log in to your account"
   login: "Log in"
@@ -65,3 +66,25 @@ Auth:
   profile_updated: "Profile updated."
   password_updated: "Password updated."
   signup_success: "Success! Please login :)."
+  forgot_password: "Forgot your password?"
+  recover_password: "Request a password reset"
+  send_password_recovery: "Send me a password recovery link"
+  sent_password_recovery: "You should soon receive an email with instructions on how to reset your password."
+  reset_password: "Reset password"
+  password_resetted: "Your password has been successfully resetted. Please login."
+  invalid_username_password: "Invalid username/password."
+  invalid_username: "Invalid username."
+  invalid_password: "Invalid password."
+  invalid_reset_link: "Invalid reset password link."
+  exists_email: "That email is already in use."
+  exists_username: "That username is already in use."
+  email_hello: "Hi!"
+  email_goodbye: "Thank you!\nThe Hedy team"
+  email_welcome_verify_subject: "Your Hedy account has been created"
+  email_welcome_verify_body: "Your Hedy account has been created successfully. Welcome!\nPlease click on the link below to verify your email address."
+  email_change_password_subject: "Your Hedy password has been changed"
+  email_change_password_body: "Your Hedy password has been changed. If you did this, all is good.\nIf you didn't change your password, please contact us immediately by replying to this email."
+  email_recover_password_subject: "Reset your Hedy password"
+  email_recover_password_body: "By clicking the link below, you can set a new Hedy password. If you haven't required a password reset, please ignore this email."
+  email_reset_password_subject: "Your Hedy password has been resetted"
+  email_reset_password_body: "Your Hedy password has been resetted to a new one. If you did this, all is good.\nIf you didn't change your password, please contact us immediately by replying to this email."

coursedata/texts/es.yaml

@@ -39,6 +39,7 @@ Auth:
   male: "Masculino"
   other: "Otro"
   country: "País"
+  subscribe_newsletter: "Subscribirse al newsletter"
   already_account: "¿Ya tienes una cuenta?"
   login_long: "Ingresar a mi cuenta"
   login: "Ingresar"
@@ -65,3 +66,25 @@ Auth:
   profile_updated: "Perfil actualizado."
   password_updated: "Contraseña actualizada."
   signup_success: "¡Tu cuenta se ha creado con éxito! Ya puedes entrar con tu nuevo nombre de usuario :)."
+  forgot_password: "¿Olvidaste tu contraseña?"
+  recover_password: "Reestablecer contraseña"
+  send_password_recovery: "Envíame un link para reestablecer mi contraseña"
+  sent_password_recovery: "Pronto recibirás un correo electrónico con instrucciones sobre cómo reestablecer tu contraseña."
+  reset_password: "Establecer nueva contraseña"
+  password_resetted: "Tu contraseña ha sido cambiada exitosamente. Ya puedes entrar nuevamente a tu cuenta usando la nueva contraseña."
+  invalid_username_password: "Combinación de usuario/contraseña inválida."
+  invalid_username: "Nombre de usuario inválido."
+  invalid_password: "Contraseña inválida."
+  invalid_reset_link: "Link de reestablecer contraseña inválido."
+  exists_email: "Esa dirección de correo electrónico ya está en uso."
+  exists_username: "Ese nombre de usuario ya está en uso."
+  email_hello: "¡Hola!"
+  email_goodbye: "¡Gracias!\nEl equipo de Hedy"
+  email_welcome_verify_subject: "Tu cuenta de Hedy ha sido creada"
+  email_welcome_verify_body: "Tu cuenta de Hedy ha sido creada exitosamente. ¡Bienvenid@!\nPor favor haz click en el link debajo para verificar tu dirección de correo electrónico."
+  email_change_password_subject: "Tu contraseña de Hedy ha sido cambiada"
+  email_change_password_body: "Tu contraseña de Hedy ha sido cambiada. Si tú has hecho esto, todo marcha bien.\nSi tú no has realizado esta acción, por favor contáctanos inmediatamente respondiendo a este correo electrónico."
+  email_recover_password_subject: "Reestablecer tu contraseña de Hedy"
+  email_recover_password_body: "Haciendo click en el link debajo, puedes reestablecer tu contraseña de Hedy. Si tú no has requerido reestablecer tu contraseña de Hedy, por favor ignora este correo electrónico."
+  email_reset_password_subject: "Tu contraseña de Hedy se ha reestablecido"
+  email_reset_password_body: "Tu contraseña de Hedy se ha reestablecido. Si tú has hecho esto, todo marcha bien.\nSi tú no has reestablecido tu contraseña, por favor contáctanos inmediataamente respondiendo a este correo electrónico."

coursedata/texts/fr.yaml

@@ -50,6 +50,7 @@ Auth:
   male: "Male"
   other: "Other"
   country: "Country"
+  subscribe_newsletter: "Subscribe to the newsletter"
   already_account: "Already have an account?"
   login_long: "Log in to your account"
   login: "Log in"
@@ -76,3 +77,25 @@ Auth:
   profile_updated: "Profile updated."
   password_updated: "Password updated."
   signup_success: "Success! Please login :)."
+  forgot_password: "Forgot your password?"
+  recover_password: "Request a password reset"
+  send_password_recovery: "Send me a password recovery link"
+  sent_password_recovery: "You should soon receive an email with instructions on how to reset your password."
+  reset_password: "Reset password"
+  password_resetted: "Your password has been successfully resetted. Please login."
+  invalid_username_password: "Invalid username/password."
+  invalid_username: "Invalid username."
+  invalid_password: "Invalid password."
+  invalid_reset_link: "Invalid reset password link."
+  exists_email: "That email is already in use."
+  exists_username: "That username is already in use."
+  email_hello: "Hi!"
+  email_goodbye: "Thank you!\nThe Hedy team"
+  email_welcome_verify_subject: "Your Hedy account has been created"
+  email_welcome_verify_body: "Your Hedy account has been created successfully. Welcome!\nPlease click on the link below to verify your email address."
+  email_change_password_subject: "Your Hedy password has been changed"
+  email_change_password_body: "Your Hedy password has been changed. If you did this, all is good.\nIf you didn't change your password, please contact us immediately by replying to this email."
+  email_recover_password_subject: "Reset your Hedy password"
+  email_recover_password_body: "By clicking the link below, you can set a new Hedy password. If you haven't required a password reset, please ignore this email."
+  email_reset_password_subject: "Your Hedy password has been resetted"
+  email_reset_password_body: "Your Hedy password has been resetted to a new one. If you did this, all is good.\nIf you didn't change your password, please contact us immediately by replying to this email."