Ejemplo n.º 1
0
def verify_token(token):
    # log.info(token)
    if hasattr(g, 'token_auth_type') and g.token_auth_type == 'refresh':
        return UserToken.check_token(token,
                                     token_type='refresh') if token else None

    return UserToken.check_token(token) if token else None
Ejemplo n.º 2
0
def test_login_happy_path(client, db_session):
    name = generate_username()
    password = generate_password()

    user = User(name, password, db_session=db_session)
    user_id = user.id

    reply = client.post('/login',
                        json={
                            'username': name,
                            'password': password
                        })

    assert reply.status_code == 200
    assert list(reply.json.keys()) == ['token']

    token = reply.json['token']
    assert re.match('^[a-f0-9]{64}$', token)

    assert UserToken.get_user_id_with_token(token, db_session) == user_id

    # same prefix, but different suffix
    invalid_token = token[:32] + str(uuid.uuid4()).replace('-', '')
    assert UserToken.get_user_id_with_token(invalid_token, db_session) is None

    # same suffix, but different prefix
    invalid_token = str(uuid.uuid4()).replace('-', '') + token[-32:]
    assert UserToken.get_user_id_with_token(invalid_token, db_session) is None
Ejemplo n.º 3
0
 def post_sync(self):
     
     # Creates the random token
     self.model.token = UserToken.generate_random_token(16)
     
     # Appends the token to the session
     config.orm.add(self.model)
Ejemplo n.º 4
0
        def wrapper(*args, **kwargs):
            token = request.headers.get('X-Session')
            user_id = UserToken.get_user_id_with_token(token, db_session)

            if user_id:
                return handler(user_id, *args, **kwargs)

            return error_reply('Invalid token', 401)
Ejemplo n.º 5
0
	def setUp(self):
		self.app = create_app(config_name="testing")
		self.user = Users(username="******", email="*****@*****.**", password="******")
		self.shoppinglist = ShoppingList(owner_id="1", title="Yellow Bananas", description="*****@*****.**")
		self.shoppinglistitem = ShoppingListItem(owner_id="1", shoppinglist_id="1", item_title="Yellow Bananas with green", item_description="And maracuja")
		self.usertoken = UserToken(token="a_certain_token")
		with self.app.app_context():
			# create all tables
			db.create_all()
Ejemplo n.º 6
0
def get_user_by_token(token):
    if token == None or token == '':
        raise Exception(msg='token不能为空')
    user_token = UserToken.get_or_none(UserToken.token == token)
    if user_token == None:
        raise Exception(msg='token不存在')
    delta = user_token.expired_time - datetime.datetime.now()
    if delta.days < 0:
        raise Exception(msg='token已过期')
    user = User().get_by_id(user_token.user_id)
    if user == None:
        raise Exception(msg='用户已被删除')
    return user
Ejemplo n.º 7
0
    def login(json):
        user = db_session.query(User).filter(
            User.name == json['username']).first()

        if not user:
            return error_reply('User not found', 404)

        if not user.is_valid_password(json['password']):
            return error_reply('Wrong password', 403)

        token = UserToken(user, db_session=db_session)

        return jsonify({'token': str(token)})
Ejemplo n.º 8
0
def login(session):
    """
    테스트전 사용자 미리 등록
    :param session:
    :return:
    """
    db_user = Users.create(session=session,
                           email="*****@*****.**",
                           pw="123")
    session.commit()
    access_token = create_access_token(data=UserToken.from_orm(db_user).dict(
        exclude={'pw', 'marketing_agree'}), )
    return dict(Authorization=f"Bearer {access_token}")
Ejemplo n.º 9
0
    def GET(self):

        # Reads the token in the HTTP request parameters
        token = web.input(token=None).token

        # Checks if the token is valid
        user_token = UserToken.get_token(token)

        if user_token is None or user_token.expired:
            raise http.Forbidden()

        # The fieldset is not bound to any specific instance : the token is passed because it contains the email
        user_fieldset = user_forms.NewUserFieldSet(user_token)
        return config.views.layout(config.views.creation_form(user_fieldset))
Ejemplo n.º 10
0
 def GET(self):
     
     # Reads the token in the HTTP request parameters
     token = web.input(token=None).token
     
     # Checks if the token is valid
     user_token = UserToken.get_token(token)
     
     if user_token is None or user_token.expired:
         raise http.Forbidden()
     
     # The fieldset is not bound to any specific instance : the token is passed because it contains the email
     user_fieldset = user_forms.NewUserFieldSet(user_token)
     return config.views.layout(config.views.creation_form(user_fieldset))
Ejemplo n.º 11
0
 def test_get_token(self):
     
     # These tests work because a UserTokenData has a similar structure to a UserToken
     # When Tournament.__eq__ is called, it compares the fields without caring of the parameters' actual types
     
     self.assertIsNone(UserToken.get_token(None))
     self.assertIsNone(UserToken.get_token(""))
     self.assertIsNone(UserToken.get_token("invalid_token"))
     self.assertIsNone(UserToken.get_token("goB9Z7fhsUrjXHDi"))
     self.assertIsNone(UserToken.get_token("xYCPayfPCPEPCPaL"))
     
     self.assertEquals(UserToken.get_token("znc9TNqpajeN2nEH"), UserTokenData.user_token_expired)
     self.assertEquals(UserToken.get_token("xjRp67wh3HdjEI6I"), UserTokenData.user_token_active)
Ejemplo n.º 12
0
    def test_get_token(self):

        # These tests work because a UserTokenData has a similar structure to a UserToken
        # When Tournament.__eq__ is called, it compares the fields without caring of the parameters' actual types

        self.assertIsNone(UserToken.get_token(None))
        self.assertIsNone(UserToken.get_token(""))
        self.assertIsNone(UserToken.get_token("invalid_token"))
        self.assertIsNone(UserToken.get_token("goB9Z7fhsUrjXHDi"))
        self.assertIsNone(UserToken.get_token("xYCPayfPCPEPCPaL"))

        self.assertEquals(UserToken.get_token("znc9TNqpajeN2nEH"),
                          UserTokenData.user_token_expired)
        self.assertEquals(UserToken.get_token("xjRp67wh3HdjEI6I"),
                          UserTokenData.user_token_active)
Ejemplo n.º 13
0
 def POST(self):
     
     # Reads the token in the HTTP request parameters
     token = web.input(token=None).token
     
     # Checks if the token is valid
     user_token = UserToken.get_token(token)
     
     if user_token is None or user_token.expired:
         raise http.Forbidden()
     
     # The fieldset is bound to the form data & the session : the token is passed because it contains the level
     user_fieldset = user_forms.NewUserFieldSet(user_token).bind(data=web.input(), session=config.orm)
     
     # Synchronizes the fieldset & registers a delayed login of the user (because the user id is not available yet)
     if user_fieldset.validate():
         user_fieldset.sync()
         http.register_hook(lambda: session.login_workflow(user_fieldset.model))
         raise web.seeother("/")
     else:
         return config.views.layout(config.views.creation_form(user_fieldset))
Ejemplo n.º 14
0
 def post(self):
     auth_header = request.headers.get('Authorization')
     if auth_header:
         access_token = auth_header.split(" ")[1]
         user_id = Users.decode_token(access_token)
         if not isinstance(user_id, int):
             response = {'status': 'fail', 'message': user_id}
             return response, 403
         else:
             save_used_token = UserToken(token=access_token)
             # insert the token
             db.session.add(save_used_token)
             db.session.commit()
             responseObject = {
                 'status': 'success',
                 'message': 'Successfully logged out.'
             }
             return make_response(jsonify(responseObject), 200)
     response = {
         'status': 'fail',
         'message': 'Authorization is not provided'
     }
     return response, 500
Ejemplo n.º 15
0
    def POST(self):

        # Reads the token in the HTTP request parameters
        token = web.input(token=None).token

        # Checks if the token is valid
        user_token = UserToken.get_token(token)

        if user_token is None or user_token.expired:
            raise http.Forbidden()

        # The fieldset is bound to the form data & the session : the token is passed because it contains the level
        user_fieldset = user_forms.NewUserFieldSet(user_token).bind(
            data=web.input(), session=config.orm)

        # Synchronizes the fieldset & registers a delayed login of the user (because the user id is not available yet)
        if user_fieldset.validate():
            user_fieldset.sync()
            http.register_hook(
                lambda: session.login_workflow(user_fieldset.model))
            raise web.seeother("/")
        else:
            return config.views.layout(
                config.views.creation_form(user_fieldset))
Ejemplo n.º 16
0
async def access_control(request: Request, call_next):
    request.state.req_time = D.datetime()
    request.state.start = time.time()
    request.state.inspect = None
    request.state.user = None
    request.state.service = None

    ip = request.headers[
        "x-forwarded-for"] if "x-forwarded-for" in request.headers.keys(
        ) else request.client.host
    request.state.ip = ip.split(",")[0] if "," in ip else ip
    headers = request.headers
    cookies = request.cookies

    url = request.url.path
    if await url_pattern_check(url,
                               EXCEPT_PATH_REGEX) or url in EXCEPT_PATH_LIST:
        response = await call_next(request)
        if url != "/":
            await api_logger(request=request, response=response)
        return response

    try:
        if url.startswith("/api"):
            # api 인경우 헤더로 토큰 검사
            if url.startswith("/api/services"):
                qs = str(request.query_params)
                qs_list = qs.split("&")
                session = next(db.session())
                if not config.conf().DEBUG:
                    try:
                        qs_dict = {
                            qs_split.split("=")[0]: qs_split.split("=")[1]
                            for qs_split in qs_list
                        }
                    except Exception:
                        raise ex.APIQueryStringEx()

                    qs_keys = qs_dict.keys()

                    if "key" not in qs_keys or "timestamp" not in qs_keys:
                        raise ex.APIQueryStringEx()

                    if "secret" not in headers.keys():
                        raise ex.APIHeaderInvalidEx()

                    api_key = ApiKeys.get(session=session,
                                          access_key=qs_dict["key"])

                    if not api_key:
                        raise ex.NotFoundAccessKeyEx(api_key=qs_dict["key"])
                    mac = hmac.new(bytes(api_key.secret_key, encoding='utf8'),
                                   bytes(qs, encoding='utf-8'),
                                   digestmod='sha256')
                    d = mac.digest()
                    validating_secret = str(
                        base64.b64encode(d).decode('utf-8'))

                    if headers["secret"] != validating_secret:
                        raise ex.APIHeaderInvalidEx()

                    now_timestamp = int(D.datetime(diff=9).timestamp())
                    if now_timestamp - 10 > int(
                            qs_dict["timestamp"]) or now_timestamp < int(
                                qs_dict["timestamp"]):
                        raise ex.APITimestampEx()

                    user_info = to_dict(api_key.users)
                    request.state.user = UserToken(**user_info)

                else:
                    # Request User 가 필요함
                    if "authorization" in headers.keys():
                        key = headers.get("Authorization")
                        api_key_obj = ApiKeys.get(session=session,
                                                  access_key=key)
                        user_info = to_dict(
                            Users.get(session=session, id=api_key_obj.user_id))
                        request.state.user = UserToken(**user_info)
                        # 토큰 없음
                    else:
                        if "Authorization" not in headers.keys():
                            raise ex.NotAuthorized()
                session.close()
                response = await call_next(request)
                return response
            else:
                if "authorization" in headers.keys():
                    token_info = await token_decode(
                        access_token=headers.get("Authorization"))
                    request.state.user = UserToken(**token_info)
                    # 토큰 없음
                else:
                    if "Authorization" not in headers.keys():
                        raise ex.NotAuthorized()
        else:
            # 템플릿 렌더링인 경우 쿠키에서 토큰 검사
            cookies[
                "Authorization"] = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MTQsImVtYWlsIjoia29hbGFAZGluZ3JyLmNvbSIsIm5hbWUiOm51bGwsInBob25lX251bWJlciI6bnVsbCwicHJvZmlsZV9pbWciOm51bGwsInNuc190eXBlIjpudWxsfQ.4vgrFvxgH8odoXMvV70BBqyqXOFa2NDQtzYkGywhV48"

            if "Authorization" not in cookies.keys():
                raise ex.NotAuthorized()

            token_info = await token_decode(
                access_token=cookies.get("Authorization"))
            request.state.user = UserToken(**token_info)
        response = await call_next(request)
        await api_logger(request=request, response=response)
    except Exception as e:

        error = await exception_handler(e)
        error_dict = dict(status=error.status_code,
                          msg=error.msg,
                          detail=error.detail,
                          code=error.code)
        response = JSONResponse(status_code=error.status_code,
                                content=error_dict)
        await api_logger(request=request, error=error)

    return response
Ejemplo n.º 17
0
def get_valid_token(db_session, username=None):
    if username is None:
        username = generate_username()

    user = User(username, generate_password(), db_session=db_session)
    return str(UserToken(user, db_session=db_session))
Ejemplo n.º 18
0
    def test_all(self):

        all_user_tokens = UserToken.all()
        self.assertEqual(len(all_user_tokens), 2)
        [self.assertIsInstance(token, UserToken) for token in all_user_tokens]
Ejemplo n.º 19
0
 def test_all(self):
     
     all_user_tokens = UserToken.all()
     self.assertEqual(len(all_user_tokens), 2)
     [self.assertIsInstance(token, UserToken) for token in all_user_tokens]