web/app.py

from flask import Flask, render_template, jsonify, request, redirect, url_for, flash, session
from flask_login import LoginManager, login_user, logout_user, login_required, current_user
from functools import wraps
import asyncio
import threading
import os
import json
import uuid
import bcrypt
from datetime import datetime, timedelta
import logging
from typing import Dict, Optional


import sys
from pathlib import Path
sys.path.append(str(Path(__file__).parent.parent))

# Import core VPN components
from core.shadowsocks_protocol import ShadowsocksProtocol
from core.tcp_forward import OutlineTCPForwardingEngine
from core.session_tracker import SessionTracker, UnifiedSession, SessionType, SessionState
from core.logger import LogManager, LogCategory, LogLevel
from core.outline_server import OutlineServer
from core.ikev2_server import IKEv2Server
from core.models.user import User, UserSession, UserRole, UserStatus
from core.database import SessionLocal, engine
from core.database_init import init_db
from core.services.user_service import UserService
from core.outline_config import generate_openvpn_certificates, generate_openvpn_config, generate_wireguard_keys

# For IP detection
import socket
import requests

app = Flask(__name__)
app.secret_key = os.urandom(24)
app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(days=30)

# Initialize Flask-Login
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = "login"
login_manager.login_message = "Please log in to access this page."

@login_manager.user_loader
def load_user(user_id):
    db = SessionLocal()
    try:
        return db.query(User).get(int(user_id))
    finally:
        db.close()

# Global VPN server state
vpn_server: Optional[OutlineServer] = None
session_tracker: Optional[SessionTracker] = None
logger: Optional[LogManager] = None

# Initialize database
init_db()

CONFIG_DIR = 'config'
USERS_FILE = os.path.join(CONFIG_DIR, 'users.json')
os.makedirs(CONFIG_DIR, exist_ok=True)

def load_users():
    if os.path.exists(USERS_FILE):
        with open(USERS_FILE, 'r') as f:
            return json.load(f)
    return {}

def save_users(users):
    with open(USERS_FILE, 'w') as f:
        json.dump(users, f)

def get_server_ip():
    """Get the server's public IP address"""
    try:
        # First try to get public IP from external service
        response = requests.get('https://api.ipify.org', timeout=5)
        if response.status_code == 200:
            return response.text.strip()
    except:
        pass
    
    try:
        # Try another public IP service as backup
        response = requests.get('https://ifconfig.me', timeout=5)
        if response.status_code == 200:
            return response.text.strip()
    except:
        pass
    
    # Fallback: Get local IP
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(('8.8.8.8', 80))
        local_ip = s.getsockname()[0]
        s.close()
        return local_ip
    except:
        # Last resort fallback
        return '127.0.0.1'

def initialize_ikev2_server():
    """Initialize IKEv2 server"""
    global ikev2_server
    server_ip = get_server_ip()
    ikev2_server = IKEv2Server(server_ip, logger)
    logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", "IKEv2 server initialized")

def initialize_vpn_server():
    """Initialize the VPN server components"""
    global vpn_server, session_tracker, logger, ikev2_server
    
    # Initialize logger
    logger = LogManager()
    logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", "Initializing VPN server")
    
    # Initialize session tracker
    session_tracker = SessionTracker()
    
    # Initialize IKEv2 server
    initialize_ikev2_server()
    
    # Initialize VPN server
    server_ip = get_server_ip()
    vpn_server_config = {
        "server": {
            "host": server_ip,  # Use automatically detected server IP
            "port": 8388,  # Default Shadowsocks port
            "virtual_network": "10.7.0.0/24",  # Virtual network for client IPs
            "protocols": {
                "shadowsocks": {
                    "enabled": True,
                    "port": 8388
                },
                "wireguard": {
                    "enabled": True,
                    "port": 51820
                },
                "openvpn": {
                    "enabled": True,
                    "port": 1194
                },
                "ikev2": {
                    "enabled": True,
                    "port": 500
                }
            }
        },
        "security": {
            "cipher": "aes-256-gcm",
            "auth": "sha256",
            "enable_perfect_forward_secrecy": True
        }
    }
    vpn_server = OutlineServer(vpn_server_config)    
    # Start the VPN server in a separate thread
    def run_server():
        loop = asyncio.new_event_loop()
        asyncio.set_event_loop(loop)
        loop.run_until_complete(vpn_server.start())
        loop.run_forever()
    
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()
    logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", f"VPN server initialized and started on {server_ip}")

def load_users():
    if os.path.exists(USERS_FILE):
        with open(USERS_FILE, 'r') as f:
            return json.load(f)
    return {}

def save_users(users):
    with open(USERS_FILE, 'w') as f:
        json.dump(users, f)

def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'user_id' not in session:
            return redirect(url_for('login'))
        return f(*args, **kwargs)
    return decorated_function

@app.route('/')
def index():
    if 'user_id' in session:
        return redirect(url_for('dashboard'))
    return render_template('index.html')

@app.route("/login", methods=["GET", "POST"])
def login():
    if current_user.is_authenticated:
        return redirect(url_for("dashboard"))
    if request.method == "POST":
        email = request.form.get("email")
        password = request.form.get("password")
        remember_me = request.form.get("remember_me") == "on"
        db = SessionLocal()
        try:
            user_service = UserService(db)
            success, message, user = user_service.authenticate_user(email, password)
            
            if success:
                if user.status == UserStatus.LOCKED:
                    flash('Your account is locked. Please try again later or contact support.')
                    return redirect(url_for('login'))
                
                # Create a new session
                ip_address = request.remote_addr
                device_info = request.user_agent.string
                user_service.create_session(user, ip_address, device_info)
                
                # Log in the user
                login_user(user, remember=remember_me)
                
                # Record successful login
                user.record_login_attempt(success=True)
                db.commit()
                
                next_page = request.args.get('next')
                if not next_page or not next_page.startswith('/'):
                    next_page = url_for('dashboard')
                return redirect(next_page)
            else:
                if user:
                    # Record failed attempt
                    user.record_login_attempt(success=False)
                    db.commit()
                flash(message)
                return redirect(url_for('login'))
        finally:
            db.close()
    
    return render_template('login.html')

@app.route('/signup', methods=['GET', 'POST'])
def signup():
    if request.method == 'POST':
        users = load_users()
        email = request.form.get('email')
        password = request.form.get('password')

        if email in users:
            flash('Email already registered')
            return redirect(url_for('signup'))

        # Hash password and create user
        hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
        users[email] = {
            'password': hashed,
            'created_at': datetime.now().isoformat(),
            'config_id': str(uuid.uuid4())
        }
        save_users(users)

        # Create user's VPN configuration
        create_user_config(users[email]['config_id'])

        session['user_id'] = email
        return redirect(url_for('dashboard'))

    return render_template('signup.html')

@app.route('/dashboard')
@login_required
def dashboard():
    users = load_users()
    user = users[session['user_id']]
    stats = get_user_stats(user['config_id'])
    return render_template('dashboard.html', user=user, stats=stats)

@app.route('/download_config')
@login_required
def download_config():
    users = load_users()
    user = users[session['user_id']]
    config_path = os.path.join(CONFIG_DIR, f"{user['config_id']}.json")
    
    if not os.path.exists(config_path):
        flash('Configuration not found')
        return redirect(url_for('dashboard'))

    with open(config_path, 'r') as f:
        config = json.load(f)
    
    return jsonify(config)

@app.route('/api/stats')
@login_required
def get_stats():
    users = load_users()
    user = users[session['user_id']]
    return jsonify(get_user_stats(user['config_id']))

def get_server_ip():
    """Get the server's public IP address"""
    try:
        # First try to get public IP from external service
        response = requests.get('https://api.ipify.org')
        if response.status_code == 200:
            return response.text.strip()
    except:
        pass
    
    # Fallback: Get local IP
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(('8.8.8.8', 80))
        local_ip = s.getsockname()[0]
        s.close()
        return local_ip
    except:
        return '127.0.0.1'  # Last resort fallback

def initialize_ikev2_server():
    """Initialize IKEv2 server"""
    global ikev2_server
    server_ip = get_server_ip()
    ikev2_server = IKEv2Server(server_ip, logger)
    logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", "IKEv2 server initialized")

def generate_ikev2_certificate(config_id: str) -> Dict:
    """Generate IKEv2 certificates for a user"""
    username = f"user_{config_id[:8]}"
    password = str(uuid.uuid4())
    psk = str(uuid.uuid4())
    
    try:
        cert_data = ikev2_server.add_user(config_id, username, password, psk)
        logger.info(LogCategory.SYSTEM, "app", f"Generated IKEv2 certificates for user {config_id}")
        return cert_data
    except Exception as e:
        logger.error(LogCategory.SYSTEM, "app", f"Failed to generate IKEv2 certificates: {e}")
        return None

def create_user_config(config_id):
    """Create Outline VPN configuration for a new user"""
    if not os.path.exists(CONFIG_DIR):
        os.makedirs(CONFIG_DIR)

    server_ip = get_server_ip()
    access_key = str(uuid.uuid4())

    # Outline/Shadowsocks config
    ss_config = {
        'id': config_id,
        'server': {
            'host': server_ip,
            'port': 8388  # Shadowsocks port
        },
        'access_key': access_key,
        'protocol': 'shadowsocks',
        'created_at': datetime.now().isoformat()
    }

    # IKEv2 config (Windows 10/11, Android 10+)
    ikev2_config = {
        'id': f"{config_id}_ikev2",
        'server': {
            'host': server_ip,
            'port': 500  # IKEv2 port
        },
        'credentials': {
            'username': f"user_{config_id[:8]}",
            'password': str(uuid.uuid4()),
        },
        'psk': str(uuid.uuid4()),  # Pre-shared key
        'certificate': generate_ikev2_certificate(config_id),
        'protocol': 'ikev2',
        'created_at': datetime.now().isoformat()
    }

    # L2TP/IPsec config (Windows, Android)
    l2tp_config = {
        'id': f"{config_id}_l2tp",
        'server': {
            'host': server_ip,
            'ports': {
                'l2tp': 1701,
                'ipsec': [500, 4500]  # IPsec ports for NAT traversal
            }
        },
        'credentials': {
            'username': f"user_{config_id[:8]}",
            'password': str(uuid.uuid4())
        },
        'ipsec': {
            'psk': str(uuid.uuid4()),  # Pre-shared key for IPsec
            'encryption': 'aes-256-cbc',
            'hash': 'sha256'
        },
        'protocol': 'l2tp_ipsec',
        'created_at': datetime.now().isoformat()
    }

    # PPTP config (Legacy support - Windows, Android)
    pptp_config = {
        'id': f"{config_id}_pptp",
        'server': {
            'host': server_ip,
            'port': 1723  # PPTP port
        },
        'credentials': {
            'username': f"user_{config_id[:8]}",
            'password': str(uuid.uuid4())
        },
        'protocol': 'pptp',
        'encryption': 'require-mppe',  # Maximum PPTP security
        'warning': 'PPTP is considered less secure, use IKEv2 or L2TP/IPsec when possible',
        'created_at': datetime.now().isoformat()
    }

    # OpenVPN config (Universal support)
    openvpn_config = {
        'id': f"{config_id}_openvpn",
        'server': {
            'host': server_ip,
            'port': 1194,  # OpenVPN default port
            'protocol': 'udp'  # UDP for better performance
        },
        'credentials': {
            'username': f"user_{config_id[:8]}",
            'password': str(uuid.uuid4())
        },
        'certificates': generate_openvpn_certificates(config_id),
        'protocol': 'openvpn',
        'created_at': datetime.now().isoformat(),
        'config_file': generate_openvpn_config(config_id, server_ip)
    }

    # WireGuard config (Built-in Windows 11, Android, iOS)
    wireguard_config = {
        'id': f"{config_id}_wireguard",
        'server': {
            'host': server_ip,
            'port': 51820,  # WireGuard default port
            'public_key': generate_wireguard_keys(config_id)['server_public'],
            'allowed_ips': ['0.0.0.0/0', '::/0']  # Route all traffic
        },
        'client': {
            'private_key': generate_wireguard_keys(config_id)['client_private'],
            'public_key': generate_wireguard_keys(config_id)['client_public'],
            'address': f'10.7.0.{2 + len(load_users())}',  # Unique IP for each client
            'dns': ['1.1.1.1', '8.8.8.8']
        },
        'protocol': 'wireguard',
        'created_at': datetime.now().isoformat()
    }

    # L2TP/IPsec config (Built-in Windows, Android, iOS)
    l2tp_config = {
        'id': f"{config_id}_l2tp",
        'server': {
            'host': server_ip,
            'port': 1701,  # L2TP port
        },
        'credentials': {
            'username': f"user_{config_id[:8]}",
            'password': str(uuid.uuid4())
        },
        'ipsec': {
            'psk': str(uuid.uuid4())  # Pre-shared key for IPsec
        },
        'protocol': 'l2tp_ipsec',
        'created_at': datetime.now().isoformat()
    }

    # Combined config with all supported protocols
    config = {
        'id': config_id,
        'protocols': {
            'shadowsocks': ss_config,
            'ikev2': ikev2_config,
            'l2tp': l2tp_config,
            'pptp': pptp_config
        },
        'recommended_protocol': {
            'windows': 'ikev2',
            'android': 'ikev2',
            'fallback': 'l2tp'
        },
        'created_at': datetime.now().isoformat()
    }

    config_path = os.path.join(CONFIG_DIR, f"{config_id}.json")
    with open(config_path, 'w') as f:
        json.dump(config, f)

def get_user_stats(config_id):
    """Get real VPN usage statistics for a user from all active sessions"""
    try:
        if not session_tracker:
            logger.error(LogCategory.SYSTEM, "app", "Session tracker not initialized")
            return None

        # Get all sessions for this user
        user_sessions = session_tracker.get_user_sessions(config_id)
        if not user_sessions:
            return {
                'bytes_sent': 0,
                'bytes_received': 0,
                'connected_since': None,
                'last_seen': None,
                'status': 'disconnected',
                'active_sessions': [],
                'protocols': []
            }

        # Aggregate stats from all active sessions
        total_bytes_sent = 0
        total_bytes_received = 0
        earliest_connection = None
        latest_seen = None
        active_sessions = []
        used_protocols = set()

        for sess in user_sessions:
            # Update totals
            total_bytes_sent += sess.bytes_out
            total_bytes_received += sess.bytes_in
            
            # Track connection times
            session_start = datetime.fromtimestamp(sess.start_time)
            session_last_seen = datetime.fromtimestamp(sess.last_seen)
            
            if not earliest_connection or session_start < earliest_connection:
                earliest_connection = session_start
            if not latest_seen or session_last_seen > latest_seen:
                latest_seen = session_last_seen

            # Track protocols
            used_protocols.add(sess.protocol)

            # Get session details
            session_info = {
                'id': sess.session_id,
                'protocol': sess.protocol,
                'assigned_ip': sess.assigned_ip,
                'connected_since': session_start.isoformat(),
                'last_seen': session_last_seen.isoformat(),
                'bytes_sent': sess.bytes_out,
                'bytes_received': sess.bytes_in,
                'is_offline': sess.is_offline
            }
            active_sessions.append(session_info)

        # Determine overall status
        current_time = datetime.now()
        is_active = any(
            (current_time - datetime.fromtimestamp(s.last_seen)).total_seconds() < 300  # 5 minutes
            for s in user_sessions
        )
        
        status = 'active' if is_active else 'offline'
        if not is_active and any(s.is_offline for s in user_sessions):
            status = 'offline_available'

        return {
            'bytes_sent': total_bytes_sent,
            'bytes_received': total_bytes_received,
            'connected_since': earliest_connection.isoformat() if earliest_connection else None,
            'last_seen': latest_seen.isoformat() if latest_seen else None,
            'status': status,
            'active_sessions': active_sessions,
            'protocols': list(used_protocols)
        }

    except Exception as e:
        logger.error(LogCategory.SYSTEM, "app", f"Error getting user stats: {e}")
        return None

@app.route('/logout')
def logout():
    if current_user.is_authenticated:
        db = SessionLocal()
        try:
            # Find and end the current session
            current_session = (
                db.query(UserSession)
                .filter(UserSession.user_id == current_user.id)
                .order_by(UserSession.created_at.desc())
                .first()
            )
            if current_session:
                current_session.expires_at = datetime.utcnow()
                db.commit()
        finally:
            db.close()
    
    logout_user()
    flash('You have been logged out.')
    return redirect(url_for('index'))

@app.route('/forgot-password', methods=['GET', 'POST'])
def forgot_password():
    if request.method == 'POST':
        email = request.form.get('email')
        
        db = SessionLocal()
        try:
            user = db.query(User).filter(User.username == email).first()
            if user:
                # Generate password reset token
                user_service = UserService(db)
                reset_token = user_service.generate_reset_token()
                user.reset_token = reset_token
                user.reset_token_expires = datetime.utcnow() + timedelta(hours=24)
                db.commit()
                
                # TODO: Send reset email with token
                # For now, just show the token (in production, you'd send this via email)
                flash(f'Password reset link has been sent to your email address.')
            else:
                # To prevent user enumeration, show the same message
                flash(f'Password reset link has been sent to your email address.')
            
            return redirect(url_for('login'))
        finally:
            db.close()
            
    return render_template('forgot_password.html')

if __name__ == '__main__':
    # Initialize the VPN server first
    initialize_vpn_server()
    
    # Run Flask development server
    app.run(host="0.0.0.0", port=7860, debug=True)
    
    # If you want to use Uvicorn (production), uncomment these lines and comment out app.run():
    # from asgiref.wsgi import WsgiToAsgi
    # asgi_app = WsgiToAsgi(app)
    # import uvicorn
    # uvicorn.run(asgi_app, host="0.0.0.0", port=7860)



@app.teardown_appcontext
def shutdown_vpn_server(exception=None):
    global vpn_server
    if vpn_server and vpn_server.is_running:
        logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", "Shutting down VPN server...")
        asyncio.run(vpn_server.stop())
        logger.log(LogLevel.INFO, LogCategory.SYSTEM, "app", "VPN server shut down.")