rene
526ff42215
- Passwort-Minimum 8 Zeichen bei Register + Reset - Rate Limit auf /resend-verification (3/h) und /forgot-password (3/h) - Security-Headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy etc. - email_verified in get_current_user SELECT ergänzt - Forum: create_thread + create_post erfordern email_verified - POST /auth/forgot-password + /auth/reset-password (2h-Token, via support@) - DB-Migration: password_reset_token + password_reset_expires - Frontend: Passwort-vergessen-Modal im Login, Reset-Formular mit Passphrase-Generator - SW by-v576, APP_VER 553
331 lines
12 KiB
Python
331 lines
12 KiB
Python
"""BAN YARO — Auth Routes"""
|
|
|
|
import os
|
|
import secrets
|
|
import string
|
|
from datetime import datetime, timedelta
|
|
from typing import Optional
|
|
|
|
from fastapi import APIRouter, HTTPException, Request, Response, Depends
|
|
from fastapi.responses import RedirectResponse
|
|
from pydantic import BaseModel, EmailStr
|
|
from database import db
|
|
from auth import (
|
|
hash_password, verify_password, create_token,
|
|
get_current_user
|
|
)
|
|
from username_blocklist import is_username_blocked
|
|
from ratelimit import check as rl_check
|
|
|
|
router = APIRouter()
|
|
COOKIE_NAME = "by_token"
|
|
_APP_URL = os.getenv("APP_URL", "https://banyaro.app")
|
|
_SMTP_READY = bool(os.getenv("SMTP_SUPPORT_USER") and os.getenv("SMTP_SUPPORT_PASS"))
|
|
|
|
|
|
def _send_verification_email(email: str, name: str, token: str):
|
|
if not _SMTP_READY:
|
|
return
|
|
from routes.outreach import _send_smtp
|
|
subject = "Ban Yaro — bitte bestätige deine E-Mail-Adresse"
|
|
body = (
|
|
f"Hallo {name},\n\n"
|
|
"willkommen bei Ban Yaro! Bitte bestätige deine E-Mail-Adresse mit diesem Link:\n\n"
|
|
f"{_APP_URL}/api/auth/verify-email/{token}\n\n"
|
|
"Der Link ist 7 Tage gültig.\n\n"
|
|
"Falls du dich nicht bei Ban Yaro registriert hast, kannst du diese Mail ignorieren.\n\n"
|
|
"Viele Grüße,\nDas Ban Yaro Team\nbanyaro.app"
|
|
)
|
|
try:
|
|
_send_smtp(email, subject, body, "support")
|
|
except Exception:
|
|
pass # Nicht blockieren wenn SMTP fehlschlägt
|
|
|
|
|
|
class LoginRequest(BaseModel):
|
|
email: EmailStr
|
|
password: str
|
|
|
|
class RegisterRequest(BaseModel):
|
|
email: EmailStr
|
|
password: str
|
|
name: str
|
|
ref_code: Optional[str] = None
|
|
|
|
|
|
def _gen_referral_code() -> str:
|
|
alphabet = string.ascii_uppercase + string.digits
|
|
return ''.join(secrets.choice(alphabet) for _ in range(8))
|
|
|
|
|
|
def _set_cookie(response: Response, token: str):
|
|
response.set_cookie(
|
|
key=COOKIE_NAME, value=token,
|
|
httponly=True, secure=True, samesite="lax",
|
|
max_age=30 * 24 * 3600
|
|
)
|
|
|
|
|
|
@router.post("/register")
|
|
async def register(data: RegisterRequest, response: Response, request: Request):
|
|
rl_check(request, max_requests=5, window_seconds=3600, key="register")
|
|
name = data.name.strip()
|
|
if len(name) < 2:
|
|
raise HTTPException(400, "Benutzername muss mindestens 2 Zeichen lang sein.")
|
|
if len(name) > 40:
|
|
raise HTTPException(400, "Benutzername darf maximal 40 Zeichen lang sein.")
|
|
if ' ' in name:
|
|
raise HTTPException(400, "Benutzername darf keine Leerzeichen enthalten.")
|
|
if is_username_blocked(name):
|
|
raise HTTPException(400, "Dieser Benutzername ist nicht erlaubt.")
|
|
if len(data.password) < 8:
|
|
raise HTTPException(400, "Passwort muss mindestens 8 Zeichen lang sein.")
|
|
|
|
with db() as conn:
|
|
if conn.execute("SELECT 1 FROM users WHERE email=?", (data.email,)).fetchone():
|
|
raise HTTPException(400, "E-Mail bereits registriert.")
|
|
if conn.execute(
|
|
"SELECT 1 FROM users WHERE name=? COLLATE NOCASE", (name,)
|
|
).fetchone():
|
|
raise HTTPException(400, "Dieser Name ist bereits vergeben. Bitte wähle einen anderen.")
|
|
code = _gen_referral_code()
|
|
verify_token = secrets.token_urlsafe(32)
|
|
try:
|
|
conn.execute(
|
|
"INSERT INTO users (email, pw_hash, name, referral_code, verification_token) VALUES (?,?,?,?,?)",
|
|
(data.email, hash_password(data.password), name, code, verify_token)
|
|
)
|
|
except Exception:
|
|
raise HTTPException(400, "Dieser Name ist bereits vergeben. Bitte wähle einen anderen.")
|
|
user = conn.execute(
|
|
"SELECT id, rolle FROM users WHERE email=?", (data.email,)
|
|
).fetchone()
|
|
new_user_id = user["id"]
|
|
|
|
if data.ref_code:
|
|
code_upper = data.ref_code.strip().upper()
|
|
# Zuerst prüfen ob es ein Partner-Code ist
|
|
partner = conn.execute(
|
|
"SELECT id, grants_founder, max_uses, uses FROM partner_codes WHERE code=?",
|
|
(code_upper,)
|
|
).fetchone()
|
|
if partner:
|
|
# Nur einlösen wenn max_uses nicht erreicht
|
|
if partner["max_uses"] is None or partner["uses"] < partner["max_uses"]:
|
|
conn.execute(
|
|
"UPDATE partner_codes SET uses=uses+1 WHERE id=?",
|
|
(partner["id"],)
|
|
)
|
|
updates = {"referred_by": -partner["id"]}
|
|
if partner["grants_founder"]:
|
|
total_founders = conn.execute(
|
|
"SELECT COUNT(*) FROM users WHERE is_founder=1"
|
|
).fetchone()[0]
|
|
if total_founders < 100:
|
|
# Pending — wird nach erstem Hunde-Profil mit Plausibilitätsprüfung aktiviert
|
|
updates["is_founder_pending"] = 1
|
|
set_clause = ", ".join(f"{k}=?" for k in updates)
|
|
conn.execute(
|
|
f"UPDATE users SET {set_clause} WHERE id=?",
|
|
(*updates.values(), new_user_id)
|
|
)
|
|
else:
|
|
# Fallback: Referral-Code eines anderen Users
|
|
referrer = conn.execute(
|
|
"SELECT id FROM users WHERE referral_code=? AND id != ?",
|
|
(code_upper, new_user_id)
|
|
).fetchone()
|
|
if referrer:
|
|
conn.execute("UPDATE users SET referred_by=? WHERE id=?",
|
|
(referrer['id'], new_user_id))
|
|
|
|
token = create_token(user["id"], user["rolle"])
|
|
_set_cookie(response, token)
|
|
_send_verification_email(data.email, name, verify_token)
|
|
return {"token": token, "name": name, "email_verified": 0}
|
|
|
|
|
|
@router.post("/login")
|
|
async def login(data: LoginRequest, response: Response, request: Request):
|
|
rl_check(request, max_requests=10, window_seconds=300, key="login")
|
|
with db() as conn:
|
|
user = conn.execute(
|
|
"SELECT id, pw_hash, name, rolle, is_premium FROM users WHERE email=?",
|
|
(data.email,)
|
|
).fetchone()
|
|
|
|
if not user or not verify_password(data.password, user["pw_hash"]):
|
|
raise HTTPException(401, "E-Mail oder Passwort falsch.")
|
|
|
|
token = create_token(user["id"], user["rolle"])
|
|
_set_cookie(response, token)
|
|
|
|
with db() as conn:
|
|
conn.execute(
|
|
"UPDATE users SET last_login=datetime('now') WHERE id=?", (user["id"],)
|
|
)
|
|
|
|
return {"token": token, "name": user["name"], "is_premium": bool(user["is_premium"])}
|
|
|
|
|
|
@router.post("/logout")
|
|
async def logout(response: Response):
|
|
response.delete_cookie(COOKIE_NAME)
|
|
return {"ok": True}
|
|
|
|
|
|
_REFERRAL_TIERS = [
|
|
(50, 50),
|
|
(20, 30),
|
|
(10, 20),
|
|
]
|
|
|
|
def _referral_tier(count: int):
|
|
for threshold, discount in _REFERRAL_TIERS:
|
|
if count >= threshold:
|
|
return discount
|
|
return 0
|
|
|
|
def _referral_next(count: int):
|
|
for threshold, discount in reversed(_REFERRAL_TIERS):
|
|
if count < threshold:
|
|
return {"count": threshold, "discount": discount}
|
|
return None # Maximalstufe erreicht
|
|
|
|
@router.get("/referral")
|
|
async def get_referral_info(user=Depends(get_current_user)):
|
|
with db() as conn:
|
|
row = conn.execute(
|
|
"""SELECT referral_code,
|
|
COALESCE((SELECT COUNT(*) FROM users WHERE referred_by=?), 0) AS count
|
|
FROM users WHERE id=?""",
|
|
(user['id'], user['id'])
|
|
).fetchone()
|
|
code = row["referral_code"] if row else None
|
|
if not code:
|
|
code = _gen_referral_code()
|
|
conn.execute("UPDATE users SET referral_code=? WHERE id=?", (code, user['id']))
|
|
count = row["count"] if row else 0
|
|
base = os.getenv("APP_URL", "https://banyaro.app")
|
|
return {
|
|
"code": code,
|
|
"count": count,
|
|
"link": f"{base}/?ref={code}",
|
|
"discount_pct": _referral_tier(count),
|
|
"next_tier": _referral_next(count),
|
|
}
|
|
|
|
|
|
@router.get("/me")
|
|
async def me(user=Depends(get_current_user)):
|
|
with db() as conn:
|
|
row = conn.execute(
|
|
"""SELECT id, name, real_name, email, rolle, is_premium, email_verified,
|
|
bio, wohnort, erfahrung, social_link,
|
|
profil_sichtbarkeit, avatar_url, created_at,
|
|
is_founder, is_partner, founder_number, is_founder_pending
|
|
FROM users WHERE id=?""",
|
|
(user["id"],)
|
|
).fetchone()
|
|
if not row:
|
|
raise HTTPException(404, "User nicht gefunden.")
|
|
data = dict(row)
|
|
data["is_premium"] = bool(data["is_premium"])
|
|
return data
|
|
|
|
|
|
@router.get("/verify-email/{token}")
|
|
async def verify_email(token: str):
|
|
with db() as conn:
|
|
row = conn.execute(
|
|
"SELECT id, email_verified FROM users WHERE verification_token=?", (token,)
|
|
).fetchone()
|
|
if not row:
|
|
return RedirectResponse(f"{_APP_URL}/#settings?verified=error", status_code=302)
|
|
conn.execute(
|
|
"UPDATE users SET email_verified=1, verification_token=NULL WHERE id=?",
|
|
(row["id"],)
|
|
)
|
|
return RedirectResponse(f"{_APP_URL}/#settings?verified=1", status_code=302)
|
|
|
|
|
|
@router.post("/resend-verification")
|
|
async def resend_verification(request: Request, user=Depends(get_current_user)):
|
|
rl_check(request, max_requests=3, window_seconds=3600, key="resend_verify")
|
|
with db() as conn:
|
|
row = conn.execute(
|
|
"SELECT email, name, email_verified FROM users WHERE id=?", (user["id"],)
|
|
).fetchone()
|
|
if not row:
|
|
raise HTTPException(404)
|
|
if row["email_verified"]:
|
|
return {"ok": True, "already_verified": True}
|
|
token = secrets.token_urlsafe(32)
|
|
with db() as conn:
|
|
conn.execute(
|
|
"UPDATE users SET verification_token=? WHERE id=?", (token, user["id"])
|
|
)
|
|
_send_verification_email(row["email"], row["name"], token)
|
|
return {"ok": True}
|
|
|
|
|
|
class ForgotPasswordRequest(BaseModel):
|
|
email: EmailStr
|
|
|
|
class ResetPasswordRequest(BaseModel):
|
|
token: str
|
|
password: str
|
|
|
|
@router.post("/forgot-password")
|
|
async def forgot_password(data: ForgotPasswordRequest, request: Request):
|
|
rl_check(request, max_requests=3, window_seconds=3600, key="forgot_pw")
|
|
with db() as conn:
|
|
user = conn.execute(
|
|
"SELECT id, name FROM users WHERE email=?", (data.email,)
|
|
).fetchone()
|
|
# Immer OK zurückgeben — kein User-Enumeration
|
|
if user:
|
|
token = secrets.token_urlsafe(32)
|
|
expires = (datetime.utcnow() + timedelta(hours=2)).isoformat()
|
|
with db() as conn:
|
|
conn.execute(
|
|
"UPDATE users SET password_reset_token=?, password_reset_expires=? WHERE id=?",
|
|
(token, expires, user["id"])
|
|
)
|
|
app_url = os.getenv("APP_URL", "https://banyaro.app")
|
|
subject = "Ban Yaro — Passwort zurücksetzen"
|
|
body = (
|
|
f"Hallo {user['name']},\n\n"
|
|
"du hast eine Passwort-Zurücksetzen-Anfrage gestellt.\n\n"
|
|
f"Klicke hier um ein neues Passwort zu setzen:\n"
|
|
f"{app_url}/#reset-password?token={token}\n\n"
|
|
"Der Link ist 2 Stunden gültig. Falls du keine Anfrage gestellt hast, ignoriere diese Mail.\n\n"
|
|
"Viele Grüße,\nDas Ban Yaro Team"
|
|
)
|
|
from routes.outreach import _send_smtp
|
|
try:
|
|
_send_smtp(data.email, subject, body, "support")
|
|
except Exception:
|
|
pass
|
|
return {"ok": True}
|
|
|
|
|
|
@router.post("/reset-password")
|
|
async def reset_password(data: ResetPasswordRequest, request: Request):
|
|
rl_check(request, max_requests=5, window_seconds=3600, key="reset_pw")
|
|
if len(data.password) < 8:
|
|
raise HTTPException(400, "Passwort muss mindestens 8 Zeichen lang sein.")
|
|
with db() as conn:
|
|
user = conn.execute(
|
|
"SELECT id, password_reset_expires FROM users WHERE password_reset_token=?",
|
|
(data.token,)
|
|
).fetchone()
|
|
if not user:
|
|
raise HTTPException(400, "Ungültiger oder abgelaufener Link.")
|
|
if user["password_reset_expires"] < datetime.utcnow().isoformat():
|
|
raise HTTPException(400, "Dieser Link ist abgelaufen. Bitte fordere einen neuen an.")
|
|
conn.execute(
|
|
"UPDATE users SET pw_hash=?, password_reset_token=NULL, password_reset_expires=NULL WHERE id=?",
|
|
(hash_password(data.password), user["id"])
|
|
)
|
|
return {"ok": True}
|