Waiting for updating and fix some bugs

It will be released soon because lowiro will update in some days.
Fix many bugs and I forgot them. :<

I push this because there's a small but serious safety problem. It should be fixed immediately.

Oh, and this update needs you to login in arcaea again because a new function is added.

latest version/database/database_initialize.py

@@ -37,10 +37,11 @@ ticket int,
 prog_boost int
 );''')
 c.execute('''create table if not exists login(access_token text,
-user_id int primary key,
+user_id int,
-last_login_time int,
+login_time int,
-last_login_ip text,
+login_ip text,
-last_login_device text
+login_device text,
+primary key(access_token, user_id)
 );''')
 c.execute('''create table if not exists friend(user_id_me int,
 user_id_other int,

latest version/main.py

@@ -1,6 +1,8 @@
+# encoding: utf-8
+
 from flask import Flask, request, jsonify, make_response, send_from_directory
 from logging.config import dictConfig
-import configparser
+from setting import Config
 import base64
 import server.auth
 import server.info
@@ -87,32 +89,29 @@ def login():
     id_pwd = headers['Authorization']
     id_pwd = base64.b64decode(id_pwd[6:]).decode()
     name, password = id_pwd.split(':', 1)
-    try:
+    device_id = headers['DeviceId']
-        token, error_code = server.auth.arc_login(name, password)
+    token, error_code = server.auth.arc_login(name, password, device_id)
-        if not error_code:
+    if not error_code:
-            r = {"success": True, "token_type": "Bearer"}
+        r = {"success": True, "token_type": "Bearer"}
-            r['access_token'] = token
+        r['access_token'] = token
-            return jsonify(r)
+        return jsonify(r)
-        else:
+    else:
-            return error_return(error_code)
+        return error_return(error_code)
-    except:
-        return error_return(108)
 
 
 @app.route('/latte/13/user/', methods=['POST'])  # 注册接口
 def register():
     name = request.form['name']
     password = request.form['password']
-    try:
+    device_id = request.form['device_id']
-        user_id, token, error_code = server.auth.arc_register(name, password)
+    user_id, token, error_code = server.auth.arc_register(
-        if user_id is not None:
+        name, password, device_id)
-            r = {"success": True, "value": {
+    if user_id is not None:
-                'user_id': user_id, 'access_token': token}}
+        r = {"success": True, "value": {
-            return jsonify(r)
+            'user_id': user_id, 'access_token': token}}
-        else:
+        return jsonify(r)
-            return error_return(error_code)  # 应该是101，用户名被占用，毕竟电子邮箱、设备号没记录
+    else:
-    except:
+        return error_return(error_code)  # 应该是101，用户名被占用，毕竟电子邮箱没记录
-        return error_return(108)
 
 
 # 集成式请求，没想到什么好办法处理，就先这样写着
@@ -149,7 +148,9 @@ def character_change(user_id):
 @app.route('/latte/<path:path>/toggle_uncap', methods=['POST'])  # 角色觉醒切换
 @server.auth.auth_required(request)
 def character_uncap(user_id, path):
-    character_id = int(path[22:])
+    while '//' in path:
+        path = path.replace('//', '/')
+    character_id = int(path[21:])
     r = server.setme.change_char_uncap(user_id, character_id)
     if r is not None:
         return jsonify({
@@ -280,7 +281,7 @@ def song_score_post(user_id):
 
     r, re = server.arcscore.arc_score_post(user_id, song_id, difficulty, score, shiny_perfect_count,
                                            perfect_count, near_count, miss_count, health, modifier, beyond_gauge, clear_type)
-    if r:
+    if r is not None:
         if re:
             return jsonify({
                 "success": True,
@@ -512,12 +513,7 @@ def sys_set(user_id, path):
 
 
 def main():
-    config = configparser.ConfigParser()
+    app.config.from_mapping(SECRET_KEY=Config.SECRET_KEY)
-    path = r'setting.ini'
-    config.read(path, encoding="utf-8")
-    HOST = config.get('CONFIG', 'HOST')
-    PORT = config.get('CONFIG', 'PORT')
-    app.config.from_mapping(SECRET_KEY='1145141919810')
     app.register_blueprint(web.login.bp)
     app.register_blueprint(web.index.bp)
 
@@ -541,7 +537,7 @@ def main():
     else:
         app.logger.info('Complete!')
 
-    app.run(HOST, PORT)
+    app.run(Config.HOST, Config.PORT)
 
 
 if __name__ == '__main__':

latest version/run.bat

@@ -1 +1 @@
-python main.py
+python -B main.py

latest version/server/arcdownload.py

@@ -4,9 +4,10 @@ from flask import url_for
 import sqlite3
 from server.sql import Connect
 import time
+from setting import Config
 
-time_limit = 3000  # 每个玩家24小时下载次数限制
+time_limit = Config.DOWNLOAD_TIMES_LIMIT  # 每个玩家24小时下载次数限制
-time_gap_limit = 1000  # 下载链接有效秒数
+time_gap_limit = Config.DOWNLOAD_TIME_GAP_LIMIT  # 下载链接有效秒数
 
 
 def get_file_md5(file_path):

latest version/server/arcscore.py

@@ -364,7 +364,7 @@ def update_recent30(c, user_id, song_id, rating, is_protected):
 
 def arc_score_post(user_id, song_id, difficulty, score, shiny_perfect_count, perfect_count, near_count, miss_count, health, modifier, beyond_gauge, clear_type):
     # 分数上传，返回变化后的ptt，和世界模式变化
-    ptt = 0
+    ptt = None
     re = None
     with Connect() as c:
         rating = get_one_ptt(song_id, difficulty, score)

latest version/server/auth.py

@@ -3,9 +3,10 @@ import time
 import server.arcworld
 from server.sql import Connect
 import functools
+from setting import Config
 
 
-def arc_login(name: str, password: str) -> str:  # 登录判断
+def arc_login(name: str, password: str, device_id: str):  # 登录判断
     # 查询数据库中的user表，验证账号密码，返回并记录token，多返回个error code
     # token采用user_id和时间戳连接后hash生成（真的是瞎想的，没用bear）
     # 密码和token的加密方式为 SHA-256
@@ -27,14 +28,29 @@ def arc_login(name: str, password: str) -> str:  # 登录判断
                 token = hashlib.sha256(
                     (user_id + str(now)).encode("utf8")).hexdigest()
                 c.execute(
-                    '''select exists(select * from login where user_id = :user_id)''', {"user_id": user_id})
+                    '''select login_device from login where user_id = :user_id''', {"user_id": user_id})
+                y = c.fetchall()
+                if y:
+                    device_list = []
+                    for i in y:
+                        if i[0]:
+                            device_list.append(i[0])
+                        else:
+                            device_list.append('')
+                    if device_id in device_list:
+                        c.execute('''delete from login where login_device=:a''', {
+                                  'a': device_id})
+                        should_delete_num = len(
+                            device_list) - Config.LOGIN_DEVICE_NUMBER_LIMIT
+                    else:
+                        should_delete_num = len(
+                            device_list) + 1 - Config.LOGIN_DEVICE_NUMBER_LIMIT
+                    if should_delete_num >= 1:  # 删掉多余token
+                        c.execute('''delete from login where rowid in (select rowid from login where user_id=:user_id limit :a);''',
+                                  {'user_id': user_id, 'a': int(should_delete_num)})
 
-                if c.fetchone() == (1,):  # 删掉多余token
+                c.execute('''insert into login(access_token, user_id, login_device) values(:access_token, :user_id, :device_id)''', {
-                    c.execute('''delete from login where user_id = :user_id''',
+                    'user_id': user_id, 'access_token': token, 'device_id': device_id})
-                              {'user_id': user_id})
-
-                c.execute('''insert into login(access_token, user_id) values(:access_token, :user_id)''', {
-                    'user_id': user_id, 'access_token': token})
                 error_code = None
             else:
                 # 密码错误
@@ -46,7 +62,7 @@ def arc_login(name: str, password: str) -> str:  # 登录判断
     return token, error_code
 
 
-def arc_register(name: str, password: str):  # 注册
+def arc_register(name: str, password: str, device_id: str):  # 注册
     # 账号注册，只记录hash密码和用户名，生成user_id和user_code，自动登录返回token
     # token和密码的处理同登录部分
 
@@ -100,8 +116,8 @@ def arc_register(name: str, password: str):  # 注册
 
             token = hashlib.sha256(
                 (str(user_id) + str(now)).encode("utf8")).hexdigest()
-            c.execute('''insert into login(access_token, user_id) values(:access_token, :user_id)''', {
+            c.execute('''insert into login(access_token, user_id, login_device) values(:access_token, :user_id, :device_id)''', {
-                'user_id': user_id, 'access_token': token})
+                'user_id': user_id, 'access_token': token, 'device_id': device_id})
 
             insert_user_char(c, user_id)
             error_code = 0

latest version/setting.ini

@@ -1,7 +0,0 @@
-[CONFIG]
-HOST = 192.168.1.113
-PORT = 80
-
-[WEB]
-USERNAME = admin
-PASSWORD = admin

latest version/setting.py

@@ -0,0 +1,62 @@
+class Config():
+    '''
+    This is the setting file. You can change some parameters here.
+    '''
+
+    '''
+    --------------------
+    主机的地址和端口号
+    Host and port of your server
+    '''
+    HOST = '192.168.1.113'
+    PORT = '80'
+    '''
+    --------------------
+    '''
+
+    '''
+    --------------------
+    Web后台管理页面的用户名和密码
+    Username and password of web background management page
+    '''
+    USERNAME = 'admin'
+    PASSWORD = 'admin'
+    '''
+    --------------------
+    '''
+
+    '''
+    --------------------
+    Web后台管理页面的session秘钥，如果不知道是什么，请不要修改
+    Session key of web background management page
+    If you don't know what it is, please don't modify it.
+    '''
+    SECRET_KEY = '1145141919810'
+    '''
+    --------------------
+    '''
+
+    '''
+    --------------------
+    玩家歌曲下载的24小时次数限制
+    Player's song download limit times in 24 hours
+    '''
+    DOWNLOAD_TIMES_LIMIT = 3000
+    '''
+    歌曲下载链接的有效时长，单位：秒
+    Effective duration of song download link, unit: seconds
+    '''
+    DOWNLOAD_TIME_GAP_LIMIT = 1000
+    '''
+    --------------------
+    '''
+
+    '''
+    --------------------
+    Arcaea登录的最大允许设备数量，最小值为1
+    The maximum number of devices allowed to log in Arcaea, minimum: 1
+    '''
+    LOGIN_DEVICE_NUMBER_LIMIT = 1
+    '''
+    --------------------
+    '''

latest version/web/login.py

@@ -2,7 +2,7 @@
 from flask import (Blueprint, flash, g, redirect,
                    render_template, request, session, url_for)
 import functools
-import configparser
+from setting import Config
 
 bp = Blueprint('login', __name__, url_prefix='/web')
 
@@ -15,18 +15,12 @@ def login():
         password = request.form['password']
         error = None
 
-        config = configparser.ConfigParser()
+        if username != Config.USERNAME or password != Config.PASSWORD:
-        path = r'setting.ini'
-        config.read(path, encoding="utf-8")
-        USERNAME = config.get('WEB', 'USERNAME')
-        PASSWORD = config.get('WEB', 'PASSWORD')
-
-        if username != USERNAME and password != PASSWORD:
             error = '错误的用户名或密码 Incorrect username or password.'
 
         if error is None:
             session.clear()
-            session['user_id'] = USERNAME + PASSWORD
+            session['user_id'] = Config.USERNAME + Config.PASSWORD
             return redirect(url_for('index.index'))
 
         flash(error)
@@ -48,16 +42,10 @@ def login_required(view):
     def wrapped_view(**kwargs):
         x = session.get('user_id')
 
-        config = configparser.ConfigParser()
+        if x != Config.USERNAME + Config.PASSWORD:
-        path = r'setting.ini'
-        config.read(path, encoding="utf-8")
-        USERNAME = config.get('WEB', 'USERNAME')
-        PASSWORD = config.get('WEB', 'PASSWORD')
-
-        if x != USERNAME + PASSWORD:
             return redirect(url_for('login.login'))
 
-        g.user = {'user_id': x, 'username': USERNAME}
+        g.user = {'user_id': x, 'username': Config.USERNAME}
         return view(**kwargs)
 
     return wrapped_view