def user_getall(name):
"""
Returns users with the given username, email address or Twitter id
"""
names = name
userids = set() # Dupe checker
if not names:
return api_result("error", error="no_name_provided")
results = []
for name in names:
user = getuser(name)
if user and user.userid not in userids:
results.append(
{
"type": "user",
"userid": user.userid,
"buid": user.userid,
"name": user.username,
"title": user.fullname,
"label": user.pickername,
}
)
userids.add(user.userid)
if not results:
return api_result("error", error="not_found")
else:
return api_result("ok", results=results)
def user_getall(name):
"""
Returns users with the given username, email address or Twitter id
"""
names = name
buids = set() # Dupe checker
if not names:
return api_result('error', error='no_name_provided')
results = []
for name in names:
user = getuser(name)
if user and user.buid not in buids:
results.append({
'type': 'user',
'userid': user.buid,
'buid': user.buid,
'uuid': user.uuid,
'name': user.username,
'title': user.fullname,
'label': user.pickername,
'timezone': user.timezone,
'oldids': [o.buid for o in user.oldids],
'olduuids': [o.uuid for o in user.oldids],
})
buids.add(user.buid)
if not results:
return api_result('error', error='not_found')
else:
return api_result('ok', results=results)
def user_getall(name):
"""
Returns users with the given username, email address or Twitter id
"""
names = name
userids = set() # Dupe checker
if not names:
return api_result('error', error='no_name_provided')
results = []
for name in names:
user = getuser(name)
if user and user.userid not in userids:
results.append({
'type': 'user',
'userid': user.userid,
'buid': user.userid,
'name': user.username,
'title': user.fullname,
'label': user.pickername,
'timezone': user.timezone,
'oldids': [o.userid for o in user.oldids],
})
userids.add(user.userid)
if not results:
return api_result('error', error='not_found')
else:
return api_result('ok', results=results)
def validate_password(self, field):
user = getuser(self.username.data)
if user and not user.pw_hash:
raise LoginPasswordResetException()
if user is None or not user.password_is(field.data):
if not self.username.errors:
raise forms.ValidationError(_("Incorrect password"))
self.user = user
def validate_password(self, field):
if not self.username.data:
# Can't validate password without a user
return
user = getuser(self.username.data)
if user and not user.pw_hash:
raise LoginPasswordResetException()
if user is None or not user.password_is(field.data):
if not self.username.errors:
raise forms.ValidationError(_("Incorrect password"))
self.user = user
def user_get(name):
"""
Returns user with the given username, email address or Twitter id
"""
if not name:
return api_result("error", error="no_name_provided")
user = getuser(name)
if user:
return api_result("ok", type="user", userid=user.userid, name=user.username, title=user.fullname)
else:
return api_result("error", error="not_found")
def test_getuser(self):
"""
Test for retrieving username by prepending @
"""
# scenario 1: with @ starting in name and extid
crusoe = self.fixtures.crusoe
service_twitter = 'twitter'
oauth_token = environ.get('TWITTER_OAUTH_TOKEN')
oauth_token_type = 'Bearer' # NOQA: S105
externalid = models.UserExternalId(
service=service_twitter,
user=crusoe,
userid=crusoe.email.email,
username=crusoe.username,
oauth_token=oauth_token,
oauth_token_type=oauth_token_type,
)
db.session.add(externalid)
db.session.commit()
result1 = models.getuser('@crusoe')
self.assertIsInstance(result1, models.User)
self.assertEqual(result1, crusoe)
# scenario 2: with @ in name and not extid
d_email = '*****@*****.**'
daenerys = models.User(
username='******', fullname="Daenerys Targaryen", email=d_email
)
daenerys_email = models.UserEmail(email=d_email, user=daenerys)
db.session.add_all([daenerys, daenerys_email])
db.session.commit()
result2 = models.getuser(d_email)
self.assertIsInstance(result2, models.User)
self.assertEqual(result2, daenerys)
result3 = models.getuser('@daenerys')
self.assertIsNone(result3)
# scenario 3: with no @ starting in name, check by UserEmailClaim
j_email = '*****@*****.**'
jonsnow = models.User(username='******', fullname="Jon Snow")
jonsnow_email_claimed = models.UserEmailClaim(email=j_email, user=jonsnow)
db.session.add_all([jonsnow, jonsnow_email_claimed])
db.session.commit()
result4 = models.getuser(j_email)
self.assertIsInstance(result4, models.User)
self.assertEqual(result4, jonsnow)
# scenario 5: with no @ anywhere in name, fetch username
arya = models.User(username='******', fullname="Arya Stark")
db.session.add(arya)
db.session.commit()
result5 = models.getuser('arya')
self.assertEqual(result5, arya)
# scenario 6: with no starting with @ name and no UserEmailClaim or UserEmail
cersei = models.User(username='******', fullname="Cersei Lannister")
db.session.add(cersei)
db.session.commit()
result6 = models.getuser('*****@*****.**')
self.assertIsNone(result6)
def user_get(name):
"""
Returns user with the given username, email address or Twitter id
"""
if not name:
return api_result('error', error='no_name_provided')
user = getuser(name)
if user:
return api_result('ok',
type='user',
userid=user.userid,
name=user.username,
title=user.fullname)
else:
return api_result('error', error='not_found')
def test_getuser(self):
"""
Test for retrieving username by prepending @
"""
# scenario 1: with @ starting in name and extid
crusoe = self.fixtures.crusoe
service_twitter = u'twitter'
oauth_token = environ.get('TWITTER_OAUTH_TOKEN')
oauth_token_type = u'Bearer'
externalid = models.UserExternalId(service=service_twitter, user=crusoe, userid=crusoe.email.email, username=crusoe.username, oauth_token=oauth_token, oauth_token_type=oauth_token_type)
db.session.add(externalid)
db.session.commit()
result1 = models.getuser(u'@crusoe')
self.assertIsInstance(result1, models.User)
self.assertEqual(result1, crusoe)
# scenario 2: with @ in name and not extid
d_email = u'*****@*****.**'
daenerys = models.User(username=d_email, fullname=u'Daenerys Targaryen', email=d_email)
daenerys_email = models.UserEmail(email=d_email,
user=daenerys)
db.session.add_all([daenerys, daenerys_email])
db.session.commit()
result2 = models.getuser(d_email)
self.assertIsInstance(result2, models.User)
self.assertEqual(result2, daenerys)
result3 = models.getuser(u'@daenerys')
self.assertIsNone(result3)
# scenario 3: with no @ starting in name, check by UserEmailClaim
j_email = u'*****@*****.**'
jonsnow = models.User(username=u'jonsnow', fullname=u'Jon Snow')
jonsnow_email_claimed = models.UserEmailClaim(email=j_email, owner=jonsnow)
db.session.add_all([jonsnow, jonsnow_email_claimed])
db.session.commit()
result4 = models.getuser(j_email)
self.assertIsInstance(result4, models.User)
self.assertEqual(result4, jonsnow)
# scenario 5: with no @ anywhere in name, fetch username
arya = models.User(username=u'arya', fullname=u'Arya Stark')
db.session.add(arya)
db.session.commit()
result5 = models.getuser(u'arya')
self.assertEqual(result5, arya)
# scenario 6: with no starting with @ name and no UserEmailClaim or UserEmail
cersei = models.User(username=u'cersei', fullname=u'Cersei Lannister')
db.session.add(cersei)
db.session.commit()
result6 = models.getuser(u'*****@*****.**')
self.assertIsNone(result6)
def user_get(name):
"""
Returns user with the given username, email address or Twitter id
"""
if not name:
return api_result('error', error='no_name_provided')
user = getuser(name)
if user:
return api_result('ok',
type='user',
userid=user.userid,
buid=user.userid,
name=user.username,
title=user.fullname,
label=user.pickername,
timezone=user.timezone,
oldids=[o.userid for o in user.oldids])
else:
return api_result('error', error='not_found')
def user_get(name):
"""
Returns user with the given username, email address or Twitter id
"""
if not name:
return api_result('error', error='no_name_provided')
user = getuser(name)
if user:
return api_result('ok',
type='user',
userid=user.userid,
buid=user.userid,
name=user.username,
title=user.fullname,
label=user.pickername,
timezone=user.timezone,
oldids=[o.userid for o in user.oldids])
else:
return api_result('error', error='not_found')
def validate_password(self, field):
user = getuser(self.username.data)
if user is None or not user.password_is(field.data):
raise wtforms.ValidationError("Incorrect password")
self.user = user
def validate_username(self, field):
existing = getuser(field.data)
if existing is None:
raise wtforms.ValidationError("User does not exist")
def validate_username(self, field):
user = getuser(field.data)
if user is None or user != self.edit_user:
raise wtforms.ValidationError(
"This username or email does not match the user the reset code is for")
def validate_username(self, field):
user = getuser(field.data)
if user is None:
raise wtforms.ValidationError("Could not find a user with that id")
self.user = user
def oauth_token():
"""
OAuth2 server -- token endpoint (confidential clients only)
"""
# Always required parameters
grant_type = request.form.get('grant_type')
auth_client = current_auth.auth_client # Provided by @requires_client_login
scope = request.form.get('scope', '').split(' ')
# if grant_type == 'authorization_code' (POST)
code = request.form.get('code')
redirect_uri = request.form.get('redirect_uri')
# if grant_type == 'password' (POST)
username = request.form.get('username')
password = request.form.get('password')
# if grant_type == 'client_credentials'
buid = request.form.get('buid') or request.form.get(
'userid') # XXX: Deprecated userid parameter
# Validations 1: Required parameters
if not grant_type:
return oauth_token_error('invalid_request', _("Missing grant_type"))
# grant_type == 'refresh_token' is not supported. All tokens are permanent unless revoked
if grant_type not in [
'authorization_code', 'client_credentials', 'password'
]:
return oauth_token_error('unsupported_grant_type')
# Validations 2: client scope
if grant_type == 'client_credentials':
# AuthClient data; user isn't part of it OR trusted client and automatic scope
try:
# Confirm the client has access to the scope it wants
verifyscope(scope, auth_client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', str(scopeex))
if buid:
if auth_client.trusted:
user = User.get(buid=buid)
if user:
# This client is trusted and can receive a user access token.
# However, don't grant it the scope it wants as the user's
# permission was not obtained. Instead, the client's
# pre-approved scope will be used for the token's effective scope.
token = oauth_make_token(user=user,
auth_client=auth_client,
scope=[])
return oauth_token_success(
token,
userinfo=get_userinfo(
user=token.user,
auth_client=auth_client,
scope=token.effective_scope,
),
)
else:
return oauth_token_error('invalid_grant',
_("Unknown user"))
else:
return oauth_token_error('invalid_grant',
_("Untrusted client app"))
else:
token = oauth_make_token(user=None,
auth_client=auth_client,
scope=scope)
return oauth_token_success(token)
# Validations 3: auth code
elif grant_type == 'authorization_code':
authcode = AuthCode.get_for_client(auth_client=auth_client, code=code)
if not authcode:
return oauth_token_error('invalid_grant', _("Unknown auth code"))
if not authcode.is_valid():
db.session.delete(authcode)
db.session.commit()
return oauth_token_error('invalid_grant', _("Expired auth code"))
# Validations 3.1: scope in authcode
if not scope or scope[0] == '':
return oauth_token_error('invalid_scope', _("Scope is blank"))
if not set(scope).issubset(set(authcode.scope)):
return oauth_token_error('invalid_scope', _("Scope expanded"))
else:
# Scope not provided. Use whatever the authcode allows
scope = authcode.scope
if redirect_uri != authcode.redirect_uri:
return oauth_token_error('invalid_client',
_("redirect_uri does not match"))
token = oauth_make_token(user=authcode.user,
auth_client=auth_client,
scope=scope)
db.session.delete(authcode)
return oauth_token_success(
token,
userinfo=get_userinfo(
user=authcode.user,
auth_client=auth_client,
scope=token.effective_scope,
user_session=authcode.user_session,
),
)
elif grant_type == 'password':
# Validations 4.1: password grant_type is only for trusted clients
if not auth_client.trusted:
# Refuse to untrusted clients
return oauth_token_error(
'unauthorized_client',
_("AuthClient is not trusted for password grant_type"),
)
# Validations 4.2: Are username and password provided and correct?
if not username or not password:
return oauth_token_error('invalid_request',
_("Username or password not provided"))
user = getuser(username)
if not user:
return oauth_token_error(
'invalid_client',
_("No such user")) # XXX: invalid_client doesn't seem right
if not user.password_is(password):
return oauth_token_error('invalid_client', _("Password mismatch"))
# Validations 4.3: verify scope
try:
verifyscope(scope, auth_client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', str(scopeex))
# All good. Grant access
token = oauth_make_token(user=user,
auth_client=auth_client,
scope=scope)
return oauth_token_success(
token,
userinfo=get_userinfo(user=user,
auth_client=auth_client,
scope=scope),
)
def validate_username(self, field):
user = getuser(field.data)
if user is None:
raise forms.ValidationError(
_("Could not find a user with that id"))
self.user = user
def oauth_token():
"""
OAuth2 server -- token endpoint
"""
# Always required parameters
grant_type = request.form.get('grant_type')
client = g.client # Provided by @requires_client_login
scope = request.form.get('scope', u'').split(u' ')
# if grant_type == 'authorization_code' (POST)
code = request.form.get('code')
redirect_uri = request.form.get('redirect_uri')
# if grant_type == 'password' (GET)
username = request.form.get('username')
password = request.form.get('password')
# Validations 1: Required parameters
if not grant_type:
return oauth_token_error('invalid_request', "Missing grant_type")
# grant_type == 'refresh_token' is not supported. All tokens are permanent unless revoked
if grant_type not in [
'authorization_code', 'client_credentials', 'password'
]:
return oauth_token_error('unsupported_grant_type')
# Validations 2: client scope
if grant_type == 'client_credentials':
# Client data. User isn't part of it
try:
verifyscope(scope, client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', unicode(scopeex))
token = oauth_make_token(user=None, client=client, scope=scope)
return oauth_token_success(token)
# Validations 3: auth code
elif grant_type == 'authorization_code':
authcode = AuthCode.query.filter_by(code=code, client=client).first()
if not authcode:
return oauth_token_error('invalid_grant', "Unknown auth code")
if not authcode.is_valid():
db.session.delete(authcode)
db.session.commit()
return oauth_token_error('invalid_grant', "Expired auth code")
# Validations 3.1: scope in authcode
if not scope or scope[0] == '':
return oauth_token_error('invalid_scope', "Scope is blank")
if not set(scope).issubset(set(authcode.scope)):
return oauth_token_error('invalid_scope', "Scope expanded")
else:
# Scope not provided. Use whatever the authcode allows
scope = authcode.scope
if redirect_uri != authcode.redirect_uri:
return oauth_token_error('invalid_client',
"redirect_uri does not match")
token = oauth_make_token(user=authcode.user,
client=client,
scope=scope)
db.session.delete(authcode)
return oauth_token_success(token,
userinfo=get_userinfo(
user=authcode.user,
client=client,
scope=scope,
session=authcode.session))
elif grant_type == 'password':
# Validations 4.1: password grant_type is only for trusted clients
if not client.trusted:
# Refuse to untrusted clients
return oauth_token_error(
'unauthorized_client',
"Client is not trusted for password grant_type")
# Validations 4.2: Are username and password provided and correct?
if not username or not password:
return oauth_token_error('invalid_request',
"Username or password not provided")
user = getuser(username)
if not user:
return oauth_token_error(
'invalid_client',
"No such user") # XXX: invalid_client doesn't seem right
if not user.password_is(password):
return oauth_token_error('invalid_client', "Password mismatch")
# Validations 4.3: verify scope
try:
verifyscope(scope, client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', unicode(scopeex))
# All good. Grant access
token = oauth_make_token(user=user, client=client, scope=scope)
return oauth_token_success(token,
userinfo=get_userinfo(user=user,
client=client,
scope=scope))
def validate_username(self, field):
existing = getuser(field.data)
if existing is None:
raise wtforms.ValidationError("User does not exist")
def validate_username(self, field):
user = getuser(field.data)
if user is None or user != self.edit_user:
raise forms.ValidationError(
_("This username or email does not match the user the reset code is for"
))
def validate_password(self, field):
user = getuser(self.username.data)
if user is None or not user.password_is(field.data):
raise wtforms.ValidationError("Incorrect password")
self.user = user
def oauth_token():
"""
OAuth2 server -- token endpoint
"""
# Always required parameters
grant_type = request.form.get('grant_type')
client = g.client # Provided by @requires_client_login
scope = request.form.get('scope', u'').split(u' ')
# if grant_type == 'authorization_code' (POST)
code = request.form.get('code')
redirect_uri = request.form.get('redirect_uri')
# if grant_type == 'password' (GET)
username = request.form.get('username')
password = request.form.get('password')
# Validations 1: Required parameters
if not grant_type:
return oauth_token_error('invalid_request', "Missing grant_type")
# grant_type == 'refresh_token' is not supported. All tokens are permanent unless revoked
if grant_type not in ['authorization_code', 'client_credentials', 'password']:
return oauth_token_error('unsupported_grant_type')
# Validations 2: client scope
if grant_type == 'client_credentials':
# Client data. User isn't part of it
try:
verifyscope(scope, client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', unicode(scopeex))
token = oauth_make_token(user=None, client=client, scope=scope)
return oauth_token_success(token)
# Validations 3: auth code
elif grant_type == 'authorization_code':
authcode = AuthCode.query.filter_by(code=code, client=client).first()
if not authcode:
return oauth_token_error('invalid_grant', "Unknown auth code")
if not authcode.is_valid():
db.session.delete(authcode)
db.session.commit()
return oauth_token_error('invalid_grant', "Expired auth code")
# Validations 3.1: scope in authcode
if not scope or scope[0] == '':
return oauth_token_error('invalid_scope', "Scope is blank")
if not set(scope).issubset(set(authcode.scope)):
return oauth_token_error('invalid_scope', "Scope expanded")
else:
# Scope not provided. Use whatever the authcode allows
scope = authcode.scope
if redirect_uri != authcode.redirect_uri:
return oauth_token_error('invalid_client', "redirect_uri does not match")
token = oauth_make_token(user=authcode.user, client=client, scope=scope)
db.session.delete(authcode)
return oauth_token_success(token, userinfo=get_userinfo(
user=authcode.user, client=client, scope=scope, session=authcode.session))
elif grant_type == 'password':
# Validations 4.1: password grant_type is only for trusted clients
if not client.trusted:
# Refuse to untrusted clients
return oauth_token_error('unauthorized_client', "Client is not trusted for password grant_type")
# Validations 4.2: Are username and password provided and correct?
if not username or not password:
return oauth_token_error('invalid_request', "Username or password not provided")
user = getuser(username)
if not user:
return oauth_token_error('invalid_client', "No such user") # XXX: invalid_client doesn't seem right
if not user.password_is(password):
return oauth_token_error('invalid_client', "Password mismatch")
# Validations 4.3: verify scope
try:
verifyscope(scope, client)
except ScopeException as scopeex:
return oauth_token_error('invalid_scope', unicode(scopeex))
# All good. Grant access
token = oauth_make_token(user=user, client=client, scope=scope)
return oauth_token_success(token, userinfo=get_userinfo(user=user, client=client, scope=scope))
