batman

2025-03-25 23:41:13 +01:00 · 2025-03-25 23:41:13 +01:00 · 66f9ce3614
commit 66f9ce3614
33 changed files with 2271 additions and 0 deletions
--- a/app/auth/routes.py
+++ b/app/auth/routes.py
@ -0,0 +1,127 @@
+"""
+Authentication routes for user management.
+"""
+from datetime import datetime
+from flask import render_template, redirect, url_for, flash, request, current_app
+from flask_login import login_user, logout_user, login_required, current_user
+from werkzeug.urls import url_parse
+
+from app.auth import auth_bp
+from app.auth.forms import LoginForm, RegistrationForm, ResetPasswordRequestForm, ResetPasswordForm
+from app.models.user import User
+from app.extensions import db, limiter
+from app.utils.email import send_password_reset_email
+
+
+@auth_bp.route("/login", methods=["GET", "POST"])
+@limiter.limit("10/minute")
+def login():
+    """User login route."""
+    if current_user.is_authenticated:
+        return redirect(url_for("core.index"))
+    
+    form = LoginForm()
+    if form.validate_on_submit():
+        user = User.query.filter_by(username=form.username.data).first()
+        
+        if user is None or not user.check_password(form.password.data):
+            if user:
+                user.record_login(success=False)
+            flash("Invalid username or password", "danger")
+            return render_template("auth/login.html", form=form)
+        
+        if not user.active:
+            flash("This account has been deactivated", "danger")
+            return render_template("auth/login.html", form=form)
+        
+        if user.is_account_locked():
+            flash("This account is temporarily locked due to too many failed login attempts", "danger")
+            return render_template("auth/login.html", form=form)
+        
+        user.record_login(success=True)
+        login_user(user, remember=form.remember_me.data)
+        
+        next_page = request.args.get("next")
+        if not next_page or url_parse(next_page).netloc != "":
+            next_page = url_for("core.index")
+        
+        return redirect(next_page)
+    
+    return render_template("auth/login.html", form=form)
+
+
+@auth_bp.route("/logout")
+@login_required
+def logout():
+    """User logout route."""
+    logout_user()
+    flash("You have been logged out", "info")
+    return redirect(url_for("auth.login"))
+
+
+@auth_bp.route("/register", methods=["GET", "POST"])
+@limiter.limit("5/hour")
+def register():
+    """User registration route."""
+    if current_user.is_authenticated:
+        return redirect(url_for("core.index"))
+    
+    form = RegistrationForm()
+    if form.validate_on_submit():
+        user = User(
+            username=form.username.data,
+            email=form.email.data
+        )
+        user.set_password(form.password.data)
+        
+        db.session.add(user)
+        db.session.commit()
+        
+        flash("Registration successful! You can now log in.", "success")
+        return redirect(url_for("auth.login"))
+    
+    return render_template("auth/register.html", form=form)
+
+
+@auth_bp.route("/reset-password-request", methods=["GET", "POST"])
+@limiter.limit("5/hour")
+def reset_password_request():
+    """Request a password reset."""
+    if current_user.is_authenticated:
+        return redirect(url_for("core.index"))
+    
+    form = ResetPasswordRequestForm()
+    if form.validate_on_submit():
+        user = User.query.filter_by(email=form.email.data).first()
+        if user:
+            send_password_reset_email(user)
+        
+        # Always show the same message to prevent user enumeration
+        flash("If your email address is registered, you will receive instructions to reset your password", "info")
+        return redirect(url_for("auth.login"))
+    
+    return render_template("auth/reset_password_request.html", form=form)
+
+
+@auth_bp.route("/reset-password/<token>", methods=["GET", "POST"])
+@limiter.limit("5/hour")
+def reset_password(token):
+    """Reset password with token."""
+    if current_user.is_authenticated:
+        return redirect(url_for("core.index"))
+    
+    user = User.query.filter_by(reset_token=token).first()
+    
+    if not user or not user.is_reset_token_valid(token):
+        flash("The password reset link is invalid or has expired", "danger")
+        return redirect(url_for("auth.login"))
+    
+    form = ResetPasswordForm()
+    if form.validate_on_submit():
+        user.set_password(form.password.data)
+        user.clear_reset_token()
+        
+        flash("Your password has been reset", "success")
+        return redirect(url_for("auth.login"))
+    
+    return render_template("auth/reset_password.html", form=form)