Write better version of the app

Author: brandon-rhodes

py3/chapter11/app_better.py

@@ -0,0 +1,59 @@
+
+import bank, uuid
+from flask import Flask, abort, flash, render_template, redirect, request, session, url_for
+
+app = Flask(__name__)
+app.secret_key = 'saiGeij8AiS2ahleahMo5dahveixuV3J'
+
+@app.route('/login', methods=['GET', 'POST'])
+def login():
+    username = request.form.get('username', '')
+    password = request.form.get('password', '')
+    if request.method == 'POST':
+        if (username, password) in [('brandon', 'atigdng'), ('sam', 'xyzzy')]:
+            session['username'] = username
+            session['csrf_token'] = uuid.uuid4().hex
+            return redirect(url_for('index'))
+    return render_template('login.html', username=username)
+
+@app.route('/logout')
+def logout():
+    session.pop('username', None)
+    return redirect(url_for('login'))
+
+@app.route('/')
+def index():
+    username = session.get('username')
+    if not username:
+        return redirect(url_for('login'))
+    payments = bank.get_payments_of(bank.open_database(), username)
+    return render_template('index2.html', payments=payments, username=username,
+                           message=request.args.get('message'))
+
+@app.route('/pay', methods=['GET', 'POST'])
+def pay():
+    username = session.get('username')
+    if not username:
+        return redirect(url_for('login'))
+    account = request.form.get('account', '').strip()
+    dollars = request.form.get('dollars', '').strip()
+    message = request.form.get('message', '').strip()
+    complaint = None
+    if request.method == 'POST':
+        if request.form.get('csrf_token') != session['csrf_token']:
+            abort(403)
+        if account and dollars and dollars.isdigit() and message:
+            db = bank.open_database()
+            bank.add_payment(db, username, account, dollars, message)
+            db.commit()
+            flash('Payment successful')
+            return redirect(url_for('index'))
+        complaint = ('Dollars must be an integer' if not dollars.isdigit()
+                     else 'Please fill in all three fields')
+    return render_template('pay2.html', complaint=complaint, account=account,
+                           dollars=dollars, message=message,
+                           csrf_token=session['csrf_token'])
+
+if __name__ == '__main__':
+    app.debug = True
+    app.run()

py3/chapter11/app_insecure.py

@@ -30,7 +30,7 @@ def index():
         return redirect(url_for('login'))
     payments = bank.get_payments_of(bank.open_database(), username)
     return get('index.html').render(payments=payments, username=username,
-                                    message=request.args.get('message'))
+                                    flash=request.args.get('flash'))
 
 @app.route('/pay', methods=['GET', 'POST'])
 def pay():
@@ -46,7 +46,7 @@ def pay():
             db = bank.open_database()
             bank.add_payment(db, username, account, dollars, message)
             db.commit()
-            return redirect(url_for('index', message='Payment successful'))
+            return redirect(url_for('index', flash='Payment successful'))
         complaint = ('Dollars must be an integer' if not dollars.isdigit()
                      else 'Please fill in all three fields')
     return get('pay.html').render(complaint=complaint, account=account,

py3/chapter11/csrf.html

@@ -7,7 +7,7 @@
     <form method="post" action="http://localhost:5000/pay">
       <input type="hidden" name="account" value="sam">
       <input type="hidden" name="dollars" value="220">
-      <input type="hidden" name="message" value="Dispute charge-back">
+      <input type="hidden" name="message" value="Someone won big">
       <button type="submit">Win Big</button>
     </form>
   </body>

py3/chapter11/csrf_auto.html

@@ -7,7 +7,7 @@
     <form id="secret_form" method="post" action="http://localhost:5000/pay">
       <input type="hidden" name="account" value="sam">
       <input type="hidden" name="dollars" value="330">
-      <input type="hidden" name="message" value="Dispute charge-back">
+      <input type="hidden" name="message" value="Someone else won big">
       <button type="submit">Win Big</button>
     </form>
     <script>

py3/chapter11/static/style.css

@@ -4,13 +4,13 @@ html {
 body {
     display: inline-block;
 }
-.message {
+.flash_message {
     position: relative;
     padding: 1em;
     color: white;
     background: green;
 }
-.message a {
+.flash_message a {
     position: absolute;
     top: 0px;
     right: 0px;

py3/chapter11/templates/index.html

@@ -1,8 +1,8 @@
 {% extends "design.html" %}
 {% block title %}Welcome, {{ username }}{% endblock %}
 {% block body %}
-{% if message %}
-  <div class="message">{{ message }}<a href="/">&times;</a></div>
+{% if flash %}
+  <div class="flash_message">{{ flash }}<a href="/">&times;</a></div>
 {% endif %}
 <p>Your Payments</p>
 <ul>

py3/chapter11/templates/index2.html

@@ -0,0 +1,20 @@
+{% extends "design.html" %}
+{% block title %}Welcome, {{ username }}{% endblock %}
+{% block body %}
+{% set messages = get_flashed_messages() %}
+{% if messages %}
+  <div class="flash_message">
+    {% for message in messages %}{{ message }}<br>{% endfor %}
+  <a href="/">&times;</a></div>
+{% endif %}
+<p>Your Payments</p>
+<ul>
+  {% for p in payments %}
+    {% set prep = 'from' if (p.credit == username) else 'to' %}
+    {% set acct = p.debit if (p.credit == username) else p.credit %}
+    <li class="{{ prep }}">${{ p.dollars }} {{ prep }} <b>{{ acct }}</b>
+    for: <i>{{ p.message }}</i></li>
+  {% endfor %}
+</ul>
+<a href="/pay">Make payment</a> | <a href="/logout">Log out</a>
+{% endblock %}

py3/chapter11/templates/pay.html

@@ -3,9 +3,9 @@
 {% block body %}
 <form method="post" action="/pay">
   {% if complaint %}<span class="complaint">{{ complaint }}</span>{% endif %}
-  <label>To account: <input name="account" value="{{ account }}""></label>
-  <label>Dollars: <input name="dollars" value="{{ dollars }}""></label>
-  <label>Message: <input name="message" value="{{ message }}""></label>
+  <label>To account: <input name="account" value="{{ account }}"></label>
+  <label>Dollars: <input name="dollars" value="{{ dollars }}"></label>
+  <label>Message: <input name="message" value="{{ message }}"></label>
   <button type="submit">Send money</button> | <a href="/">Cancel</a>
 </form>
 {% endblock %}

py3/chapter11/templates/pay2.html

@@ -0,0 +1,12 @@
+{% extends "design.html" %}
+{% block title %}Make a Payment{% endblock %}
+{% block body %}
+<form method="post" action="/pay">
+  {% if complaint %}<span class="complaint">{{ complaint }}</span>{% endif %}
+  <label>To account: <input name="account" value="{{ account }}"></label>
+  <label>Dollars: <input name="dollars" value="{{ dollars }}"></label>
+  <label>Message: <input name="message" value="{{ message }}"></label>
+  <input name="csrf_token" type="hidden" value="{{ csrf_token }}">
+  <button type="submit">Send money</button> | <a href="/">Cancel</a>
+</form>
+{% endblock %}