|
|
""" |
|
|
Enhanced User Model with Authentication and VPN Client Management |
|
|
|
|
|
This module provides comprehensive user management with security features, |
|
|
VPN client management, and session tracking capabilities. |
|
|
""" |
|
|
|
|
|
|
|
|
from werkzeug.security import generate_password_hash, check_password_hash |
|
|
from datetime import datetime, timedelta |
|
|
import secrets |
|
|
import jwt |
|
|
import re |
|
|
from flask import current_app |
|
|
|
|
|
from .user import db |
|
|
|
|
|
class User(db.Model): |
|
|
"""Enhanced User model with authentication and VPN management""" |
|
|
__tablename__ = 'users' |
|
|
|
|
|
id = db.Column(db.Integer, primary_key=True) |
|
|
username = db.Column(db.String(80), unique=True, nullable=False, index=True) |
|
|
email = db.Column(db.String(120), unique=True, nullable=False, index=True) |
|
|
password_hash = db.Column(db.String(255), nullable=False) |
|
|
salt = db.Column(db.String(32), nullable=False) |
|
|
created_at = db.Column(db.DateTime, default=datetime.utcnow) |
|
|
last_login = db.Column(db.DateTime) |
|
|
is_active = db.Column(db.Boolean, default=True) |
|
|
is_admin = db.Column(db.Boolean, default=False) |
|
|
subscription_type = db.Column(db.String(20), default='free') |
|
|
subscription_expires = db.Column(db.DateTime) |
|
|
max_concurrent_connections = db.Column(db.Integer, default=1) |
|
|
bandwidth_limit_mbps = db.Column(db.Integer, default=10) |
|
|
email_verified = db.Column(db.Boolean, default=False) |
|
|
email_verification_token = db.Column(db.String(64)) |
|
|
two_factor_enabled = db.Column(db.Boolean, default=False) |
|
|
two_factor_secret = db.Column(db.String(32)) |
|
|
password_reset_token = db.Column(db.String(64)) |
|
|
password_reset_expires = db.Column(db.DateTime) |
|
|
failed_login_attempts = db.Column(db.Integer, default=0) |
|
|
account_locked_until = db.Column(db.DateTime) |
|
|
|
|
|
|
|
|
vpn_clients = db.relationship('VPNClient', backref='user', lazy=True, cascade='all, delete-orphan') |
|
|
vpn_sessions = db.relationship('VPNSession', backref='user', lazy=True) |
|
|
|
|
|
def __init__(self, username, email, password=None): |
|
|
self.username = username |
|
|
self.email = email |
|
|
if password: |
|
|
self.set_password(password) |
|
|
self.email_verification_token = secrets.token_urlsafe(32) |
|
|
|
|
|
def set_password(self, password): |
|
|
"""Set password with secure hashing and salt""" |
|
|
if not self.validate_password_strength(password): |
|
|
raise ValueError("Password does not meet security requirements") |
|
|
|
|
|
self.salt = secrets.token_hex(16) |
|
|
self.password_hash = generate_password_hash(password + self.salt) |
|
|
self.failed_login_attempts = 0 |
|
|
self.account_locked_until = None |
|
|
|
|
|
def check_password(self, password): |
|
|
"""Verify password against hash""" |
|
|
if self.is_account_locked(): |
|
|
return False |
|
|
|
|
|
is_valid = check_password_hash(self.password_hash, password + self.salt) |
|
|
|
|
|
if is_valid: |
|
|
self.failed_login_attempts = 0 |
|
|
self.last_login = datetime.utcnow() |
|
|
else: |
|
|
self.failed_login_attempts += 1 |
|
|
if self.failed_login_attempts >= 5: |
|
|
self.account_locked_until = datetime.utcnow() + timedelta(minutes=30) |
|
|
|
|
|
return is_valid |
|
|
|
|
|
def is_account_locked(self): |
|
|
"""Check if account is locked due to failed login attempts""" |
|
|
if self.account_locked_until and datetime.utcnow() < self.account_locked_until: |
|
|
return True |
|
|
elif self.account_locked_until and datetime.utcnow() >= self.account_locked_until: |
|
|
|
|
|
self.account_locked_until = None |
|
|
self.failed_login_attempts = 0 |
|
|
return False |
|
|
|
|
|
@staticmethod |
|
|
def validate_password_strength(password): |
|
|
"""Validate password meets security requirements""" |
|
|
if len(password) < 8: |
|
|
return False |
|
|
if not re.search(r'[A-Z]', password): |
|
|
return False |
|
|
if not re.search(r'[a-z]', password): |
|
|
return False |
|
|
if not re.search(r'\d', password): |
|
|
return False |
|
|
if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password): |
|
|
return False |
|
|
return True |
|
|
|
|
|
@staticmethod |
|
|
def validate_email(email): |
|
|
"""Validate email format""" |
|
|
pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' |
|
|
return re.match(pattern, email) is not None |
|
|
|
|
|
@staticmethod |
|
|
def validate_username(username): |
|
|
"""Validate username format""" |
|
|
if len(username) < 3 or len(username) > 80: |
|
|
return False |
|
|
if not re.match(r'^[a-zA-Z0-9_-]+$', username): |
|
|
return False |
|
|
return True |
|
|
|
|
|
def generate_auth_token(self, expires_in=3600): |
|
|
"""Generate JWT authentication token""" |
|
|
payload = { |
|
|
'user_id': self.id, |
|
|
'username': self.username, |
|
|
'email': self.email, |
|
|
'subscription_type': self.subscription_type, |
|
|
'is_admin': self.is_admin, |
|
|
'exp': datetime.utcnow() + timedelta(seconds=expires_in), |
|
|
'iat': datetime.utcnow() |
|
|
} |
|
|
return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256') |
|
|
|
|
|
def generate_refresh_token(self, expires_in=2592000): |
|
|
"""Generate refresh token for extended sessions""" |
|
|
payload = { |
|
|
'user_id': self.id, |
|
|
'type': 'refresh', |
|
|
'exp': datetime.utcnow() + timedelta(seconds=expires_in), |
|
|
'iat': datetime.utcnow() |
|
|
} |
|
|
return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256') |
|
|
|
|
|
@staticmethod |
|
|
def verify_auth_token(token): |
|
|
"""Verify JWT authentication token""" |
|
|
try: |
|
|
payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256']) |
|
|
if payload.get('type') == 'refresh': |
|
|
return None |
|
|
return User.query.get(payload['user_id']) |
|
|
except jwt.ExpiredSignatureError: |
|
|
return None |
|
|
except jwt.InvalidTokenError: |
|
|
return None |
|
|
|
|
|
@staticmethod |
|
|
def verify_refresh_token(token): |
|
|
"""Verify refresh token and return user""" |
|
|
try: |
|
|
payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256']) |
|
|
if payload.get('type') != 'refresh': |
|
|
return None |
|
|
return User.query.get(payload['user_id']) |
|
|
except jwt.ExpiredSignatureError: |
|
|
return None |
|
|
except jwt.InvalidTokenError: |
|
|
return None |
|
|
|
|
|
def generate_password_reset_token(self): |
|
|
"""Generate password reset token""" |
|
|
self.password_reset_token = secrets.token_urlsafe(32) |
|
|
self.password_reset_expires = datetime.utcnow() + timedelta(hours=1) |
|
|
return self.password_reset_token |
|
|
|
|
|
def verify_password_reset_token(self, token): |
|
|
"""Verify password reset token""" |
|
|
if (self.password_reset_token == token and |
|
|
self.password_reset_expires and |
|
|
datetime.utcnow() < self.password_reset_expires): |
|
|
return True |
|
|
return False |
|
|
|
|
|
def reset_password(self, new_password, token): |
|
|
"""Reset password using reset token""" |
|
|
if not self.verify_password_reset_token(token): |
|
|
return False |
|
|
|
|
|
self.set_password(new_password) |
|
|
self.password_reset_token = None |
|
|
self.password_reset_expires = None |
|
|
return True |
|
|
|
|
|
def verify_email(self, token): |
|
|
"""Verify email using verification token""" |
|
|
if self.email_verification_token == token: |
|
|
self.email_verified = True |
|
|
self.email_verification_token = None |
|
|
return True |
|
|
return False |
|
|
|
|
|
def can_create_vpn_client(self): |
|
|
"""Check if user can create additional VPN clients""" |
|
|
active_clients = len([c for c in self.vpn_clients if c.is_active]) |
|
|
|
|
|
if self.subscription_type == 'free': |
|
|
return active_clients < 1 |
|
|
elif self.subscription_type == 'premium': |
|
|
return active_clients < 5 |
|
|
elif self.subscription_type == 'enterprise': |
|
|
return active_clients < 50 |
|
|
|
|
|
return False |
|
|
|
|
|
def get_active_sessions_count(self): |
|
|
"""Get count of active VPN sessions""" |
|
|
return len([s for s in self.vpn_sessions if s.disconnected_at is None]) |
|
|
|
|
|
def can_connect_vpn(self): |
|
|
"""Check if user can establish new VPN connections""" |
|
|
active_sessions = self.get_active_sessions_count() |
|
|
return active_sessions < self.max_concurrent_connections |
|
|
|
|
|
def get_bandwidth_usage_today(self): |
|
|
"""Get bandwidth usage for today""" |
|
|
today = datetime.utcnow().date() |
|
|
today_sessions = [s for s in self.vpn_sessions |
|
|
if s.connected_at and s.connected_at.date() == today] |
|
|
|
|
|
total_bytes = sum(s.bytes_received + s.bytes_sent for s in today_sessions) |
|
|
return total_bytes |
|
|
|
|
|
def is_subscription_active(self): |
|
|
"""Check if subscription is active""" |
|
|
if self.subscription_type == 'free': |
|
|
return True |
|
|
|
|
|
return (self.subscription_expires and |
|
|
datetime.utcnow() < self.subscription_expires) |
|
|
|
|
|
def to_dict(self, include_sensitive=False): |
|
|
"""Convert user to dictionary""" |
|
|
data = { |
|
|
'id': self.id, |
|
|
'username': self.username, |
|
|
'email': self.email, |
|
|
'created_at': self.created_at.isoformat() if self.created_at else None, |
|
|
'last_login': self.last_login.isoformat() if self.last_login else None, |
|
|
'is_active': self.is_active, |
|
|
'subscription_type': self.subscription_type, |
|
|
'subscription_expires': self.subscription_expires.isoformat() if self.subscription_expires else None, |
|
|
'max_concurrent_connections': self.max_concurrent_connections, |
|
|
'bandwidth_limit_mbps': self.bandwidth_limit_mbps, |
|
|
'email_verified': self.email_verified, |
|
|
'two_factor_enabled': self.two_factor_enabled, |
|
|
'is_subscription_active': self.is_subscription_active(), |
|
|
'active_vpn_clients': len([c for c in self.vpn_clients if c.is_active]), |
|
|
'active_sessions': self.get_active_sessions_count(), |
|
|
'can_create_vpn_client': self.can_create_vpn_client(), |
|
|
'can_connect_vpn': self.can_connect_vpn() |
|
|
} |
|
|
|
|
|
if include_sensitive and (self.is_admin or include_sensitive == 'self'): |
|
|
data.update({ |
|
|
'is_admin': self.is_admin, |
|
|
'failed_login_attempts': self.failed_login_attempts, |
|
|
'account_locked': self.is_account_locked(), |
|
|
'bandwidth_usage_today': self.get_bandwidth_usage_today() |
|
|
}) |
|
|
|
|
|
return data |
|
|
|
|
|
|
|
|
class VPNClient(db.Model): |
|
|
"""VPN Client configuration and management""" |
|
|
__tablename__ = 'vpn_clients' |
|
|
|
|
|
id = db.Column(db.Integer, primary_key=True) |
|
|
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False) |
|
|
client_name = db.Column(db.String(100), nullable=False) |
|
|
protocol = db.Column(db.String(20), nullable=False) |
|
|
certificate_serial = db.Column(db.String(50), unique=True) |
|
|
private_key_path = db.Column(db.String(255)) |
|
|
certificate_path = db.Column(db.String(255)) |
|
|
config_file_path = db.Column(db.String(255)) |
|
|
created_at = db.Column(db.DateTime, default=datetime.utcnow) |
|
|
last_connected = db.Column(db.DateTime) |
|
|
is_active = db.Column(db.Boolean, default=True) |
|
|
device_type = db.Column(db.String(50)) |
|
|
public_key = db.Column(db.Text) |
|
|
|
|
|
|
|
|
sessions = db.relationship('VPNSession', backref='vpn_client', lazy=True) |
|
|
|
|
|
def __init__(self, user_id, client_name, protocol, device_type=None): |
|
|
self.user_id = user_id |
|
|
self.client_name = client_name |
|
|
self.protocol = protocol |
|
|
self.device_type = device_type |
|
|
|
|
|
def get_active_sessions(self): |
|
|
"""Get active sessions for this client""" |
|
|
return [s for s in self.sessions if s.disconnected_at is None] |
|
|
|
|
|
def get_total_bandwidth_usage(self): |
|
|
"""Get total bandwidth usage for this client""" |
|
|
return sum(s.bytes_received + s.bytes_sent for s in self.sessions) |
|
|
|
|
|
def to_dict(self): |
|
|
"""Convert VPN client to dictionary""" |
|
|
return { |
|
|
'id': self.id, |
|
|
'client_name': self.client_name, |
|
|
'protocol': self.protocol, |
|
|
'device_type': self.device_type, |
|
|
'created_at': self.created_at.isoformat() if self.created_at else None, |
|
|
'last_connected': self.last_connected.isoformat() if self.last_connected else None, |
|
|
'is_active': self.is_active, |
|
|
'certificate_serial': self.certificate_serial, |
|
|
'active_sessions': len(self.get_active_sessions()), |
|
|
'total_bandwidth_usage': self.get_total_bandwidth_usage() |
|
|
} |
|
|
|
|
|
|
|
|
class VPNSession(db.Model): |
|
|
"""VPN Session tracking""" |
|
|
__tablename__ = 'vpn_sessions' |
|
|
|
|
|
id = db.Column(db.Integer, primary_key=True) |
|
|
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False) |
|
|
client_id = db.Column(db.Integer, db.ForeignKey('vpn_clients.id'), nullable=False) |
|
|
server_protocol = db.Column(db.String(20), nullable=False) |
|
|
client_ip = db.Column(db.String(15)) |
|
|
server_ip = db.Column(db.String(15)) |
|
|
client_real_ip = db.Column(db.String(45)) |
|
|
connected_at = db.Column(db.DateTime, default=datetime.utcnow) |
|
|
disconnected_at = db.Column(db.DateTime) |
|
|
bytes_received = db.Column(db.BigInteger, default=0) |
|
|
bytes_sent = db.Column(db.BigInteger, default=0) |
|
|
session_duration = db.Column(db.Integer) |
|
|
disconnect_reason = db.Column(db.String(100)) |
|
|
|
|
|
def __init__(self, user_id, client_id, server_protocol, client_ip=None, server_ip=None, client_real_ip=None): |
|
|
self.user_id = user_id |
|
|
self.client_id = client_id |
|
|
self.server_protocol = server_protocol |
|
|
self.client_ip = client_ip |
|
|
self.server_ip = server_ip |
|
|
self.client_real_ip = client_real_ip |
|
|
|
|
|
def disconnect(self, reason=None): |
|
|
"""Mark session as disconnected""" |
|
|
self.disconnected_at = datetime.utcnow() |
|
|
self.disconnect_reason = reason |
|
|
if self.connected_at: |
|
|
self.session_duration = int((self.disconnected_at - self.connected_at).total_seconds()) |
|
|
|
|
|
def is_active(self): |
|
|
"""Check if session is active""" |
|
|
return self.disconnected_at is None |
|
|
|
|
|
def get_duration(self): |
|
|
"""Get session duration in seconds""" |
|
|
if self.disconnected_at: |
|
|
return self.session_duration |
|
|
elif self.connected_at: |
|
|
return int((datetime.utcnow() - self.connected_at).total_seconds()) |
|
|
return 0 |
|
|
|
|
|
def to_dict(self): |
|
|
"""Convert VPN session to dictionary""" |
|
|
return { |
|
|
'id': self.id, |
|
|
'client_id': self.client_id, |
|
|
'server_protocol': self.server_protocol, |
|
|
'client_ip': self.client_ip, |
|
|
'server_ip': self.server_ip, |
|
|
'client_real_ip': self.client_real_ip, |
|
|
'connected_at': self.connected_at.isoformat() if self.connected_at else None, |
|
|
'disconnected_at': self.disconnected_at.isoformat() if self.disconnected_at else None, |
|
|
'bytes_received': self.bytes_received, |
|
|
'bytes_sent': self.bytes_sent, |
|
|
'session_duration': self.get_duration(), |
|
|
'disconnect_reason': self.disconnect_reason, |
|
|
'is_active': self.is_active() |
|
|
} |
|
|
|
|
|
|
|
|
class ServerConfiguration(db.Model): |
|
|
"""VPN Server configuration management""" |
|
|
__tablename__ = 'server_configurations' |
|
|
|
|
|
id = db.Column(db.Integer, primary_key=True) |
|
|
protocol = db.Column(db.String(20), nullable=False) |
|
|
server_name = db.Column(db.String(100), nullable=False) |
|
|
listen_port = db.Column(db.Integer, nullable=False) |
|
|
network_cidr = db.Column(db.String(18), nullable=False) |
|
|
dns_servers = db.Column(db.Text) |
|
|
routes = db.Column(db.Text) |
|
|
is_active = db.Column(db.Boolean, default=True) |
|
|
created_at = db.Column(db.DateTime, default=datetime.utcnow) |
|
|
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow) |
|
|
max_clients = db.Column(db.Integer, default=100) |
|
|
|
|
|
def __init__(self, protocol, server_name, listen_port, network_cidr): |
|
|
self.protocol = protocol |
|
|
self.server_name = server_name |
|
|
self.listen_port = listen_port |
|
|
self.network_cidr = network_cidr |
|
|
|
|
|
def to_dict(self): |
|
|
"""Convert server configuration to dictionary""" |
|
|
return { |
|
|
'id': self.id, |
|
|
'protocol': self.protocol, |
|
|
'server_name': self.server_name, |
|
|
'listen_port': self.listen_port, |
|
|
'network_cidr': self.network_cidr, |
|
|
'dns_servers': self.dns_servers, |
|
|
'routes': self.routes, |
|
|
'is_active': self.is_active, |
|
|
'created_at': self.created_at.isoformat() if self.created_at else None, |
|
|
'updated_at': self.updated_at.isoformat() if self.updated_at else None, |
|
|
'max_clients': self.max_clients |
|
|
} |
|
|
|
|
|
|
