def unauthenticated_userid(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Cookie header.
request.add_response_callback(add_vary_callback("Cookie"))
# Dispatch to the real SessionAuthenticationPolicy
return super().unauthenticated_userid(request)
def unauthenticated_userid(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Cookie header.
request.add_response_callback(add_vary_callback("Cookie"))
# Dispatch to the real SessionAuthenticationPolicy
return super().unauthenticated_userid(request)
def wrapper_view(context, request):
try:
cacher = request.find_service(IOriginCache)
except LookupError:
pass
else:
request.add_response_callback(
functools.partial(cacher.cache,
["all-html", renderer.name]))
# This is a custom header set in our VCL based on the _LOCALE_
# cookie value
request.add_response_callback(add_vary_callback("PyPI-Locale"))
return view(context, request)
def unauthenticated_userid(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Authorization header.
request.add_response_callback(add_vary_callback("Authorization"))
# Dispatch to the real basic authentication policy
username = super().unauthenticated_userid(request)
# Assuming we got a username from the basic authentication policy, we
# want to locate the userid from the IUserService.
if username is not None:
login_service = request.find_service(IUserService, context=None)
return str(login_service.find_userid(username))
def unauthenticated_userid(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Authorization header.
request.add_response_callback(add_vary_callback("Authorization"))
# Dispatch to the real basic authentication policy
username = super().unauthenticated_userid(request)
# Assuming we got a username from the basic authentication policy, we
# want to locate the userid from the IUserService.
if username is not None:
login_service = request.find_service(IUserService, context=None)
return str(login_service.find_userid(username))
def unauthenticated_userid(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Authorization header.
request.add_response_callback(add_vary_callback("Authorization"))
# We need to extract our Macaroon from the request.
macaroon = _extract_http_macaroon(request)
if macaroon is None:
return None
# Check to see if our Macaroon exists in the database, and if so
# fetch the user that is associated with it.
macaroon_service = request.find_service(IMacaroonService, context=None)
return str(macaroon_service.find_userid(macaroon))
def identity(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Authorization header.
request.add_response_callback(add_vary_callback("Authorization"))
request.authentication_method = AuthenticationMethod.BASIC_AUTH
credentials = extract_http_basic_credentials(request)
if credentials is None:
return None
username, password = credentials
if not _basic_auth_check(username, password, request):
return None
# Like sessions; basic auth can only authenticate users.
login_service = request.find_service(IUserService, context=None)
return login_service.get_user_by_username(username)
def esi_include(ctx, path, cookies=False):
request = ctx.get("request") or get_current_request()
if request.registry.settings.get("warehouse.prevent_esi", False):
return ""
try:
cacher = request.find_service(IOriginCache)
except ValueError:
subreq = Request.blank(path)
if cookies:
subreq.cookies.update(request.cookies)
request.add_response_callback(add_vary_callback("Cookie"))
resp = request.invoke_subrequest(subreq, use_tweens=True)
include = resp.body.decode(resp.charset)
else:
include = cacher.esi_include(request, path, cookies=cookies)
return jinja2.Markup(include)
def esi_include(ctx, path, cookies=False):
request = ctx.get("request") or get_current_request()
if request.registry.settings.get("warehouse.prevent_esi", False):
return ""
try:
cacher = request.find_service(IOriginCache)
except ValueError:
subreq = Request.blank(path)
if cookies:
subreq.cookies.update(request.cookies)
request.add_response_callback(add_vary_callback("Cookie"))
resp = request.invoke_subrequest(subreq, use_tweens=True)
include = resp.body.decode(resp.charset)
else:
include = cacher.esi_include(request, path, cookies=cookies)
return jinja2.Markup(include)
def identity(self, request):
# If we're calling into this API on a request, then we want to register
# a callback which will ensure that the response varies based on the
# Cookie header.
request.add_response_callback(add_vary_callback("Cookie"))
request.authentication_method = AuthenticationMethod.SESSION
# A route must be matched
if not request.matched_route:
return None
# Session authentication cannot be used for uploading
if request.matched_route.name == "forklift.legacy.file_upload":
return None
userid = self._session_helper.authenticated_userid(request)
if userid is None:
return None
login_service = request.find_service(IUserService, context=None)
# A user might delete their account and immediately issue a request
# while the deletion is processing, causing the session check
# (via authenticated_userid above) to pass despite the user no longer
# existing. We catch that here to avoid raising during the password
# staleness check immediately below.
user = login_service.get_user(userid)
if user is None:
return None
# Our session might be "valid" despite predating a password change.
if request.session.password_outdated(
login_service.get_password_timestamp(userid)):
request.session.invalidate()
request.session.flash("Session invalidated by password change",
queue="error")
return None
# Sessions can only authenticate users, not any other type of identity.
return user
