 def test_user_can_be_loaded_from_session_token(self):
     """A session token handed out by sign_in resolves back to its user."""
     self.make_participant('alice')
     signed_in = User.from_username('alice')
     signed_in.sign_in(SimpleCookie())
     session_token = signed_in.participant.session_token

     reloaded = User.from_session_token(session_token)
     assert reloaded.participant.username == 'alice'
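def _basic_auth_token(header):
    """Return the API key carried in a ``Basic`` Authorization header, or None.

    The credential is base64 of ``token:password``. Only the text before the
    first colon is used, so a password that itself contains a colon no longer
    breaks the unpacking, and a credential without a colon yields the whole
    string as the token. A value that is not valid base64 yields None instead
    of raising on an attacker-controlled header.

    :param header: the full ``Authorization`` value, already known to start
        with ``'Basic '``.
    """
    import binascii  # local import: the module's import block is not in view

    encoded = header[len('Basic '):]
    try:
        creds = encoded.decode('base64')
    except binascii.Error:
        return None
    return creds.split(':', 1)[0]


def _disable_csrf(request):
    """Exempt an API-key-authenticated request from the CSRF check.

    A fresh token is installed as both the ``csrf_token`` cookie and the
    ``X-CSRF-TOKEN`` header (presumably the two values the CSRF check
    compares), and a same-host ``Referer`` is supplied when the client sent
    none.

    :param request: the request whose headers and cookies are rewritten.
    """
    csrf_token = csrf._get_new_csrf_key()
    request.headers.cookie['csrf_token'] = csrf_token
    request.headers['X-CSRF-TOKEN'] = csrf_token
    if 'Referer' not in request.headers:
        request.headers['Referer'] = 'https://%s/' % csrf._get_host(request)


def get_auth_from_request(request):
    """Authenticate from a cookie or an API key in basic auth.

    Sets ``request.context['user']`` to the user resolved from either a
    ``Basic`` Authorization header (API key) or the session cookie, falling
    back to an anonymous ``User()``. Requests under ``/assets/`` are never
    authenticated, and an Authorization header takes precedence over the
    session cookie.

    :param request: the incoming request; ``line.uri``, ``headers``,
        ``headers.cookie`` and ``context`` are read and/or written.
    """
    user = None
    if request.line.uri.startswith('/assets/'):
        pass  # static assets need no identity
    elif 'Authorization' in request.headers:
        # NOTE(review): looked up with a different case than tested above;
        # assumes the headers mapping is case-insensitive.
        header = request.headers['authorization']
        if header.startswith('Basic '):
            token = _basic_auth_token(header)
            if token is not None:
                user = User.from_api_key(token)
                # We don't require CSRF if they basically authenticated.
                _disable_csrf(request)
    elif SESSION in request.headers.cookie:
        token = request.headers.cookie[SESSION].value
        user = User.from_session_token(token)

    request.context['user'] = user or User()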
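def _basic_auth_token(header):
    """Return the API key carried in a ``Basic`` Authorization header, or None.

    The credential is base64 of ``token:password``. Only the text before the
    first colon is used, so a password that itself contains a colon no longer
    breaks the unpacking, and a credential without a colon yields the whole
    string as the token. A value that is not valid base64 yields None instead
    of raising on an attacker-controlled header.

    :param header: the full ``Authorization`` value, already known to start
        with ``'Basic '``.
    """
    import binascii  # local import: the module's import block is not in view

    encoded = header[len('Basic '):]
    try:
        creds = encoded.decode('base64')
    except binascii.Error:
        return None
    return creds.split(':', 1)[0]


def _disable_csrf(request):
    """Exempt an API-key-authenticated request from the CSRF check.

    A fresh token is installed as both the ``csrf_token`` cookie and the
    ``X-CSRF-TOKEN`` header (presumably the two values the CSRF check
    compares), and a same-host ``Referer`` is supplied when the client sent
    none.

    :param request: the request whose headers and cookies are rewritten.
    """
    csrf_token = csrf._get_new_csrf_key()
    request.headers.cookie['csrf_token'] = csrf_token
    request.headers['X-CSRF-TOKEN'] = csrf_token
    if 'Referer' not in request.headers:
        request.headers['Referer'] = 'https://%s/' % csrf._get_host(request)


def get_auth_from_request(request):
    """Authenticate from a cookie or an API key in basic auth.

    Sets ``request.context['user']`` to the user resolved from either a
    ``Basic`` Authorization header (API key) or the session cookie, falling
    back to an anonymous ``User()``. Requests under ``/assets/`` are never
    authenticated, and an Authorization header takes precedence over the
    session cookie.

    :param request: the incoming request; ``line.uri``, ``headers``,
        ``headers.cookie`` and ``context`` are read and/or written.
    """
    user = None
    if request.line.uri.startswith('/assets/'):
        pass  # static assets need no identity
    elif 'Authorization' in request.headers:
        # NOTE(review): looked up with a different case than tested above;
        # assumes the headers mapping is case-insensitive.
        header = request.headers['authorization']
        if header.startswith('Basic '):
            token = _basic_auth_token(header)
            if token is not None:
                user = User.from_api_key(token)
                # We don't require CSRF if they basically authenticated.
                _disable_csrf(request)
    elif SESSION in request.headers.cookie:
        token = request.headers.cookie[SESSION].value
        user = User.from_session_token(token)

    request.context['user'] = user or User()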
 def test_user_from_expired_session_is_anonymous(self):
     """A session whose expiry has already passed must not authenticate."""
     self.make_participant('alice')
     alice = User.from_username('alice')
     alice.sign_in(SimpleCookie())
     session_token = alice.participant.session_token

     # Expire the session immediately, then try to resolve the same token.
     alice.participant.set_session_expires(utcnow())
     resolved = User.from_session_token(session_token)
     assert resolved.ANON
def authenticate_user_if_possible(request, user):
    """This signs the user in.

    Resolves a user from a ``Basic`` Authorization header (API key) or from
    the session cookie. *user* is returned unchanged for requests under
    ``/assets/`` and when no credential is presented; an Authorization header
    takes precedence over the session cookie.

    :param request: the incoming request; ``line.uri``, ``headers`` and
        ``headers.cookie`` are read.
    :param user: the user to fall back on when nothing authenticates.
    :returns: ``{'user': <user>}``.
    """
    headers = request.headers

    if request.line.uri.startswith('/assets/'):
        return {'user': user}  # static assets need no identity

    if 'Authorization' in headers:
        header = headers['authorization']
        if header.startswith('Basic '):
            user = _get_user_via_basic_auth(header)
            if not user.ANON:
                # API-key authenticated requests are exempted from the
                # CSRF check.
                _turn_off_csrf(request)
        return {'user': user}

    cookies = headers.cookie
    if SESSION in cookies:
        user = User.from_session_token(cookies[SESSION].value)

    return {'user': user}
def authenticate_user_if_possible(request, user):
    """This signs the user in.

    Tries, in order: skip authentication for ``/assets/``; resolve an API key
    from a ``Basic`` Authorization header; resolve the session cookie. When
    none applies the caller's *user* is handed back untouched.

    :param request: the incoming request; ``line.uri``, ``headers`` and
        ``headers.cookie`` are read.
    :param user: the user to fall back on when nothing authenticates.
    :returns: ``{'user': <user>}``.
    """
    is_asset = request.line.uri.startswith('/assets/')
    has_auth_header = not is_asset and 'Authorization' in request.headers

    if has_auth_header:
        auth_value = request.headers['authorization']
        if auth_value.startswith('Basic '):
            user = _get_user_via_basic_auth(auth_value)
            # API-key authenticated requests are exempted from the CSRF check.
            if not user.ANON:
                _turn_off_csrf(request)
    elif not is_asset:
        cookie_jar = request.headers.cookie
        if SESSION in cookie_jar:
            session_token = cookie_jar[SESSION].value
            user = User.from_session_token(session_token)

    return {'user': user}
def set_request_context_user(request):
    """Set request.context['user']. This signs the user in.

    The anonymous user is stored first so that ``request.context['user']``
    exists even if resolving credentials below raises. A ``Basic``
    Authorization header (API key) takes precedence over the session cookie;
    requests under ``/assets/`` are never authenticated.

    :param request: the incoming request; ``line.uri``, ``headers``,
        ``headers.cookie`` and ``context`` are read and/or written.
    """
    context = request.context
    headers = request.headers

    # Always leave a user object behind, even on an exception further down.
    context['user'] = user = ANON

    if request.line.uri.startswith('/assets/'):
        return  # static assets need no identity; context already holds ANON

    if 'Authorization' in headers:
        auth_value = headers['authorization']
        if auth_value.startswith('Basic '):
            user = _get_user_via_basic_auth(auth_value)
            if not user.ANON:
                # API-key authenticated requests are exempted from the
                # CSRF check.
                _turn_off_csrf(request)
    elif SESSION in headers.cookie:
        session_token = headers.cookie[SESSION].value
        user = User.from_session_token(session_token)

    context['user'] = user
 def test_user_from_None_session_token_is_anonymous(self):
     """A missing token yields the anonymous user even when users exist."""
     for username in ('alice', 'bob'):
         self.make_participant(username)
     resolved = User.from_session_token(None)
     assert resolved.ANON
 def test_user_from_bad_session_token_is_anonymous(self):
     """An unknown token yields the anonymous user rather than an error."""
     unknown_token = 'deadbeef'
     assert User.from_session_token(unknown_token).ANON