Example #1
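def validHMACHash(clientHash, data, email, timestamp):
    """Return True if clientHash matches the server-side HMAC of data and timestamp.

    The HMAC-SHA256 key is the session token stored for ``email``. The message
    is every item of ``data`` in order, followed by
    ``"&timestamp=" + timestamp``.

    Args:
        clientHash: Hex digest supplied by the client, or None.
        data: Iterable of strings that were signed, in signing order.
        email: Account whose stored token is used as the HMAC key.
        timestamp: Client timestamp formatted '%Y-%m-%d %H:%M:%S', or None.

    Returns:
        True only when the timestamp is well-formed and less than five minutes
        old, a token exists for ``email``, and the digests match. False in
        every other case, including malformed input.
    """
    if clientHash is None or timestamp is None:
        return False

    timeFormat = '%Y-%m-%d %H:%M:%S'
    # The timestamp is client-controlled: a malformed value is a failed
    # validation, not an unhandled exception in the request handler.
    try:
        clientTime = datetime.datetime.strptime(timestamp, timeFormat)
    except (TypeError, ValueError):
        return False
    now = datetime.datetime.strptime(getUTCTimestamp(), timeFormat)

    # total_seconds() is used instead of .seconds because .seconds discards the
    # days component, which would let a timestamp that is whole days off pass
    # the freshness check. Timestamps ahead of the server clock are rejected.
    age = (now - clientTime).total_seconds()
    if not 0 <= age < 5 * 60:
        return False

    # The token stored for the user's current session is the HMAC key.
    token = database_helper.getUserTokenByEmail(email)
    if token is None:
        return False

    # NOTE(review): the values are concatenated without a delimiter, so the
    # message encoding is ambiguous across different `data` lists. It is left
    # as is because the client must produce the same byte sequence.
    # NOTE(review): nothing in this function records used timestamps, so a
    # valid request stays acceptable for the whole five-minute window.
    hmacObj = hmac.new(token.encode(), b'', hashlib.sha256)
    for value in data:
        hmacObj.update(value.encode('utf-8'))
    hmacObj.update(("&timestamp=" + timestamp).encode('utf-8'))
    serverHash = hmacObj.hexdigest()

    # Constant-time comparison: `==` stops at the first differing character
    # and so leaks how much of the digest matched through response timing.
    try:
        return hmac.compare_digest(clientHash.encode('utf-8'),
                                   serverHash.encode('utf-8'))
    except (AttributeError, UnicodeError):
        return False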
Example #2
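def signOut(email):
    """Sign out the user identified by ``email`` after verifying the request HMAC.

    The client must send the ``Hash-Hmac`` and ``Hash-Timestamp`` headers; the
    signed payload is ``'email=' + email``. On success the stored sign-in
    record is deleted, any entry for ``email`` in ``webSockets`` is dropped and
    the users counter is re-sent.

    Args:
        email: Account to sign out.

    Returns:
        A ``(json_body, status)`` tuple: 200 on success, 503 if the sign-in
        record could not be deleted, 405 if the hash is invalid or no token
        exists for the user.
    """
    data = ['email=' + email]
    clientHash = request.headers.get('Hash-Hmac')
    utcTimestamp = request.headers.get('Hash-Timestamp')

    # NOTE(review): 405 means "Method Not Allowed"; 401/403 would describe an
    # authentication failure more accurately. The codes are kept because
    # existing clients may depend on them.
    if not validHMACHash(clientHash, data, email, utcTimestamp):
        return json.dumps({'success': False, 'message': 'Invalid hash.'}), 405

    # validHMACHash already returns False when no token exists, so this second
    # lookup only comes back empty if the session was removed between the two
    # database reads.
    token = database_helper.getUserTokenByEmail(email)
    if token is None:
        return json.dumps({'success': False, 'message': 'You are not signed in.'}), 405

    result = database_helper.deleteSignedInUser(token)
    if result != True:
        return json.dumps({'success': False, 'message': 'Could not delete signed in user.'}), 503

    # `in` replaces dict.has_key(), which no longer exists in Python 3. No
    # `global` statement is needed because the name is not rebound here.
    if email in webSockets:
        del webSockets[email]
    sendUsersCounter()
    return json.dumps({'success': True, 'message': 'Successfully signed out.'}), 200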