generate and store cookie_secret in the db

DEVELOPMENT.md

@@ -33,6 +33,8 @@ These are the path you see in the browser (AngularJS does client-side routing: n
 - /#/person/:person_id - show information about an existing person (contains the list of events the person registered for)
 - /#/person/:person_id/edit - edit form to modify an existing person
 - /#/import/persons - form used to import persons in bulk
+- /login - login form
+- /logout - when visited, the user is logged out
 
 
 Web server
@@ -53,6 +55,11 @@ The paths used to communicate with the Tornado web server:
 - /events/:event_id/persons/:person_id PUT - update the information about a person related to a given event (e.g.: if the person attended)
 - /persons/:person_id/events GET - the list of events the person registered for
 - /ebcsvpersons POST - csv file upload to import persons
+- /login - login form
+- /logout - when visited, the user is logged out
+
+Notice that the above path are the ones used by the webapp. If you plan to use them from an external application (like the _eventman_ barcode/qrcode scanner) you better prepend all the path with /v1.0, where 1.0 is the current value of API\_VERSION.
+The main advantage in doing so is that, for every call, a useful status code and a JSON value is returned (also for /v10/login that usually would show you the login page).
 
 
 Triggers
@@ -76,6 +83,8 @@ update_person_in_event and attends will receive these information:
   - PERSON_ID
   - EVENT_ID
   - EVENT_TITLE
+  - SEQ
+  - SEQ_HEX
 - via stdin, a dictionary containing:
   - dictionary **old** with the old data of the person
   - dictionary **new** with the new data of the person
@@ -113,6 +122,8 @@ Main field:
   - persons.$.company
   - persons.$.job
   - persons.$.ebqrcode
+  - persons.$.seq
+  - persons.$.seq_hex
 
 
 persons collection
@@ -126,6 +137,16 @@ Basic information about a person:
 - persons.job
 
 
+users collection
+----------------
+
+Contains a list of username and associated values, like the password used for authentication.
+
+To generate the hash, use:
+    import utils
+    print utils.hash_password('MyVerySecretPassword')
+
+
 TODO
 ====
 
@@ -143,5 +164,6 @@ Nice to have
 - notifications for form editing and other actions
 - authentication for administrators
 - i18n
+- settings page
 - logging and debugging code
 

README.md

@@ -15,10 +15,12 @@ Technological stack
 
 - [AngularJS](https://angularjs.org/) (plus some third-party modules) for the webApp
 - [Bootstrap](http://getbootstrap.com/) (plus [Angular UI](https://angular-ui.github.io/bootstrap/)) for the eye-candy
+- [Font Awesome](https://fortawesome.github.io/Font-Awesome/) for even more cuteness
 - [Tornado web](http://www.tornadoweb.org/) as web server
 - [MongoDB](https://www.mongodb.org/) to store the data
 
 The web part is incuded; you need to install Tornado, MongoDB and the pymongo module on your system (no configuration needed).
+If you want to print labels using the _print\_label_ trigger, you may also need the pycups module.
 
 
 Coding style and conventions
@@ -50,6 +52,11 @@ Open browser and navigate to: http://localhost:5242/
 
 If you store SSL key and certificate in the *ssl* directory (default names: eventman\_key.pem and eventman\_cert.pem), HTTPS will be used: https://localhost:5242/
 
+Authentication
+==============
+
+By default, authentication is required; default username and password are *admin* and *eventman*.
+
 
 License and copyright
 =====================

data/triggers-available/print_label.py

@@ -23,7 +23,7 @@ FONT_TEXT_ENCODING = 'latin-1'
 FONT_BARCODE = 'free3of9.ttf'
 
 PRINTER_NAME = None
-PRINTER_NAME = 'DYMO_LabelWriter_450'
+#PRINTER_NAME = 'DYMO_LabelWriter_450'
 
 
 def _get_resource(filename):

eventman_server.py

@@ -665,6 +665,16 @@ def run():
         db_connector.add('users',
                 {'username': 'admin', 'password': utils.hash_password('eventman')})
 
+    # If present, use the cookie_secret stored into the database.
+    cookie_secret = db_connector.query('settings', {'setting': 'server_cookie_secret'})
+    if cookie_secret:
+        cookie_secret = cookie_secret[0]['cookie_secret']
+    else:
+        # the salt guarantees its uniqueness
+        cookie_secret = utils.hash_password('__COOKIE_SECRET__')
+        db_connector.add('settings',
+                {'setting': 'server_cookie_secret', 'cookie_secret': cookie_secret})
+
     _ws_handler = (r"/ws/+event/+(?P<event_id>\w+)/+updates/?", WebSocketEventUpdatesHandler)
     _persons_path = r"/persons/?(?P<id_>\w+)?/?(?P<resource>\w+)?/?(?P<resource_id>\w+)?"
     _events_path = r"/events/?(?P<id_>\w+)?/?(?P<resource>\w+)?/?(?P<resource_id>\w+)?"