    def test_expired_tokens_garbage_collected(self):
        """garbage_collect() removes a token only once it has expired.

        A token minted at 10:00 survives a collection at 15:59 and is gone
        after one at 16:01, so the expiry boundary used by the fixture lies
        between those two instants.
        """
        with set_datetime(2019, 1, 1, 10, 0):
            AuthToken.generate('test', self.user).save()
            self.assertEqual(AuthToken.objects.count(), 1)

        # (clock, expected number of tokens left after collection)
        scenarios = (
            ((2019, 1, 1, 15, 59), 1),  # still valid
            ((2019, 1, 1, 16, 1), 0),   # expired
        )
        for clock, remaining in scenarios:
            with set_datetime(*clock):
                AuthToken.garbage_collect()
                self.assertEqual(AuthToken.objects.count(), remaining)
    def test_invalid_tokens_garbage_collected(self):
        """garbage_collect() drops an unexpired token once its owner is deactivated.

        Both collections run at 15:59, before the token could have expired,
        so the only thing that changes between them is ``user.is_active``.
        """
        with set_datetime(2019, 1, 1, 10, 0):
            AuthToken.generate('test', self.user).save()
            self.assertEqual(AuthToken.objects.count(), 1)

        with set_datetime(2019, 1, 1, 15, 59):
            # Owner still active: nothing to collect.
            AuthToken.garbage_collect()
            self.assertEqual(AuthToken.objects.count(), 1)

            # Deactivate the owner; the token is now invalid and must go.
            self.user.is_active = False
            self.user.save()
            AuthToken.garbage_collect()
            self.assertEqual(AuthToken.objects.count(), 0)
    def get_redirect_url(self, *args, **kwargs):
        """Mint an auth token for ``request.user`` and build the client redirect.

        Reads the client id and the caller-supplied ``state`` from the query
        string, persists a new ``AuthToken`` bound to that client and user,
        and returns the client's *configured* redirect URL with ``code``,
        ``state`` and (if present) ``next`` appended. The redirect target
        itself comes from ``settings.AUTH_TOKEN_CLIENTS``, never from the
        request.

        Raises:
            ValueError: when the ``state`` parameter is missing or empty.
            KeyError: when the client id is absent or not configured; this
                propagates as a server error rather than a client error —
                NOTE(review): consider rejecting it explicitly before a
                token is persisted.
        """
        query = self.request.GET
        initiator_name = query.get(self.client_id_query)
        state = query.get(self.state_query)

        if not state:
            raise ValueError("missing state")

        # Unknown client ids fail here, before any token is written.
        client = settings.AUTH_TOKEN_CLIENTS[initiator_name]

        auth_token = AuthToken.generate(initiator_name, self.request.user)
        auth_token.save()

        # Opportunistic clean-up of stale tokens on every redirect.
        AuthToken.garbage_collect()

        params = {'code': auth_token.code, 'state': state}
        if 'next' in query:
            # Forwarded verbatim; it is up to the client to validate it.
            params['next'] = query.get('next')

        return client.redirect_url + '?' + urlencode(params)
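    def post(self, request, *args, **kwargs):
        """Exchange a client-authenticated identifier for an auth token.

        The body must be ``application/json`` carrying the configured client
        id and client secret fields plus whatever ``get_identifier`` reads.
        The secret is checked with ``constant_time_compare``. Every rejection
        is a 400 whose body is ``{"error": reason}``; internal exception text
        is logged server-side, not echoed to the caller.

        Args:
            request: the incoming HTTP request.

        Returns:
            ``JsonResponse`` of ``auth_token.as_dict()`` on success, otherwise
            ``HttpResponseBadRequest``.
        """
        import logging

        logger = logging.getLogger(__name__)

        def error(reason):
            return HttpResponseBadRequest(json.dumps({"error": reason}))

        if request.content_type != 'application/json':
            return error("expected JSON payload")

        try:
            payload = json.loads(request.body.decode())
            client_id = payload[self.client_id_param]
            client_secret = payload[self.client_secret_param]
            identifier = self.get_identifier(payload)
        except Exception:
            # Broad on purpose: bad UTF-8, invalid JSON, a non-object
            # payload, missing keys and whatever get_identifier() raises on
            # bad input all mean the same thing to the caller.
            return error("malformed JSON payload")

        # A secret that is not a string can never match a configured one and,
        # depending on the constant_time_compare implementation, may raise
        # instead of returning False; reject it as malformed up front.
        if not isinstance(client_secret, str):
            return error("malformed JSON payload")

        try:
            client = settings.AUTH_TOKEN_CLIENTS[client_id]
        except (KeyError, TypeError):
            # TypeError: unhashable id (list/dict) from the JSON payload.
            return error("unknown client")

        if not constant_time_compare(client.secret, client_secret):
            return error("invalid client secret")

        try:
            auth_token = self.get_token(client_id, identifier)
        except ObjectDoesNotExist:
            return error("token does not exist (may have expired)")
        except Exception:
            # Keep the traceback for operators; do not leak exception text
            # (queries, paths, configuration) to the client.
            logger.exception("unexpected error while retrieving token")
            return error("unexpected error while retrieving token")

        self.on_success(auth_token)

        # Piggy-back on the view to do garbage collection.
        AuthToken.garbage_collect()

        return JsonResponse(auth_token.as_dict())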