def validate(cls, document):
for key in list(document.keys()):
if key not in cls.schema or document[key] is None:
del document[key]
try:
if cls.schema[key]['type'] == 'datetime':
document[key] = parser.parse(document[key])
elif cls.schema[key]['type'] == 'object_id':
document[key] = ObjectId(document[key])
except KeyError:
pass
validator = Validator(
schema=cls.schema
)
if not validator.validate(document):
(document, errors) = cls._remove_unknown(document, validator.errors)
if len(errors):
from core.helpers.raise_error import raise_error
raise_error('validation', 'fields_invalid', code=400, fields=errors)
return document
def preprocess(cls, document):
try:
if 'password' in document and document['password'] is not None:
user = app.mongo.db[User.collection_name].find_one_or_404(
{'email': document['email']})
if user['password'] != hashlib.sha256(
document['password'].encode('utf-8') +
user['password_salt'].encode('utf-8')).hexdigest():
raise_error('auth', 'password_incorrect', 403)
document['user_id'] = user['_id']
request.user_id = document['user_id']
try:
document['is_admin'] = user['is_admin']
except KeyError:
pass
del document['email']
del document['password']
else:
document['user_id'] = User.create(
{'email': document['email']})['_id']
request.user_id = document['user_id']
del document['email']
except KeyError:
pass
return super().preprocess(document)
def create(cls, document):
if 'token_id' in document:
try:
document['token_id'] = Token.get_where({'_id': document['token_id']})['_id']
except NotFound:
raise_error('auth', 'token_not_found', 404)
secret = uuid.uuid4().hex
document['secret_hash_salt'] = uuid.uuid4().hex
document['secret_hash'] = hashlib.sha256(secret.encode('utf-8') + document['secret_hash_salt'].encode('utf-8')).hexdigest()
document['_id'] = ObjectId()
document['session_id'] = document['_id']
document = super().create(document)
document['secret'] = secret
try:
document['user_id'] = request.user_id
except AttributeError:
pass
return document
def not_found(error):
if 'application/json' in request.headers['Accept']:
return raise_error('server', 'not_found', 404, no_abort=True)
else:
try:
path = request.path
if path.endswith('/'):
return redirect(redirects[path[:-1]])
else:
return redirect(redirects[request.path])
except KeyError:
cached_template = app.caches['/errors'].get(request.path)
if cached_template is None or app.config['DEBUG']:
response = {
# 'pieces': Interface._values(),
'pages': Page.list(),
'hotels': Hotel.list(),
'current_path': request.path,
'debugging': app.config['DEBUG']
}
# response['interface_json'] = json.dumps(response['pieces'], sort_keys=False, default=json_formater)
response['lang_route'] = '/'
render = render_template('errors/' + str(error.code) + '.html',
**response)
app.caches['/errors'].set(request.path, render, timeout=0)
return render
else:
return cached_template
def create(cls, document):
try:
user = User.get_where({'email': document['email']})
except NotFound:
raise_error('auth', 'user_not_found', 404)
document['code'] = uuid.uuid4().hex
document['user_id'] = user['_id']
try:
document['is_admin'] = user['is_admin']
except KeyError:
pass
return super().create(document)
def create(cls, document):
if 'token_code' in document:
try:
token = Token.get_where({'code': document['token_code']})
if datetime.now(
timezone(app.config['TIMEZONE'])
) > token['created_at'] + relativedelta(days=+1):
raise_error('auth', 'token_expired', 403)
document['token_id'] = token['_id']
document['user_id'] = token['user_id']
request.user_id = document['user_id']
try:
document['is_admin'] = token['is_admin']
except KeyError:
pass
del document['token_code']
except NotFound:
raise_error('auth', 'token_not_found', 404)
secret = uuid.uuid4().hex
document['secret_hash_salt'] = uuid.uuid4().hex
document['secret_hash'] = hashlib.sha256(
secret.encode('utf-8') +
document['secret_hash_salt'].encode('utf-8')).hexdigest()
document['_id'] = ObjectId()
document['session_id'] = document['_id']
document = super().create(document)
document['secret'] = secret
try:
document['user_id'] = request.user_id
except AttributeError:
pass
return document
def create(cls, document):
try:
user = User.get_where({'email': document['email']})
except NotFound:
raise_error('auth', 'user_not_found', 404)
document['code'] = uuid.uuid4().hex
document['user_id'] = user['_id']
try:
document['is_admin'] = user['is_admin']
except KeyError:
pass
# trigger_tasks.apply_async(('token_created', {
# 'token': document,
# 'user': user
# }))
return super().create(document)
def not_found(error):
if 'application/json' in request.headers['Accept']:
return raise_error('server', 'not_found', 404, no_abort=True)
else:
cached_template = app.caches['/errors'].get(request.path)
if cached_template is None or app.config['DEBUG']:
response = {
'pieces': {},
'current_path': request.path,
'root': request.host_url,
'debugging': app.config['DEBUG']
}
response['pieces_json'] = json.dumps(response['pieces'],
sort_keys=False,
default=json_formater)
render = render_template('errors/' + str(error.code) + '.html',
**response)
app.caches['/errors'].set(request.path, render, timeout=0)
return render
else:
return cached_template
def verify_headers():
from core.models.auth.session import Session
if request.method == 'OPTIONS':
return make_response()
else:
try:
request.current_session = app.mongo.db[
Session.collection_name].find_one_or_404(
{'_id': ObjectId(request.cookies['X-Session-Id'])})
if request.current_session['secret_hash'] != hashlib.sha256(
request.cookies['X-Session-Secret'].encode('utf-8') +
request.current_session['secret_hash_salt'].encode('utf-8')
).hexdigest():
raise_error('auth', 'invalid_secret', 403)
except KeyError:
pass
if hasattr(request.url_rule, 'route'):
try:
request.requires_admin = request.url_rule.route[
'requires_admin']
except KeyError:
request.requires_admin = False
try:
request.requires_user = request.url_rule.route['requires_user']
except KeyError:
request.requires_user = False
try:
request.requires_session = request.url_rule.route[
'requires_session']
except KeyError:
request.requires_session = False
if request.requires_admin or request.requires_user or request.requires_session:
try:
if hasattr(request, 'current_session'):
try:
if request.headers[
'X-Session-Secret'] != request.cookies[
'X-Session-Secret']:
raise_error('auth', 'cookies_dont_match', 403)
except KeyError:
pass
else:
try:
request.current_session = app.mongo.db[
Session.collection_name].find_one_or_404(
{'_id': request.cookies['X-Session-Id']})
except KeyError:
raise_error('auth', 'missing_session_id', 403)
if request.current_session[
'secret_hash'] != hashlib.sha256(
request.cookies['X-Session-Secret'].encode(
'utf-8') +
request.current_session['secret_hash_salt']
.encode('utf-8')).hexdigest():
raise_error('auth', 'invalid_secret', 403)
if request.requires_admin and not request.current_session[
'is_admin']:
raise_error('auth', 'requires_admin', 403)
if request.requires_user:
if not request.current_session['user_id']:
raise_error('auth', 'requires_user', 403)
except KeyError:
raise_error('auth', 'missing_secret', 403)
try:
request.current_session_is_admin = request.current_session[
'is_admin']
except AttributeError:
request.current_session_is_admin = False
