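def login():
    '''
    This router function attempts to fulfill a login request.

    On a POST carrying the form fields 'user[login]' and 'user[password]',
    it returns a json string with one value:

    - status, an integer codifying the outcome of the login attempt:

        - 0, successful login
        - 4, generic login failure

    Finer-grained failure codes (1, username does not exist; 2, username
    does not have a password; 3, supplied password does not match the
    stored password) are intentionally NOT emitted: every failure path
    collapses to 4 so the response does not reveal which credential was
    wrong:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    A request that is not a POST, carries no form data, or lacks either
    field is also answered with status 4 instead of falling off the end
    of the function (a Flask view returning None raises a TypeError).
    '''
    failure = json.dumps({'status': 4})

    # only a POST carrying form data is a login attempt
    if request.method != 'POST' or not request.form:
        return failure

    # local variables: request.form is a MultiDict, so .get() yields the
    # first value for the key (as getlist(...)[0] did) or None when absent,
    # instead of raising IndexError on a missing field
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if username is None or password is None:
        return failure

    account = Account()

    # validate: check username exists, and resolve its userid once
    if not account.check_username(username)['result']:
        return failure
    uid = account.get_uid(username)['result']
    if not uid:
        return failure

    # database query: get hashed password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        # user does not have a password
        return failure

    # verify password against the stored hash
    # NOTE(review): the guards above return before verify_pass runs, so an
    # unknown username is answered faster than a wrong password; whether
    # that timing gap is observable depends on the cost of verify_pass.
    if not verify_pass(str(password), hashed_password):
        return failure

    # set session: uid corresponds to primary key, from the user database
    # table, and a unique integer representing the username.
    session['uid'] = uid

    # return user status
    if session['uid']:
        return json.dumps({'status': 0})
    return failure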
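def login():
    '''
    This router function attempts to fulfill a login request.

    On a POST carrying the form fields 'user[login]' and 'user[password]',
    it returns a json string with one value:

    - status, an integer codifying the outcome of the login attempt:

        - 0, successful login
        - 4, generic login failure

    The finer-grained codes (1, username does not exist; 2, username does
    not have a password; 3, supplied password does not match the stored
    password) are deliberately collapsed into 4, so that the response does
    not disclose whether the username or the password was wrong:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Non-POST requests, requests without form data, and requests missing
    either field are answered with status 4 as well; previously they fell
    off the end of the function and returned None, which Flask rejects.
    '''
    def fail():
        # single place that builds the generic-failure response
        return json.dumps({'status': 4})

    if request.method != 'POST' or not request.form:
        return fail()

    # local variables: .get() on the form MultiDict returns the first value
    # (what getlist(...)[0] returned) or None, never IndexError
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if username is None or password is None:
        return fail()

    account = Account()

    # validate: check username exists, and resolve its userid once
    if not account.check_username(username)['result']:
        return fail()
    uid = account.get_uid(username)['result']
    if not uid:
        return fail()

    # database query: get hashed password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        # user does not have a password
        return fail()

    # verify password
    # NOTE(review): unknown-username and no-password paths skip verify_pass
    # and therefore respond faster than a wrong password; confirm whether
    # verify_pass is expensive enough for that difference to be measurable.
    if not verify_pass(str(password), hashed_password):
        return fail()

    # set session: uid corresponds to primary key, from the user database
    # table, and a unique integer representing the username.
    session['uid'] = uid

    # return user status
    return json.dumps({'status': 0}) if session['uid'] else fail()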
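def test_login(client, live_server):
    '''
    This method tests the user login process.

    Specifically, the tests include verifying the user credentials (i.e.
    username, and password) directly against the Account store, then posting
    them as a json body to '/login' and checking that the response reports
    status 0 and carries an access_token.

    Args:
        client: test client fixture used to POST to the application.
        live_server: fixture whose start() brings the application up.

    Each precondition is asserted with a message, so a failing run states
    which step broke (unknown fixture user, no stored password, hash
    mismatch) instead of a bare 'assert False'.
    '''
    live_server.start()

    # local variables: credentials of the fixture user (masked in this
    # listing)
    username = '******'
    password = '******'
    authenticate = Account()

    # validate: username exists
    assert authenticate.check_username(username)['result'], \
        'fixture username does not exist: {}'.format(username)

    # database query: get hashed password
    hashed_password = authenticate.get_password(username)['result']
    assert hashed_password, 'fixture user does not have a stored password'

    # verify password against the stored hash before exercising the route
    assert verify_pass(str(password), hashed_password), \
        'fixture password does not match the stored hash'

    # post requests: login response
    payload = {'user[login]': username, 'user[password]': password}
    response = client.post(
        '/login',
        headers={'Content-Type': 'application/json'},
        data=json.dumps(payload)
    )

    assert response.status_code == 200
    assert response.json['status'] == 0
    assert response.json['access_token']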
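def test_login(client, live_server):
    '''
    This method tests the user login process.

    Specifically, the tests include verifying the user credentials (i.e.
    username, and password) against the Account store, then posting them as
    a json body to '/login' and checking that the response reports status 0.

    Args:
        client: test client fixture used to POST to the application.
        live_server: fixture whose start() brings the application up.

    The preconditions are written as guarded asserts with messages rather
    than nested if/else blocks ending in 'assert False', so a failure names
    the step that broke.
    '''
    live_server.start()

    # local variables: credentials of the fixture user (masked in this
    # listing)
    username = '******'
    password = '******'
    authenticate = Account()

    # validate: username exists
    assert authenticate.check_username(username)['result'], \
        'fixture username does not exist: {}'.format(username)

    # database query: get hashed password
    hashed_password = authenticate.get_password(username)['result']
    assert hashed_password, 'fixture user does not have a stored password'

    # verify password against the stored hash before exercising the route
    assert verify_pass(str(password), hashed_password), \
        'fixture password does not match the stored hash'

    # post requests: login response
    payload = {'user[login]': username, 'user[password]': password}
    response = client.post(
        '/login',
        headers={'Content-Type': 'application/json'},
        data=json.dumps(payload)
    )

    assert response.status_code == 200
    assert response.json['status'] == 0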
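def login():
    '''
    This router function attempts to fulfill a login request.

    On a POST whose json body holds 'user[login]' and 'user[password]', it
    returns a json string with:

    - status, an integer codifying the outcome of the login attempt:

        - 0, successful login
        - 4, generic login failure

    - access_token, present only with status 0: a token created from the
      userid via create_access_token.

    The finer-grained codes (1, username does not exist; 2, username does
    not have a password; 3, supplied password does not match the stored
    password) are intentionally collapsed into 4, so the response does not
    reveal which credential was wrong:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Note: token authentication is stateless, since it doesn't require
          anything to be queried from the server, to verify the user. The
          token is setup, in such a way, where it is known, if the token is
          valid or not, and if the token has been tampered with.

    Note: more information on basic flask-jwt token authentication:

        http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    Non-POST requests, requests without a usable json object body, and
    bodies missing either key are answered with status 4 as well; they
    previously either returned None (rejected by Flask) or raised KeyError.
    '''
    failure = json.dumps({'status': 4})

    if request.method != 'POST':
        return failure

    # programmatic-interface: implement flask-jwt token
    # parse the body once; silent=True returns None for a missing or
    # malformed json body instead of raising, so it lands on the same
    # generic failure. A non-object body (e.g. a json list) would make the
    # key lookups below raise, hence the isinstance check.
    results = request.get_json(silent=True)
    if not results or not isinstance(results, dict):
        return failure

    username = results.get('user[login]')
    password = results.get('user[password]')
    if username is None or password is None:
        return failure

    account = Account()

    # validate: check username exists, and resolve its userid once
    if not account.check_username(username)['result']:
        return failure
    uid = account.get_uid(username)['result']
    if not uid:
        return failure

    # database query: get hashed password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        # user does not have a password
        return failure

    # verify password
    # NOTE(review): the guards above return before verify_pass runs, so an
    # unknown username is answered faster than a wrong password; confirm
    # whether verify_pass is costly enough for that to be observable.
    if not verify_pass(str(password), hashed_password):
        return failure

    # create and serialize uid token
    access_token = create_access_token(identity=uid)

    # return status
    return json.dumps({'status': 0, 'access_token': access_token})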
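def _authenticate(account, username, password):
    '''
    Resolve username/password to a userid, or None when they do not match.

    Args:
        account: Account instance used for the username, uid and password
            lookups.
        username: login name supplied by the client (may be None).
        password: cleartext password supplied by the client (may be None).

    Returns:
        The uid from account.get_uid() when the username exists, has a
        stored password hash, and verify_pass accepts the supplied
        password against that hash; otherwise None.

    Every failure (missing field, unknown username, missing uid, no stored
    password, mismatch) yields the same None, so callers cannot leak which
    credential was wrong.
    '''
    if username is None or password is None:
        return None

    # validate: check username exists, and resolve its userid once
    if not account.check_username(username)['result']:
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # database query: get hashed password
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        # user does not have a password
        return None

    # verify password
    # NOTE(review): the guards above return before verify_pass runs, so an
    # unknown username is answered faster than a wrong password; confirm
    # whether verify_pass is costly enough for that to be observable.
    if not verify_pass(str(password), hashed_password):
        return None

    return uid


def login():
    '''
    This router function attempts to fulfill a login request.

    It accepts a POST in either of two shapes and returns a json string:

    - status, an integer codifying the outcome of the login attempt:

        - 0, successful login
        - 4, generic login failure

    - access_token, only for a json-body login with status 0.

    The finer-grained codes (1, username does not exist; 2, username does
    not have a password; 3, supplied password does not match the stored
    password) are intentionally collapsed into 4, so the response does not
    reveal which credential was wrong:

        - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    Note: token authentication is stateless, since it doesn't require
          anything to be queried from the server, to verify the user. The
          token is setup, in such a way, where it is known, if the token is
          valid or not, and if the token has been tampered with.

    Note: more information on basic flask-jwt token authentication:

        http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    Non-POST requests, and POSTs with neither a json object body nor form
    data, are answered with status 4 instead of returning None (which
    Flask rejects); missing fields no longer raise KeyError/IndexError.
    Credential checking is shared by both interfaces via _authenticate.
    '''
    failure = json.dumps({'status': 4})

    if request.method != 'POST':
        return failure

    account = Account()

    # programmatic-interface: implement flask-jwt token
    # parse the body once; silent=True maps a missing/malformed json body
    # to None instead of raising, which keeps the form branch reachable
    body = request.get_json(silent=True)
    if body:
        # a non-object body (e.g. a json list) has no keys to look up
        if not isinstance(body, dict):
            return failure

        uid = _authenticate(
            account, body.get('user[login]'), body.get('user[password]')
        )
        if uid is None:
            return failure

        # create and serialize uid token
        access_token = create_access_token(identity=uid)

        # return status
        return json.dumps({'status': 0, 'access_token': access_token})

    # web-interface: store user session in redis
    if request.form:
        # .get() on the form MultiDict returns the first value (what
        # getlist(...)[0] returned) or None, never IndexError
        uid = _authenticate(
            account,
            request.form.get('user[login]'),
            request.form.get('user[password]'),
        )
        if uid is None:
            return failure

        # set session: uid corresponds to primary key, from the user
        # database table, and a unique integer representing the username.
        # NOTE(review): if the session is backed by a server-side store (the
        # comment above mentions redis), consider issuing a fresh session id
        # here so a pre-login session identifier is not carried over.
        session['uid'] = uid

        # return user status
        if session['uid']:
            return json.dumps({'status': 0})
        return failure

    # neither a json object body nor form data: nothing to authenticate
    return failure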