Waiting for updating and fix some bugs

It will be released soon because lowiro will update in some days. Fix many bugs and I forgot them. :< I push this because there's a small but serious safety problem. It should be fixed immediately. Oh, and this update needs you to login in arcaea again because a new function is added.
2026-02-14 20:37:27 +08:00 · 2021-02-08 14:45:10 +08:00
parent c6bb4c9afb
commit a890a9af4a
11 changed files with 563 additions and 574 deletions
--- a/version/database/arcaea_database.db
+++ b/version/database/arcaea_database.db
--- a/version/database/database_initialize.py
+++ b/version/database/database_initialize.py
@@ -37,10 +37,11 @@ ticket int,
 prog_boost int
 );''')
 c.execute('''create table if not exists login(access_token text,
-user_id int primary key,
+user_id int,
-last_login_time int,
+login_time int,
-last_login_ip text,
+login_ip text,
-last_login_device text
+login_device text,
 primary key(access_token, user_id)
 );''')
 c.execute('''create table if not exists friend(user_id_me int,
 user_id_other int,
--- a/version/main.py
+++ b/version/main.py
@@ -1,6 +1,8 @@
 # encoding: utf-8
 from flask import Flask, request, jsonify, make_response, send_from_directory
 from logging.config import dictConfig
-import configparser
+from setting import Config
 import base64
 import server.auth
 import server.info
@@ -87,32 +89,29 @@ def login():
    id_pwd = headers['Authorization']
    id_pwd = base64.b64decode(id_pwd[6:]).decode()
    name, password = id_pwd.split(':', 1)
-    try:
+    device_id = headers['DeviceId']
-        token, error_code = server.auth.arc_login(name, password)
+    token, error_code = server.auth.arc_login(name, password, device_id)
    if not error_code:
        r = {"success": True, "token_type": "Bearer"}
        r['access_token'] = token
        return jsonify(r)
    else:
        return error_return(error_code)
    except:
        return error_return(108)
@app.route('/latte/13/user/', methods=['POST'])  # 注册接口
 def register():
    name = request.form['name']
    password = request.form['password']
-    try:
+    device_id = request.form['device_id']
-        user_id, token, error_code = server.auth.arc_register(name, password)
+    user_id, token, error_code = server.auth.arc_register(
        name, password, device_id)
    if user_id is not None:
        r = {"success": True, "value": {
            'user_id': user_id, 'access_token': token}}
        return jsonify(r)
    else:
-            return error_return(error_code)  # 应该是101，用户名被占用，毕竟电子邮箱、设备号没记录
+        return error_return(error_code)  # 应该是101，用户名被占用，毕竟电子邮箱没记录
    except:
        return error_return(108)
 # 集成式请求，没想到什么好办法处理，就先这样写着
@@ -149,7 +148,9 @@ def character_change(user_id):
@app.route('/latte/<path:path>/toggle_uncap', methods=['POST'])  # 角色觉醒切换
@server.auth.auth_required(request)
 def character_uncap(user_id, path):
-    character_id = int(path[22:])
+    while '//' in path:
        path = path.replace('//', '/')
    character_id = int(path[21:])
    r = server.setme.change_char_uncap(user_id, character_id)
    if r is not None:
        return jsonify({
@@ -280,7 +281,7 @@ def song_score_post(user_id):
    r, re = server.arcscore.arc_score_post(user_id, song_id, difficulty, score, shiny_perfect_count,
                                           perfect_count, near_count, miss_count, health, modifier, beyond_gauge, clear_type)
-    if r:
+    if r is not None:
        if re:
            return jsonify({
                "success": True,
@@ -512,12 +513,7 @@ def sys_set(user_id, path):
 def main():
-    config = configparser.ConfigParser()
+    app.config.from_mapping(SECRET_KEY=Config.SECRET_KEY)
    path = r'setting.ini'
    config.read(path, encoding="utf-8")
    HOST = config.get('CONFIG', 'HOST')
    PORT = config.get('CONFIG', 'PORT')
    app.config.from_mapping(SECRET_KEY='1145141919810')
    app.register_blueprint(web.login.bp)
    app.register_blueprint(web.index.bp)
@@ -541,7 +537,7 @@ def main():
    else:
        app.logger.info('Complete!')
-    app.run(HOST, PORT)
+    app.run(Config.HOST, Config.PORT)
 if __name__ == '__main__':
--- a/version/run.bat
+++ b/version/run.bat
@@ -1 +1 @@
-python main.py
+python -B main.py
--- a/version/server/arcdownload.py
+++ b/version/server/arcdownload.py
@@ -4,9 +4,10 @@ from flask import url_for
 import sqlite3
 from server.sql import Connect
 import time
 from setting import Config
-time_limit = 3000  # 每个玩家24小时下载次数限制
+time_limit = Config.DOWNLOAD_TIMES_LIMIT  # 每个玩家24小时下载次数限制
-time_gap_limit = 1000  # 下载链接有效秒数
+time_gap_limit = Config.DOWNLOAD_TIME_GAP_LIMIT  # 下载链接有效秒数
 def get_file_md5(file_path):
--- a/version/server/arcscore.py
+++ b/version/server/arcscore.py
@@ -364,7 +364,7 @@ def update_recent30(c, user_id, song_id, rating, is_protected):
 def arc_score_post(user_id, song_id, difficulty, score, shiny_perfect_count, perfect_count, near_count, miss_count, health, modifier, beyond_gauge, clear_type):
    # 分数上传，返回变化后的ptt，和世界模式变化
-    ptt = 0
+    ptt = None
    re = None
    with Connect() as c:
        rating = get_one_ptt(song_id, difficulty, score)
--- a/version/server/auth.py
+++ b/version/server/auth.py
@@ -3,9 +3,10 @@ import time
 import server.arcworld
 from server.sql import Connect
 import functools
 from setting import Config
-def arc_login(name: str, password: str) -> str:  # 登录判断
+def arc_login(name: str, password: str, device_id: str):  # 登录判断
    # 查询数据库中的user表，验证账号密码，返回并记录token，多返回个error code
    # token采用user_id和时间戳连接后hash生成（真的是瞎想的，没用bear）
    # 密码和token的加密方式为 SHA-256
@@ -27,14 +28,29 @@ def arc_login(name: str, password: str) -> str:  # 登录判断
                token = hashlib.sha256(
                    (user_id + str(now)).encode("utf8")).hexdigest()
                c.execute(
-                    '''select exists(select * from login where user_id = :user_id)''', {"user_id": user_id})
+                    '''select login_device from login where user_id = :user_id''', {"user_id": user_id})
                y = c.fetchall()
                if y:
                    device_list = []
                    for i in y:
                        if i[0]:
                            device_list.append(i[0])
                        else:
                            device_list.append('')
                    if device_id in device_list:
                        c.execute('''delete from login where login_device=:a''', {
                                  'a': device_id})
                        should_delete_num = len(
                            device_list) - Config.LOGIN_DEVICE_NUMBER_LIMIT
                    else:
                        should_delete_num = len(
                            device_list) + 1 - Config.LOGIN_DEVICE_NUMBER_LIMIT
                    if should_delete_num >= 1:  # 删掉多余token
                        c.execute('''delete from login where rowid in (select rowid from login where user_id=:user_id limit :a);''',
                                  {'user_id': user_id, 'a': int(should_delete_num)})
-                if c.fetchone() == (1,):  # 删掉多余token
+                c.execute('''insert into login(access_token, user_id, login_device) values(:access_token, :user_id, :device_id)''', {
-                    c.execute('''delete from login where user_id = :user_id''',
+                    'user_id': user_id, 'access_token': token, 'device_id': device_id})
                              {'user_id': user_id})
                c.execute('''insert into login(access_token, user_id) values(:access_token, :user_id)''', {
                    'user_id': user_id, 'access_token': token})
                error_code = None
            else:
                # 密码错误
@@ -46,7 +62,7 @@ def arc_login(name: str, password: str) -> str:  # 登录判断
    return token, error_code
-def arc_register(name: str, password: str):  # 注册
+def arc_register(name: str, password: str, device_id: str):  # 注册
    # 账号注册，只记录hash密码和用户名，生成user_id和user_code，自动登录返回token
    # token和密码的处理同登录部分
@@ -100,8 +116,8 @@ def arc_register(name: str, password: str):  # 注册
            token = hashlib.sha256(
                (str(user_id) + str(now)).encode("utf8")).hexdigest()
-            c.execute('''insert into login(access_token, user_id) values(:access_token, :user_id)''', {
+            c.execute('''insert into login(access_token, user_id, login_device) values(:access_token, :user_id, :device_id)''', {
-                'user_id': user_id, 'access_token': token})
+                'user_id': user_id, 'access_token': token, 'device_id': device_id})
            insert_user_char(c, user_id)
            error_code = 0
--- a/version/setting.ini
+++ b/version/setting.ini
@@ -1,7 +0,0 @@
 [CONFIG]
 HOST = 192.168.1.113
 PORT = 80
 [WEB]
 USERNAME = admin
 PASSWORD = admin
--- a/version/setting.py
+++ b/version/setting.py
@@ -0,0 +1,62 @@
 class Config():
    '''
    This is the setting file. You can change some parameters here.
    '''
    '''
    --------------------
    主机的地址和端口号
    Host and port of your server
    '''
    HOST = '192.168.1.113'
    PORT = '80'
    '''
    --------------------
    '''
    '''
    --------------------
    Web后台管理页面的用户名和密码
    Username and password of web background management page
    '''
    USERNAME = 'admin'
    PASSWORD = 'admin'
    '''
    --------------------
    '''
    '''
    --------------------
    Web后台管理页面的session秘钥，如果不知道是什么，请不要修改
    Session key of web background management page
    If you don't know what it is, please don't modify it.
    '''
    SECRET_KEY = '1145141919810'
    '''
    --------------------
    '''
    '''
    --------------------
    玩家歌曲下载的24小时次数限制
    Player's song download limit times in 24 hours
    '''
    DOWNLOAD_TIMES_LIMIT = 3000
    '''
    歌曲下载链接的有效时长，单位：秒
    Effective duration of song download link, unit: seconds
    '''
    DOWNLOAD_TIME_GAP_LIMIT = 1000
    '''
    --------------------
    '''
    '''
    --------------------
    Arcaea登录的最大允许设备数量，最小值为1
    The maximum number of devices allowed to log in Arcaea, minimum: 1
    '''
    LOGIN_DEVICE_NUMBER_LIMIT = 1
    '''
    --------------------
    '''
--- a/version/web/index.py
+++ b/version/web/index.py
@@ -3,7 +3,7 @@ from flask import (
 )
 from web.login import login_required
 from werkzeug.utils import secure_filename
-import sqlite3
+from server.sql import Connect
 import web.webscore
 import web.system
 import time
@@ -43,8 +43,7 @@ def single_player_score():
        user_code = request.form['user_code']
        error = None
        if name or user_code:
-            conn = sqlite3.connect('./database/arcaea_database.db')
+            with Connect() as c:
            c = conn.cursor()
                if user_code:
                    c.execute('''select user_id from user where user_code=:a''', {
                        'a': user_code})
@@ -61,8 +60,6 @@ def single_player_score():
                        error = '无成绩 No score.'
                else:
                    error = '玩家不存在 The player does not exist.'
            conn.commit()
            conn.close()
        else:
            error = '输入为空 Null Input.'
@@ -84,8 +81,7 @@ def single_player_ptt():
        user_code = request.form['user_code']
        error = None
        if name or user_code:
-            conn = sqlite3.connect('./database/arcaea_database.db')
+            with Connect() as c:
            c = conn.cursor()
                if user_code:
                    c.execute('''select user_id from user where user_code=:a''', {
                        'a': user_code})
@@ -99,7 +95,8 @@ def single_player_ptt():
                    user_id = user_id[0]
                    user = web.webscore.get_user(c, user_id)
                    posts = web.webscore.get_user_score(c, user_id, 30)
-                recent, recentptt = web.webscore.get_user_recent30(c, user_id)
+                    recent, recentptt = web.webscore.get_user_recent30(
                        c, user_id)
                    if not posts:
                        error = '无成绩 No score.'
                    else:
@@ -111,8 +108,6 @@ def single_player_ptt():
                else:
                    error = '玩家不存在 The player does not exist.'
            conn.commit()
            conn.close()
        else:
            error = '输入为空 Null Input.'
@@ -128,11 +123,10 @@ def single_player_ptt():
@login_required
 def all_player():
    # 所有玩家数据，按照ptt排序
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    error = None
-    c = conn.cursor()
+    with Connect() as c:
        c.execute('''select * from user order by rating_ptt DESC''')
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -164,8 +158,6 @@ def all_player():
        else:
            error = '没有玩家数据 No player data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/allplayer.html')
@@ -184,11 +176,10 @@ def all_song():
        else:
            return None
-    conn = sqlite3.connect('./database/arcsong.db')
+    error = None
-    c = conn.cursor()
+    with Connect('./database/arcsong.db') as c:
        c.execute('''select * from songs''')
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -202,8 +193,6 @@ def all_song():
        else:
            error = '没有铺面数据 No song data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/allsong.html')
@@ -221,15 +210,13 @@ def single_chart_top():
        if difficulty.isdigit():
            difficulty = int(difficulty)
        error = None
-        conn = sqlite3.connect('./database/arcsong.db')
+        x = None
-        c = conn.cursor()
+        with Connect('./database/arcsong.db') as c:
            song_name = '%'+song_name+'%'
            c.execute('''select sid, name_en from songs where sid like :a limit 1''',
                      {'a': song_name})
            x = c.fetchone()
-        conn.commit()
+
        conn.close()
        print(x)
        if x:
            song_id = x[0]
            posts = server.arcscore.arc_score_top(song_id, difficulty, -1)
@@ -317,8 +304,8 @@ def add_song():
        song_id = song_id[:200]
    if len(name_en) >= 256:
        name_en = name_en[:200]
-    conn = sqlite3.connect('./database/arcsong.db')
+
-    c = conn.cursor()
+    with Connect('./database/arcsong.db') as c:
        c.execute(
            '''select exists(select * from songs where sid=:a)''', {'a': song_id})
        if c.fetchone() == (0,):
@@ -328,9 +315,6 @@ def add_song():
        else:
            error = '歌曲已存在 The song exists.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -344,8 +328,7 @@ def delete_song():
    error = None
    song_id = request.form['sid']
-    conn = sqlite3.connect('./database/arcsong.db')
+    with Connect('./database/arcsong.db') as c:
    c = conn.cursor()
        c.execute(
            '''select exists(select * from songs where sid=:a)''', {'a': song_id})
        if c.fetchone() == (1,):
@@ -354,8 +337,6 @@ def delete_song():
        else:
            error = "歌曲不存在 The song doesn't exist."
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -366,12 +347,10 @@ def delete_song():
@login_required
 def all_character():
    # 所有角色数据
-
+    error = None
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        c.execute('''select * from character''')
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -389,8 +368,6 @@ def all_character():
        else:
            error = '没有角色数据 No character data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/allchar.html')
@@ -443,8 +420,7 @@ def edit_char():
        flash(error)
        return redirect(url_for('index.change_character'))
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        c.execute(
            '''select exists(select * from character where character_id=:a)''', {'a': character_id})
        if c.fetchone() == (1,):
@@ -484,9 +460,6 @@ def edit_char():
        else:
            error = '角色不存在 The character does not exist.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -497,11 +470,8 @@ def edit_char():
@login_required
 def update_character():
    # 更新角色数据
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        web.system.update_user_char(c)
    conn.commit()
    conn.close()
    flash('数据更新成功 Success update data.')
    return redirect(url_for('index.change_character'))
@@ -535,8 +505,7 @@ def edit_user():
        flash(error)
        return redirect(url_for('index.change_user'))
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
       # 全修改
        if 'name' not in request.form and 'user_code' not in request.form:
@@ -583,8 +552,6 @@ def edit_user():
            if flag:
                error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -614,8 +581,7 @@ def edit_user_purchase():
        flash('输入为空 Null Input.')
        return redirect(url_for('index.change_user_purchase'))
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        # 全修改
        if 'name' not in request.form and 'user_code' not in request.form:
@@ -659,8 +625,6 @@ def edit_user_purchase():
            if flag:
                error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -730,8 +694,7 @@ def change_item():
            flash(error)
            return redirect(url_for('index.change_item'))
-        conn = sqlite3.connect('./database/arcaea_database.db')
+        with Connect() as c:
        c = conn.cursor()
            c.execute(
                '''select exists(select * from item where item_id=:a and type=:b)''', {'a': item_id, 'b': item_type})
            if c.fetchone() == (1,):
@@ -762,8 +725,6 @@ def change_item():
            else:
                error = '购买项目不存在 The item does not exist.'
        conn.commit()
        conn.close()
        if error:
            flash(error)
@@ -783,8 +744,7 @@ def update_user_save():
    name = None
    user_code = None
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        # 全修改
        if 'name' not in request.form and 'user_code' not in request.form:
@@ -819,8 +779,6 @@ def update_user_save():
            if flag:
                error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -832,11 +790,10 @@ def update_user_save():
 def all_present():
    # 所有奖励数据
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    error = None
-    c = conn.cursor()
+    with Connect() as c:
        c.execute('''select * from present''')
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -854,8 +811,6 @@ def all_present():
        else:
            error = '没有奖励数据 No present data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/allpresent.html')
@@ -941,12 +896,9 @@ def deliver_present():
    user_code = None
    present_id = request.form['present_id']
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        if not web.system.is_present_available(c, present_id):
            flash("奖励不存在 The present does not exist.")
        conn.commit()
        conn.close()
            return render_template('web/deliverpresent.html')
        # 全修改
@@ -980,8 +932,6 @@ def deliver_present():
            if flag:
                error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -993,11 +943,10 @@ def deliver_present():
 def all_redeem():
    # 所有兑换码数据
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    error = None
-    c = conn.cursor()
+    with Connect() as c:
        c.execute('''select * from redeem''')
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -1014,8 +963,6 @@ def all_redeem():
        else:
            error = '没有兑换码数据 No redeem code data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/allredeem.html')
@@ -1106,12 +1053,11 @@ def delete_redeem():
 def one_redeem(code):
    # 某个兑换码的用户使用情况数据
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    error = None
-    c = conn.cursor()
+    with Connect() as c:
        c.execute(
            '''select user_id, name, user_code from user where user_id in (select user_id from user_redeem where code=:a)''', {'a': code})
        x = c.fetchall()
    error = None
        if x:
            posts = []
            for i in x:
@@ -1122,8 +1068,6 @@ def one_redeem(code):
        else:
            error = '没有数据 No data.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
        return render_template('web/redeem.html', code=code)
@@ -1152,9 +1096,7 @@ def edit_userpwd():
            flash('密码太长或太短 Password is too long or too short!')
            return render_template('web/changeuserpwd.html')
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        if name or user_code:
            if user_code:
@@ -1176,8 +1118,6 @@ def edit_userpwd():
        else:
            error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -1196,9 +1136,7 @@ def ban_user():
    name = request.form['name']
    user_code = request.form['user_code']
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        if name or user_code:
            if user_code:
                c.execute('''select user_id from user where user_code=:a''', {
@@ -1219,8 +1157,6 @@ def ban_user():
        else:
            error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
@@ -1236,9 +1172,7 @@ def delete_user_score():
    name = request.form['name']
    user_code = request.form['user_code']
-    conn = sqlite3.connect('./database/arcaea_database.db')
+    with Connect() as c:
    c = conn.cursor()
        if name or user_code:
            if user_code:
                c.execute('''select user_id from user where user_code=:a''', {
@@ -1259,8 +1193,6 @@ def delete_user_score():
        else:
            error = '输入为空 Null Input.'
    conn.commit()
    conn.close()
    if error:
        flash(error)
--- a/version/web/login.py
+++ b/version/web/login.py
@@ -2,7 +2,7 @@
 from flask import (Blueprint, flash, g, redirect,
                   render_template, request, session, url_for)
 import functools
-import configparser
+from setting import Config
 bp = Blueprint('login', __name__, url_prefix='/web')
@@ -15,18 +15,12 @@ def login():
        password = request.form['password']
        error = None
-        config = configparser.ConfigParser()
+        if username != Config.USERNAME or password != Config.PASSWORD:
        path = r'setting.ini'
        config.read(path, encoding="utf-8")
        USERNAME = config.get('WEB', 'USERNAME')
        PASSWORD = config.get('WEB', 'PASSWORD')
        if username != USERNAME and password != PASSWORD:
            error = '错误的用户名或密码 Incorrect username or password.'
        if error is None:
            session.clear()
-            session['user_id'] = USERNAME + PASSWORD
+            session['user_id'] = Config.USERNAME + Config.PASSWORD
            return redirect(url_for('index.index'))
        flash(error)
@@ -48,16 +42,10 @@ def login_required(view):
    def wrapped_view(**kwargs):
        x = session.get('user_id')
-        config = configparser.ConfigParser()
+        if x != Config.USERNAME + Config.PASSWORD:
        path = r'setting.ini'
        config.read(path, encoding="utf-8")
        USERNAME = config.get('WEB', 'USERNAME')
        PASSWORD = config.get('WEB', 'PASSWORD')
        if x != USERNAME + PASSWORD:
            return redirect(url_for('login.login'))
-        g.user = {'user_id': x, 'username': USERNAME}
+        g.user = {'user_id': x, 'username': Config.USERNAME}
        return view(**kwargs)
    return wrapped_view