def login(authentication_method, user_id=None, user_email=None):
    """Sign in a user by id or by e-mail, enforcing the organization's allowed auth methods.

    Args:
        authentication_method: Name of the method the user just authenticated
            with. It is checked against the organization's allow-list and, on
            rejection, echoed into the redirect URL's ``e`` parameter.
        user_id: When truthy, the existing user with this id is signed in; an
            unknown id aborts with HTTP 400.
        user_email: Used only when ``user_id`` is falsy; the user is looked up
            or created under the organization derived from the address.

    Side effects: may create a user, stamps ``accepted_terms_at`` on first
    login, and ends in ``login_user``. Never returns on the two rejection
    paths (``abort``).
    """
    if user_id:
        user = get_user_by_id(user_id)
        if not user:
            logging.warning('Attempt to sign in nonexistent user %s', user_id)
            abort(400)
    else:
        organization_id = get_organization_id_for_email(user_email)
        user = get_or_create_user(user_email, organization_id)

    allowed_methods = get_allowed_authentication_methods(user.organization)
    # ``None`` means the organization imposes no restriction; an explicit
    # allow-list (even an empty one) must contain the method that was used.
    method_is_blocked = (allowed_methods is not None
                         and authentication_method not in allowed_methods)
    if method_is_blocked:
        logging.warning(
            "User %s attempted to authenticate with method '%s'. Allowed methods are %s.",
            user.id, authentication_method, allowed_methods)
        abort(redirect(f'/_/auth/login?e=auth_not_allowed-{authentication_method}'))

    if not user.accepted_terms_at:
        # all login methods now have UI for consenting to terms
        # NOTE(review): utcnow() is deprecated since Python 3.12; switching to a
        # tz-aware value changes what gets stored — confirm the datastore field
        # accepts it before changing.
        user.accepted_terms_at = datetime.datetime.utcnow()
        user.put()

    login_user(user)
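def use_transfer_link(transfer_link_token):
  """Transfer ownership of a short link to the current user via a signed transfer token.

  ``transfer_link_token`` is untrusted request input: URL-safe base64 (padding
  optional) wrapping a JWT that must verify under the configured
  ``sessions_secret``. The payload is expected to carry ``sub`` = ``link:<id>``,
  ``tp`` = ``transfer``, ``o`` = the link owner's user id when the token was
  minted and ``by`` = the user who minted it.

  Returns ``('', 201)`` once the link's owner has been reassigned.

  Aborts with 403 when the token is expired, has a bad signature or cannot be
  decoded, when the payload is malformed (missing, mistyped or non-numeric
  claims), or when any ownership/authorization check fails. The response body
  is a generic message unless a more specific one is safe to show.
  """
  user_facing_error = None

  try:
    # Restore base64 padding the link may have stripped: -len % 4 yields 0-3
    # '=' characters (the old ``4 - len % 4`` produced four when none were needed).
    padded_token = transfer_link_token + '=' * (-len(transfer_link_token) % 4)

    # NOTE(review): the third positional argument's meaning depends on the PyJWT
    # major version (``algorithms`` in 2.x); pass ``algorithms=['HS256']``
    # explicitly once the pinned version is confirmed.
    payload = jwt.decode(base64.urlsafe_b64decode(padded_token),
                         config.get_config()['sessions_secret'],
                         'HS256')
  except (jwt.exceptions.ExpiredSignatureError,
          jwt.exceptions.InvalidSignatureError,
          jwt.exceptions.DecodeError) as e:
    if isinstance(e, jwt.exceptions.ExpiredSignatureError):
      user_facing_error = 'Your transfer link has expired'
      logging.info('Attempt to use expired token: %s', transfer_link_token)
    if isinstance(e, jwt.exceptions.InvalidSignatureError):
      logging.warning('Attempt to use invalid token: %s', transfer_link_token)

    abort(403, user_facing_error or 'Your transfer link is no longer valid')

  try:
    if not payload['sub'].startswith('link:'):
      raise InvalidTransferToken('Subject is not link')

    if 'transfer' != payload['tp']:
      raise InvalidTransferToken('Invalid token permission')

    link_id = int(payload['sub'][len('link:'):])
    link = models.ShortLink.get_by_id(link_id)
    if not link:
      raise InvalidTransferToken('Link does not exist')

    # The token binds the owner at minting time; a changed owner invalidates it.
    owner_from_token = user_helpers.get_user_by_id(payload['o'])
    if not owner_from_token or link.owner != owner_from_token.email:
      user_facing_error = f'The owner of rfg/{link.shortpath} has changed since your transfer link was created'

      raise InvalidTransferToken('Owner from token does not match current owner')

    # The minting user must still be allowed to mutate the link *now*.
    if not check_mutate_authorization(link_id, payload['by']):
      user_facing_error = f'The user who created your transfer link no longer has edit rights for rfg/{link.shortpath}'

      raise InvalidTransferToken('Token from unauthorized user')

    if current_user.organization != link.organization:
      raise InvalidTransferToken("Current user does not match link's organization")
  except (InvalidTransferToken,
          KeyError,         # missing claim
          ValueError,       # non-numeric link id in ``sub``
          TypeError,        # claim of the wrong type (e.g. non-string ``sub``)
          AttributeError) as e:
    # ValueError/TypeError/AttributeError used to escape as HTTP 500; a
    # signed-but-malformed payload is a rejection, not a server fault.
    logging.warning(e)
    # NOTE(review): a token that passed signature verification but failed only
    # an authorization check is still a live credential until it expires;
    # logging it verbatim exposes it to anyone with log access. Consider
    # logging a truncated form or a digest instead.
    logging.warning('Attempt to use invalid token: %s', transfer_link_token)

    abort(403, user_facing_error or 'Your transfer link is no longer valid')

  link.owner = current_user.email
  link.put()

  return '', 201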
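def get_user(user_id):
  """Return the JSON profile of one user.

  ``user_id`` is untrusted path input: the literal ``'me'`` resolves to the
  current user; anything else must be a decimal user id.

  Aborts with 400 when the id is not numeric (previously an unhandled
  ``ValueError``), and with 403 both when no such user exists and when the
  caller is not an admin of that user's organization — the same status in
  both cases so the endpoint cannot be used to probe which ids exist.
  """
  if user_id == 'me':
    return jsonify(_user_info(current_user))

  try:
    numeric_id = int(user_id)
  except (TypeError, ValueError):
    abort(400)

  user = get_user_by_id(numeric_id)

  # Why a copy of current_user is handed to the admin check is not visible
  # here — presumably so the check cannot mutate the request's user; confirm.
  if not user or not is_user_admin(copy.copy(current_user), user.organization):
    abort(403)

  return jsonify(_user_info(user))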
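def check_mutate_authorization(link_id, user_id=None):
    """Return the ShortLink if the user may modify it, otherwise ``False``.

    Args:
        link_id: Datastore id of the link to check.
        user_id: When truthy, authorize that user instead of ``current_user``.

    Returns:
        The ``models.ShortLink`` entity (truthy) when the user owns it or is
        an admin within the link's organization. ``False`` when the named user
        or the link does not exist, when the link lookup raises, or when the
        user is neither owner nor an admin of that organization.
    """
    if user_id:
        user = user_helpers.get_user_by_id(user_id)
        if not user:
            # Previously an unknown id reached ``user.email`` below and raised
            # AttributeError instead of denying.
            logging.warning('Authorization check for nonexistent user %s', user_id)
            return False
    else:
        user = current_user

    try:
        existing_link = models.ShortLink.get_by_id(link_id)
    except Exception as e:  # fail closed on any lookup error, but keep a trace
        logging.warning(str(e))

        return False

    if not existing_link:
        return False

    if existing_link.owner != user.email:
        # Non-owners may mutate only as admins of the link's own organization.
        same_organization = user.organization == existing_link.organization
        if not (same_organization and user_helpers.is_user_admin(user)):
            return False

    return existing_link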
    def load_user(user_id):
        """Resolve a stored user id to a user entity.

        Appears to be a session user-loader callback; any decorator and the
        enclosing definition are outside this view. The import is deferred to
        call time, presumably to avoid an import cycle with
        ``modules.users.helpers`` — confirm before hoisting it.
        """
        from modules.users.helpers import get_user_by_id

        user = get_user_by_id(user_id)
        return user
    def load_user(user_id):
        """Resolve a stored user id to a user entity, tagging the Sentry scope with it.

        Appears to be a session user-loader callback; any decorator and the
        enclosing definition are outside this view. Only the id is sent to
        Sentry (no e-mail or name), which keeps error reports free of direct
        identifiers. The import is deferred to call time, presumably to avoid
        an import cycle with ``modules.users.helpers`` — confirm.
        """
        from modules.users.helpers import get_user_by_id

        sentry_sdk.set_user({'id': user_id})

        user = get_user_by_id(user_id)
        return user
 def load_user(user_id):
   """Resolve a stored user id to a user entity via ``get_user_by_id``.

   Appears to be a session user-loader callback; any decorator and the
   enclosing definition are outside this view.
   """
   user = get_user_by_id(user_id)
   return user