[GNUnet-SVN] [taler-bank] 01/02: linting pin/tan verify
From: |
gnunet |
Subject: |
[GNUnet-SVN] [taler-bank] 01/02: linting pin/tan verify |
Date: |
Mon, 06 Nov 2017 16:01:09 +0100 |
This is an automated email from the git hooks/post-receive script.
marcello pushed a commit to branch master
in repository bank.
commit a52cdc012158842d3019d605eb0a2be83a9787a0
Author: Marcello Stanisci <address@hidden>
AuthorDate: Mon Nov 6 15:19:40 2017 +0100
linting pin/tan verify
---
talerbank/app/urls.py | 2 +-
talerbank/app/views.py | 110 +++++++++++++++++++++----------------------------
2 files changed, 48 insertions(+), 64 deletions(-)
diff --git a/talerbank/app/urls.py b/talerbank/app/urls.py
index 7578d81..a437aa0 100644
--- a/talerbank/app/urls.py
+++ b/talerbank/app/urls.py
@@ -28,7 +28,7 @@ urlpatterns = [
url(r'^logout/$', views.logout_view, name="logout"),
url(r'^accounts/register/$', views.register, name="register"),
url(r'^profile$', views.profile_page, name="profile"),
- url(r'^history$', views.history, name="history"),
+ url(r'^history$', views.serve_history, name="history"),
url(r'^withdraw$', views.withdraw_nojs, name="withdraw-nojs"),
url(r'^public-accounts$', views.public_accounts, name="public-accounts"),
url(r'^public-accounts/(?P<name>[a-zA-Z0-9 ]+)$',
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index dc5aabc..eb3320c 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -20,6 +20,7 @@ import logging
import time
import hashlib
import re
+import validictory
from urllib.parse import urljoin
import requests
import django.contrib.auth
@@ -56,6 +57,7 @@ class
MyAuthenticationForm(django.contrib.auth.forms.AuthenticationForm):
self.fields["password"].widget.attrs["placeholder"] = "Password"
def ignore(request):
+ del request
return HttpResponse()
@@ -133,8 +135,8 @@ def pin_tan_question(request):
schemas.validate_pin_tan_args(request.GET.dict())
# Currency is not checked, as any mismatches will be
# detected afterwards
- except ValueError as error:
- return HttpResponseBadRequest("invalid '%s'" % error.fieldname)
+ except validictory.FieldValidationError as err:
+ return HttpResponseBadRequest("invalid '%s'" % err.fieldname)
user_account = BankAccount.objects.get(user=request.user)
request.session["exchange_account_number"] = \
json.loads(request.GET["wire_details"])["test"]["account_number"]
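Review bot: Narrowing the handler to `validictory.FieldValidationError` means any other error raised while validating the untrusted `request.GET` dict — a plain `ValueError`, or a non-field `validictory.ValidationError` that is not a `FieldValidationError` — now escapes the view as a 500 where the old `except ValueError` answered 400. Whether validate_pin_tan_args can raise those is not visible here (it is defined elsewhere), but if it can, adding `except validictory.ValidationError: return HttpResponseBadRequest("invalid request")` after the field-specific handler keeps the bad-request path. The context lines at the end of the hunk, `json.loads(request.GET["wire_details"])["test"]["account_number"]`, also index client-supplied JSON with no guard, so a malformed `wire_details` is another 500 on this same path. pin_tan_question begins before the hunk.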
@@ -161,79 +163,61 @@ def pin_tan_question(request):
@require_POST
@login_required
def pin_tan_verify(request):
- try:
- given = request.POST["pin_0"]
- hashed_result = request.POST["pin_1"]
- question_url = request.POST["question_url"]
- except Exception: # FIXME narrow the Exception type
- return redirect("profile")
hasher = hashlib.new("sha1")
hasher.update(settings.SECRET_KEY.encode("utf-8"))
- hasher.update(given.encode("utf-8"))
+ # pin_0 is the answer given by the user
+ hasher.update(request.POST.get("pin_0").encode("utf-8"))
hashed_attempt = hasher.hexdigest()
- if hashed_attempt != hashed_result:
+ if hashed_attempt != request.POST.get("pin_1"):
request.session["captcha_failed"] = True
- return redirect(question_url)
- # We recover the info about reserve creation from the session (and
- # not from POST parameters), since we don't what the user to
- # change it after we've verified it.
- try:
- amount = Amount(**request.session["amount"])
- exchange_url = request.session["exchange_url"]
- reserve_pub = request.session["reserve_pub"]
- exchange_account_number = request.session["exchange_account_number"]
- sender_wiredetails = request.session["sender_wiredetails"]
- except KeyError:
- # This is not a withdraw session, we redirect the user to the
- # profile page.
- return redirect("profile")
+ return redirect(request.POST.get("question_url", "profile"))
+ # Check the session is a "pin tan" one
+ for i in ("amount", "exchange_url", "reserve_pub",
+ "exchange_account_number", "sender_wiredetails"):
+ if i not in request.session:
+ LOGGER.warning("Apparently NOT a withdraw session")
+ return redirect("profile")
+ amount = Amount(**request.session["amount"])
try:
- BankAccount.objects.get(account_no=exchange_account_number)
+ exchange_bank_account = BankAccount.objects.get(
+ account_no=request.session["exchange_account_number"])
+ wire_transfer(amount,
+ BankAccount.objects.get(user=request.user),
+ exchange_bank_account,
+ request.session["reserve_pub"])
except BankAccount.DoesNotExist:
- raise HttpResponseBadRequest("The bank account #{} \
- of exchange {} does not \
- exist".format(exchange_account_number,
- exchange_url))
- logging.info("asking exchange {} to create reserve
{}".format(exchange_url, reserve_pub))
- json_body = dict(
- reserve_pub=reserve_pub,
- execution_date="/Date(" + str(int(time.time())) + ")/",
- sender_account_details=sender_wiredetails,
- # just something unique
- transfer_details=dict(timestamp=int(time.time() * 1000)),
- amount=amount.dump(),
- )
- user_account = BankAccount.objects.get(user=request.user)
- exchange_account =
BankAccount.objects.get(account_no=exchange_account_number)
- try:
- wire_transfer(amount, user_account, exchange_account, reserve_pub)
+ err = lambda: HttpResponseBadRequest("That exchange is unknown to this
bank")
except DebtLimitExceededException:
LOGGER.warning("Withdrawal impossible due to debt limit exceeded")
request.session["debt_limit"] = True
- return redirect("profile")
- except SameAccountException:
- LOGGER.error("Odd situation: SameAccountException should NOT occur in
this function")
- return JsonResponse(dict(error="Internal server error", status=500))
- except BadFormatAmount:
- LOGGER.error("parsing MAX_DEBT or MAX_BANK_DEBT failed")
- return JsonResponse(dict(error="Internal server error", status=500))
- except CurrencyMismatch:
- LOGGER.error("currency mismatch internal to the bank, should never
happen here")
- return JsonResponse(dict(error="Internal server error", status=500))
-
- request_url = urljoin(exchange_url, "admin/add/incoming")
- res = requests.post(request_url, json=json_body)
+ err = lambda: redirect("profile")
+ except (SameAccountException, BadFormatAmount, CurrencyMismatch) as err:
+ LOGGER.error(err)
+ err = lambda: JsonResponse(dict(error="Internal server error",
status=500))
+ if "err" in locals():
+ return err()
+ res = requests.post(
+ urljoin(request.session["exchange_url"],
+ "admin/add/incoming"),
+ json={"reserve_pub": request.session["reserve_pub"],
+ "execution_date":
+ "/Date(" + str(int(time.time())) + ")/",
+ "sender_account_details":
+ request.session["sender_wiredetails"],
+ "transfer_details":
+ {"timestamp": int(time.time() * 1000)},
+ "amount": amount.dump()})
if res.status_code != 200:
- return render(request, "error_exchange.html", dict(
- message="Could not transfer funds to the exchange. \
- The exchange ({}) gave a bad
response.".format(exchange_url),
- response_text=res.text,
- response_status=res.status_code,
- ))
+ return render(request,
+ "error_exchange.html",
+ {"message": "Could not transfer funds to the exchange. \
+ The exchange (%s) gave a bad response.\
+ " % request.session["exchange_url"],
+ "response_text": res.text,
+ "response_status": res.status_code})
request.session["just_withdrawn"] = True
return redirect("profile")
-
class UserReg(forms.Form):
username = forms.CharField()
password = forms.CharField(widget=forms.PasswordInput())
@@ -336,7 +320,7 @@ def public_accounts(request, name=None):
return render(request, "public_accounts.html", context)
@require_GET
-def history(request):
+def serve_history(request):
"""
This API is used to get a list of transactions related to one user.
"""