    def login(self):
        """Authenticate the user from the submitted form.

        On success the user is remembered, a fresh session CSRF token is
        issued, and a redirect to the user page is returned carrying the
        ``CSRF-Token`` cookie. When the schema rejects the input the response
        status is set to 422 and the per-field errors are returned for
        re-rendering.
        """
        self.csrf_valid()

        try:
            user_schema = s.UserSchema.create_schema(self.request)
            appstruct = user_schema.deserialize(self.cstruct)

            auth_headers = remember(self.request, appstruct['email'])
            csrf_token = self.request.session.new_csrf_token()

            target = self.request.route_url('main', traverse='user')
            redirect = HTTPSeeOther(location=target, headers=auth_headers)
            # 864000 s = 10 days; a new token is issued on every login.
            redirect.set_cookie('CSRF-Token', csrf_token,
                                max_age=864000, overwrite=True)
            return redirect
        except colander.Invalid as exc:
            self.request.response.status = 422
            field_errors = exc.asdict()

            # When both credential fields carry the same message the pair as
            # a whole was rejected, so a single form-level message is shown.
            same_message = (
                'email' in field_errors
                and 'password' in field_errors
                and field_errors['email'] == field_errors['password']
            )
            form_error = "Username or password is incorrect." if same_message else None

            return {
                'errors': field_errors,
                'form_error': form_error,
            }
    def login(self):
        """Log the user in from the posted credentials.

        Validates the CSRF token, deserializes the form through the user
        schema and, on success, returns a 303 to the user page with the
        ``remember`` headers and a rotated ``CSRF-Token`` cookie. On a
        ``colander.Invalid`` failure the status becomes 422 and a dict with
        the field errors and an optional form-level error is returned.
        """
        self.csrf_valid()

        try:
            user_schema = s.UserSchema.create_schema(self.request)
            data = user_schema.deserialize(self.cstruct)

            remember_headers = remember(self.request, data['email'])
            fresh_token = self.request.session.new_csrf_token()

            location = self.request.route_url('main', traverse='user')
            redirect = HTTPSeeOther(location=location, headers=remember_headers)
            redirect.set_cookie(
                'CSRF-Token',
                fresh_token,
                max_age=864000,  # ten days, in seconds
                overwrite=True,
            )
            return redirect
        except colander.Invalid as invalid:
            self.request.response.status = 422
            field_errors = invalid.asdict()

            form_error = None
            both_present = {'email', 'password'} <= field_errors.keys()
            # Identical messages on both fields => the credential pair was
            # rejected; collapse into one message instead of two.
            if both_present and field_errors['email'] == field_errors['password']:
                form_error = "Username or password is incorrect."

            return {
                'errors': field_errors,
                'form_error': form_error,
            }
def login(request, redirect_field_name=REDIRECT_FIELD_NAME, _form_class=LoginForm):
    """Render and process the username/password login form.

    Already-authenticated requests go straight to the projects page. On a
    valid POST the user is logged in, redirected to the requested target
    (only when it passes ``is_safe_url`` for this host) and given the
    non-sensitive hashed user-id cookie. In every other case the form and the
    redirect target are returned for rendering.

    Args:
        request: the Pyramid request.
        redirect_field_name: form/query field holding the post-login target.
        _form_class: form implementation (injectable for tests).
    """
    # TODO: Logging in should reset request.user
    # TODO: Configure the login view as the default view for not having
    #       permission to view something.
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    user_service = request.find_service(IUserService, context=None)
    breach_service = request.find_service(IPasswordBreachedService, context=None)

    # The POST body wins over the query string for the redirect target.
    fallback_target = request.GET.get(redirect_field_name)
    redirect_to = request.POST.get(redirect_field_name, fallback_target)

    form = _form_class(
        request.POST,
        request=request,
        user_service=user_service,
        breach_service=breach_service,
        check_password_metrics_tags=["method:auth", "auth_method:login_form"],
    )

    if request.method != "POST" or not form.validate():
        return {
            "form": form,
            "redirect": {"field": REDIRECT_FIELD_NAME, "data": redirect_to},
        }

    userid = user_service.find_userid(form.username.data)

    # Open-redirect guard: only follow a user-supplied target that is safe
    # for this host; otherwise land on the projects page.
    if not (redirect_to and is_safe_url(url=redirect_to, host=request.host)):
        redirect_to = request.route_path("manage.projects")

    auth_headers = _login_user(request, userid)
    resp = HTTPSeeOther(redirect_to, headers=dict(auth_headers))

    # Client-side hint only: a personalised blake2b digest of the user id so
    # the raw id is not exposed. This is *not* an authenticator and nothing
    # security-relevant may depend on it.
    hashed_userid = hashlib.blake2b(
        str(userid).encode("ascii"), person=b"warehouse.userid"
    ).hexdigest().lower()
    resp.set_cookie(USER_ID_INSECURE_COOKIE, hashed_userid)
    return resp
def login(request, redirect_field_name=REDIRECT_FIELD_NAME, _form_class=LoginForm):
    """Login view: show the form, or authenticate on a valid POST.

    Returns a 303 to the projects page for users who are already signed in.
    Otherwise builds the login form (wired to the user and password-breach
    services); when a POST validates, the user is logged in and redirected
    to a host-safe target with the hashed, non-sensitive user-id cookie set.
    Otherwise a template dict with the form and redirect field is returned.
    """
    # TODO: Logging in should reset request.user
    # TODO: Configure the login view as the default view for not having
    #       permission to view something.
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    user_service = request.find_service(IUserService, context=None)
    breach_service = request.find_service(IPasswordBreachedService, context=None)

    redirect_to = request.POST.get(
        redirect_field_name, request.GET.get(redirect_field_name)
    )

    form = _form_class(
        request.POST,
        request=request,
        user_service=user_service,
        breach_service=breach_service,
        check_password_metrics_tags=["method:auth", "auth_method:login_form"],
    )

    is_valid_post = request.method == "POST" and form.validate()
    if is_valid_post:
        username = form.username.data
        userid = user_service.find_userid(username)

        # Reject unsafe (off-host) redirect targets supplied by the client.
        target_is_safe = bool(redirect_to) and is_safe_url(
            url=redirect_to, host=request.host
        )
        if not target_is_safe:
            redirect_to = request.route_path("manage.projects")

        headers = _login_user(request, userid)
        resp = HTTPSeeOther(redirect_to, headers=dict(headers))

        # Insecure-by-design cookie for client-side JavaScript: a blake2b
        # digest (personalised, not keyed) of the user id. Must never be
        # used where security matters.
        digest = hashlib.blake2b(
            str(userid).encode("ascii"), person=b"warehouse.userid"
        )
        resp.set_cookie(USER_ID_INSECURE_COOKIE, digest.hexdigest().lower())
        return resp

    return {
        "form": form,
        "redirect": {"field": REDIRECT_FIELD_NAME, "data": redirect_to},
    }
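def two_factor_and_totp_validate(request, _form_class=TOTPAuthenticationForm):
    """Second login step: show available 2FA methods and validate a TOTP code.

    Reads the pending login (user id and redirect target) from the signed
    two-factor token; an invalid or expired token flashes an error and returns
    the user to the login page. ``two_factor_state`` describes which methods
    the user has enrolled; a ``totp_form`` entry is only present when TOTP is
    enrolled. On a valid TOTP POST the user is logged in, the accepted TOTP
    value is stored on the user, the non-sensitive hashed user-id cookie is
    set and the user is redirected; a recovery-code reminder e-mail is sent
    when no recovery codes are enrolled.

    Fix: a POST from a user without TOTP (for example WebAuthn-only) used to
    raise ``KeyError`` on ``two_factor_state["totp_form"]`` and produce a 500;
    such a POST now falls through to rendering the state like a GET.

    Args:
        request: the Pyramid request.
        _form_class: TOTP form implementation (injectable for tests).
    """
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    try:
        two_factor_data = _get_two_factor_data(request)
    except TokenException:
        request.session.flash(
            request._("Invalid or expired two factor login."), queue="error")
        return HTTPSeeOther(request.route_path("accounts.login"))

    userid = two_factor_data.get("userid")
    # NOTE(review): redirect_to is used as-is. It comes from the server-signed
    # token, so it is presumably already host-checked when the token is issued
    # by the login view — confirm rather than assume.
    redirect_to = two_factor_data.get("redirect_to")

    user_service = request.find_service(IUserService, context=None)

    two_factor_state = {}
    if user_service.has_totp(userid):
        two_factor_state["totp_form"] = _form_class(
            request.POST,
            request=request,
            user_id=userid,
            user_service=user_service,
            check_password_metrics_tags=[
                "method:auth", "auth_method:login_form"
            ],
        )
    if user_service.has_webauthn(userid):
        two_factor_state["has_webauthn"] = True
    if user_service.has_recovery_codes(userid):
        two_factor_state["has_recovery_codes"] = True

    # Only users with TOTP enrolled have a form to validate; for anyone else a
    # POST just re-renders the method selection.
    form = two_factor_state.get("totp_form")
    if request.method == "POST" and form is not None:
        if form.validate():
            _login_user(request,
                        userid,
                        two_factor_method="totp",
                        two_factor_label="totp")
            # Persist the accepted value (presumably so the same code cannot be
            # accepted twice — see user_service for the actual check).
            user_service.update_user(userid,
                                     last_totp_value=form.totp_value.data)

            resp = HTTPSeeOther(redirect_to)
            # Client-side hint only: a personalised blake2b digest of the user
            # id. Not an authenticator; nothing security-relevant may rely on it.
            resp.set_cookie(
                USER_ID_INSECURE_COOKIE,
                hashlib.blake2b(
                    str(userid).encode("ascii"),
                    person=b"warehouse.userid").hexdigest().lower(),
            )

            if not two_factor_state.get("has_recovery_codes", False):
                send_recovery_code_reminder_email(request, request.user)

            return resp
        else:
            # Never echo a rejected code back into the form.
            form.totp_value.data = ""

    return two_factor_state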
def change_language(request):
    """Persist the requested UI language in the ``_LOCALE_`` cookie.

    ``lang`` is taken from the route's matchdict; when it is absent the cookie
    is removed so the default locale applies again. Always answers with a 303
    to the application root.
    """
    resp = HTTPSeeOther(request.application_url)
    chosen = request.matchdict.get('lang')

    if chosen is not None:
        # Remember the choice for one year.
        resp.set_cookie('_LOCALE_', chosen, max_age=timedelta(days=365))
    else:
        resp.unset_cookie('_LOCALE_')

    return resp
def login(request,
          redirect_field_name=REDIRECT_FIELD_NAME,
          _form_class=forms.LoginForm):
    """Render the login form, or log the user in on a valid POST.

    The post-login target is read from the POST body, falling back to the
    query string, and is only followed when ``is_safe_url`` accepts it for
    this host (otherwise ``"/"``). A successful login returns a 303 with the
    ``_login_user`` headers and the non-sensitive hashed user-id cookie; any
    other request returns the form and redirect field for rendering.
    """
    # TODO: Logging in should reset request.user
    # TODO: Configure the login view as the default view for not having
    #       permission to view something.

    user_service = request.find_service(IUserService, context=None)

    from_query = request.GET.get(redirect_field_name)
    redirect_to = request.POST.get(redirect_field_name, from_query)

    form = _form_class(request.POST, user_service=user_service)

    if request.method != "POST" or not form.validate():
        return {
            "form": form,
            "redirect": {
                "field": REDIRECT_FIELD_NAME,
                "data": redirect_to,
            },
        }

    userid = user_service.find_userid(form.username.data)

    # Open-redirect guard: a missing or off-host target goes to the index.
    if not (redirect_to and is_safe_url(url=redirect_to, host=request.host)):
        redirect_to = "/"

    auth_headers = _login_user(request, userid)
    resp = HTTPSeeOther(redirect_to, headers=dict(auth_headers))

    # Client-side hint only: a personalised blake2b digest of the user id so
    # the raw id is not exposed. *Not* an authenticator; nothing that matters
    # for security may depend on it.
    hashed_userid = blake2b(
        str(userid).encode("ascii"),
        person=b"warehouse.userid",
    ).hexdigest().lower()
    resp.set_cookie(USER_ID_INSECURE_COOKIE, hashed_userid)
    return resp
def login(request, redirect_field_name=REDIRECT_FIELD_NAME,
          _form_class=forms.LoginForm):
    """Login view.

    Builds the login form from the POST body. When the request is a POST and
    the form validates, the user is logged in and redirected to the requested
    target if it is safe for this host (else to ``"/"``), with the hashed,
    non-sensitive user-id cookie set. Otherwise the form and the redirect
    field are returned for the template.
    """
    # TODO: Logging in should reset request.user
    # TODO: Configure the login view as the default view for not having
    #       permission to view something.

    user_service = request.find_service(IUserService, context=None)

    redirect_to = request.POST.get(redirect_field_name,
                                   request.GET.get(redirect_field_name))

    form = _form_class(request.POST, user_service=user_service)

    submitted_and_valid = request.method == "POST" and form.validate()
    if submitted_and_valid:
        username = form.username.data
        userid = user_service.find_userid(username)

        # Refuse client-supplied targets that point off this host.
        target_is_safe = bool(redirect_to) and is_safe_url(
            url=redirect_to, host=request.host
        )
        if not target_is_safe:
            redirect_to = "/"

        headers = _login_user(request, userid)
        resp = HTTPSeeOther(redirect_to, headers=dict(headers))

        # Insecure-by-design cookie for client-side JavaScript: a blake2b
        # digest (personalised, not keyed) of the user id. Must never be used
        # where security matters.
        digest = blake2b(str(userid).encode("ascii"), person=b"warehouse.userid")
        resp.set_cookie(USER_ID_INSECURE_COOKIE, digest.hexdigest().lower())
        return resp

    return {
        "form": form,
        "redirect": {
            "field": REDIRECT_FIELD_NAME,
            "data": redirect_to,
        },
    }
def set_color_theme(request):
    """Store the POSTed colour theme in a cookie and bounce to preferences.

    Choosing ``'default'`` deletes the cookie instead of storing it; a missing
    choice or one equal to the current theme leaves the cookie untouched.
    """
    cookie_name = 'color_theme'
    cookie_path = '/'  # FIXME: not necessarily
    response = HTTPSeeOther(request.route_url('preferences'))

    requested = request.POST.get('color_theme')
    active = request.cookies.get(cookie_name, 'default')
    if not requested or requested == active:
        return response

    if requested == 'default':
        response.delete_cookie(cookie_name, path=cookie_path)
    else:
        # NOTE(review): the theme name is client input stored verbatim; whatever
        # reads this cookie should treat it as untrusted.
        response.set_cookie(cookie_name, requested, path=cookie_path)
    return response
def locale(request):
    """Switch the UI locale from the query string and return to the referer.

    The referer is only followed when ``is_safe_url`` accepts it for this
    host (open-redirect guard); otherwise the index is used. The locale cookie
    and the success flash are only produced when the form validates.
    """
    form = SetLocaleForm(**request.GET)

    destination = request.referer
    if not is_safe_url(destination, host=request.host):
        destination = request.route_path("index")
    resp = HTTPSeeOther(destination)

    if not form.validate():
        return resp

    request.session.flash("Locale updated", queue="success")
    resp.set_cookie(LOCALE_ATTR, form.locale_id.data)
    return resp
def two_factor(request, _form_class=TwoFactorForm):
    """Validate the TOTP second factor for a pending login.

    The pending login (user id and redirect target) travels in a signed token
    in the query string; a missing, invalid or expired token sends the user
    back to the login page. On a valid POST the redirect target is checked
    with ``is_safe_url``, the user is logged in and the non-sensitive hashed
    user-id cookie is set. A failed attempt clears the submitted code before
    the form is re-rendered.
    """
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    token_service = request.find_service(ITokenService, name="two_factor")

    try:
        two_factor_data = token_service.loads(request.query_string)
    except TokenException:
        request.session.flash("Invalid or expired two factor login.",
                              queue="error")
        return HTTPSeeOther(request.route_path("accounts.login"))

    userid = two_factor_data.get("userid")
    if not userid:
        return HTTPSeeOther(request.route_path("accounts.login"))

    redirect_to = two_factor_data.get("redirect_to")

    user_service = request.find_service(IUserService, context=None)

    form = _form_class(
        request.POST,
        user_id=userid,
        user_service=user_service,
        check_password_metrics_tags=["method:auth", "auth_method:login_form"],
    )

    if request.method != "POST":
        return {"form": form}

    if not form.validate():
        # Never echo a rejected code back into the form.
        form.totp_value.data = ""
        return {"form": form}

    # Open-redirect guard; fall back to the projects page.
    if not (redirect_to and is_safe_url(url=redirect_to, host=request.host)):
        redirect_to = request.route_path("manage.projects")

    _login_user(request, userid)

    resp = HTTPSeeOther(redirect_to)
    # Client-side hint only: a personalised blake2b digest of the user id.
    # Not an authenticator; nothing security-relevant may rely on it.
    digest = hashlib.blake2b(
        str(userid).encode("ascii"), person=b"warehouse.userid"
    ).hexdigest().lower()
    resp.set_cookie(USER_ID_INSECURE_COOKIE, digest)
    return resp
def recovery_code(request, _form_class=RecoveryCodeAuthenticationForm):
    """Complete a pending login with a one-time recovery code.

    The pending login is read from the signed two-factor token; an invalid or
    expired token flashes an error and returns to the login page. On a valid
    POST the user is logged in with ``two_factor_method="recovery-code"``,
    redirected to the account page with the non-sensitive hashed user-id
    cookie, an ``account:recovery_codes:used`` event is recorded and a
    success message is flashed. A rejected code is cleared from the form.
    """
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    try:
        two_factor_data = _get_two_factor_data(request)
    except TokenException:
        request.session.flash(
            request._("Invalid or expired two factor login."), queue="error"
        )
        return HTTPSeeOther(request.route_path("accounts.login"))

    userid = two_factor_data.get("userid")

    user_service = request.find_service(IUserService, context=None)

    form = _form_class(
        request.POST, request=request, user_id=userid, user_service=user_service
    )

    if request.method != "POST":
        return {"form": form}

    if not form.validate():
        # Never echo a rejected code back into the form.
        form.recovery_code_value.data = ""
        return {"form": form}

    _login_user(request, userid, two_factor_method="recovery-code")

    resp = HTTPSeeOther(request.route_path("manage.account"))
    # Client-side hint only: a personalised blake2b digest of the user id.
    # Not an authenticator; nothing security-relevant may rely on it.
    hashed_userid = hashlib.blake2b(
        str(userid).encode("ascii"), person=b"warehouse.userid"
    ).hexdigest().lower()
    resp.set_cookie(USER_ID_INSECURE_COOKIE, hashed_userid)

    # Audit trail: using a recovery code is a security-relevant event.
    user_service.record_event(
        userid,
        tag="account:recovery_codes:used",
        ip_address=request.remote_addr,
    )

    request.session.flash(
        request._(
            "Recovery code accepted. The supplied code cannot be used again."
        ),
        queue="success",
    )

    return resp
def two_factor(request, _form_class=TwoFactorForm):
    """Second-factor (TOTP) step of the login flow.

    Loads the pending login from the signed token in the query string and
    bounces to the login page when the token is invalid or carries no user
    id. When the POSTed form validates, the redirect target is re-checked
    with ``is_safe_url``, the user is logged in and a 303 is returned with
    the non-sensitive hashed user-id cookie; otherwise the form is returned.
    """
    if request.authenticated_userid is not None:
        return HTTPSeeOther(request.route_path("manage.projects"))

    token_service = request.find_service(ITokenService, name="two_factor")

    try:
        two_factor_data = token_service.loads(request.query_string)
    except TokenException:
        request.session.flash("Invalid or expired two factor login.", queue="error")
        return HTTPSeeOther(request.route_path("accounts.login"))

    userid = two_factor_data.get("userid")
    if not userid:
        return HTTPSeeOther(request.route_path("accounts.login"))

    redirect_to = two_factor_data.get("redirect_to")

    user_service = request.find_service(IUserService, context=None)

    form = _form_class(
        request.POST,
        user_id=userid,
        user_service=user_service,
        check_password_metrics_tags=["method:auth", "auth_method:login_form"],
    )

    valid_post = request.method == "POST" and form.validate()
    if valid_post:
        # Refuse off-host redirect targets; default to the projects page.
        target_is_safe = bool(redirect_to) and is_safe_url(
            url=redirect_to, host=request.host
        )
        if not target_is_safe:
            redirect_to = request.route_path("manage.projects")

        _login_user(request, userid)

        resp = HTTPSeeOther(redirect_to)
        # Insecure-by-design cookie for client-side code: a personalised
        # blake2b digest of the user id. Never use it where security matters.
        digest = hashlib.blake2b(
            str(userid).encode("ascii"), person=b"warehouse.userid"
        )
        resp.set_cookie(USER_ID_INSECURE_COOKIE, digest.hexdigest().lower())
        return resp

    return {"form": form}
def locale(request):
    """Switch the UI locale and return to the (host-safe) referer.

    When the form validates, the success flash is translated with a localizer
    for the *new* locale before the cookie is set, so the message already
    appears in the language the user just picked.
    """
    form = SetLocaleForm(**request.GET)

    destination = request.referer
    if not is_safe_url(destination, host=request.host):
        destination = request.route_path("index")
    resp = HTTPSeeOther(destination)

    if not form.validate():
        return resp

    new_locale = form.locale_id.data
    # The request's own localizer still reflects the old locale; build one for
    # the target locale so the flash message is translated into it.
    tdirs = request.registry.queryUtility(ITranslationDirectories)
    translate = make_localizer(new_locale, tdirs).translate
    request.session.flash(translate("Locale updated"), queue="success")
    resp.set_cookie(LOCALE_ATTR, new_locale)

    return resp
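def callback(request):
    """OAuth callback stub: remembers a fixed test user and redirects to login.

    The ``code`` parameter is read but never exchanged or verified, and the
    identity is hard-coded, so every request reaching this view is remembered
    as user ``'lak'``. This is development scaffolding; the commented-out
    ``OAuth(code).get_user_info()`` lookup must replace it before this view
    is exposed. Sets plain ``name``/``userid`` cookies for the client and
    answers with a 303 to the ``login`` route carrying the ``remember``
    headers.
    """
    log.debug('********* callback **********')
    print_requests(request)

    # FIXME(security): the authorization code is never exchanged; the identity
    # below is hard-coded, so this view authenticates any caller as 'lak'.
    code = request.params.get('code')  # kept for the real flow below
    # userid, name = OAuth(code).get_user_info()
    userid = 'lak'
    name = 'test'

    headers = remember(request, userid)
    login_url = request.route_url('login')
    # Debug output goes to the module logger, like the rest of this view,
    # rather than to stdout.
    log.debug('login_url - %s', login_url)

    response = HTTPSeeOther(location=login_url, headers=headers)
    # Presumably informational cookies for the client; the authentication
    # itself is carried by the remember() headers.
    response.set_cookie('name', name)
    response.set_cookie('userid', userid)

    return response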
def set_lang(request):
    """Store the POSTed ``lang`` in the locale cookie and return to preferences.

    Raises ``KeyError`` when the ``lang`` field is missing from the POST body.
    """
    chosen = request.POST['lang']
    response = HTTPSeeOther(request.route_url('preferences'))
    # FIXME: the cookie path is not necessarily '/'.
    response.set_cookie(LOCALE_COOKIE_NAME, chosen, path='/')
    return response