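def newhandler(request, *args, **kwargs):
    """Gate *handler* behind a valid, unexpired session cookie (page flavour).

    Flow:
      1. No session cookie, an unknown session key, or an expired session
         sends the client to ``/auth/login?redir=<current path>``; where a
         cookie was presented it is cleared on the way out.
      2. The request must carry a ``Referer`` whose host is ours; a missing
         or foreign referer is treated as a cross-site request: the cookie
         is cleared and the client is redirected to ``/``.
      3. Otherwise ``request.session`` is set and *handler* is called.

    ``handler``, ``SESSION_KEY_NAME``, ``HOSTNAME``, ``framework`` and
    ``models`` are resolved from the enclosing scopes.
    """
    try:
        from urllib.parse import quote, urlsplit
    except ImportError:  # Python 2
        from urllib import quote
        from urlparse import urlsplit

    def _bounce(location):
        # Every rejection of a presented cookie clears it, so a stale or
        # bogus key is not re-sent on the next request.
        resp = framework.HttpResponseRedirect(location)
        resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
        return resp

    key = request.COOKIES.get(SESSION_KEY_NAME)
    # quote() stops characters such as '&' or '#' in the path from breaking
    # the redir query parameter.
    redir = "/auth/login?redir=%s" % quote(request.path)
    if not key:
        return framework.HttpResponseRedirect(redir)

    dbsession = models.SessionMaker()
    try:
        session = dbsession.query(models.Session).filter_by(session_key=key).one()
    except models.NoResultFound:
        dbsession.close()  # previously leaked on this path
        return _bounce(redir)

    if session.is_expired():
        dbsession.delete(session)
        dbsession.commit()
        dbsession.close()
        return _bounce(redir)

    # A check to thwart cross site request forgery: the Referer must name
    # our own host. The host is parsed and compared exactly (hostname, or
    # host:port in case HOSTNAME carries a port); the former substring test
    # was satisfied by any URL that merely *contained* our hostname.
    referer = request.environ.get("HTTP_REFERER")
    if referer is None:
        request.log_error("No referer in authenticated request.\n")
        return _bounce("/")
    parts = urlsplit(referer)
    ours = HOSTNAME.lower()
    if not parts.hostname or ours not in (parts.hostname, parts.netloc.lower()):
        request.log_error("Our host not in referer.\n")
        return _bounce("/")

    # dbsession stays open here as in the original: closing it would detach
    # `session` before the handler gets to use it.
    request.session = session
    return handler(request, *args, **kwargs)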
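def handle_async_authentication(request):
    """Authenticate an asynchronous (AJAX) login POST and issue a session.

    Reads the form fields ``username``, ``password`` (the challenge
    response), ``key`` (URL-quoted challenge key) and ``redir``. Returns a
    ``framework.JSONResponse`` built from a ``(status, payload)`` tuple:
    ``(200, redir)`` on success, ``(401, "Failed to authenticate.")``
    otherwise.

    All failure paths answer with the same generic message so the endpoint
    does not reveal whether a username exists or why the authenticator
    rejected the attempt; the specific reason goes to ``request.log_error``.
    The DB session is closed on every path, not only on success.
    """
    name = request.POST[b"username"]
    cram = request.POST[b"password"]
    key = request.POST[b"key"]
    redir = request.POST[b"redir"]

    def _fail():
        return framework.JSONResponse((401, "Failed to authenticate."))

    dbsession = models.SessionMaker()
    try:
        try:
            user = dbsession.query(models.User).filter_by(username=name).one()
        except models.NoResultFound:
            request.log_error("No such user for async auth: %r\n" % (name, ))
            return _fail()
        try:
            good = Authenticator(user).authenticate(cram, unquote(key))
        except AuthenticationError as err:
            # The authenticator's reason is logged, not returned to the client.
            request.log_error("Did NOT authenticate by async: %r (%s)\n" % (name, err))
            return _fail()
        if not good:
            request.log_error("Invalid async authentication for %r\n" % (name, ))
            return _fail()
        request.log_error("Authenticated by async: %s\n" % (name, ))
        user.set_last_login()
        resp = framework.JSONResponse((200, redir))
        session = _set_session(resp, user, request.get_host(), "/",
                               request.config.get("LOGIN_TIME", 24))
        dbsession.add(session)
        dbsession.commit()
        return resp
    finally:
        dbsession.close()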
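def handle_async_authentication(request):
    """Look up the posted user and run the challenge/response check.

    This copy stops after computing ``good``: it answers ``(401, ...)`` on
    an unknown user or an ``AuthenticationError`` and otherwise falls off
    the end (returns ``None``) without issuing a session. It appears to be
    an older or truncated revision of the handler; ``redir`` is read but
    never used here.

    Changes from that revision: the Python-2-only ``except X, err`` syntax
    is replaced by ``except X as err``, failures share one generic client
    message (the specific reason is logged instead of returned), and the
    DB session is closed on every path rather than leaked.
    """
    name = request.POST[b"username"]
    cram = request.POST[b"password"]
    key = request.POST[b"key"]
    redir = request.POST[b"redir"]

    def _fail():
        return framework.JSONResponse((401, "Failed to authenticate."))

    dbsession = models.SessionMaker()
    try:
        try:
            user = dbsession.query(models.User).filter_by(username=name).one()
        except models.NoResultFound:
            request.log_error("No such user for async auth: %r\n" % (name, ))
            return _fail()
        try:
            good = Authenticator(user).authenticate(cram, unquote(key))
        except AuthenticationError as err:
            # The authenticator's reason is logged, not returned to the client.
            request.log_error("Did NOT authenticate by async: %r (%s)\n" % (name, err))
            return _fail()
    finally:
        dbsession.close()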
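def get(self, request):
    """Log the caller out: delete the stored session, clear the cookie, redirect to ``/``.

    A missing or unknown session key is not an error; the cookie is cleared
    and ``request.session`` reset either way, so the client always ends up
    logged out. NOTE(review): logout is reachable by a plain GET, so any
    page can trigger it (nuisance-level CSRF) -- confirm that is acceptable.
    """
    key = request.COOKIES.get(SESSION_KEY_NAME)
    if key is not None:
        dbsession = models.SessionMaker()
        try:
            try:
                sess = dbsession.query(models.Session).filter_by(session_key=key).one()
            except models.NoResultFound:
                pass  # nothing stored for this key; still clear the cookie below
            else:
                dbsession.delete(sess)
                dbsession.commit()
        finally:
            # Previously only closed after a successful delete; the unknown-key
            # path leaked the DB session.
            dbsession.close()
    request.session = None
    resp = framework.HttpResponseRedirect("/")
    resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
    return resp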
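def newhandler(request, *args, **kwargs):
    """Gate *handler* behind a valid, unexpired session cookie (API flavour).

    Unlike the page variant, every rejection answers with
    ``framework.HttpResponseNotAuthenticated()`` rather than redirecting to
    the login form; a presented cookie that is unknown or expired is
    cleared in the response. On success ``request.session`` is set and
    *handler* is called.

    NOTE(review): there is no Referer check here, unlike the page variant;
    confirm that is intended for cookie-authenticated, state-changing API
    endpoints.

    ``handler``, ``SESSION_KEY_NAME``, ``framework`` and ``models`` are
    resolved from the enclosing scopes.
    """
    def _reject():
        # Clear the presented cookie so a stale or bogus key is not re-sent.
        resp = framework.HttpResponseNotAuthenticated()
        resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
        return resp

    key = request.COOKIES.get(SESSION_KEY_NAME)
    if not key:
        return framework.HttpResponseNotAuthenticated()

    dbsession = models.SessionMaker()
    try:
        session = dbsession.query(models.Session).filter_by(session_key=key).one()
    except models.NoResultFound:
        dbsession.close()  # previously leaked on this path
        return _reject()

    if session.is_expired():
        dbsession.delete(session)
        dbsession.commit()
        dbsession.close()
        return _reject()

    # dbsession stays open here as in the original: closing it would detach
    # `session` before the handler gets to use it.
    request.session = session
    return handler(request, *args, **kwargs)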