KTVManager_UI/app.py

# app.py
from flask import (Flask, render_template, request, redirect, url_for, session,
                   send_file, jsonify, send_from_directory, Response)
from flask_caching import Cache
import requests.auth
import os
import base64
from typing import Dict, Any, Tuple, Union
import sys
import redis
import json
import mysql.connector
import re
import threading

from lib.datetime import filter_accounts_next_30_days, filter_accounts_expired
from lib.reqs import (get_urls, get_user_accounts, add_user_account,
                    delete_user_account, get_stream_names)
from config import DevelopmentConfig, ProductionConfig


os.environ["OMP_NUM_THREADS"] = "1"
os.environ["MKL_NUM_THREADS"] = "1"

app = Flask(__name__)

if os.environ.get("FLASK_ENV") == "production":
    app.config.from_object(ProductionConfig)
else:
    app.config.from_object(DevelopmentConfig)

# Check for Redis availability and configure cache
redis_url = app.config["REDIS_URL"]
cache_config = {"CACHE_TYPE": "redis", "CACHE_REDIS_URL": redis_url}
try:
    # Use a short timeout to prevent hanging
    r = redis.from_url(redis_url, socket_connect_timeout=1)
    r.ping()
except redis.exceptions.ConnectionError as e:
    print(
        f"WARNING: Redis connection failed: {e}. Falling back to SimpleCache. "
        "This is not recommended for production with multiple workers.",
        file=sys.stderr,
    )
    cache_config = {"CACHE_TYPE": "SimpleCache"}

cache = Cache(app, config=cache_config)

app.config["OCR_ENABLED"] = False

app.config["SESSION_COOKIE_SECURE"] = not app.config["DEBUG"]
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
app.config['PERMANENT_SESSION_LIFETIME'] = 60 * 60 * 24 * 365  # 1 year

def get_version() -> str:
    """Retrieves the application version from the VERSION file.

    Returns:
        The version string, or 'dev' if the file is not found.
    """
    try:
        with open('VERSION', 'r') as f:
            return f.read().strip()
    except FileNotFoundError:
        return 'dev'

@app.context_processor
def inject_version() -> Dict[str, str]:
    """Injects the version into all templates."""
    return dict(version=get_version(), config=app.config, session=session)

def make_cache_key(*args, **kwargs):
    """Generate a cache key based on the user's session and request path."""
    username = session.get('username', 'anonymous')
    path = request.path
    return f"view/{username}/{path}"

@app.before_request
def make_session_permanent() -> None:
    """Makes the user session permanent."""
    session.permanent = True

@app.route('/site.webmanifest')
def serve_manifest() -> Response:
    """Serves the site manifest file."""
    return send_from_directory(
        os.path.join(app.root_path, 'static'),
        'site.webmanifest',
        mimetype='application/manifest+json'
    )

@app.route("/favicon.ico")
def favicon() -> Response:
    """Serves the favicon."""
    return send_from_directory(
        os.path.join(app.root_path, "static"),
        "favicon.ico",
        mimetype="image/vnd.microsoft.icon",
    )

@app.route("/")
def index() -> Union[Response, str]:
    """Renders the index page or redirects to home if logged in."""
    if session.get("logged_in"):
        return redirect(url_for("home"))
    return render_template("index.html")

@app.route('/vapid-public-key', methods=['GET'])
def proxy_vapid_public_key():
    """Proxies the request for the VAPID public key to the backend."""
    backend_url = f"{app.config['BACKEND_URL']}/vapid-public-key"
    try:
        response = requests.get(backend_url)
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502

@app.route('/save-subscription', methods=['POST'])
def proxy_save_subscription():
    """Proxies the request to save a push subscription to the backend."""
    if not session.get("logged_in"):
        return jsonify({'error': 'Unauthorized'}), 401

    backend_url = f"{app.config['BACKEND_URL']}/save-subscription"
    credentials = base64.b64decode(session["auth_credentials"]).decode()
    username, password = credentials.split(":", 1)

    try:
        response = requests.post(
            backend_url,
            auth=requests.auth.HTTPBasicAuth(username, password),
            json=request.get_json()
        )
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502

@app.route('/send-test-notification', methods=['POST'])
def send_test_notification():
    """Proxies the request to send a test notification to the backend."""
    if not session.get("logged_in"):
        return jsonify({'error': 'Unauthorized'}), 401

    backend_url = f"{app.config['BACKEND_URL']}/send-test-notification"
    credentials = base64.b64decode(session["auth_credentials"]).decode()
    username, password = credentials.split(":", 1)

    try:
        response = requests.post(
            backend_url,
            auth=requests.auth.HTTPBasicAuth(username, password),
            json={}
        )
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502

@app.route("/home")
@cache.cached(timeout=60, key_prefix=make_cache_key)
def home() -> str:
    """Renders the home page with account statistics."""
    if session.get("logged_in"):
        base_url = app.config["BACKEND_URL"]
        all_accounts = get_user_accounts(base_url, session["auth_credentials"])
        return render_template(
            "home.html",
            username=session["username"],
            accounts=len(all_accounts),
            current_month_accounts=filter_accounts_next_30_days(all_accounts),
            expired_accounts=filter_accounts_expired(all_accounts),
        )
    return render_template("index.html")

@app.route("/login", methods=["POST"])
def login() -> Union[Response, str]:
    """Handles user login."""
    username = request.form["username"]
    password = request.form["password"]
    credentials = f"{username}:{password}"
    encoded_credentials = base64.b64encode(credentials.encode()).decode()
    base_url = app.config["BACKEND_URL"]
    login_url = f"{base_url}/Login"

    try:
        response = requests.get(
            login_url, auth=requests.auth.HTTPBasicAuth(username, password)
        )
        response.raise_for_status()
        response_data = response.json()
        if response_data.get("auth") == "Success":
            session["logged_in"] = True
            session["username"] = response_data.get("username", username)
            session["user_id"] = response_data.get("user_id")
            session["auth_credentials"] = encoded_credentials
            next_url = request.args.get("next")
            if next_url:
                return redirect(next_url)
            return redirect(url_for("home", loggedin=True))
    except requests.exceptions.RequestException:
        pass  # Fall through to error

    error = "Invalid username or password. Please try again."
    return render_template("index.html", error=error)

@app.route("/urls", methods=["GET"])
@cache.cached(timeout=300, key_prefix=make_cache_key)
def urls() -> Union[Response, str]:
    """Renders the URLs page."""
    if not session.get("logged_in"):
        return redirect(url_for("home"))
    base_url = app.config["BACKEND_URL"]
    return render_template(
        "urls.html", urls=get_urls(base_url, session["auth_credentials"])
    )

@app.route("/accounts", methods=["GET"])
@cache.cached(timeout=60, key_prefix=make_cache_key)
def user_accounts() -> Union[Response, str]:
    """Renders the user accounts page."""
    if not session.get("logged_in"):
        return redirect(url_for("home"))
    base_url = app.config["BACKEND_URL"]
    user_accounts_data = get_user_accounts(base_url, session["auth_credentials"])
    return render_template(
        "user_accounts.html",
        username=session["username"],
        user_accounts=user_accounts_data,
        auth=session["auth_credentials"],
    )

@app.route("/share", methods=["GET"])
def share() -> Response:
    """Handles shared text from PWA."""
    if not session.get("logged_in"):
        return redirect(url_for("index", next=request.url))
    shared_text = request.args.get("text")
    return redirect(url_for("add_account", shared_text=shared_text))

@app.route("/accounts/add", methods=["GET", "POST"])
def add_account() -> Union[Response, str]:
    """Handles adding a new user account."""
    if not session.get("logged_in"):
        return redirect(url_for("index", next=request.url))
    base_url = app.config["BACKEND_URL"]
    shared_text = request.args.get('shared_text')

    if request.method == "POST":
        username = request.form["username"]
        password = request.form["password"]
        stream = request.form["stream"]
        if add_user_account(
            base_url, session["auth_credentials"], username, password, stream
        ):
            cache.delete_memoized(user_accounts, key_prefix=make_cache_key)
            # Run the NPM config update in a background thread
            thread = threading.Thread(target=_update_npm_config_in_background)
            thread.start()
            return redirect(url_for("user_accounts"))

    return render_template(
        "add_account.html",
        text_input_enabled=app.config.get("TEXT_INPUT_ENABLED"),
        shared_text=shared_text
    )

@app.route("/accounts/delete", methods=["POST"])
def delete_account() -> Response:
    """Handles deleting a user account."""
    stream = request.form.get("stream")
    username = request.form.get("username")
    base_url = app.config["BACKEND_URL"]
    delete_user_account(base_url, session["auth_credentials"], stream, username)
    cache.delete_memoized(user_accounts, key_prefix=make_cache_key)
    return redirect(url_for("user_accounts"))

@app.route("/validateAccount", methods=["POST"])
def validate_account() -> Tuple[Response, int]:
    """Forwards account validation requests to the backend."""
    base_url = app.config["BACKEND_URL"]
    validate_url = f"{base_url}/validateAccount"
    credentials = base64.b64decode(session["auth_credentials"]).decode()
    username, password = credentials.split(":", 1)

    try:
        response = requests.post(
            validate_url,
            auth=requests.auth.HTTPBasicAuth(username, password),
            json=request.get_json()
        )
        response.raise_for_status()
        response_data = response.json()
        if response_data.get("message") == "Account is valid and updated":
            cache.delete_memoized(user_accounts, key_prefix=make_cache_key)
            # Run the NPM config update in a background thread
            thread = threading.Thread(target=_update_npm_config_in_background)
            thread.start()
        return jsonify(response_data), response.status_code
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 500

@app.route("/get_stream_names", methods=["GET"])
def stream_names() -> Union[Response, str]:
    """Fetches and returns stream names as JSON."""
    if not session.get("logged_in"):
        return redirect(url_for("home"))
    base_url = app.config["BACKEND_URL"]
    return jsonify(get_stream_names(base_url, session["auth_credentials"]))


@app.route('/config')
def config():
    """Handles access to the configuration page."""
    if session.get('user_id') and int(session.get('user_id')) == 1:
        return redirect(url_for('config_dashboard'))
    return redirect(url_for('home'))

@app.route('/config/dashboard')
def config_dashboard():
    """Renders the configuration dashboard."""
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        return redirect(url_for('home'))
    return render_template('config_dashboard.html')

@app.route('/check-expiring-accounts', methods=['POST'])
def check_expiring_accounts():
    """Proxies the request to check for expiring accounts to the backend."""
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        return jsonify({'error': 'Unauthorized'}), 401

    backend_url = f"{app.config['BACKEND_URL']}/check-expiry"
    try:
        response = requests.post(backend_url)
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502


@app.route('/dns', methods=['GET', 'POST', 'DELETE'])
def proxy_dns():
    """Proxies DNS management requests to the backend."""
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        return jsonify({'error': 'Unauthorized'}), 401

    backend_url = f"{app.config['BACKEND_URL']}/dns"
    credentials = base64.b64decode(session["auth_credentials"]).decode()
    username, password = credentials.split(":", 1)
    auth = requests.auth.HTTPBasicAuth(username, password)

    try:
        if request.method == 'GET':
            response = requests.get(backend_url, auth=auth)
        elif request.method == 'POST':
            response = requests.post(backend_url, auth=auth, json=request.get_json())
            if response.ok:
                cache.clear()
        elif request.method == 'DELETE':
            response = requests.delete(backend_url, auth=auth, json=request.get_json())
            if response.ok:
                cache.clear()
        
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502


@app.route('/extra_urls', methods=['GET', 'POST', 'DELETE'])
def proxy_extra_urls():
    """Proxies extra URL management requests to the backend."""
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        return jsonify({'error': 'Unauthorized'}), 401

    backend_url = f"{app.config['BACKEND_URL']}/extra_urls"
    credentials = base64.b64decode(session["auth_credentials"]).decode()
    username, password = credentials.split(":", 1)
    auth = requests.auth.HTTPBasicAuth(username, password)

    try:
        if request.method == 'GET':
            response = requests.get(backend_url, auth=auth)
        elif request.method == 'POST':
            response = requests.post(backend_url, auth=auth, json=request.get_json())
            if response.ok:
                cache.clear()
        elif request.method == 'DELETE':
            response = requests.delete(backend_url, auth=auth, json=request.get_json())
            if response.ok:
                cache.clear()
        
        return Response(response.content, status=response.status_code, mimetype=response.headers['Content-Type'])
    except requests.exceptions.RequestException as e:
        return jsonify({"error": str(e)}), 502


class NginxProxyManager:
    def __init__(self, host, email, password):
        self.host = host
        self.email = email
        self.password = password
        self.token = None

    def login(self):
        url = f"{self.host}/api/tokens"
        payload = {
            "identity": self.email,
            "secret": self.password
        }
        headers = {
            "Content-Type": "application/json"
        }
        response = requests.post(url, headers=headers, data=json.dumps(payload))
        if response.status_code == 200:
            self.token = response.json()["token"]
            print("Login successful.")
        else:
            print(f"Failed to login: {response.text}")
            exit(1)

    def get_proxy_host(self, host_id):
        if not self.token:
            self.login()

        url = f"{self.host}/api/nginx/proxy-hosts/{host_id}"
        headers = {
            "Authorization": f"Bearer {self.token}"
        }
        response = requests.get(url, headers=headers)
        if response.status_code == 200:
            return response.json()
        else:
            print(f"Failed to get proxy host {host_id}: {response.text}")
            return None

    def update_proxy_host_config(self, host_id, config):
        if not self.token:
            self.login()

        url = f"{self.host}/api/nginx/proxy-hosts/{host_id}"
        
        original_host_data = self.get_proxy_host(host_id)
        if not original_host_data:
            return

        # Construct a new payload with only the allowed fields for an update
        update_payload = {
            "domain_names": original_host_data.get("domain_names", []),
            "forward_scheme": original_host_data.get("forward_scheme", "http"),
            "forward_host": original_host_data.get("forward_host"),
            "forward_port": original_host_data.get("forward_port"),
            "access_list_id": original_host_data.get("access_list_id", 0),
            "certificate_id": original_host_data.get("certificate_id", 0),
            "ssl_forced": original_host_data.get("ssl_forced", False),
            "hsts_enabled": original_host_data.get("hsts_enabled", False),
            "hsts_subdomains": original_host_data.get("hsts_subdomains", False),
            "http2_support": original_host_data.get("http2_support", False),
            "block_exploits": original_host_data.get("block_exploits", False),
            "caching_enabled": original_host_data.get("caching_enabled", False),
            "allow_websocket_upgrade": original_host_data.get("allow_websocket_upgrade", False),
            "advanced_config": config, # The updated advanced config
            "meta": original_host_data.get("meta", {}),
            "locations": original_host_data.get("locations", []),
        }
        
        headers = {
            "Authorization": f"Bearer {self.token}",
            "Content-Type": "application/json"
        }

        response = requests.put(url, headers=headers, data=json.dumps(update_payload))
        if response.status_code == 200:
            print(f"Successfully updated proxy host {host_id}")
        else:
            print(f"Failed to update proxy host {host_id}: {response.text}")



def update_config_with_streams(config, streams):
    # Get all stream names from the database
    db_stream_names = {stream['streamName'] for stream in streams}

    # Find all location blocks in the config
    location_blocks = re.findall(r'location ~ \^/(\w+)\(\.\*\)\$ \{[^}]+\}', config)

    # Remove location blocks that are not in the database
    for stream_name in location_blocks:
        if stream_name not in db_stream_names:
            print(f"Removing location block for stream: {stream_name}")
            pattern = re.compile(f'location ~ \\^/{re.escape(stream_name)}\\(\\.\\*\\)\\$ {{[^}}]+}}\\s*', re.DOTALL)
            config = pattern.sub('', config)

    # Update existing stream URLs
    for stream in streams:
        stream_name = stream['streamName']
        stream_url = stream['streamURL']
        if stream_url: # Ensure there is a URL to update to
            # Use a more specific regex to avoid replacing parts of other URLs
            pattern = re.compile(f'(location ~ \\^/{re.escape(stream_name)}\\(\\.\\*\\)\\$ {{\\s*return 302 )([^;]+)(;\\s*}})')
            config = pattern.sub(f'\\1{stream_url}/$1$is_args$args\\3', config)
            
    return config

def _update_npm_config():
    """Helper function to update the NPM config."""
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        print("Unauthorized attempt to update NPM config.")
        return

    npm = NginxProxyManager(app.config['NPM_HOST'], app.config['NPM_EMAIL'], app.config['NPM_PASSWORD'])
    npm.login()
    host = npm.get_proxy_host(9)
    if host:
        current_config = host.get('advanced_config', '')
        
        backend_url = f"{app.config['BACKEND_URL']}/get_all_stream_urls"
        credentials = base64.b64decode(session["auth_credentials"]).decode()
        username, password = credentials.split(":", 1)
        auth = requests.auth.HTTPBasicAuth(username, password)
        
        try:
            response = requests.get(backend_url, auth=auth)
            response.raise_for_status()
            streams = response.json()
        except requests.exceptions.RequestException as e:
            print(f"Failed to fetch streams from backend: {e}")
            return

        if streams:
            new_config = update_config_with_streams(current_config, streams)
            npm.update_proxy_host_config(9, new_config)
            print("NPM config updated successfully.")
    else:
        print("Failed to update NPM config.")

def _update_npm_config_in_background():
    with app.app_context():
        _update_npm_config()

@app.route('/update_host_9_config', methods=['POST'])
def update_host_9_config():
    if not session.get('user_id') or int(session.get('user_id')) != 1:
        return jsonify({'error': 'Unauthorized'}), 401
    
    thread = threading.Thread(target=_update_npm_config_in_background)
    thread.start()
    
    return jsonify({'message': 'NPM config update started in the background.'}), 202


if __name__ == "__main__":
    app.run(
        debug=app.config["DEBUG"],
        host=app.config["HOST"],
        port=app.config["PORT"]
    )