async def create_story( story: schemas.StoryCreate, request: Request, db: Session = Depends(get_db), ): token_data = await main.get_token_if_present(request) user = main.get_user_from_token(db, token_data) story_to_update = main.get_existing_story(user, token_data, db) if story_to_update: db_story = crud.update_story(db, story_to_update, story) else: db_story = crud.create_story(db=db, story=story, user=user) jsonStory = jsonable_encoder(schemas.Story.from_orm(db_story)) # prepare response response = JSONResponse(jsonStory, status_code=200) if not token_data: access_token = main.create_access_token(data={"story_id": db_story.id}) response.set_cookie( "Authorization", value=f"Bearer {access_token}", httponly=True, ) return response
async def check_in(commander_check_in: CommanderCheckIn): """ Post your name to receive key to control room """ name = unidecode(commander_check_in.name) if name not in [c.name for c in commanders]: commander = Commander(name) commanders.append(commander) reactors.append(ReactorCore(commander.uuid)) content = { "message": f"Take the key to your control room. " f"Keep it safe. use it as resource path to check on your RMBK-100 reactor! " "Use following: /{key}/control_room to gain knowledge how to operate reactor. " "You may see if the core is intact here: /{key}/reactor_core . " "If anything goes wrong push AZ-5 safety button to put all control rods in place!" "Good luck Commander.", "key": f"{commander.uuid}" } response = JSONResponse(status_code=status.HTTP_201_CREATED, content=content) response.set_cookie( "secret_documentation", "Reactor will blow up if it is poisoned, overpowered and you press AZ5" f"${{flag_keeper_of_secrets_{commander.name}}}") return response else: return JSONResponse( status_code=422, content={ "message": "A spy?! That Power Plant Tech Commander has already checked in!" })
async def login_for_access_token( request: Request, form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db), ): token_data = await main.get_token_if_present(request) user = crud.authenticate_user(form_data.username, form_data.password, token_data, db) if not user: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect email or password", headers={"WWW-Authenticate": "Bearer"}, ) access_token = main.create_access_token(data={"email": user.email}) response = JSONResponse({}, status_code=200) response.set_cookie( "Authorization", value=f"Bearer {access_token}", httponly=True, # max_age=os.environ["COOKIE_EXPIRATION_SECONDS"], # expires=os.environ["COOKIE_EXPIRATION_SECONDS"], ) return response
async def bookmark(request: Request): if not request.session.get("user"): raise HTTPException(404) resource_id = request.path_params.get("resource_id") user = request.session["user"] bookmarks = user.get("bookmarks") or [] if request.method == "DELETE": if resource_id not in bookmarks: return JSONResponse({"error": "Materialet var ikke bogmærket"}) # update db # bookmark = {"user_id": user["openid"], "resource_id": resource_id} # await queries.delete_bookmark(bookmark) # update session bookmarks.remove(resource_id) user["bookmarks"] = bookmarks # generate response response = JSONResponse({"msg": "Bogmærke fjernet"}) response.set_cookie("user", user) return response
async def login( response: JSONResponse, internal_user: str = Depends(auth_token_scheme) ) -> JSONResponse: """ Login endpoint for authenticating a user after he has received an authentication token. If the token is valid it generates an access token and inserts it in a HTTPOnly cookie. Args: internal_auth_token: Internal authentication token Returns: response: A JSON response with the status of the user's session """ async with exception_handling(): access_token = await auth_util.create_internal_access_token( InternalAccessTokenData( sub=internal_user.internal_sub_id, ) ) response = JSONResponse( content=jsonable_encoder({ "userLoggedIn": True, "userName": internal_user.username, }), ) # Make this a secure cookie for production use response.set_cookie(key="access_token", value=f"Bearer {access_token}", httponly=True) return response
async def searches(request: Request): if not request.session.get("user"): raise HTTPException(404) user = request.session["user"] searches = user.get("searches", []) if request.method == "GET": context = {"request": request, "user": user} # searches = await queries.get_searches(user["openid"]) if searches: context["searches"] = searches return render("users/searches.html", context) if request.method == "POST": search = await request.json() url = search.get("url") if not url: return JSONResponse({"error": "Manglende søgestreng"}) if url in searches: return JSONResponse({"error": "Søgningen var allerede gemt"}) # update db # search = {"user_id": user["openid"], "url": url, "description": search.get("description")} # await queries.insert_search(search) # update session user["searches"] = searches.extend(url) # generate response response = JSONResponse({"msg": "Søgning gemt"}) response.set_cookie("user", user) return response
async def authenticate(form_data: OAuth2PasswordRequestForm = Depends()): """Verify login details and issue JWT in httpOnly cookie. Raises: HTTPException: 401 error if username or password are not recognised. """ user = _USER_DB.get(form_data.username) if user["password"] != form_data.password: raise HTTPException(status_code=401, detail="Incorrect email or password") data = { "user": form_data.username, "user_id": user["user_id"], "scopes": user["scopes"], } issued_at = datetime.utcnow() expire = issued_at + timedelta(minutes=15) data.update({"exp": expire, "iat": issued_at, "sub": "jwt-cookies-test"}) encoded_jwt = jwt.encode(data, "i am a secret", algorithm="HS256").decode("utf-8") response = JSONResponse({"status": "authenticated"}) # NOTE: we should also set secure=True to mark this as a `secure` cookie # https://tools.ietf.org/html/rfc6265#section-4.1.2.5 response.set_cookie(oauth2_scheme.token_name, encoded_jwt, httponly=True) return response
async def google_login_auth(request): token = await oauth.google.authorize_access_token(request) user = await oauth.google.parse_id_token(request, token) if not user["email_verified"]: return JSONResponse({"error": "Email not verified"}, status_code=400) email = user["email"] user = await services.social_login( SocialLoginInput( email=email, social_account=SocialAccount( social_id=user["sub"], fullname=user["name"], first_name=user["given_name"], last_name=user["family_name"], ), ), users_repository=request.state.users_repository, ) # response = RedirectResponse(url="/") # Temporary response = JSONResponse({"ok": True}) response.set_cookie( SOCIAL_LOGIN_JWT_COOKIE_NAME, json.dumps({"jwt": user.generate_token()}) ) return response
async def login_for_access_token(login_data: LoginParam, db: Session = Depends(deps.get_db)): user = crud.user.authenticate_user(db, login_data.login, login_data.password) if not user: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect username or password", headers={"WWW-Authenticate": "Bearer"}, ) access_token = crud.user.create_access_token(data={ "sub": user.login, }) response = JSONResponse(content={"details": "ok"}) response.set_cookie(settings.access_token_cookie_name, access_token, max_age=settings.token_expire_minutes * 60, secure=settings.secure_cookie, httponly=True, samesite="strict") csrf_token = secrets.token_hex(12) response.set_cookie(settings.csrf_token_cookie_name, csrf_token, max_age=settings.token_expire_minutes * 60, secure=settings.secure_cookie, httponly=False, samesite="strict") return response
def format_response(self, user: User, token: str, status_code: int = HTTP_200_OK): schema = UserSchema() user_data = schema.dump(user) response = JSONResponse( { "success": True, "result": user_data, "token": token }, status_code=status_code, ) response.set_cookie( AUTH_COOKIE_NAME, token, expires=settings.AUTH_EXPIRES, path=settings.COOKIE_PATH, domain=settings.APP_DOMAIN, secure=not settings.DEBUG, httponly=True, ) return response
def create_new_user(token: str, database: Session): new_user_id = "".join( random.choices(string.ascii_letters + string.digits, k=32)) crud.create_user( database, schemas.UserCreate(access_token=token, user_id=new_user_id)) content = {"message": "OK"} response = JSONResponse(content=content) response.set_cookie(key="user_id", value=new_user_id) return response
async def signin(request): if request.method == "GET": return home(request) if request.method == "POST": data = await request.json() message, status, session_id = await Auth.LoginUser.execute(data) response = JSONResponse(message, status) response.set_cookie('session_id', session_id) return response
async def route_login_and_set_cookie(api_key: APIKey = Depends(get_api_key)): response = JSONResponse({"you are authenticated": "yes you are"}) response.set_cookie( API_KEY_NAME, value=api_key, domain=COOKIE_DOMAIN, httponly=True, max_age=1800, expires=1800, ) return response
async def login_check(req): data = await req.json() username = data.get("username") password = data.get("password") if not username: return JSONResponse({"retcode": 1, "stderr": "用户名不能为空"}) if not password: return JSONResponse({"retcode": 1, "stderr": "密码不能为空"}) username = username.strip() password = password.strip() if username == config_info("username") and password == config_info( "password"): # 审计记录 await audit_record(event=f"{username}登陆", event_type="login", level=1, timestamp=time.strftime("%Y-%m-%d %H:%M:%S")) # session: key=hash(username), value=hash(user-agent, 客户端的浏览器环境) user_agent = "user-agent-default" headers = req.scope.get("headers") if isinstance(headers, (list, )): for k, v in headers: if k == "user-agent": user_agent = v username_hash = hmac_salt(SALT, username) SESSION.setex(key=username_hash, value=hmac_salt(SALT, user_agent), ttl=EXPIRE) resp = JSONResponse({"retcode": 0, "stdout": "/"}) # cookies: key=uid, value=hash(username) resp.set_cookie( key="uid", value=username_hash, max_age=EXPIRE, expires=EXPIRE, path="/", domain=None, # 只允许在https访问 secure=False, # 防止xss httponly=True, ) return resp return JSONResponse({"retcode": 1, "stderr": "用户信息校验失败"})
async def get_login(api_key: APIKey = Depends(get_api_key)): content = {"message": "Logged In Successfully!"} response = JSONResponse(content=content) response.set_cookie( API_KEY_NAME, value=api_key, domain=COOKIE_DOMAIN, httponly=True, max_age=1800, expires=1800, ) return response
async def login(request: Request = None, db: Session = Depends(get_db)): token = await create_access_token(request, db) response = JSONResponse({"access_token": token, "token_type": "bearer"}) response.set_cookie( key=COOKIE_AUTHORIZATION_NAME, value=f"Bearer {token}", domain=COOKIE_DOMAIN, httponly=True, max_age=1800, expires=1800, ) return response
async def csrf(request): # pylint: disable=unused-argument """CSRF route. Set the CSRF cookie and return a `JSONResponse with the token`. We need this REST endpoint to protect against CSRF because all GraphQL queries use POST method, so they are not safe to transmit the token. """ token = get_new_token() response = JSONResponse({"csrftoken": token}) response.set_cookie( settings.CSRF_COOKIE_NAME, token, httponly=settings.CSRF_COOKIE_HTTPONLY, secure=settings.CSRF_COOKIE_SECURE, ) return response
async def check_user_and_make_token(request: Request, db: Session = Depends(get_db)): formdata = await request.form() print(request) print(formdata) print("the scopes are .......") #print(formdata.scopes) print(formdata["username"], formdata["password"]) authenticated_user = authenticate_user(db, formdata["username"], formdata["password"]) print(authenticated_user) if authenticated_user is None: raise HTTPException(status_code=401, detail="Invalid username or password") access_token_expires = timedelta(hours=ACCESS_TOKEN_EXPIRE_HOURS) log_info(logging, authenticated_user.email) user_scope = authenticated_user.position # if isinstance(authenticated_user.position, list) else [authenticated_user.position] print("the user scope is........") print(user_scope) access_token = create_access_token(data={ "sub": authenticated_user.email, "scopes": user_scope }, expires_delta=access_token_expires) #################### SUCCESSFULLY LOGED IN USING CUSTOM DETAILS ###################### #crud.logged_in(authenticated_user.id,"custom",request) token = jsonable_encoder(access_token) print("token is----------------------") print(token) response = JSONResponse({"access_token": token, "token_type": "bearer"}) response.set_cookie( key=COOKIE_AUTHORIZATION_NAME, value=f"Bearer {token}", domain=COOKIE_DOMAIN, httponly=True, max_age=10800, # 3 hours expires=10800, # 3 hours ) print(response.__dict__) return response
def login(user_registration: UserRegistration): user = User(user_registration.username, user_registration.password) cookie = None if user in USERS: content = {"message": f"Welcome, {user.username}, in the Primer!"} status_code = status.HTTP_202_ACCEPTED cookie = { "key": "session", "value": "${{flag_{user.uuid}_may_the_4th_b_with_u}}" } else: content = { "message": f"Failed to login. Wrong username or password.", "flag": "${flag_naughty_aint_ya}" } status_code = status.HTTP_401_UNAUTHORIZED response = JSONResponse(content=content, status_code=status_code) if cookie: response.set_cookie(**cookie) return response
async def on_post(self, session: models.Session, username: str, password: str, location: str = None, **kwargs) -> Union[HTMLResponse, JSONResponse]: """ Handle POST requests """ user_data = await self.authenticate(session, username=username, password=password, **kwargs) if not user_data: # ref: OWASP error = "Login failed; Invalid userID or password" html = await run_in_threadpool(self.render, username=username, error=error) return HTMLResponse(content=html, status_code=self.error_status_code) result = await self.payload(user_data) expiry = tz.utcnow() + tz.timedelta(seconds=self.token_expiry) # jwt_encode will convert this to an epoch inside the token result["exp"] = expiry token = await self.jwt_encode(result) result["token"] = token result["exp"] = expiry.isoformat() headers = {"location": location or self.location} response = JSONResponse(content=result, status_code=303, headers=headers) response.set_cookie(self.cookie_name, token, path="/", expires=int(expiry.timestamp()), secure=self.secure) return response
async def external_login( request: Request, form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db), ): user = crud.get_user_by_email(db, email=form_data.username) if not user: new_user = schemas.UserCreate(email=form_data.username, password="") user = crud.create_user(db=db, user=new_user) access_token = main.create_access_token(data={"email": user.email}) response = JSONResponse({}, status_code=200) response.set_cookie( "Authorization", value=f"Bearer {access_token}", httponly=True, # max_age=os.environ["COOKIE_EXPIRATION_SECONDS"], # expires=os.environ["COOKIE_EXPIRATION_SECONDS"], ) return response
def create_cookie(user): # session flag is_found = False # create session value for login user session_str = user['username'] + user['search_engine'] hashed_session = pbkdf2_sha256.hash(session_str) data = {'username': user['username'], 'session': hashed_session} # check if session is created for the user with open('session.txt', 'r') as session_file: sessions = session_file.readlines() for session in sessions: # convert str to json obj session_obj = json.loads(session) if (user['username'] in session_obj['username']): is_found = True break # write session info to a text file if not found if not is_found: with open('session.txt', 'a') as session_file: json.dump(data, session_file) session_file.write('\n') content = {'detail': 'Login success'} response = JSONResponse(content=content, status_code=200) # session cookie settings response.set_cookie( key=user['username'], value=hashed_session, secure=True, max_age=1800, expires=1800, ) return response
async def login(request: Request) -> JSONResponse: """Login user and save him into a session. :return: {"success": bool}. :rtype: JSONResponse """ try: params = await request.json() auth = Authenticator(MONGO) try: user_info = auth.login_user(params["login"], params["password"]) if user_info["success"]: response = JSONResponse(user_info) response.set_cookie("user_token", str(user_info["token"])) response.set_cookie("user_id", str(user_info["id"])) response.set_cookie("username", str(user_info["username"])) return response return JSONResponse({ "success": False, "username": user_info["username"], "userID": user_info["id"], }) except ValueError as err: logger.exception(err) except JSONDecodeError as err: logger.exception(err)
async def login_user(request): # TODO: oauth2-jwt: https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/ # Is data signed? try: session = Session() token = session.query(Tokens).filter_by( idUser=request.user.id).one_or_none() session.commit() except exc.SQLAlchemyError: return JSONResponse({ "message": "Database failure", "code": "1" }, status_code=404) if not token: try: session = Session() token = Tokens(idUser=request.user.id, ) session.add(token) session.commit() except exc.SQLAlchemyError: return JSONResponse( { "message": "Failed to generate token", "code": "1" }, status_code=409) response = JSONResponse({"message": "success"}, status_code=201) response.set_cookie( key="token", value=token.token, max_age=300, path="/", secure=True, # assert it's only valid through SSL/HTTPS samesite="strict", ) return response
async def bookmarks(request: Request): user = request.session["user"] if not user: raise HTTPException(404) bookmarks = user.get("bookmarks") or [] if request.method == "GET": context = {"request": request, "user": user} if bookmarks: context["bookmarks"] = bookmarks # fetch full records # context["bookmarks"] = await api.get_records(id_list=bookmarks) return render("users/bookmarks.html", context) if request.method == "POST": bookmark = await request.json() resource_id = bookmark.get("resource_id") if not resource_id: return JSONResponse({"error": "Manglende materialeID"}) if resource_id in bookmarks: return JSONResponse({"error": "Materialet var allerede bogmærket"}) # update db # bookmark = {"user_id": user["openid"], "resource_id": resource_id} # await queries.insert_bookmark(bookmark) # update session user["bookmarks"] = bookmarks.extend(resource_id) # generate response response = JSONResponse({"msg": "Bogmærke tilføjet"}) response.set_cookie("user", user) return response
async def post_auth(request: Request, watchdog_auth: str = Cookie(''), redirect: str = '/'): # two scene for set new password, update new password if has password, else return the html # 1. not set watchdog_auth; 2. already authenticated password = loads(await request.body())['password'] auth_not_set = not Config.watchdog_auth already_authed = watchdog_auth and watchdog_auth == Config.watchdog_auth need_new_pwd = auth_not_set or already_authed if password: if need_new_pwd: old_password = Config.password Config.password = password await refresh_token() resp = JSONResponse({'ok': True, 'redirect': redirect}) resp.set_cookie('watchdog_auth', Config.watchdog_auth, max_age=Config.cookie_max_age, httponly=True) logger.warning( f'password changed {old_password}->{Config.password}.') return resp elif (await md5_checker(password, Config.watchdog_auth, freq=True)): resp = JSONResponse({'ok': True, 'redirect': redirect}) resp.set_cookie('watchdog_auth', Config.watchdog_auth, max_age=Config.cookie_max_age, httponly=True) logger.info('correct password, login success.') return resp # invalid password, clear cookie resp = JSONResponse({'ok': False}) # resp.set_cookie('watchdog_auth', '') resp.delete_cookie('watchdog_auth') logger.info(f'invalid password: {password}') return resp
async def encrypted_message( credentials: HTTPBasicCredentials = Depends(security)): if has_credentials(credentials): user = User(credentials.username, credentials.password) if not MESSAGES.get(user.uuid): flag = f"${{flag_agency_decryptor_{user.uuid}}}" flag = to_base64(flag) flag = to_base64(flag) flag = rot13(flag) flag = to_base64(flag) flag = to_base64(flag) flag = to_base64(flag) flag = rot13(flag) flag = to_base64(flag) MESSAGES[user.uuid] = {} MESSAGES[user.uuid]["flag"] = flag message_for_hq = f"We serve the People's Internet Network Deciphering Agency" message_for_hq = to_base64(message_for_hq) message_for_hq = rot13(message_for_hq) message_for_hq = to_base64(message_for_hq) message_for_hq = to_base64(message_for_hq) message_for_hq = to_base64(message_for_hq) message_for_hq = rot13(message_for_hq) message_for_hq = rot13(message_for_hq) message_for_hq = rot13(message_for_hq) message_for_hq = to_base64(message_for_hq) message_for_hq = to_base64(message_for_hq) message_for_hq = to_base64(message_for_hq) MESSAGES[user.uuid]["secret"] = message_for_hq response = JSONResponse( content={ "message": MESSAGES.get(user.uuid).get("flag"), "securityInformation": f"Codename {user.uuid}! You will see this message only once!", "secret": "POST /{unique identification number}/headquarters with a decoded secret, " f"but first GET the secret from the /box" }) response.set_cookie("message", "UBURUBUBUBURUBUB") response.set_cookie("secret", "UBUBUBURURURUBUBUBURUB") return response else: response = JSONResponse( status_code=status.HTTP_404_NOT_FOUND, content={"message": "I told you. ONLY ONCE!"}) response.set_cookie("flag", "${flag_there_can_be_only_one}") return response
async def post(self, request: Request) -> Response: # Some middleware (for example CSRF) has already awaited the request # body, and adds it to the request. body = request.scope.get("form") if not body: try: body = await request.json() except JSONDecodeError: body = await request.form() username = body.get("username", None) password = body.get("password", None) return_html = body.get("format") == "html" if (not username) or (not password): error_message = "Missing username or password" if return_html: return self._render_template( request, template_context={"error": error_message}, ) else: raise HTTPException(status_code=422, detail=error_message) # Run pre_login hooks if self._hooks and self._hooks.pre_login: hooks_response = await self._hooks.run_pre_login(username=username) if isinstance(hooks_response, str): return self._get_error_response( request=request, error=hooks_response, response_format="html" if return_html else "plain", ) # Check CAPTCHA if self._captcha: token = body.get(self._captcha.token_field, None) validate_response = await self._captcha.validate(token=token) if isinstance(validate_response, str): if return_html: return self._render_template( request, template_context={"error": validate_response}, ) else: raise HTTPException(status_code=401, detail=validate_response) # Attempt login user_id = await self._auth_table.login(username=username, password=password) if user_id: # Run login_success hooks if self._hooks and self._hooks.login_success: hooks_response = await self._hooks.run_login_success( username=username, user_id=user_id) if isinstance(hooks_response, str): return self._get_error_response( request=request, error=hooks_response, response_format="html" if return_html else "plain", ) else: # Run login_failure hooks if self._hooks and self._hooks.login_failure: hooks_response = await self._hooks.run_login_failure( username=username) if isinstance(hooks_response, str): return self._get_error_response( request=request, error=hooks_response, response_format="html" if return_html else "plain", ) if return_html: return self._render_template( request, template_context={ "error": "The username or password is incorrect." }, ) else: raise HTTPException(status_code=401, detail="Login failed") now = datetime.now() expiry_date = now + self._session_expiry max_expiry_date = now + self._max_session_expiry session: SessionsBase = await self._session_table.create_session( user_id=user_id, expiry_date=expiry_date, max_expiry_date=max_expiry_date, ) if self._redirect_to is not None: response: Response = RedirectResponse( url=self._redirect_to, status_code=HTTP_303_SEE_OTHER) else: response = JSONResponse(content={"message": "logged in"}, status_code=200) if not self._production: message = ( "If running sessions in production, make sure 'production' " "is set to True, and serve under HTTPS.") warnings.warn(message) cookie_value = t.cast(str, session.token) response.set_cookie( key=self._cookie_name, value=cookie_value, httponly=True, secure=self._production, max_age=int(self._max_session_expiry.total_seconds()), samesite="lax", ) return response
async def post(self, request: Request) -> Response: # Some middleware (for example CSRF) has already awaited the request # body, and adds it to the request. body = request.scope.get("form") if not body: try: body = await request.json() except JSONDecodeError: body = await request.form() username = body.get("username", None) password = body.get("password", None) if (not username) or (not password): raise HTTPException( status_code=401, detail="Missing username or password" ) user_id = await self._auth_table.login( username=username, password=password ) if not user_id: if body.get("format") == "html": return self.render_template( request, template_context={ "error": "The username or password is incorrect." }, ) else: raise HTTPException(status_code=401, detail="Login failed") now = datetime.now() expiry_date = now + self._session_expiry max_expiry_date = now + self._max_session_expiry session: SessionsBase = await self._session_table.create_session( user_id=user_id, expiry_date=expiry_date, max_expiry_date=max_expiry_date, ) if self._redirect_to is not None: response: Response = RedirectResponse( url=self._redirect_to, status_code=HTTP_303_SEE_OTHER ) else: response = JSONResponse( content={"message": "logged in"}, status_code=200 ) if not self._production: message = ( "If running sessions in production, make sure 'production' " "is set to True, and serve under HTTPS." ) warnings.warn(message) cookie_value = t.cast(str, session.token) response.set_cookie( key=self._cookie_name, value=cookie_value, httponly=True, secure=self._production, max_age=int(self._max_session_expiry.total_seconds()), samesite="lax", ) return response
async def set_cookie(): """ Set api key into cookies """ response = JSONResponse(f'API key has been set into cookie as {API_KEY_NAME}') response.set_cookie(key=API_KEY_NAME, value=API_KEY_VALUE) return response