We use cookies to ensure you get the best experience on our website
Startsida Utforska Hjälp
Registrera dig Logga in
0ct0pu5
/
desec-stack
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: b55e9e34fd
Grenar Taggar
desec-stack
/
api
/
desecapi
/
views.py

views.py 25 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635 
  1. import base64
    2. 

  2. import binascii
    3. 

  3. 

  4. from django.conf import settings
    5. 

  5. from django.contrib.auth import user_logged_in
    6. 

  6. from django.contrib.auth.hashers import is_password_usable
    7. 

  7. from django.core.mail import EmailMessage
    8. 

  8. from django.http import Http404
    9. 

  9. from django.shortcuts import redirect
    10. 

  10. from django.template.loader import get_template
    11. 

  11. from rest_framework import generics
    12. 

  12. from rest_framework import mixins
    13. 

  13. from rest_framework import status
    14. 

  14. from rest_framework.authentication import get_authorization_header
    15. 

  15. from rest_framework.exceptions import (NotAcceptable, NotFound, PermissionDenied, ValidationError)
    16. 

  16. from rest_framework.permissions import IsAuthenticated
    17. 

  17. from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer
    18. 

  18. from rest_framework.response import Response
    19. 

  19. from rest_framework.reverse import reverse
    20. 

  20. from rest_framework.views import APIView
    21. 

  21. from rest_framework.viewsets import GenericViewSet
    22. 

  22. 

  23. import desecapi.authentication as auth
    24. 

  24. from desecapi import serializers, models
    25. 

  25. from desecapi.pdns_change_tracker import PDNSChangeTracker
    26. 

  26. from desecapi.permissions import IsOwner, IsDomainOwner, WithinDomainLimitOnPOST
    27. 

  27. from desecapi.renderers import PlainTextRenderer
    28. 

  28. 

  29. 

  30. class IdempotentDestroy:
    31. 

  31. 

  32.     def destroy(self, request, *args, **kwargs):
    33. 

  33.         try:
    34. 

  34.             # noinspection PyUnresolvedReferences
    35. 

  35.             super().destroy(request, *args, **kwargs)
    36. 

  36.         except Http404:
    37. 

  37.             pass
    38. 

  38.         return Response(status=status.HTTP_204_NO_CONTENT)
    39. 

  39. 

  40. 

  41. class DomainView:
    42. 

  42. 

  43.     def initial(self, request, *args, **kwargs):
    44. 

  44.         # noinspection PyUnresolvedReferences
    45. 

  45.         super().initial(request, *args, **kwargs)
    46. 

  46.         try:
    47. 

  47.             # noinspection PyAttributeOutsideInit, PyUnresolvedReferences
    48. 

  48.             self.domain = self.request.user.domains.get(name=self.kwargs['name'])
    49. 

  49.         except models.Domain.DoesNotExist:
    50. 

  50.             raise Http404
    51. 

  51. 

  52. 

  53. class TokenViewSet(IdempotentDestroy,
    54. 

  54.                    mixins.CreateModelMixin,
    55. 

  55.                    mixins.RetrieveModelMixin,
    56. 

  56.                    mixins.DestroyModelMixin,
    57. 

  57.                    mixins.ListModelMixin,
    58. 

  58.                    GenericViewSet):
    59. 

  59.     serializer_class = serializers.TokenSerializer
    60. 

  60.     permission_classes = (IsAuthenticated, )
    61. 

  61. 

  62.     def get_queryset(self):
    63. 

  63.         return self.request.user.auth_tokens.all()
    64. 

  64. 

  65.     def get_serializer(self, *args, **kwargs):
    66. 

  66.         # When creating a new token, return the plaintext representation
    67. 

  67.         if self.request.method == 'POST':
    68. 

  68.             kwargs.setdefault('include_plain', True)
    69. 

  69.         return super().get_serializer(*args, **kwargs)
    70. 

  70. 

  71.     def perform_create(self, serializer):
    72. 

  72.         serializer.save(user=self.request.user)
    73. 

  73. 

  74. 

  75. class DomainViewSet(IdempotentDestroy,
    76. 

  76.                     mixins.CreateModelMixin,
    77. 

  77.                     mixins.RetrieveModelMixin,
    78. 

  78.                     mixins.DestroyModelMixin,
    79. 

  79.                     mixins.ListModelMixin,
    80. 

  80.                     GenericViewSet):
    81. 

  81.     serializer_class = serializers.DomainSerializer
    82. 

  82.     permission_classes = (IsAuthenticated, IsOwner, WithinDomainLimitOnPOST)
    83. 

  83.     lookup_field = 'name'
    84. 

  84.     lookup_value_regex = r'[^/]+'
    85. 

  85. 

  86.     def get_queryset(self):
    87. 

  87.         return self.request.user.domains
    88. 

  88. 

  89.     def perform_create(self, serializer):
    90. 

  90.         with PDNSChangeTracker():
    91. 

  91.             domain = serializer.save(owner=self.request.user)
    92. 

  92. 

  93.         # TODO this line raises if the local public suffix is not in our database!
    94. 

  94.         PDNSChangeTracker.track(lambda: self.auto_delegate(domain))
    95. 

  95. 

  96.     @staticmethod
    97. 

  97.     def auto_delegate(domain: models.Domain):
    98. 

  98.         if domain.is_locally_registrable:
    99. 

  99.             parent_domain = models.Domain.objects.get(name=domain.parent_domain_name)
    100. 

  100.             parent_domain.update_delegation(domain)
    101. 

  101. 

  102.     def perform_destroy(self, instance: models.Domain):
    103. 

  103.         with PDNSChangeTracker():
    104. 

  104.             instance.delete()
    105. 

  105.         if instance.is_locally_registrable:
    106. 

  106.             parent_domain = models.Domain.objects.get(name=instance.parent_domain_name)
    107. 

  107.             with PDNSChangeTracker():
    108. 

  108.                 parent_domain.update_delegation(instance)
    109. 

  109. 

  110. 

  111. class RRsetDetail(IdempotentDestroy, DomainView, generics.RetrieveUpdateDestroyAPIView):
    112. 

  112.     serializer_class = serializers.RRsetSerializer
    113. 

  113.     permission_classes = (IsAuthenticated, IsDomainOwner,)
    114. 

  114. 

  115.     def get_queryset(self):
    116. 

  116.         return self.domain.rrset_set
    117. 

  117. 

  118.     def get_object(self):
    119. 

  119.         queryset = self.filter_queryset(self.get_queryset())
    120. 

  120. 

  121.         filter_kwargs = {k: self.kwargs[k] for k in ['subname', 'type']}
    122. 

  122.         obj = generics.get_object_or_404(queryset, **filter_kwargs)
    123. 

  123. 

  124.         # May raise a permission denied
    125. 

  125.         self.check_object_permissions(self.request, obj)
    126. 

  126. 

  127.         return obj
    128. 

  128. 

  129.     def get_serializer(self, *args, **kwargs):
    130. 

  130.         return super().get_serializer(domain=self.domain, *args, **kwargs)
    131. 

  131. 

  132.     def update(self, request, *args, **kwargs):
    133. 

  133.         response = super().update(request, *args, **kwargs)
    134. 

  134. 

  135.         if response.data is None:
    136. 

  136.             response.status_code = 204
    137. 

  137.         return response
    138. 

  138. 

  139.     def perform_update(self, serializer):
    140. 

  140.         with PDNSChangeTracker():
    141. 

  141.             super().perform_update(serializer)
    142. 

  142. 

  143.     def perform_destroy(self, instance):
    144. 

  144.         with PDNSChangeTracker():
    145. 

  145.             super().perform_destroy(instance)
    146. 

  146. 

  147. 

  148. class RRsetList(DomainView, generics.ListCreateAPIView, generics.UpdateAPIView):
    149. 

  149.     serializer_class = serializers.RRsetSerializer
    150. 

  150.     permission_classes = (IsAuthenticated, IsDomainOwner,)
    151. 

  151. 

  152.     def get_queryset(self):
    153. 

  153.         rrsets = models.RRset.objects.filter(domain=self.domain)
    154. 

  154. 

  155.         for filter_field in ('subname', 'type'):
    156. 

  156.             value = self.request.query_params.get(filter_field)
    157. 

  157. 

  158.             if value is not None:
    159. 

  159.                 # TODO consider moving this
    160. 

  160.                 if filter_field == 'type' and value in models.RRset.RESTRICTED_TYPES:
    161. 

  161.                     raise PermissionDenied("You cannot tinker with the %s RRset." % value)
    162. 

  162. 

  163.                 rrsets = rrsets.filter(**{'%s__exact' % filter_field: value})
    164. 

  164. 

  165.         return rrsets
    166. 

  166. 

  167.     def get_object(self):
    168. 

  168.         # For this view, the object we're operating on is the queryset that one can also GET. Serializing a queryset
    169. 

  169.         # is fine as per https://www.django-rest-framework.org/api-guide/serializers/#serializing-multiple-objects.
    170. 

  170.         # We skip checking object permissions here to avoid evaluating the queryset. The user can access all his RRsets
    171. 

  171.         # anyways.
    172. 

  172.         return self.filter_queryset(self.get_queryset())
    173. 

  173. 

  174.     def get_serializer(self, *args, **kwargs):
    175. 

  175.         kwargs = kwargs.copy()
    176. 

  176.         data = kwargs.get('data')
    177. 

  177.         if data and 'many' not in kwargs:
    178. 

  178.             if self.request.method == 'POST':
    179. 

  179.                 kwargs['many'] = isinstance(data, list)
    180. 

  180.             elif self.request.method in ['PATCH', 'PUT']:
    181. 

  181.                 kwargs['many'] = True
    182. 

  182.         return super().get_serializer(domain=self.domain, *args, **kwargs)
    183. 

  183. 

  184.     def perform_create(self, serializer):
    185. 

  185.         with PDNSChangeTracker():
    186. 

  186.             serializer.save(domain=self.domain)
    187. 

  187. 

  188.     def perform_update(self, serializer):
    189. 

  189.         with PDNSChangeTracker():
    190. 

  190.             serializer.save(domain=self.domain)
    191. 

  191. 

  192. 

  193. class Root(APIView):
    194. 

  194.     def get(self, request, *_):
    195. 

  195.         if self.request.user.is_authenticated:
    196. 

  196.             routes = {
    197. 

  197.                 'account': {
    198. 

  198.                     'show': reverse('account', request=request),
    199. 

  199.                     'delete': reverse('account-delete', request=request),
    200. 

  200.                     'change-email': reverse('account-change-email', request=request),
    201. 

  201.                     'reset-password': reverse('account-reset-password', request=request),
    202. 

  202.                 },
    203. 

  203.                 'logout': reverse('logout', request=request),
    204. 

  204.                 'tokens': reverse('token-list', request=request),
    205. 

  205.                 'domains': reverse('domain-list', request=request),
    206. 

  206.             }
    207. 

  207.         else:
    208. 

  208.             routes = {
    209. 

  209.                 'register': reverse('register', request=request),
    210. 

  210.                 'login': reverse('login', request=request),
    211. 

  211.                 'reset-password': reverse('account-reset-password', request=request),
    212. 

  212.             }
    213. 

  213.         return Response(routes)
    214. 

  214. 

  215. 

  216. class DynDNS12Update(APIView):
    217. 

  217.     authentication_classes = (auth.TokenAuthentication, auth.BasicTokenAuthentication, auth.URLParamAuthentication,)
    218. 

  218.     renderer_classes = [PlainTextRenderer]
    219. 

  219. 

  220.     def _find_domain(self, request):
    221. 

  221.         def find_domain_name(r):
    222. 

  222.             # 1. hostname parameter
    223. 

  223.             if 'hostname' in r.query_params and r.query_params['hostname'] != 'YES':
    224. 

  224.                 return r.query_params['hostname']
    225. 

  225. 

  226.             # 2. host_id parameter
    227. 

  227.             if 'host_id' in r.query_params:
    228. 

  228.                 return r.query_params['host_id']
    229. 

  229. 

  230.             # 3. http basic auth username
    231. 

  231.             try:
    232. 

  232.                 domain_name = base64.b64decode(
    233. 

  233.                     get_authorization_header(r).decode().split(' ')[1].encode()).decode().split(':')[0]
    234. 

  234.                 if domain_name and '@' not in domain_name:
    235. 

  235.                     return domain_name
    236. 

  236.             except IndexError:
    237. 

  237.                 pass
    238. 

  238.             except UnicodeDecodeError:
    239. 

  239.                 pass
    240. 

  240.             except binascii.Error:
    241. 

  241.                 pass
    242. 

  242. 

  243.             # 4. username parameter
    244. 

  244.             if 'username' in r.query_params:
    245. 

  245.                 return r.query_params['username']
    246. 

  246. 

  247.             # 5. only domain associated with this user account
    248. 

  248.             if len(r.user.domains.all()) == 1:
    249. 

  249.                 return r.user.domains.all()[0].name
    250. 

  250.             if len(r.user.domains.all()) > 1:
    251. 

  251.                 ex = ValidationError(detail={
    252. 

  252.                     "detail": "Request does not specify domain unambiguously.",
    253. 

  253.                     "code": "domain-ambiguous"
    254. 

  254.                 })
    255. 

  255.                 ex.status_code = status.HTTP_409_CONFLICT
    256. 

  256.                 raise ex
    257. 

  257. 

  258.             return None
    259. 

  259. 

  260.         name = find_domain_name(request).lower()
    261. 

  261. 

  262.         try:
    263. 

  263.             return self.request.user.domains.get(name=name)
    264. 

  264.         except models.Domain.DoesNotExist:
    265. 

  265.             return None
    266. 

  266. 

  267.     @staticmethod
    268. 

  268.     def find_ip(request, params, version=4):
    269. 

  269.         if version == 4:
    270. 

  270.             look_for = '.'
    271. 

  271.         elif version == 6:
    272. 

  272.             look_for = ':'
    273. 

  273.         else:
    274. 

  274.             raise Exception
    275. 

  275. 

  276.         # Check URL parameters
    277. 

  277.         for p in params:
    278. 

  278.             if p in request.query_params:
    279. 

  279.                 if not len(request.query_params[p]):
    280. 

  280.                     return None
    281. 

  281.                 if look_for in request.query_params[p]:
    282. 

  282.                     return request.query_params[p]
    283. 

  283. 

  284.         # Check remote IP address
    285. 

  285.         client_ip = request.META.get('REMOTE_ADDR')
    286. 

  286.         if look_for in client_ip:
    287. 

  287.             return client_ip
    288. 

  288. 

  289.         # give up
    290. 

  290.         return None
    291. 

  291. 

  292.     def _find_ip_v4(self, request):
    293. 

  293.         return self.find_ip(request, ['myip', 'myipv4', 'ip'])
    294. 

  294. 

  295.     def _find_ip_v6(self, request):
    296. 

  296.         return self.find_ip(request, ['myipv6', 'ipv6', 'myip', 'ip'], version=6)
    297. 

  297. 

  298.     def get(self, request, *_):
    299. 

  299.         domain = self._find_domain(request)
    300. 

  300. 

  301.         if domain is None:
    302. 

  302.             raise NotFound('nohost')
    303. 

  303. 

  304.         ipv4 = self._find_ip_v4(request)
    305. 

  305.         ipv6 = self._find_ip_v6(request)
    306. 

  306. 

  307.         data = [
    308. 

  308.             {'type': 'A', 'subname': '', 'ttl': 60, 'records': [ipv4] if ipv4 else []},
    309. 

  309.             {'type': 'AAAA', 'subname': '', 'ttl': 60, 'records': [ipv6] if ipv6 else []},
    310. 

  310.         ]
    311. 

  311. 

  312.         instances = domain.rrset_set.filter(subname='', type__in=['A', 'AAAA']).all()
    313. 

  313.         serializer = serializers.RRsetSerializer(instances, domain=domain, data=data, many=True, partial=True)
    314. 

  314.         try:
    315. 

  315.             serializer.is_valid(raise_exception=True)
    316. 

  316.         except ValidationError as e:
    317. 

  317.             raise e
    318. 

  318. 

  319.         with PDNSChangeTracker():
    320. 

  320.             serializer.save(domain=domain)
    321. 

  321. 

  322.         return Response('good', content_type='text/plain')
    323. 

  323. 

  324. 

  325. class DonationList(generics.CreateAPIView):
    326. 

  326.     serializer_class = serializers.DonationSerializer
    327. 

  327. 

  328.     def perform_create(self, serializer):
    329. 

  329.         instance = self.serializer_class.Meta.model(**serializer.validated_data)
    330. 

  330. 

  331.         context = {
    332. 

  332.             'donation': instance,
    333. 

  333.             'creditoridentifier': settings.SEPA['CREDITOR_ID'],
    334. 

  334.             'creditorname': settings.SEPA['CREDITOR_NAME'],
    335. 

  335.         }
    336. 

  336. 

  337.         # internal desec notification
    338. 

  338.         content_tmpl = get_template('emails/donation/desec-content.txt')
    339. 

  339.         subject_tmpl = get_template('emails/donation/desec-subject.txt')
    340. 

  340.         attachment_tmpl = get_template('emails/donation/desec-attachment-jameica.txt')
    341. 

  341.         from_tmpl = get_template('emails/from.txt')
    342. 

  342.         email = EmailMessage(subject_tmpl.render(context),
    343. 

  343.                              content_tmpl.render(context),
    344. 

  344.                              from_tmpl.render(context),
    345. 

  345.                              ['donation@desec.io'],
    346. 

  346.                              attachments=[
    347. 

  347.                                  ('jameica-directdebit.xml',
    348. 

  348.                                   attachment_tmpl.render(context),
    349. 

  349.                                   'text/xml')
    350. 

  350.                              ])
    351. 

  351.         email.send()
    352. 

  352. 

  353.         # donor notification
    354. 

  354.         if instance.email:
    355. 

  355.             content_tmpl = get_template('emails/donation/donor-content.txt')
    356. 

  356.             subject_tmpl = get_template('emails/donation/donor-subject.txt')
    357. 

  357.             footer_tmpl = get_template('emails/footer.txt')
    358. 

  358.             email = EmailMessage(subject_tmpl.render(context),
    359. 

  359.                                  content_tmpl.render(context) + footer_tmpl.render(),
    360. 

  360.                                  from_tmpl.render(context),
    361. 

  361.                                  [instance.email])
    362. 

  362.             email.send()
    363. 

  363. 

  364. 

  365. class AccountCreateView(generics.CreateAPIView):
    366. 

  366.     serializer_class = serializers.RegisterAccountSerializer
    367. 

  367. 

  368.     def create(self, request, *args, **kwargs):
    369. 

  369.         # Create user and send trigger email verification.
    370. 

  370.         # Alternative would be to create user once email is verified, but this could be abused for bulk email.
    371. 

  371. 

  372.         serializer = self.get_serializer(data=request.data)
    373. 

  373.         activation_required = settings.USER_ACTIVATION_REQUIRED
    374. 

  374.         try:
    375. 

  375.             serializer.is_valid(raise_exception=True)
    376. 

  376.         except ValidationError as e:
    377. 

  377.             # Hide existing users
    378. 

  378.             email_detail = e.detail.pop('email', [])
    379. 

  379.             email_detail = [detail for detail in email_detail if detail.code != 'unique']
    380. 

  380.             if email_detail:
    381. 

  381.                 e.detail['email'] = email_detail
    382. 

  382.             if e.detail:
    383. 

  383.                 raise e
    384. 

  384.         else:
    385. 

  385.             # create user
    386. 

  386.             user = serializer.save(is_active=(not activation_required))
    387. 

  387. 

  388.             # send email if needed
    389. 

  389.             domain = serializer.validated_data.get('domain')
    390. 

  390.             if domain or activation_required:
    391. 

  391.                 action = models.AuthenticatedActivateUserAction(user=user, domain=domain)
    392. 

  392.                 verification_code = serializers.AuthenticatedActivateUserActionSerializer(action).data['code']
    393. 

  393.                 user.send_email('activate-with-domain' if domain else 'activate', context={
    394. 

  394.                     'confirmation_link': reverse('confirm-activate-account', request=request, args=[verification_code]),
    395. 

  395.                     'domain': domain,
    396. 

  396.                 })
    397. 

  397. 

  398.         # This request is unauthenticated, so don't expose whether we did anything.
    399. 

  399.         message = 'Welcome! Please check your mailbox.' if activation_required else 'Welcome!'
    400. 

  400.         return Response(data={'detail': message}, status=status.HTTP_202_ACCEPTED)
    401. 

  401. 

  402. 

  403. class AccountView(generics.RetrieveAPIView):
    404. 

  404.     permission_classes = (IsAuthenticated,)
    405. 

  405.     serializer_class = serializers.UserSerializer
    406. 

  406. 

  407.     def get_object(self):
    408. 

  408.         return self.request.user
    409. 

  409. 

  410. 

  411. class AccountDeleteView(generics.GenericAPIView):
    412. 

  412.     authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
    413. 

  413.     permission_classes = (IsAuthenticated,)
    414. 

  414.     response_still_has_domains = Response(
    415. 

  415.         data={'detail': 'To delete your user account, first delete all of your domains.'},
    416. 

  416.         status=status.HTTP_409_CONFLICT,
    417. 

  417.     )
    418. 

  418. 

  419.     def post(self, request, *args, **kwargs):
    420. 

  420.         if self.request.user.domains.exists():
    421. 

  421.             return self.response_still_has_domains
    422. 

  422.         action = models.AuthenticatedDeleteUserAction(user=self.request.user)
    423. 

  423.         verification_code = serializers.AuthenticatedDeleteUserActionSerializer(action).data['code']
    424. 

  424.         request.user.send_email('delete-user', context={
    425. 

  425.             'confirmation_link': reverse('confirm-delete-account', request=request, args=[verification_code])
    426. 

  426.         })
    427. 

  427. 

  428.         return Response(data={'detail': 'Please check your mailbox for further account deletion instructions.'},
    429. 

  429.                         status=status.HTTP_202_ACCEPTED)
    430. 

  430. 

  431. 

  432. class AccountLoginView(generics.GenericAPIView):
    433. 

  433.     authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
    434. 

  434.     permission_classes = (IsAuthenticated,)
    435. 

  435. 

  436.     def post(self, request, *args, **kwargs):
    437. 

  437.         user = self.request.user
    438. 

  438. 

  439.         token = models.Token.objects.create(user=user, name="login")
    440. 

  440.         user_logged_in.send(sender=user.__class__, request=self.request, user=user)
    441. 

  441. 

  442.         data = serializers.TokenSerializer(token, include_plain=True).data
    443. 

  443.         return Response(data)
    444. 

  444. 

  445. 

  446. class AccountLogoutView(generics.GenericAPIView, mixins.DestroyModelMixin):
    447. 

  447.     authentication_classes = (auth.TokenAuthentication,)
    448. 

  448.     permission_classes = (IsAuthenticated,)
    449. 

  449. 

  450.     def get_object(self):
    451. 

  451.         # self.request.auth contains the hashed key as it is stored in the database
    452. 

  452.         return models.Token.objects.get(key=self.request.auth)
    453. 

  453. 

  454.     def post(self, request, *args, **kwargs):
    455. 

  455.         return self.destroy(request, *args, **kwargs)
    456. 

  456. 

  457. 

  458. class AccountChangeEmailView(generics.GenericAPIView):
    459. 

  459.     authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
    460. 

  460.     permission_classes = (IsAuthenticated,)
    461. 

  461.     serializer_class = serializers.ChangeEmailSerializer
    462. 

  462. 

  463.     def post(self, request, *args, **kwargs):
    464. 

  464.         # Check password and extract email
    465. 

  465.         serializer = self.get_serializer(data=request.data)
    466. 

  466.         serializer.is_valid(raise_exception=True)
    467. 

  467.         new_email = serializer.validated_data['new_email']
    468. 

  468. 

  469.         action = models.AuthenticatedChangeEmailUserAction(user=request.user, new_email=new_email)
    470. 

  470.         verification_code = serializers.AuthenticatedChangeEmailUserActionSerializer(action).data['code']
    471. 

  471.         request.user.send_email('change-email', recipient=new_email, context={
    472. 

  472.             'confirmation_link': reverse('confirm-change-email', request=request, args=[verification_code]),
    473. 

  473.             'old_email': request.user.email,
    474. 

  474.             'new_email': new_email,
    475. 

  475.         })
    476. 

  476. 

  477.         # At this point, we know that we are talking to the user, so we can tell that we sent an email.
    478. 

  478.         return Response(data={'detail': 'Please check your mailbox to confirm email address change.'},
    479. 

  479.                         status=status.HTTP_202_ACCEPTED)
    480. 

  480. 

  481. 

  482. class AccountResetPasswordView(generics.GenericAPIView):
    483. 

  483.     serializer_class = serializers.ResetPasswordSerializer
    484. 

  484. 

  485.     def post(self, request, *args, **kwargs):
    486. 

  486.         serializer = self.get_serializer(data=request.data)
    487. 

  487.         serializer.is_valid(raise_exception=True)
    488. 

  488.         try:
    489. 

  489.             email = serializer.validated_data['email']
    490. 

  490.             user = models.User.objects.get(email=email, is_active=True)
    491. 

  491.         except models.User.DoesNotExist:
    492. 

  492.             pass
    493. 

  493.         else:
    494. 

  494.             self.send_reset_token(user, request)
    495. 

  495. 

  496.         # This request is unauthenticated, so don't expose whether we did anything.
    497. 

  497.         return Response(data={'detail': 'Please check your mailbox for further password reset instructions. '
    498. 

  498.                                         'If you did not receive an email, please contact support.'},
    499. 

  499.                         status=status.HTTP_202_ACCEPTED)
    500. 

  500. 

  501.     @staticmethod
    502. 

  502.     def send_reset_token(user, request):
    503. 

  503.         action = models.AuthenticatedResetPasswordUserAction(user=user)
    504. 

  504.         verification_code = serializers.AuthenticatedResetPasswordUserActionSerializer(action).data['code']
    505. 

  505.         user.send_email('reset-password', context={
    506. 

  506.             'confirmation_link': reverse('confirm-reset-password', request=request, args=[verification_code])
    507. 

  507.         })
    508. 

  508. 

  509. 

  510. class AuthenticatedActionView(generics.GenericAPIView):
    511. 

  511.     """
    512. 

  512.     Abstract class. Deserializes the given payload according the serializers specified by the view extending
    513. 

  513.     this class. If the `serializer.is_valid`, `act` is called on the action object.
    514. 

  514.     """
    515. 

  515.     authentication_classes = (auth.AuthenticatedActionAuthentication,)
    516. 

  516.     authentication_exception = ValidationError
    517. 

  517.     html_url = None
    518. 

  518.     http_method_names = ['get', 'post']  # GET is for redirect only
    519. 

  519.     renderer_classes = [JSONRenderer, StaticHTMLRenderer]
    520. 

  520. 

  521.     def perform_authentication(self, request):
    522. 

  522.         # Delay authentication until request.auth or request.user is first accessed.
    523. 

  523.         # This allows returning a redirect or status 405 without validating the action code.
    524. 

  524.         pass
    525. 

  525. 

  526.     def get(self, request, *args, **kwargs):
    527. 

  527.         # Redirect browsers to frontend if available
    528. 

  528.         is_redirect = (request.accepted_renderer.format == 'html') and self.html_url
    529. 

  529.         if is_redirect:
    530. 

  530.             # Careful: This can generally lead to an open redirect if values contain slashes!
    531. 

  531.             # However, it cannot happen for Django view kwargs.
    532. 

  532.             return redirect(self.html_url.format(**kwargs))
    533. 

  533.         else:
    534. 

  534.             raise NotAcceptable
    535. 

  535. 

  536.     def post(self, request, *args, **kwargs):
    537. 

  537.         self.request.auth.act()  # execute the action (triggers authentication if not yet done)
    538. 

  538.         return self.finalize()
    539. 

  539. 

  540.     def finalize(self):
    541. 

  541.         raise NotImplementedError
    542. 

  542. 

  543. 

  544. class AuthenticatedActivateUserActionView(AuthenticatedActionView):
    545. 

  545.     html_url = '/confirm/activate-account/{code}/'
    546. 

  546.     serializer_class = serializers.AuthenticatedActivateUserActionSerializer
    547. 

  547. 

  548.     def finalize(self):
    549. 

  549.         if not self.request.auth.domain:
    550. 

  550.             return self._finalize_without_domain()
    551. 

  551.         else:
    552. 

  552.             domain = self._create_domain()
    553. 

  553.             return self._finalize_with_domain(domain)
    554. 

  554. 

  555.     def _create_domain(self):
    556. 

  556.         action = self.request.auth
    557. 

  557.         serializer = serializers.DomainSerializer(
    558. 

  558.             data={'name': action.domain},
    559. 

  559.             context=self.get_serializer_context()
    560. 

  560.         )
    561. 

  561.         try:
    562. 

  562.             serializer.is_valid(raise_exception=True)
    563. 

  563.         except ValidationError as e:  # e.g. domain name unavailable
    564. 

  564.             action.user.delete()
    565. 

  565.             reasons = ', '.join([detail.code for detail in e.detail.get('name', [])])
    566. 

  566.             raise ValidationError(
    567. 

  567.                 f'The requested domain {action.domain} could not be registered (reason: {reasons}). '
    568. 

  568.                 f'Please start over and sign up again.'
    569. 

  569.             )
    570. 

  570.         # TODO the following line is subject to race condition and can fail, as for the domain name, we have that
    571. 

  571.         #  time-of-check != time-of-action
    572. 

  572.         return PDNSChangeTracker.track(lambda: serializer.save(owner=action.user))
    573. 

  573. 

  574.     def _finalize_without_domain(self):
    575. 

  575.         if not is_password_usable(self.request.auth.user.password):
    576. 

  576.             AccountResetPasswordView.send_reset_token(self.request.auth.user, self.request)
    577. 

  577.             return Response({
    578. 

  578.                 'detail': 'Success! We sent you instructions on how to set your password.'
    579. 

  579.             })
    580. 

  580.         login_url = self.request.build_absolute_uri(reverse('v1:login'))
    581. 

  581.         return Response({
    582. 

  582.                 'detail': f'Success! Please log in at {login_url}.'
    583. 

  583.             })
    584. 

  584. 

  585.     def _finalize_with_domain(self, domain):
    586. 

  586.         if domain.is_locally_registrable:
    587. 

  587.             # TODO the following line raises Domain.DoesNotExist under unknown conditions
    588. 

  588.             PDNSChangeTracker.track(lambda: DomainViewSet.auto_delegate(domain))
    589. 

  589.             token = models.Token.objects.create(user=domain.owner, name='dyndns')
    590. 

  590.             return Response({
    591. 

  591.                 'detail': 'Success! Here is the password ("token") to configure your router (or any other dynDNS '
    592. 

  592.                           'client). This password is different from your account password for security reasons.',
    593. 

  593.                 'domain': serializers.DomainSerializer(domain).data,
    594. 

  594.                 **serializers.TokenSerializer(token, include_plain=True).data,
    595. 

  595.             })
    596. 

  596.         else:
    597. 

  597.             return Response({
    598. 

  598.                 'detail': 'Success! Please check the docs for the next steps, https://desec.readthedocs.io/.'
    599. 

  599.             })
    600. 

  600. 

  601. 

  602. class AuthenticatedChangeEmailUserActionView(AuthenticatedActionView):
    603. 

  603.     html_url = '/confirm/change-email/{code}/'
    604. 

  604.     serializer_class = serializers.AuthenticatedChangeEmailUserActionSerializer
    605. 

  605. 

  606.     def finalize(self):
    607. 

  607.         return Response({
    608. 

  608.             'detail': f'Success! Your email address has been changed to {self.request.user.email}.'
    609. 

  609.         })
    610. 

  610. 

  611. 

  612. class AuthenticatedResetPasswordUserActionView(AuthenticatedActionView):
    613. 

  613.     html_url = '/confirm/reset-password/{code}/'
    614. 

  614.     serializer_class = serializers.AuthenticatedResetPasswordUserActionSerializer
    615. 

  615. 

  616.     def finalize(self):
    617. 

  617.         login_url = self.request.build_absolute_uri(reverse('v1:login'))
    618. 

  618.         return Response({'detail': f'Success! Your password has been changed. Log in at {login_url}.'})
    619. 

  619. 

  620. 

  621. class AuthenticatedDeleteUserActionView(AuthenticatedActionView):
    622. 

  622.     html_url = '/confirm/delete-account/{code}/'
    623. 

  623.     serializer_class = serializers.AuthenticatedDeleteUserActionSerializer
    624. 

  624. 

  625.     def post(self, request, *args, **kwargs):
    626. 

  626.         if self.request.user.domains.exists():
    627. 

  627.             return AccountDeleteView.response_still_has_domains
    628. 

  628.         return super().post(request, *args, **kwargs)
    629. 

  629. 

  630.     def finalize(self):
    631. 

  631.         return Response({'detail': 'All your data has been deleted. Bye bye, see you soon! <3'})
    632. 

  632. 

  633. 

  634. class CaptchaView(generics.CreateAPIView):
    635. 

  635.     serializer_class = serializers.CaptchaSerializer
    636.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5