def setUp(self): self.app = create_app(config_name="testing") self.user = Users(username="******", email="*****@*****.**", password="******") self.shoppinglist = ShoppingList(owner_id="1", title="Yellow Bananas", description="*****@*****.**") self.shoppinglistitem = ShoppingListItem(owner_id="1", shoppinglist_id="1", item_title="Yellow Bananas with green", item_description="And maracuja") self.usertoken = UserToken(token="a_certain_token") with self.app.app_context(): # create all tables db.create_all()
def login(json):
user = db_session.query(User).filter(
User.name == json['username']).first()
if not user:
return error_reply('User not found', 404)
if not user.is_valid_password(json['password']):
return error_reply('Wrong password', 403)
token = UserToken(user, db_session=db_session)
return jsonify({'token': str(token)})
def post(self):
auth_header = request.headers.get('Authorization')
if auth_header:
access_token = auth_header.split(" ")[1]
user_id = Users.decode_token(access_token)
if not isinstance(user_id, int):
response = {'status': 'fail', 'message': user_id}
return response, 403
else:
save_used_token = UserToken(token=access_token)
# insert the token
db.session.add(save_used_token)
db.session.commit()
responseObject = {
'status': 'success',
'message': 'Successfully logged out.'
}
return make_response(jsonify(responseObject), 200)
response = {
'status': 'fail',
'message': 'Authorization is not provided'
}
return response, 500
async def access_control(request: Request, call_next):
request.state.req_time = D.datetime()
request.state.start = time.time()
request.state.inspect = None
request.state.user = None
request.state.service = None
ip = request.headers[
"x-forwarded-for"] if "x-forwarded-for" in request.headers.keys(
) else request.client.host
request.state.ip = ip.split(",")[0] if "," in ip else ip
headers = request.headers
cookies = request.cookies
url = request.url.path
if await url_pattern_check(url,
EXCEPT_PATH_REGEX) or url in EXCEPT_PATH_LIST:
response = await call_next(request)
if url != "/":
await api_logger(request=request, response=response)
return response
try:
if url.startswith("/api"):
# api 인경우 헤더로 토큰 검사
if url.startswith("/api/services"):
qs = str(request.query_params)
qs_list = qs.split("&")
session = next(db.session())
if not config.conf().DEBUG:
try:
qs_dict = {
qs_split.split("=")[0]: qs_split.split("=")[1]
for qs_split in qs_list
}
except Exception:
raise ex.APIQueryStringEx()
qs_keys = qs_dict.keys()
if "key" not in qs_keys or "timestamp" not in qs_keys:
raise ex.APIQueryStringEx()
if "secret" not in headers.keys():
raise ex.APIHeaderInvalidEx()
api_key = ApiKeys.get(session=session,
access_key=qs_dict["key"])
if not api_key:
raise ex.NotFoundAccessKeyEx(api_key=qs_dict["key"])
mac = hmac.new(bytes(api_key.secret_key, encoding='utf8'),
bytes(qs, encoding='utf-8'),
digestmod='sha256')
d = mac.digest()
validating_secret = str(
base64.b64encode(d).decode('utf-8'))
if headers["secret"] != validating_secret:
raise ex.APIHeaderInvalidEx()
now_timestamp = int(D.datetime(diff=9).timestamp())
if now_timestamp - 10 > int(
qs_dict["timestamp"]) or now_timestamp < int(
qs_dict["timestamp"]):
raise ex.APITimestampEx()
user_info = to_dict(api_key.users)
request.state.user = UserToken(**user_info)
else:
# Request User 가 필요함
if "authorization" in headers.keys():
key = headers.get("Authorization")
api_key_obj = ApiKeys.get(session=session,
access_key=key)
user_info = to_dict(
Users.get(session=session, id=api_key_obj.user_id))
request.state.user = UserToken(**user_info)
# 토큰 없음
else:
if "Authorization" not in headers.keys():
raise ex.NotAuthorized()
session.close()
response = await call_next(request)
return response
else:
if "authorization" in headers.keys():
token_info = await token_decode(
access_token=headers.get("Authorization"))
request.state.user = UserToken(**token_info)
# 토큰 없음
else:
if "Authorization" not in headers.keys():
raise ex.NotAuthorized()
else:
# 템플릿 렌더링인 경우 쿠키에서 토큰 검사
cookies[
"Authorization"] = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MTQsImVtYWlsIjoia29hbGFAZGluZ3JyLmNvbSIsIm5hbWUiOm51bGwsInBob25lX251bWJlciI6bnVsbCwicHJvZmlsZV9pbWciOm51bGwsInNuc190eXBlIjpudWxsfQ.4vgrFvxgH8odoXMvV70BBqyqXOFa2NDQtzYkGywhV48"
if "Authorization" not in cookies.keys():
raise ex.NotAuthorized()
token_info = await token_decode(
access_token=cookies.get("Authorization"))
request.state.user = UserToken(**token_info)
response = await call_next(request)
await api_logger(request=request, response=response)
except Exception as e:
error = await exception_handler(e)
error_dict = dict(status=error.status_code,
msg=error.msg,
detail=error.detail,
code=error.code)
response = JSONResponse(status_code=error.status_code,
content=error_dict)
await api_logger(request=request, error=error)
return response
def get_valid_token(db_session, username=None):
if username is None:
username = generate_username()
user = User(username, generate_password(), db_session=db_session)
return str(UserToken(user, db_session=db_session))
