def auth():
if request.method == 'GET':
return redirect(url_for('login'))
data = request.form.to_dict()
username = data["username"]
password = data["password"]
if username != ADMIN_USER or password != ADMIN_PASSWORD:
return jsonify({'login': False}), 401
expires = datetime.timedelta(days=1)
access_token = create_access_token(identity=username,
expires_delta=expires)
refresh_token = create_refresh_token(identity=username)
resp = jsonify({
'access_csrf': get_csrf_token(access_token),
'refresh_csrf': get_csrf_token(refresh_token),
'access_token': access_token
})
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp, 200
def post(self):
data = _user_parser.parse_args()
user = UserModel.find_by_email(data["email"])
try:
if user and check_password_hash(user.password, data["password"]):
expires = datetime.timedelta(days=3)
access_token = create_access_token(identity=user.id,
fresh=True,
expires_delta=expires)
refresh_token = create_refresh_token(user.id)
resp = jsonify({
"csrf": get_csrf_token(access_token),
"refresh_csrf": get_csrf_token(refresh_token)
})
resp.status_code = 200
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp
except Exception as e:
return {"msg": "this happened: {}".format(e)}, 500
return {"msg": "invalid credentials"}, 404
def post(self):
json_data = request.get_json()
try:
data = login_schema.load(json_data)
except ma.ValidationError as err:
return {'msg': '400 Bad Request', 'errors': err.messages}, 400
email = data.get('email')
password = data.get('password')
user = User.get_by_email(email)
if user and user.check_password(password):
if not user.is_activated:
return {'msg': 'Activeer je account'}, 403
access_token = jwt.create_access_token(identity=user.id)
refresh_token = jwt.create_refresh_token(identity=user.id)
response = jsonify({
'success':
True,
'a-csrf-token':
jwt.get_csrf_token(access_token),
'r-csrf-token':
jwt.get_csrf_token(refresh_token)
})
jwt.set_access_cookies(response, access_token)
jwt.set_refresh_cookies(response, refresh_token)
return response
return {'msg': 'Fout e-mailadres of wachtwoord'}, 401
def response_with_tokens(user: User) -> Response:
access_token = create_access_token(identity=user.id)
refresh_token = create_refresh_token(identity=user.id)
response = make_response({
"access_csrf": get_csrf_token(access_token),
"refresh_csrf": get_csrf_token(refresh_token),
})
set_access_cookies(response, access_token)
set_refresh_cookies(response, refresh_token)
return response
def post(self):
current_user = get_jwt_identity()
access_token = create_access_token(identity=current_user, fresh=False)
refresh_token = create_refresh_token(current_user)
resp = jsonify({
"csrf": get_csrf_token(access_token),
"refresh_csrf": get_csrf_token(refresh_token)
})
resp.status_code = 200
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp
def login():
SITE_ROOT = os.path.realpath(os.path.dirname(__file__))
json_url = os.path.join(SITE_ROOT, "conf/config.json")
try:
username = request.json.get("email", None)
password = request.json.get("password", None)
mongo_dbh, error_obj = get_mongodb()
if error_obj != {}:
return jsonify(error_obj), 200
user = mongo_dbh["c_users"].find_one({'email' : username })
error = None
if user is None:
error = 'Incorrect username.'
else:
stored_password = user['password'].encode('utf-8')
submitted_password = password.encode('utf-8')
if bcrypt.hashpw(submitted_password, stored_password) != stored_password:
error = 'Incorrect password.'
res_obj = {"status":1}
if error is None:
# Create the tokens we will be sending back to the user
access_token = create_access_token(identity=username)
refresh_token = create_refresh_token(identity=username)
# Return the double submit values in the resulting JSON
# instead of in additional cookies
res_obj["access_csrf"] = get_csrf_token(access_token)
res_obj["refresh_csrf"] = get_csrf_token(refresh_token)
res_obj["username"] = username
res_obj = jsonify(res_obj)
# We still need to call these functions to set the
# JWTs in the cookies
set_access_cookies(res_obj, access_token)
set_refresh_cookies(res_obj, refresh_token)
else:
res_obj = jsonify({"status":0, "error":error})
except Exception as e:
res_obj = jsonify(log_error(traceback.format_exc()))
return res_obj, 200
def refresh():
'''
Get the user's id from their refresh_token and create
a new access token that will be returned in the response
Returns {Object<json>} 200
success: {string}
'''
# Get the user's id from refresh token cookie
public_id = get_jwt_identity()
# If no user id, return error
if not public_id:
return jsonify({'error': 'Invalid user request.'}), 400
# Create access tokens
expires = timedelta(seconds=1800)
access_token = create_access_token(identity=public_id,
expires_delta=expires)
# Get newly created csrf access token to return as header
csrf_access_token = get_csrf_token(access_token)
# Create json response and return access cookies and header
response = make_response(
jsonify({'success': 'Access token has been refreshed.'}), 200)
set_access_cookies(response, access_token)
response.headers['access'] = csrf_access_token
return response
def test_post_protected_endpoint_users(client, example_user, example_user_data, registered_user, example_group, monkeypatch):
''' Access a restricted API endpoint using CSRF token signature
1) Find user
2) Delete user
'''
import jots.webapp
with client.application.app_context():
access_token = create_access_token(example_user.properties.email)
csrf_code = get_csrf_token(access_token)
client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token)
headers = {"Content-Type": "application/json",
"X-CSRF-TOKEN": csrf_code}
#1
post_data = {"email": example_user.properties.email}
result = client.post("/api/v1/users/find",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert example_user.properties.email in result.json
#2
post_data = {"userid": example_user.properties.userId}
result = client.post("/api/v1/users/delete",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert "result" in result.json
def post(self):
current_user = get_jwt_identity()
logger.info(current_user)
access_token = create_access_token(identity = current_user)
resp = jsonify({'refresh': True, 'access_csrf': get_csrf_token(access_token)})
set_access_cookies(resp, access_token)
return resp
def post(self):
user = jwt.get_jwt_identity()
access_token = jwt.create_access_token(identity=user)
response = jsonify({
'success': True,
'a-csrf-token': jwt.get_csrf_token(access_token),
})
jwt.set_access_cookies(response, access_token)
return response
def post(self):
"""Refresh token endpoint.
Get a new access token without requiring username and password—only the 'refresh token'
provided in the /login endpoint. This will generate a new access token from the refresh token,
but will mark that access token as non-fresh, as we do not actually verify a password in this endpoint.
Note that refreshed access tokens have a `fresh=False`, which means that the user may have not
given us their username and password for potentially a long time (if the token has been
refreshed many times over).
---
tags:
- Auth
responses:
200:
description: The refreshed token
"""
current_user = get_current_user()
# Create the new access token and save it to database
new_access_token = create_access_token(identity=current_user,
fresh=False)
add_token_to_database(new_access_token,
current_app.config['JWT_IDENTITY_CLAIM'])
raw_response = {'refresh': True, 'access_token': new_access_token}
if not current_app.config['JWT_CSRF_IN_COOKIES']:
# Return the double submit values in the resulting JSON
# instead of in additional cookies
raw_response.update(
{'access_csrf': get_csrf_token(new_access_token)})
# Create the response object
resp = jsonify(raw_response)
resp.status_code = 200
# This header is used for Swagger-UI, it uses this header to authenticate the following requests.
resp.headers.extend({'jwt-token': new_access_token})
resp.headers.extend({'access_csrf': get_csrf_token(new_access_token)})
# Set the JWT access cookie in the response (useful for browser apps only)
# We need to call these functions to set the JWTs in the httpOnly cookies
set_access_cookies(resp, new_access_token)
return resp
def post(self):
'''
get the user credentials from the request
verify the credentials, generate the access and refresh token,
set the tokens in the cookies
return the response
'''
data = validate_user(request.get_json())
if data['ok']:
user_data = data['user_data']
user = User.query.filter_by(email=user_data['email']).first()
# verify the user credentials
if user is None or not user.verify_password(user_data['password']):
return jsonify({"ok": False, "message": "Invalid Credentials"}), 401
if not user.active:
return jsonify({"ok": False, "message": "Unverified Email"}), 401
del user_data['password']
access_token = create_access_token(identity=user_data, fresh=True)
refresh_token = create_refresh_token(identity=user_data)
# set the tokens in cookies
response = jsonify({
"ok": True,
"logged_in_as": user.email,
"avatar": user.avatar(128),
"message": "Login Successful",
"access_csrf": get_csrf_token(access_token),
"refresh_csrf": get_csrf_token(refresh_token)
})
set_access_cookies(response, access_token)
set_refresh_cookies(response, refresh_token)
return response, 200
else:
return jsonify({"ok": False, "message": "Invalid Credentials"}), 401
def post(self):
current_user = get_jwt_identity()
access_token = create_access_token(identity=current_user, fresh=False)
response = jsonify({
"ok": True,
"access_csrf": get_csrf_token(access_token)
})
set_access_cookies(response, access_token)
return response, 200
def login():
data = request.get_json()
user_model = User()
result = user_model.login_user(parameter=data.get("username"), password = data.get("password"))
if result:
# store session
parameter = data.get("username")
user = user_model.get(parameter=parameter)
access_token = create_access_token(identity=user.get("username"))
refresh_token = create_refresh_token(identity=user.get("username"))
resp = jsonify({
'login': True,
'access_csrf': get_csrf_token(access_token),
'refresh_csrf': get_csrf_token(refresh_token)})
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp, 200
return jsonify({"message": "bad username, email or password"}), 400
def post(self):
args = login_schema.dump(request.form).data
usuario = UsuarioModel.autenticate(args['usuario'], args['senha'])
if usuario:
# cria tokens
access_token = create_access_token(usuario)
refresh_token = create_refresh_token(usuario)
# resposta com csrf's
res = jsonify({
'access_csrf': get_csrf_token(access_token),
'refresh_csrf': get_csrf_token(refresh_token)
})
# Set the JWT cookies in the response
set_access_cookies(res, access_token)
set_refresh_cookies(res, refresh_token)
return res
else:
return jsonify({'login': False}), 401
def test_refresh_token(app):
refresh_token = create_refresh_token(identity=_SOME_USER_ID)
response = app.post(
"/auth/refresh",
headers={"Authorization": f"Bearer {refresh_token}"},
)
cookie = next(cookie for cookie in app.cookie_jar
if cookie.name == "access_token_cookie")
access_csrf = response.get_json()["access_csrf"]
assert access_csrf == get_csrf_token(cookie.value)
def post(self):
args = login_schema.dump(request.form)
usuario = UsuarioModel.autenticate(args['usuario'], args['senha'])
if usuario:
access_token = create_access_token(usuario, fresh=True)
res = jsonify({'access_csrf': get_csrf_token(access_token)})
set_access_cookies(res, access_token)
return res
else:
return {'error': 'Usuário ou Senha incorreto'}, 400
def _build_login_response(user, set_cookies):
access_token = create_access_token(identity=user.id_, expires_delta=False)
response = marshal_data(user, USER_SCHEMA)
response["csrf_token"] = get_csrf_token(access_token)
if set_cookies:
response = jsonify(response)
set_access_cookies(response, access_token, 10000000000)
response = make_response(response, 200)
response.mimetype = "application/json"
else:
response["access_token"] = access_token
return response
def setUp(self):
self.client = test_app.test_client()
self.connection = get_db_connection()
self.cursor = self.connection.cursor()
self.test_username = '******'
self.test_email = '*****@*****.**'
user_id = init_test_db(self.cursor, self.test_username,
self.test_email)
with test_app.app_context():
self.access_token = create_access_token(identity=user_id)
self.refresh_token = create_refresh_token(identity=user_id)
self.csrf_access = get_csrf_token(self.access_token)
self.csrf_refresh = get_csrf_token(self.refresh_token)
self.access_header = {'X-CSRF-TOKEN': f'{self.csrf_access}'}
self.client.set_cookie('localhost',
'access_token_cookie',
value=self.access_token)
self.client.set_cookie('localhost',
'refresh_token_cookie',
value=self.refresh_token)
self.connection.commit()
def mock_login(uid=None):
my_session = requests.session()
access_token = None
csrf_token = None
my_identity = default_user_ids['Owner'] if not uid else uid
with APP.app_context():
access_token = create_access_token(identity=my_identity)
refresh_token = create_refresh_token(identity=my_identity)
csrf_token = get_csrf_token(access_token)
csrf_refresh_token = get_csrf_token(refresh_token)
print('access_token: ', str(access_token))
print('csrf_token: ', str(csrf_token))
print('refresh_token: ', str(refresh_token))
print('csrf_refresh_token: ', str(csrf_refresh_token))
my_access_cookie = requests.cookies.create_cookie(name='access_token_cookie', value=access_token, domain=os.environ['TEST_HOST'])
my_session.cookies.set_cookie(my_access_cookie)
my_refresh_cookie = requests.cookies.create_cookie(name='refresh_token_cookie', value=refresh_token, domain=os.environ['TEST_HOST'])
my_session.cookies.set_cookie(my_refresh_cookie)
return {
'session': my_session,
'csrf_token': csrf_token,
'csrf_refresh_token': csrf_refresh_token
}
def refresh_token():
current_user = get_jwt_identity()
access_token = create_access_token(identity=current_user)
response_body = {
'refresh': True,
'access_csrf_token': get_csrf_token(access_token)
}
response = make_response(response_body)
set_access_cookies(response, access_token)
return response
def login():
body = rebar.validated_body
username = body['username']
password = body['password']
user = User.query.filter_by(username=username).first()
if user and bcrypt.checkpw(password, user.password):
access_token = create_access_token(identity=user.id)
refresh_token = create_refresh_token(identity=user.id)
response_body = {
'login': True,
'access_csrf_token': get_csrf_token(access_token),
'refresh_csrf_token': get_csrf_token(refresh_token)
}
response = make_response(response_body)
set_access_cookies(response, access_token)
set_refresh_cookies(response, refresh_token)
return response
else:
return {'login': False}, 401
def test_user_registration(app):
response = app.post(
"/auth/register",
json={
"email": _SOME_USER_NEW_EMAIL,
"name": _SOME_USER_NAME,
"password": _SOME_USER_PASSWORD,
},
)
assert response.status_code == 201
cookie = next(cookie for cookie in app.cookie_jar
if cookie.name == "access_token_cookie")
access_csrf = response.get_json()["access_csrf"]
assert get_csrf_token(cookie.value) == access_csrf
def test_post_protected_endpoint_apps(client, example_user, example_user_data, registered_user, example_group, monkeypatch):
''' Access a restricted API endpoint using CSRF token signature
1) Create app
2) Find app
3) Get app key
'''
import jots.webapp
with client.application.app_context():
access_token = create_access_token(example_user.properties.email)
csrf_code = get_csrf_token(access_token)
client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token)
headers = {"Content-Type": "application/json",
"X-CSRF-TOKEN": csrf_code}
#1
post_data = {"appname": "newappA"}
result = client.post("/api/v1/apps/new",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert "newappA" in result.json
new_app_id = result.json['newappA']['id']
new_app_key = result.json['newappA']['key']
new_app_secret = result.json['newappA']['secret']
#2
post_data = {"appname": "newappA"}
result = client.post("/api/v1/apps/find",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert "newappA" in result.json
assert result.json['newappA'] == new_app_id
#3
result = client.get("/api/v1/apps/{}/key".format(new_app_id),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert result.data.decode('utf-8') == new_app_key
def test_success_to_logout_logged_in_user(self):
with self.flask_app.test_client() as client:
access_token = ''
with self.flask_app.app_context():
identity = {
'id': '1',
'username': EXIST_USERNAME,
}
access_token = create_access_token(identity=identity)
csrf_token = get_csrf_token(access_token)
client.set_cookie('.example.com', 'access_token_cookie', access_token)
res = client.post('/auth/logout', headers={
'X-CSRF-TOKEN': csrf_token,
})
res_json = res.get_json()
self.assertEqual(res.status_code, 200)
self.assertEqual(res_json['code'], 200)
self.assertEqual(res_json['data']['user']['username'], EXIST_USERNAME)
self.assertEqual(len(res.headers.getlist('Set-Cookie')), 4) # access_token_cookie, csrf_access_token, refresh_token_cookie, csrf_refresh_token
def login():
try:
username = request.json.get('username', '')
password = request.json.get('password', '')
if not username:
raise ValueError('Username is required.')
elif not password:
raise ValueError('Password is required.')
except Exception as e:
raise BadRequest(message=e)
conn = current_app.db_engine.connect()
query = select([
users.c.id,
users.c.username,
users.c.password,
]).where(users.c.username == username)
result = conn.execute(query)
row = result.fetchone()
result.close()
if not row or not check_password_hash(row[users.c.password], password):
raise Unauthorized('Unauthorized user.')
identity = {
'id': row[users.c.id],
'username': row[users.c.username],
}
access_token = create_access_token(identity=identity)
csrf_token = get_csrf_token(access_token)
resp = jsonify(code=200,
data={
'user': identity,
'access_token': access_token,
'csrf_token': csrf_token,
})
set_access_cookies(resp, access_token)
return resp
def post(self):
"""This endpoint allows a user to login with the right credentials
First line is the summary
All following lines until the hyphens is added to description
the format of the first lines until 3 hyphens will be not yaml compliant
but everything below the 3 hyphens should be.
---
tags:
- Auth
parameters:
- in: body
name: body
schema:
type: object
properties:
username:
type: string
required: true
description: The username of the user
password:
type: string
required: true
description: The password of the user
responses:
201:
description: User logged in successfully
schema:
type: object
properties:
message:
type: string
default: User logged in successfully
401:
id: message
description: User not logged in
schema:
type: object
properties:
message:
type: string
default: Wrong credentials
422:
id: message
description: Data sent not possible to understand
schema:
type: object
properties:
message:
type: string
default: Missing JSON in request
"""
if not request.is_json:
response = jsonify({"message": "Missing JSON in request"})
response.status_code = 422
return response
data = UserLogin.parser.parse_args()
current_user = UserModel.find_by_username(data['username'])
if current_user and UserModel.verify_hash(data['password'],
current_user.password):
# create_access_token supports an optional 'fresh' argument,
# which marks the token as fresh or non-fresh accordingly.
# As we just verified their username and password, we are
# going to mark the token as fresh here.
access_token = create_access_token(identity=current_user,
fresh=True)
refresh_token = create_refresh_token(identity=current_user)
# Store the tokens in our store with a status of not currently revoked.
add_token_to_database(access_token,
current_app.config['JWT_IDENTITY_CLAIM'])
add_token_to_database(refresh_token,
current_app.config['JWT_IDENTITY_CLAIM'])
raw_response = {
'message': 'Logged in as {}'.format(current_user.username),
'access_token': access_token,
'refresh_token': refresh_token,
'user_id': current_user.id,
}
# Processing the request coming from a web browser applications
# like Swagger UI (provided in Flasgger), we setup some cookies httpOnly and headers automatically.
req_headers = request.headers.get('Referer', None)
if req_headers:
# This header is used for Swagger-UI, it uses this header to authenticate the following requests.
# response.headers.extend({'jwt-token': access_token})
if not current_app.config['JWT_CSRF_IN_COOKIES']:
# Return the double submit values in the resulting JSON
# instead of in additional cookies
raw_response.update({
'access_csrf':
get_csrf_token(access_token),
'refresh_csrf':
get_csrf_token(refresh_token)
})
# Creating the response
response = jsonify(raw_response)
response.status_code = 200
if req_headers:
# We need to call these functions to set the JWTs in the httpOnly cookies, sent through our response object
set_access_cookies(response, access_token)
set_refresh_cookies(response, refresh_token)
else:
response = jsonify({'message': 'Wrong credentials'})
response.status_code = 401
return response
def test_post_protected_endpoint_groups(client, example_user, example_user_data, registered_user, example_group, monkeypatch):
''' Access a restricted API endpoint using CSRF token signature
1) Post groupname and confirm found group matches fixtures
2) Add group member
3) Remove group member
4) Create and delete a new group
'''
import jots.webapp
with client.application.app_context():
access_token = create_access_token(example_user.properties.email)
csrf_code = get_csrf_token(access_token)
client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token)
headers = {"Content-Type": "application/json",
"X-CSRF-TOKEN": csrf_code}
#1
post_data = {"groupname": example_group.properties.groupName}
result = client.post("/api/v1/groups/find",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert example_group.properties.groupName in result.json
assert example_group.properties.groupId in result.json[example_group.properties.groupName]
#2
post_data = {"email": registered_user.properties.email}
result = client.post("/api/v1/groups/{}/members/add".format(example_group.properties.groupId),
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert registered_user.properties.userId in result.json
#3
post_data = {"userid": registered_user.properties.userId}
result = client.post("/api/v1/groups/{}/members/remove".format(example_group.properties.groupId),
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert registered_user.properties.userId not in result.json
#4
post_data = {"groupname": "newgroupA"}
result = client.post("/api/v1/groups/new",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert post_data['groupname'] in result.json
new_group_id = result.json[post_data['groupname']]
post_data = {"groupid": new_group_id}
result = client.post("/api/v1/groups/delete",
data=json.dumps(post_data),
headers=headers,
follow_redirects=True)
assert result.status_code == 200
assert "result" in result.json
def post(self):
parser_login.parse_args()
data = request.get_json(force=True)
username = data['username'].lower()
password = data['password']
current_user = User.find_by_username(username)
if not current_user:
return make_response(
jsonify({
"message": {
"success": False,
"field": "username",
"text": 'کاربری با نام کاربری مورد نظر شما پیدا نشد'
}
}), 400)
if current_user.login_attempts == MAX_LOGIN_ATTEMPTS:
current_user.is_verified = False
current_user.is_banned = True
current_user.is_active = False
db.session.add(current_user)
db.session.commit()
msg = "حساب کاربری شما موقتا به حالت تعلیق در آمد لطفا با پشتیبانی سایت تماس حاصل کنید"
return make_response(
jsonify({
'message': {
"success": False,
"field": "banned",
"text": msg
}
}), 401)
if User.verify_hash(password, current_user.password):
if current_user.is_banned:
msg = "متاسفانه حساب کاربری شما در لیست سیاه قرار گرفته است"
return make_response(
jsonify({
'message': {
"success": False,
"field": "blacklist",
"text": msg
}
}), 401)
if not current_user.is_verified:
session['username'] = username
msg = "حساب کاربری شما باید از طریق شماره همراه فعال سازی شود"
return make_response(
jsonify({
'message': {
"success": False,
"field": "verification",
"text": msg
}
}), 401)
expires = timedelta(days=365)
access_token = create_access_token(identity=current_user.username,
expires_delta=expires,
fresh=True)
refresh_token = create_refresh_token(
identity=current_user.username, expires_delta=expires)
resp = jsonify({
'message':
'Logged in as {}'.format(current_user.username),
'access_token':
access_token,
'refresh_token':
refresh_token,
'access_csrf':
get_csrf_token(access_token),
'refresh_csrf':
get_csrf_token(refresh_token)
})
# Set the JWT cookies in the response
redirect_to_auction = False
auction_id = 0
if 'next' in data and "participate" in data['next']:
temp = data['next']
auction_id = temp.split('/')[2]
if (current_user.has_auction(int(auction_id))):
redirect_to_auction = True
if redirect_to_auction:
resp = jsonify({
'message':
'Logged in as {}'.format(current_user.username),
'access_token':
access_token,
'refresh_token':
refresh_token,
'redirect_to_auction':
redirect_to_auction,
'auction_id':
auction_id,
'access_csrf':
get_csrf_token(access_token),
'refresh_csrf':
get_csrf_token(refresh_token)
})
# create orders from session on login
if "orders" in session:
order_schema = OrderSchema(many=True)
for order in session['orders']:
new_order = Order()
item = Item.query.get(order[0]['item']['id'])
saved_before = Order.query.filter_by(
user_id=current_user.id).join(Item).filter_by(
id=item.id).first()
if not saved_before:
#calculate price base on auction participation
total = int(order[0]['total'])
item_price = (item.price - item.discount) * total
discount_status = OrderDiscountStatus.REGULAR
discount = item.discount * total
auction = current_user.auctions.join(Item).filter_by(
id=item.id).first()
if auction:
offer = Offer.query.join(Auction).filter_by(
id=auction.id).order_by(
"offers.created_at DESC").first()
discount_status = OrderDiscountStatus.INAUCTION
if offer and offer.win:
item_price = offer.total_price
discount_status = OrderDiscountStatus.AUCTIONWINNER
total = 1
discount = item.price - offer.total_price
else:
userplan = current_user.user_plans.join(
Auction).filter_by(id=auction.id).first()
auctionplan = AuctionPlan.query.filter_by(
auction_id=auction.id).join(
UserPlan).filter_by(
id=userplan.id).first()
item_price = item.price - auctionplan.discount
total = 1
discount = auctionplan.discount
new_order.item = item
new_order.total_cost = item_price
new_order.total = total
new_order.status = OrderStatus.UNPAID
new_order.discount_status = discount_status
new_order.total_discount = discount
new_order.user = current_user
db.session.add(new_order)
db.session.commit()
session.pop('orders')
# if 'remember_me' in data and data['remember_me']==True:
# login_user(current_user,remember=True)
# else:
# login_user(current_user,remember=False)
expire_date = timedelta(days=365)
set_refresh_cookies(resp, refresh_token, expire_date)
set_access_cookies(resp, access_token, expire_date)
login_user(current_user, remember=True)
return make_response(resp, 200)
else:
current_user.login_attempts += 1
db.session.add(current_user)
db.session.commit()
return make_response(
jsonify({
'message': {
"success": False,
"field": "password",
"text": 'رمز عبور شما نادرست است'
}
}), 401)
def create_user():
"""
This route adds a new user to the database, sends a
confirmation link to the user's email and returns a
success message aa a json object.
Returns {Object<json>} 200
success: {string}
Throws {Exception{Object<json>}}
error: NotAuthorized 401
NoResultFound 404
SQLAlchemyError 400
"""
# Get user's authorization credentials
auth = request.authorization
# If no authorization credentials, return error
if not auth or not auth.username or not auth.password:
return make_response(
jsonify({'error': 'Could not verify!'}), 401,
{'WWW-Authentication': 'Basic realm="Login required!"'})
# Get user data from request
data = request.get_json()
# If name or email is missing, return error
if not data['name'] or not data['email']:
return make_response(jsonify({'error': 'Missing data!'}), 400)
# Create a salted password
random_bytes = urandom(24)
salt = b64encode(random_bytes).decode('utf-8')
salted_password = auth['password'] + salt
# Hash the salted password
hashed_password = generate_password_hash(salted_password,
method='pbkdf2:sha512:80000',
salt_length=20)
# Create user object
user = User(name=data['name'],
email=data['email'],
username=auth['username'],
password=hashed_password,
salt=salt,
created_at=datetime.utcnow())
user.generate_public_id()
# Try to add user to database
try:
db.session.add(user)
db.session.commit()
# If username already in database, return error
except IntegrityError:
return jsonify({'error':
'User with name or email already exists'}), 400
# If some other sqlalchemy error is thrown, return error
except SQLAlchemyError:
return jsonify({'error': 'Some problem occurred!'}), 400
# Serialize the user object
user_schema = UserSchema()
output = user_schema.dump(user).data
# Create the tokens to be sent to the user
expires = timedelta(seconds=1800)
access_token = create_access_token(identity=user.public_id,
expires_delta=expires)
refresh_token = create_refresh_token(identity=user.public_id)
# Get the csrf tokens so they can be set as headers in response
csrf_access_token = get_csrf_token(access_token)
csrf_refresh_token = get_csrf_token(refresh_token)
# Create json response
response = make_response(
jsonify({
'user': output,
'success': 'Login successful!'
}), 200)
# Set JWT cookies and headers and return response
set_access_cookies(response, access_token)
set_refresh_cookies(response, refresh_token)
response.set_cookie('public_id', user.public_id)
response.headers['access'] = csrf_access_token
response.headers['refresh'] = csrf_refresh_token
return response
