def authorize(self):
# Perform the initial API call and direct the user.
api = API(config['api.endpoint'], config['api.identity'], config['api.private'], config['api.public'])
success = str(url.complete('/authorized'))
failure = str(url.complete('/nolove'))
result = api.core.authorize(success=success, failure=failure)
raise HTTPFound(location=result.location)
def authorize(self, success=None, failure=None):
"""Prepare a incoming session request.
Error 'message' attributes are temporary; base your logic on the status and code attributes.
success: web.core.url:URL (required)
failure: web.core.url:URL (required)
returns:
location: web.core.url:URL
the location to direct users to
"""
# Ensure success and failure URLs are present.
if success is None:
response.status_int = 400
return dict(
status='error',
code='argument.success.missing',
message=
"URL to return users to upon successful authentication is missing from your request."
)
if failure is None:
response.status_int = 400
return dict(
status='error',
code='argument.failure.missing',
message=
"URL to return users to upon authentication failure or dismissal is missing from your request."
)
# Also ensure they are valid URIs.
try:
success_ = success
success = URL(success)
except:
response.status_int = 400
return dict(status='error',
code='argument.success.malformed',
message="Successful authentication URL is malformed.")
try:
failure_ = failure
failure = URL(failure)
except:
response.status_int = 400
return dict(
status='error',
code='argument.response.malformed',
message=
"URL to return users to upon successful authentication is missing from your request."
)
# Deny localhost/127.0.0.1 loopbacks and 192.* and 10.* unless in development mode.
if not boolean(config.get('debug', False)) and (success.host in ('localhost', '127.0.0.1') or \
success.host.startswith('192.168.') or \
success.host.startswith('10.')):
response.status_int = 400
return dict(
status='error',
code='development-only',
message=
"Loopback and local area-network URLs disallowd in production."
)
# Check blacklist and bail early.
if AuthenticationBlacklist.objects(
reduce(__or__, [
Q(scheme=success.scheme),
Q(scheme=failure.scheme),
Q(protocol=success.port or success.scheme),
Q(protocol=failure.port or failure.scheme),
] + ([] if not success.host else [Q(domain=success.host)]) +
([] if not failure.host else [Q(
domain=failure.host)]))).count():
response.status_int = 400
return dict(
status='error',
code='blacklist',
message="You have been blacklisted. To dispute, contact {0}".
format(config['mail.blackmail.author']))
# TODO: Check DNS. Yes, really.
# Generate authentication token.
log.info("Creating request for {0} with callbacks {1} and {2}.".format(
request.service, success_, failure_))
ar = AuthenticationRequest(
request.
service, # We have an authenticated request, so we know the service ID is valid.
success=success_,
failure=failure_)
ar.save()
return dict(location=url.complete('/authorize/{0}'.format(ar.id)))
def authorize(self, success=None, failure=None):
"""Prepare a incoming session request.
Error 'message' attributes are temporary; base your logic on the status and code attributes.
success: web.core.url:URL (required)
failure: web.core.url:URL (required)
returns:
location: web.core.url:URL
the location to direct users to
"""
# Ensure success and failure URLs are present.
if success is None:
response.status_int = 400
return dict(
status = 'error',
code = 'argument.success.missing',
message = "URL to return users to upon successful authentication is missing from your request."
)
if failure is None:
response.status_int = 400
return dict(
status = 'error',
code = 'argument.failure.missing',
message = "URL to return users to upon authentication failure or dismissal is missing from your request."
)
# Also ensure they are valid URIs.
try:
success_ = success
success = URL(success)
except:
response.status_int = 400
return dict(
status = 'error',
code = 'argument.success.malformed',
message = "Successful authentication URL is malformed."
)
try:
failure_ = failure
failure = URL(failure)
except:
response.status_int = 400
return dict(
status = 'error',
code = 'argument.response.malformed',
message = "URL to return users to upon successful authentication is missing from your request."
)
# Deny localhost/127.0.0.1 loopbacks and 192.* and 10.* unless in development mode.
if not boolean(config.get('debug', False)) and (success.host in ('localhost', '127.0.0.1') or \
success.host.startswith('192.168.') or \
success.host.startswith('10.')):
response.status_int = 400
return dict(
status = 'error',
code = 'development-only',
message = "Loopback and local area-network URLs disallowd in production."
)
# Check blacklist and bail early.
if AuthenticationBlacklist.objects(reduce(__or__, [
Q(scheme=success.scheme), Q(scheme=failure.scheme),
Q(protocol=success.port or success.scheme), Q(protocol=failure.port or failure.scheme),
] + ([] if not success.host else [
Q(domain=success.host)
]) + ([] if not failure.host else [
Q(domain=failure.host)
]))).count():
response.status_int = 400
return dict(
status = 'error',
code = 'blacklist',
message = "You have been blacklisted. To dispute, contact {0}".format(config['mail.blackmail.author'])
)
# TODO: Check DNS. Yes, really.
# Generate authentication token.
log.info("Creating request for {0} with callbacks {1} and {2}.".format(request.service, success_, failure_))
ar = AuthenticationRequest(
request.service, # We have an authenticated request, so we know the service ID is valid.
success = success_,
failure = failure_
)
ar.save()
return dict(
location = url.complete('/authorize/{0}'.format(ar.id))
)
