Beispiel #1
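def authenticate(email, password):
    """Look up an active account by e-mail and verify ``password`` against it.

    Returns ``(user.id, user)`` on success and ``None`` on failure.  A failed
    attempt against an existing account is recorded in ``LoginHistory``; every
    failure is padded so the call takes at least one second, so that "no such
    account" and "wrong password" are not distinguishable by response time.
    """
    ts = time()  # Start of the attempt; used to pad failures to a minimum duration.
    query = dict(active=True)

    # Gracefully handle extended characters in passwords.
    # The password storage algorithm works in binary.
    if isinstance(password, unicode):
        password = password.encode('utf8')

    # Build the MongoEngine query to find the active account for this address.
    query[b'email'] = email

    user = User.objects(**query).first()

    # NOTE(review): when no account matches, no hash check runs at all, so the
    # padding below is the only thing hiding that difference from a caller.
    if not user or not User.password.check(user.password, password):
        if user:
            LoginHistory(user, False, web.ctx['ip']).save()

        # Prevent basic timing attacks; always take at least one second to process.
        # The previous expression, max(min(1 - elapsed, 0), 1), always evaluated
        # to 1: failures slept a full second *on top of* the lookup/hash time,
        # so the variable part still leaked.  Sleep only for what remains of the
        # second (nothing if the work already took longer).
        sleep(max(1 - (time() - ts), 0))

        return None

    # Record the fact the user signed in.
    LoginHistory(user, True, web.ctx['ip']).save()

    return user.id, user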
Beispiel #2
    def GET(self):
        """Consume the token from the query string and send the user onward."""
        params = web.input()

        # Perform the initial API call and direct the user.
        User.authenticate(params.token)

        # NOTE(review): `redirect` comes straight from the request and is
        # followed with absolute=True without any check on its destination,
        # which is an open-redirect pattern — confirm the value is restricted
        # to this site before it reaches here.
        if hasattr(params, 'redirect'):
            target = params.redirect
        else:
            target = settings['path'] + "/notes"

        raise web.seeother(target, absolute=True)