Protect PoGoMap with password

pogom/app.py

@@ -42,12 +42,22 @@ def __init__(self, scan_config, *args, **kwargs):
         self.route('/locale', methods=['GET'])(self.locale)
 
     def is_authenticated(self):
+        if self.is_admin():
+            return True
+        if config.get('SITE_PASSWORD', None) and not request.cookies.get("siteauth") == config['SITE_AUTH_KEY']:
+            return False
+        return True
+
+    def is_admin(self):
         if config.get('CONFIG_PASSWORD', None) and not request.cookies.get("auth") == config['AUTH_KEY']:
             return False
         else:
             return True
 
     def fullmap(self):
+        if not self.is_authenticated():
+            return redirect(url_for('login'))
+
         # if 'search_thread' not in [t.name for t in threading.enumerate()]:
         if (not config.get('GOOGLEMAPS_KEY', None) or
                 not config.get('ACCOUNTS', None)):
@@ -56,10 +66,10 @@ def fullmap(self):
         return render_template('map.html',
                                scan_locations=json.dumps(self.scan_config.SCAN_LOCATIONS.values()),
                                gmaps_key=config['GOOGLEMAPS_KEY'],
-                               is_authenticated=self.is_authenticated())
+                               is_admin=self.is_admin())
 
     def login(self):
-        if self.is_authenticated():
+        if self.is_admin():
             return redirect(url_for('get_config_site'))
 
         if request.method == "GET":
@@ -68,12 +78,19 @@ def login(self):
             resp = make_response(redirect(url_for('get_config_site')))
             resp.set_cookie('auth', config['AUTH_KEY'])
             return resp
+        if request.form.get('password', None) == config.get('SITE_PASSWORD', None):
+            resp = make_response(redirect(url_for('fullmap')))
+            resp.set_cookie('siteauth', config['SITE_AUTH_KEY'])
+            return resp;
+        return render_template('login.html')
 
     def heatmap_data(self):
+        if not self.is_authenticated():
+            return redirect(url_for('login'))
         return jsonify( Pokemon.get_heat_stats() )
 
     def get_config_site(self):
-        if not self.is_authenticated():
+        if not self.is_admin():
             return redirect(url_for('login'))
 
         return render_template(
@@ -85,7 +102,7 @@ def get_config_site(self):
             password=config.get('CONFIG_PASSWORD', None))
 
     def post_config_site(self):
-        if not self.is_authenticated():
+        if not self.is_admin():
             return redirect(url_for('login'))
 
         config['LOCALE'] = request.form.get('locale', 'en')
@@ -97,6 +114,12 @@ def post_config_site(self):
             config['CONFIG_PASSWORD'] = pw
             config['AUTH_KEY'] = ''.join(random.choice(string.lowercase) for _ in range(32))
 
+        site_pw = request.form.get('sitePassword', None)
+        site_pw_changed = (site_pw != config.get('SITE_PASSWORD', None))
+        if site_pw_changed:
+            config['SITE_PASSWORD'] = site_pw
+            config['SITE_AUTH_KEY'] = ''.join(random.choice(string.lowercase) for _ in range(32))
+
         accounts_str = request.form.get('accounts', None)
 
         usernames_before = set([])
@@ -124,15 +147,18 @@ def post_config_site(self):
             locales_available=config.get('LOCALES_AVAILABLE', []),
             gmaps_key=config.get('GOOGLEMAPS_KEY', None),
             accounts=config.get('ACCOUNTS', []),
-            password=config.get('CONFIG_PASSWORD', None),
+            config_password=config.get('CONFIG_PASSWORD', None),
+            site_password=config.get('SITE_PASSWORD', None),
             alert=True))
         if pw_changed:
             resp.set_cookie('auth', config['AUTH_KEY'])
+        if site_pw_changed:
+            resp.set_cookie('siteauth', config['SITE_AUTH_KEY'])
 
         return resp
 
     def save_config(self):
-        if not self.is_authenticated():
+        if not self.is_admin():
             return redirect(url_for('login'))
 
         if (config['CONFIG_PATH'] is not None and
@@ -145,11 +171,14 @@ def save_config(self):
             data = {'GOOGLEMAPS_KEY': config['GOOGLEMAPS_KEY'],
                     'LOCALE': config['LOCALE'],
                     'CONFIG_PASSWORD': config['CONFIG_PASSWORD'],
+                    'SITE_PASSWORD': config['SITE_PASSWORD'],
                     'SCAN_LOCATIONS': self.scan_config.SCAN_LOCATIONS.values(),
                     'ACCOUNTS': config['ACCOUNTS']}
             f.write(json.dumps(data))
 
     def map_data(self):
+        if not self.is_authenticated():
+            return redirect(url_for('login'))
         d = {}
 
         if not ScanMetrics.LAST_SUCCESSFUL_REQUEST:
@@ -181,11 +210,13 @@ def map_data(self):
         return jsonify(d)
 
     def cover(self):
+        if not self.is_authenticated():
+            return redirect(url_for('login'))
         return jsonify({'cover': self.scan_config.COVER,
                         'scan_locations': self.scan_config.SCAN_LOCATIONS.values()})
 
     def add_location(self):
-        if not self.is_authenticated():
+        if not self.is_admin():
             return redirect(url_for('login'))
 
         lat = request.values.get('lat', type=float)
@@ -201,7 +232,7 @@ def add_location(self):
         return ('', 204)
 
     def delete_location(self):
-        if not self.is_authenticated():
+        if not self.is_admin():
             return redirect(url_for('login'))
 
         lat = request.values.get('lat', type=float)
@@ -216,6 +247,8 @@ def delete_location(self):
         return ('', 204)
 
     def stats(self):
+        if not self.is_authenticated():
+            return redirect(url_for('login'))
         stats = Pokemon.get_stats()
         count = sum(p['count'] for p in stats)
         return render_template('stats.html', pokemons=Pokemon.get_stats(), total=count)

runserver.py

@@ -34,12 +34,16 @@ def read_config(scan_config):
     config['LOCALE'] = c.get('LOCALE', 'en')
     config['GOOGLEMAPS_KEY'] = c.get('GOOGLEMAPS_KEY', None)
     config['CONFIG_PASSWORD'] = c.get('CONFIG_PASSWORD', None)
+    config['SITE_PASSWORD'] = c.get('SITE_PASSWORD', None)
     config['ACCOUNTS'] = c.get('ACCOUNTS', [])
     scan_config.update_scan_locations(c.get('SCAN_LOCATIONS', {}))
 
     if config.get('CONFIG_PASSWORD', None):
         config['AUTH_KEY'] = ''.join(random.choice(string.lowercase) for _ in range(32))
 
+    if config.get('SITE_PASSWORD', None):
+        config['SITE_AUTH_KEY'] = ''.join(random.choice(string.lowercase) for _ in range(32))
+
 
 if __name__ == '__main__':
     args = get_args()

templates/config.html

@@ -44,14 +44,19 @@ <h1>PoGoMap Config</h1> {% if alert %}
 			</div>
 			<div class="form-group">
 				<label for="configPassword">Config Password</label>
-				<input type="password" class="form-control" id="configPassword" name="configPassword" value="{{ password or ''}}">
+				<input type="password" class="form-control" id="configPassword" name="configPassword" value="{{ config_password or ''}}">
 				<span id="configPasswordHelp" class="help-block">Protect this config with a password.</span>
 			</div>
+			<div class="form-group">
+				<label for="sitePassword">Site Password</label>
+				<input type="password" class="form-control" id="sitePassword" name="sitePassword" value="{{ site_password or ''}}">
+				<span id="sitePasswordHelp" class="help-block">Protect this website with a password.</span>
+			</div>
 			<button type="submit" class="btn btn-primary">Submit</button>
 			<a href="../" class="btn btn-default">Back to Map</a>
 		</form>
 	</div>
 
 </body>
 
-</html>
+</html>

templates/map.html

@@ -45,10 +45,10 @@
     cursor: pointer;
     opacity: 0;
     /* hide this */
-    
+
     z-index: 2;
     /* and place it over the hamburger */
-    
+
     -webkit-touch-callout: none;
 }
 /*
@@ -122,7 +122,7 @@
     list-style-type: none;
     -webkit-font-smoothing: antialiased;
     /* to stop flickering of text in safari */
-    
+
     transform-origin: 0% 0%;
     transform: translate(-100%, 0);
     -webkit-transform-origin: 0% 0%;
@@ -200,7 +200,7 @@
 			<div id="menu-container">
 				<h1>Settings</h1>
 				<p style="margin: 8px 0">
-					{% if is_authenticated %}
+					{% if is_admin %}
 					<span class="auth-status label label-success">Authenticated</span> {% else %}
 					<span class="auth-status label label-warning"><a href="login" style="color: white; text-decoration: inherit;">Not authenticated</a></span> {% endif %}
 					<span class="last-request label label-warning">No scans yet</span>
@@ -278,4 +278,4 @@ <h1>Settings</h1>
 <script type="text/javascript" src="static/notify.js"></script>
 <script async defer type="text/javascript" src="https://maps.googleapis.com/maps/api/js?key={{ gmaps_key }}&libraries=visualization&callback=initMap"></script>
 
-</html>
+</html>