def sessions_put_view(request): if request.user is None: request.response.status = 400 return { 'd': error_dict('api_errors', 'not authenticated for this request') } token = request.json_body.get('token') s = request.dbsession.query(Session).filter( Session.token == token, Session.user_id == request.user.id).one_or_none() if s is None: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} expiration_value = timedelta(weeks=2) if (datetime.now() - s.lastactive) > expiration_value: request.dbsession.delete(s) request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} s.lastactive = datetime.now() request.dbsession.flush() result = dict_from_row(s) result['origin'] = request.user.origin return {'d': result}
def sessions_post_view(request): """ This will begin a new session given a username and password """ if request.user is not None and request.json_body.get('token') is not None: # Our request validated their token, so just get that token return {'d': dict_from_row(request.dbsession.query(Session)\ .filter(Session.token == request.json_body['token']).one())} username = request.json_body.get('username') if username is None or not isinstance(username, basestring): request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} password = request.json_body.get('password') if password is None or not isinstance(password, basestring): request.response.status = 400 return {'d': error_dict('api_errors', 'no valid password provided')} user = request.dbsession.query(User).filter( User.username == username.lower()).one_or_none() if user is None: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} salted_pass = binascii.b2a_hex(hash_password(password, user.salt)) if binascii.b2a_hex(user.password) != salted_pass: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} if user.lockmessage is not None: request.response.status = 400 return {'d': error_dict('account_lock', user.lockmessage)} new_token = str(uuid4()) new_session = Session() new_session.user_id = user.id new_session.token = new_token request.dbsession.add(new_session) request.dbsession.flush() request.dbsession.refresh(new_session) since = datetime.now() - timedelta(weeks=2) request.dbsession.query(Session)\ .filter(Session.lastactive <= since)\ .filter(Session.user_id == user.id)\ .delete() result = dict_from_row(new_session) result['origin'] = user.origin return {'d': result}
def test_no_password(self): """ When we don't give a password, we get an error back about not having a password """ self.request.json_body = {'username': '******'} result = sessions_post_view(self.request)['d'] self.assertIsInstance(result, dict) self.assertEqual( result, error_dict('api_errors', 'no valid password provided'))
def test_no_user(self): """ If we try to get info without a login, get an error back """ self.request.user = None result = sessions_put_view(self.request)['d'] self.assertEqual( result, error_dict('api_errors', 'not authenticated for this request'))
def sessions_delete_view(request): if request.user is None: request.response.status = 400 return { 'd': error_dict('api_errors', 'not authenticated for this request') } token = request.json_body.get('token') if token is None or not isinstance(token, basestring): request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} s = request.dbsession.query(Session).filter( Session.token == token).one_or_none() if s is None: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} request.dbsession.delete(s) request.dbsession.flush() return {'d': {}}
def test_nonexistent_user(self): """ With a properly formed request, but with a nonexistent user, get the appropriate error """ self.request.json_body = { 'username': '******', 'password': '******' } result = sessions_post_view(self.request)['d'] self.assertEqual( result, error_dict('api_errors', 'no valid username provided'))
def test_nonexistent_token_provided(self): """ If the token doesn't exist, say so """ self.request.json_body = {'token': 'badtoken'} self.datautils.create_session() self.datautils.create_session() result = sessions_put_view(self.request)['d'] self.assertIsInstance(result, dict) self.assertEqual(result, error_dict('api_errors', 'no valid token provided'))
def test_bad_credentials(self): """ With a properly formed request, but with bad values (like an incorrect password), get the appropriate error """ self.request.json_body = { 'username': '******', 'password': '******' } self.datautils.create_user({'username': '******'}) result = sessions_post_view(self.request)['d'] self.assertIsInstance(result, dict) self.assertEqual( result, error_dict('api_errors', 'no valid username provided'))
def test_no_token_provided(self): """ If we do not provide a token, get an error """ self.request.json_body = {} self.datautils.create_user({ 'username': '******', 'password': '******' }) result = sessions_delete_view(self.request)['d'] self.assertIsInstance(result, dict) self.assertEqual(result, error_dict('api_errors', 'no valid token provided'))
def test_locked_account(self): """ Get the lock message if the account is locked, but we get the credentials right, get the lock message """ self.request.json_body = { 'username': '******', 'password': '******' } self.datautils.create_user({ 'username': '******', 'password': '******', 'lockmessage': 'test lock message' }) result = sessions_post_view(self.request)['d'] self.assertEqual(result, error_dict('account_lock', 'test lock message'))
def test_expired_token_provided(self): """ If the token is expired, say so, and delete it """ weeks_ago = datetime.now() - relativedelta(weeks=6) s = self.datautils.create_session({ 'lastactive': weeks_ago, 'started': weeks_ago, 'user_id': self.request.user.id }) self.assertEqual(self.session.query(Session).count(), 1) self.assertEqual(s.started, s.lastactive) self.assertEqual(s.started, weeks_ago) self.request.json_body = {'token': s.token} result = sessions_put_view(self.request)['d'] self.assertEqual(result, error_dict('api_errors', 'no valid token provided')) self.assertEqual(self.session.query(Session).count(), 0)