def user_registration_input(request: FlaskRequest) -> Type[Schema]:

    attributes: MarshmallowSchema = {}

    attributes["name"] = fields.Str(required=True)
    attributes["surname"] = fields.Str(required=True)
    # This is because Email is not typed on marshmallow
    attributes["email"] = fields.Email(  # type: ignore
        required=True,
        metadata={"label": "Username (email address)"},
        validate=validate.Length(max=100),
    )
    attributes["password"] = fields.Str(
        required=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )
    attributes["password_confirm"] = fields.Str(
        required=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={
            "label": "Password confirmation",
            "password": True
        },
    )

    if custom_fields := mem.customizer.get_custom_input_fields(
            request=None, scope=mem.customizer.REGISTRATION):
        attributes.update(custom_fields)
class NewPassword(Schema):
    """Input for changing the password of an already authenticated user.

    Declaration order is the order the fields appear in the rendered schema.
    The ``"password": True`` metadata key is for whatever renders this schema
    (the key suggests a password input); marshmallow itself does not interpret it.
    """

    # The current password is deliberately not length-checked: the disabled
    # validator below records that decision.
    password = fields.Str(
        required=True,
        metadata={"password": True},
        # Not needed to check the length of the current password... if set...
        # validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
    )
    # New password and its confirmation must each meet the minimum length; that
    # the two are equal is not expressed in this schema and has to be checked by
    # the consuming endpoint.
    new_password = fields.Str(
        required=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )
    password_confirm = fields.Str(
        required=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )
    # Optional one-time code; when it is actually mandatory is decided by the
    # consumer (presumably only for accounts with TOTP enabled — verify there).
    totp_code = fields.TOTP(required=False)
class Credentials(Schema):
    """Login input: e-mail username, password, optional password change and TOTP code.

    ``password=True`` is passed straight to the field constructors here instead
    of under ``metadata=``; newer marshmallow releases warn about such extra
    keyword arguments, so the ``metadata={"password": True}`` form is preferable.
    """
    username = fields.Email(required=True)
    # No minimum length on the login password: the comment below records that it
    # would reject default/test credentials such as "test".
    password = fields.Str(
        required=True,
        password=True,
        # Otherwise default testing password, like test, will fail
        # validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH)
    )
    # Optional new password plus confirmation, each length-checked; their equality
    # is not checked here. Presumably used when the login forces a password
    # change — verify in the consuming endpoint.
    new_password = fields.Str(
        required=False,
        password=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
    )
    password_confirm = fields.Str(
        required=False,
        password=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
    )
    # Bare ``TOTP`` (not ``fields.TOTP``): the name must be imported in this module.
    totp_code = TOTP(required=False)
class Credentials(Schema):
    """Login input: e-mail username, password, optional password change and TOTP code.

    Declaration order is the order the fields appear in the rendered schema. The
    ``"password": True`` metadata key is for whatever renders this schema;
    marshmallow itself does not interpret it.
    """
    # Username is validated as an e-mail address and capped at 100 characters.
    # This is because Email is not typed on marshmallow
    username = fields.Email(  # type: ignore
        required=True, validate=validate.Length(max=100))
    # No minimum length on the login password: the comment below records that it
    # would reject default/test credentials such as "test".
    password = fields.Str(
        required=True,
        metadata={"password": True},
        # Otherwise default testing password, like test, will fail
        # validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH)
    )
    # Optional new password plus confirmation, each length-checked; their equality
    # is not checked here. Presumably used when the login forces a password
    # change — verify in the consuming endpoint.
    new_password = fields.Str(
        required=False,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )
    password_confirm = fields.Str(
        required=False,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )
    # Optional one-time code; when it is actually mandatory is decided by the
    # consumer (presumably only for accounts with TOTP enabled — verify there).
    totp_code = fields.TOTP(required=False)
    def getInputSchema(request):

        # as defined in Marshmallow.schema.from_dict
        attributes: Dict[str, Union[fields.Field, type]] = {}

        attributes["name"] = fields.Str(required=True)
        attributes["surname"] = fields.Str(required=True)
        attributes["email"] = fields.Email(required=True,
                                           label="Username (email address)")
        attributes["password"] = fields.Str(
            required=True,
            password=True,
            validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        )
        attributes["password_confirm"] = fields.Str(
            required=True,
            password=True,
            label="Password confirmation",
            validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        )

        if custom_fields := mem.customizer.get_custom_input_fields(
                request=None, scope=mem.customizer.REGISTRATION):
            attributes.update(custom_fields)
 class InputSchema(Schema):
     """Test schema exercising a string, a datetime and two int fields with range validators."""
     mystr = fields.Str(required=True, validate=validate.Length(min=1))
     # Parsed with the ISO8601UTC format (defined elsewhere). The disabled Range
     # below would call datetime.now() in the class body, i.e. once at import
     # time, so its upper bound would not follow the current day — plausibly why
     # it is commented out.
     mydate = fields.DateTime(
         required=True,
         format=ISO8601UTC,
         # validate=validate.Range(
         #     max=datetime.now(pytz.utc).replace(hour=23, minute=59, second=59),
         #     min=datetime(1900, 1, 1, tzinfo=pytz.utc),
         #     max_inclusive=True,
         #     error="Invalid date",
         # ),
     )
     # Open interval: 1 and 10 themselves are rejected.
     myint_exclusive = fields.Int(
         required=True,
         validate=validate.Range(
             min=1, max=10, min_inclusive=False, max_inclusive=False
         ),
     )
     # Closed interval: 1 and 10 are accepted (Range bounds are inclusive by default).
     myint_inclusive = fields.Int(
         required=True,
         validate=validate.Range(min=1, max=10),
     )
class MailInput(Schema):
    """Input for an e-mail send request: subject, body, recipients and a dry-run switch.

    Validation here is structural only (required keys, address syntax, body
    length). The body is declared as free HTML and nothing in this schema
    sanitizes it; whether that happens before sending is up to the consumer and
    should be confirmed.
    """
    subject = fields.Str(required=True,
                         metadata={"description": "Subject of your email"})
    # Upper bound on body size only; the content itself is not inspected.
    body = fields.Str(
        required=True,
        validate=validate.Length(max=9999),
        metadata={
            "description": "Body of your email. You can use html code here."
        },
    )
    # Single mandatory destination address.
    # This is because Email is not typed on marshmallow
    to = fields.Email(  # type: ignore
        required=True,
        metadata={"label": "Destination email address"})
    # Optional delimited lists of addresses; each element is validated as an e-mail.
    cc = fields.DelimitedList(
        # This is because Email is not typed on marshmallow
        fields.Email(),  # type: ignore
        metadata={
            "label": "CC - Carbon Copy",
            "description": "CC email addresses (comma-delimited list)",
        },
    )
    bcc = fields.DelimitedList(
        # This is because Email is not typed on marshmallow
        fields.Email(),  # type: ignore
        metadata={
            "label": "BCC - Blind Carbon Copy",
            "description": "BCC email addresses (comma-delimited list)",
        },
    )
    # Mandatory flag: the caller must state explicitly whether to simulate or send.
    dry_run = fields.Boolean(
        required=True,
        metadata={
            "label": "Dry run execution",
            "description": "Only simulate the email, do not send it",
        },
    )
def admin_user_input(request: FlaskRequest, is_post: bool) -> Type[Schema]:

    is_admin = HTTPTokenAuth.is_session_user_admin(request, auth)

    attributes: MarshmallowSchema = {}
    if is_post:
        # This is because Email is not typed on marshmallow
        attributes["email"] = fields.Email(  # type: ignore
            required=is_post,
            validate=validate.Length(max=100))

    attributes["name"] = fields.Str(
        required=is_post,
        validate=validate.Length(min=1),
        metadata={"label": "First Name"},
    )
    attributes["surname"] = fields.Str(
        required=is_post,
        validate=validate.Length(min=1),
        metadata={"label": "Last Name"},
    )

    attributes["password"] = fields.Str(
        required=is_post,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
        metadata={"password": True},
    )

    if Connector.check_availability("smtp"):
        attributes["email_notification"] = fields.Bool(
            metadata={"label": "Notify password by email"})

    attributes["is_active"] = fields.Bool(
        dump_default=True,
        required=False,
        metadata={"label": "Activate user"},
    )

    roles = {r.name: r.description for r in auth.get_roles()}
    if not is_admin and RoleEnum.ADMIN.value in roles:
        roles.pop(RoleEnum.ADMIN.value)

    attributes["roles"] = fields.List(
        fields.Str(validate=validate.OneOf(
            choices=[r for r in roles.keys()],
            labels=[r for r in roles.values()],
        )),
        dump_default=[auth.default_role],
        required=False,
        unique=True,
        metadata={
            "label": "Roles",
            "description": "",
            "extra_descriptions": auth.role_descriptions,
        },
    )

    group_keys = []
    group_labels = []

    for g in auth.get_groups():
        group_keys.append(g.uuid)
        group_labels.append(f"{g.shortname} - {g.fullname}")

    if len(group_keys) == 1:
        default_group = group_keys[0]
    else:
        default_group = None

    attributes["group"] = fields.Str(
        required=is_post,
        dump_default=default_group,
        validate=validate.OneOf(choices=group_keys, labels=group_labels),
        metadata={
            "label": "Group",
            "description": "The group to which the user belongs",
        },
    )

    attributes["expiration"] = fields.DateTime(
        required=False,
        allow_none=True,
        metadata={
            "label": "Account expiration",
            "description": "This user will be blocked after this date",
        },
    )

    if custom_fields := mem.customizer.get_custom_input_fields(
            request=request, scope=mem.customizer.ADMIN):
        attributes.update(custom_fields)
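    class RecoverPassword(EndpointResource):
        """Password-reset endpoint pair: request a reset link (POST) and redeem it (PUT).

        ``POST /auth/reset`` issues a temporary PWD_RESET token for the given
        address and e-mails a link carrying it. ``PUT /auth/reset/<token>``
        verifies the token and, when a new password is supplied, changes the
        password and invalidates the token (reset tokens are single-use).
        """

        depends_on = [
            "MAIN_LOGIN_ENABLE", "ALLOW_PASSWORD_RESET", "AUTH_ENABLE"
        ]
        labels = ["authentication"]

        @decorators.use_kwargs(
            # This is because Email is not typed on marshmallow
            {"reset_email": fields.Email(required=True)}  # type: ignore
        )
        @decorators.endpoint(
            path="/auth/reset",
            summary="Request password reset via email",
            description="Request password reset via email",
            responses={
                200: "Reset email is valid",
                400: "Invalid reset email",
                403: "Account not found or already active",
            },
        )
        def post(self, reset_email: str) -> Response:
            """Create a reset token for ``reset_email`` and send the reset link by e-mail.

            Args:
                reset_email: address of the account to reset; lower-cased before lookup.

            Returns:
                A generic confirmation message.

            Raises:
                Forbidden: the address is not a known username. The blocked-username
                    and user-status checks may raise their own errors (not visible here).
                ServiceUnavailable: the reset e-mail could not be sent.
            """

            reset_email = reset_email.lower()

            self.auth.verify_blocked_username(reset_email)

            user = self.auth.get_user(username=reset_email)

            # NOTE(review): a 403 here tells the caller whether the address has an
            # account, while the success message below is deliberately non-committal.
            # The 403 is part of the documented responses, so folding it into the
            # generic 200 is an API decision rather than a local fix.
            if user is None:
                raise Forbidden(
                    f"Sorry, {reset_email} is not recognized as a valid username",
                )

            self.auth.verify_user_status(user)

            reset_token, payload = self.auth.create_temporary_token(
                user, self.auth.PWD_RESET)

            server_url = get_frontend_url()

            # The token's "." separators become "+" in the link; put() reverses the
            # substitution (including its "%2B" url-encoded form).
            rt = reset_token.replace(".", "+")

            uri = Env.get("RESET_PASSWORD_URI", "/public/reset")
            complete_uri = f"{server_url}{uri}/{rt}"

            sent = send_password_reset_link(user, complete_uri, reset_email)

            if not sent:  # pragma: no cover
                raise ServiceUnavailable("Error sending email, please retry")

            # The token is persisted only after the mail went out, so a failed send
            # leaves nothing redeemable behind.
            self.auth.save_token(user,
                                 reset_token,
                                 payload,
                                 token_type=self.auth.PWD_RESET)

            msg = "We'll send instructions to the email provided if it's associated "
            msg += "with an account. Please check your spam/junk folder."

            self.log_event(self.events.reset_password_request, user=user)
            return self.response(msg)

        @decorators.use_kwargs({
            "new_password":
            fields.Str(
                required=False,
                validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
                metadata={"password": True},
            ),
            "password_confirm":
            fields.Str(
                required=False,
                validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
                metadata={"password": True},
            ),
        })
        @decorators.endpoint(
            path="/auth/reset/<token>",
            summary="Change password as conseguence of a reset request",
            description="Change password as conseguence of a reset request",
            responses={
                200: "Reset token is valid, password changed",
                400: "Invalid reset token",
            },
        )
        def put(
            self,
            token: str,
            new_password: Optional[str] = None,
            password_confirm: Optional[str] = None,
        ) -> Response:
            """Verify a reset token and, if a new password is given, apply it.

            Args:
                token: the reset token from the link, with "." rendered as "+" or "%2B".
                new_password: the password to set; omit (together with
                    ``password_confirm``) to only verify the token.
                password_confirm: must equal ``new_password``.

            Returns:
                An empty response when only the token was verified, otherwise
                "Password changed".

            Raises:
                BadRequest: the token is expired, immature, unknown or otherwise
                    invalid, the account logged in after the token was issued, or
                    the password pair is incomplete or mismatched.
            """

            # Undo the "." -> "+" substitution done by post(), in both its raw and
            # url-encoded forms.
            token = token.replace("%2B", ".")
            token = token.replace("+", ".")

            try:
                # valid, token, jti, user
                _, _, jti, user = self.auth.verify_token(
                    token, raiseErrors=True, token_type=self.auth.PWD_RESET)

            # Expired tokens are the only case reported distinctly to the client.
            except jwt.exceptions.ExpiredSignatureError:
                raise BadRequest(
                    "Invalid reset token: this request is expired")

            # if token is not active yet
            except jwt.exceptions.ImmatureSignatureError as e:
                log.info(e)
                raise BadRequest("Invalid reset token")
            # if token does not exist (or other generic errors): the detail is only
            # logged, the client gets the same generic 400
            except Exception as e:
                log.info(e)
                raise BadRequest("Invalid reset token")

            # Message fixed: this is the reset flow, not account activation.
            if user is None:  # pragma: no cover
                raise BadRequest("Invalid reset token")

            # Recovering token object from jti
            tokens_obj = self.auth.get_tokens(token_jti=jti)
            # Can't happen because the token is refused from verify_token function
            if len(tokens_obj) == 0:  # pragma: no cover
                raise BadRequest(
                    "Invalid reset token: this request is no longer valid")

            token_obj = tokens_obj.pop(0)
            emitted = token_obj["emitted"]

            last_change = None
            # If user logged in after the token emission invalidate the token
            if user.last_login is not None:
                last_change = user.last_login
            # If user changed the pwd after the token emission invalidate the token
            # Can't happen because the change password also invalidated the token
            elif user.last_password_change is not None:  # pragma: no cover
                last_change = user.last_password_change

            if last_change is not None:

                # Can't happen because the change password also invalidated the token
                if last_change > emitted:  # pragma: no cover
                    self.auth.invalidate_token(token)
                    raise BadRequest(
                        "Invalid reset token: this request is no longer valid",
                    )

            # The reset token is valid, do something

            # No password to be changed, just a token verification
            if new_password is None and password_confirm is None:
                return self.empty_response()

            # Something is missing
            if new_password is None or password_confirm is None:
                raise BadRequest("Invalid password")

            if new_password != password_confirm:
                raise BadRequest(
                    "New password does not match with confirmation")

            self.auth.change_password(user, user.password, new_password,
                                      password_confirm)
            # I really don't know why this save is required... since it is already
            # in change_password ... But if I remove it the new pwd is not saved...
            self.auth.save_user(user)

            # Bye bye token (reset tokens are valid only once)
            self.auth.invalidate_token(token)

            return self.response("Password changed")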
def getInputSchema(request, is_post):

    # as defined in Marshmallow.schema.from_dict
    attributes: Dict[str, Union[fields.Field, type]] = {}
    if is_post:
        attributes["email"] = fields.Email(required=is_post)

    attributes["name"] = fields.Str(required=is_post,
                                    validate=validate.Length(min=1))
    attributes["surname"] = fields.Str(required=is_post,
                                       validate=validate.Length(min=1))

    attributes["password"] = fields.Str(
        required=is_post,
        password=True,
        validate=validate.Length(min=auth.MIN_PASSWORD_LENGTH),
    )

    if Connector.check_availability("smtp"):
        attributes["email_notification"] = fields.Bool(
            label="Notify password by email")

    attributes["is_active"] = fields.Bool(label="Activate user",
                                          default=True,
                                          required=False)

    roles = {r.name: r.description for r in auth.get_roles()}

    attributes["roles"] = AdvancedList(
        fields.Str(validate=validate.OneOf(
            choices=[r for r in roles.keys()],
            labels=[r for r in roles.values()],
        )),
        required=False,
        label="Roles",
        description="",
        unique=True,
        multiple=True,
    )

    group_keys = []
    group_labels = []

    for g in auth.get_groups():
        group_keys.append(g.uuid)
        group_labels.append(f"{g.shortname} - {g.fullname}")

    if len(group_keys) == 1:
        default_group = group_keys[0]
    else:
        default_group = None

    attributes["group"] = fields.Str(
        label="Group",
        description="The group to which the user belongs",
        required=is_post,
        default=default_group,
        validate=validate.OneOf(choices=group_keys, labels=group_labels),
    )

    attributes["expiration"] = fields.DateTime(
        required=False,
        allow_none=True,
        label="Account expiration",
        description="This user will be blocked after this date",
    )

    if custom_fields := mem.customizer.get_custom_input_fields(
            request=request, scope=mem.customizer.ADMIN):
        attributes.update(custom_fields)
    class InputSchema(Schema):
        # lowercase key without label defined. label will be key.title() in schema
        mystr = fields.Str(required=True, validate=validate.Length(min=4))
        # non-lowercase key without label defined. label will be == to key in schema
        MYDATE = fields.Date(required=True)
        MYDATETIME = fields.AwareDateTime(
            required=True,
            format=ISO8601UTC,
            default_timezone=pytz.utc,
            validate=validate.Range(
                max=datetime.now(pytz.utc).replace(hour=23, minute=59, second=59),
                min=datetime(1900, 1, 1, tzinfo=pytz.utc),
                max_inclusive=True,
                error="Invalid date",
            ),
        )
        myint_exclusive = fields.Int(
            required=True,
            # Explicit label definition... but missing description
            validate=validate.Range(
                min=1, max=10, min_inclusive=False, max_inclusive=False
            ),
            metadata={
                "label": "Int exclusive field",
            },
        )
        myint_inclusive = fields.Int(
            required=True,
            # Both label and description explicit definition
            validate=validate.Range(min=1, max=10),
            metadata={
                "label": "Int inclusive field",
                "description": "This field accepts values in a defined range",
            },
        )

        myselect = fields.Str(
            required=True,
            validate=validate.OneOf(choices=["a", "b"], labels=["A", "B"]),
        )

        myselect2 = fields.Str(
            required=True,
            # Wrong definition, number labels < number of choices
            # Labels will be ignored and replaced by choices
            validate=validate.OneOf(choices=["a", "b"], labels=["A"]),
        )

        mymaxstr = fields.Str(required=True, validate=validate.Length(max=7))

        myequalstr = fields.Str(required=True, validate=validate.Length(equal=6))

        # Note: requests (from pytest) has to json-dump the arrays and objects,
        # but the normal Marshmallow fields does not json-load the inputs

        # fields.Nested is a replacement of the default Nested field with the ability
        # to receive json dumped data from requests or pytest
        mynested = fields.Nested(Nested, required=True)

        mynullablenested = fields.Nested(Nested, required=True, allow_none=True)

        # fields.List is a replacement of the default List field with the ability
        # to receive json dumped data from requests or pytest

        # In json model the type of this field will be resolved as string[]
        mylist = fields.List(fields.Str(), required=True)
        # In json model the type of this field will be resolved as int[]
        mylist2 = fields.List(CustomInt, required=True)
        # In json model the type of this field will be resolved as mylist3[]
        # The type is key[] ... should be something more explicative like FieldName[]
        mylist3 = fields.List(CustomGenericField, required=True)