def api_authGithubAuthorized():
"""Handle a callback from a successful OAUTH request.
Tracks oauth users in a database.
"""
# clear temporary cookie values first
expect = cookie.unchecked_remove(_COOKIE_NONCE) or '<missing-nonce>'
t = cookie.unchecked_remove(_COOKIE_SIM_TYPE)
oc = _oauth_client()
if not oc.authorize_access_token():
util.raise_forbidden('missing oauth response')
got = flask.request.args.get('state', '<missing-state>')
if expect != got:
pkdlog(
'mismatch oauth state: expected {} != got {}',
expect,
got,
)
auth.login_fail_redirect(t, this_module, 'oauth-state', reload_js=True)
raise AssertionError('auth.login_fail_redirect returned unexpectedly')
d = oc.get('user').json()
with auth_db.thread_lock:
u = AuthGithubUser.search_by(oauth_id=d['id'])
if u:
# always update user_name
u.user_name = d['login']
else:
u = AuthGithubUser(oauth_id=d['id'], user_name=d['login'])
u.save()
auth.login(this_module, model=u, sim_type=t, want_redirect=True)
raise AssertionError('auth.login returned unexpectedly')
def api_authGuestLogin(simulation_type):
"""You have to be an anonymous or logged in user at this point"""
req = http_request.parse_params(type=simulation_type)
# if already logged in as guest, just redirect
if auth.user_if_logged_in(AUTH_METHOD):
auth.login_success_response(req.type)
auth.login(this_module, sim_type=req.type)
raise AssertionError('auth.login returned unexpectedly')
def test_migration():
"""See if user gets migrated"""
from pykern.pkunit import pkeq, pkok, pkexcept, work_dir
from pykern.pkdebug import pkdp
from sirepo import auth
# deprecated methods raise Unauthorized, but still login
with pkexcept('UNAUTHORIZED'):
auth.login(auth.github, uid='jeTJR5G4')
# verify logged in
pkeq('jeTJR5G4', auth.user_if_logged_in('github'))
pkok(work_dir().join('db/auth.db').exists(), 'auth.db does not exist')
def api_authEmailAuthorized(simulation_type, token):
"""Clicked by user in an email
Token must exist in db and not be expired.
"""
t = sirepo.template.assert_sim_type(simulation_type)
with auth_db.thread_lock:
u = AuthEmailUser.search_by(token=token)
if u and u.expires >= datetime.datetime.utcnow():
u.query.filter(
(AuthEmailUser.user_name == u.unverified_email),
AuthEmailUser.unverified_email != u.unverified_email,
).delete()
u.user_name = u.unverified_email
u.token = None
u.expires = None
u.save()
return auth.login(this_module, sim_type=t, model=u)
if not u:
pkdlog('login with invalid token={}', token)
else:
pkdlog(
'login with expired token={}, email={}',
token,
u.unverified_email,
)
return auth.login_fail_redirect(t, this_module, 'email-token')
def api_authGuestLogin(simulation_type):
"""You have to be an anonymous or logged in user at this point"""
t = sirepo.template.assert_sim_type(simulation_type)
# if already logged in as guest, just redirect
if auth.user_if_logged_in(AUTH_METHOD):
return auth.login_success_redirect(t)
return auth.login(this_module, sim_type=t)
def test_login():
from pykern import pkunit
from pykern.pkdebug import pkdp
from pykern.pkunit import pkeq, pkok, pkre, pkexcept
from sirepo import auth
import flask
import sirepo.auth.guest
import sirepo.cookie
import sirepo.http_request
r = auth.api_authState()
pkre('LoggedIn": false.*Registration": false', r.data)
delattr(flask.g, 'sirepo_cookie')
auth.process_request()
with pkunit.pkexcept('SRException.*routeName=login'):
auth.logged_in_user()
with pkexcept('SRException.*routeName=login'):
auth.require_user()
sirepo.cookie.set_sentinel()
# copying examples for new user takes time
with pkunit.pkexcept('SRException.*routeName=None'):
r = auth.login(sirepo.auth.guest, sim_type='myapp')
r = auth.api_authState()
pkre('LoggedIn": true.*Registration": false', r.data)
u = auth.logged_in_user()
pkok(u, 'user should exist')
# guests do not require completeRegistration
auth.require_user()
def test_login():
from pykern import pkunit, pkcompat
from pykern.pkunit import pkeq, pkok, pkre, pkfail, pkexcept
from sirepo import auth
import flask
import sirepo.auth.guest
import sirepo.cookie
import sirepo.http_request
import sirepo.util
r = auth.api_authState()
pkre('LoggedIn": false.*Registration": false', pkcompat.from_bytes(r.data))
delattr(flask.g, 'sirepo_cookie')
auth.process_request()
with pkunit.pkexcept('SRException.*routeName=login'):
auth.logged_in_user()
with pkexcept('SRException.*routeName=login'):
auth.require_user()
sirepo.cookie.set_sentinel()
# copying examples for new user takes time
try:
r = auth.login(sirepo.auth.guest, sim_type='myapp')
pkfail('expecting sirepo.util.Response')
except sirepo.util.Response as e:
r = e.sr_args.response
pkre(r'LoggedIn":\s*true.*Registration":\s*false',
pkcompat.from_bytes(r.data))
u = auth.logged_in_user()
pkok(u, 'user should exist')
# guests do not require completeRegistration
auth.require_user()
def api_authEmailAuthorized(simulation_type, token):
"""Clicked by user in an email
Token must exist in db and not be expired.
"""
if http_request.is_spider():
sirepo.util.raise_forbidden('robots not allowed')
req = http_request.parse_params(type=simulation_type)
with auth_db.thread_lock:
u = AuthEmailUser.search_by(token=token)
if u and u.expires >= srtime.utc_now():
n = _verify_confirm(req.type, token,
auth.need_complete_registration(u))
u.query.filter(
(AuthEmailUser.user_name == u.unverified_email),
AuthEmailUser.unverified_email != u.unverified_email,
).delete()
u.user_name = u.unverified_email
u.token = None
u.expires = None
u.save()
auth.login(this_module, sim_type=req.type, model=u, display_name=n)
raise AssertionError('auth.login returned unexpectedly')
if not u:
pkdlog('login with invalid token={}', token)
else:
pkdlog(
'login with expired token={}, email={}',
token,
u.unverified_email,
)
# if user is already logged in via email, then continue to the app
if auth.user_if_logged_in(AUTH_METHOD):
pkdlog(
'user already logged in. ignoring invalid token: {}, user: {}',
token,
auth.logged_in_user(),
)
raise sirepo.util.Redirect(sirepo.uri.local_route(req.type))
auth.login_fail_redirect(req.type, this_module, 'email-token')
def api_authGithubAuthorized():
"""Handle a callback from a successful OAUTH request.
Tracks oauth users in a database.
"""
# clear temporary cookie values first
oc = _client(cookie.unchecked_remove(_COOKIE_NONCE))
t = cookie.unchecked_remove(_COOKIE_SIM_TYPE)
if not oc.authorize_access_token():
auth.login_fail_redirect(t, this_module, 'oauth-state', reload_js=True)
raise AssertionError('auth.login_fail_redirect returned unexpectedly')
d = oc.get('user').json()
with auth_db.thread_lock:
u = AuthGithubUser.search_by(oauth_id=d['id'])
if u:
# always update user_name
u.user_name = d['login']
else:
u = AuthGithubUser(oauth_id=d['id'], user_name=d['login'])
u.save()
auth.login(this_module, model=u, sim_type=t, want_redirect=True)
raise AssertionError('auth.login returned unexpectedly')
def api_authBlueskyLogin():
req = http_request.parse_json()
auth_hash(req, verify=True)
sid = req.simulationId
sim_type = req.simulationType
path = simulation_db.find_global_simulation(
sim_type,
sid,
checked=True,
)
r = auth.login(
this_module,
uid=simulation_db.uid_from_dir_name(path),
)
if r:
return r
return http_reply.gen_json_ok(dict(
data=simulation_db.open_json_file(req.simulationType, sid=req.simulationId),
schema=simulation_db.get_schema(req.simulationType),
))
def test_login():
from pykern import pkunit
from pykern.pkdebug import pkdp
from pykern.pkunit import pkeq, pkok, pkre
from sirepo import auth
import flask
import sirepo.auth.guest
import sirepo.cookie
import sirepo.http_request
r = auth.api_authState()
pkre('LoggedIn": false.*Registration": false', r.data)
delattr(flask.g, 'sirepo_cookie')
auth.process_request()
with pkunit.pkexcept('Unauthorized'):
auth.logged_in_user()
r = auth.require_user()
pkeq(400, r.status_code, 'status should be BAD REQUEST')
pkre('"routeName": "login"', r.data)
sirepo.cookie.set_sentinel()
# copying examples for new user takes time
r = auth.login(sirepo.auth.guest)
pkeq(None, r, 'user created')
r = auth.api_authState()
pkre('LoggedIn": true.*Registration": true', r.data)
u = auth.logged_in_user()
pkok(u, 'user should exist')
r = auth.require_user()
pkeq(400, r.status_code, 'status should be BAD REQUEST')
pkre('"routeName": "completeRegistration"', r.data)
flask.request = 'abcdef'
def parse_json(*args, **kwargs):
return pkcollections.Dict(simulationType='myapp',
displayName='Joe Bob')
setattr(sirepo.http_request, 'parse_json', parse_json)
auth.api_authCompleteRegistration()
r = auth.api_authState()
pkre('Name": "Joe Bob".*In": true.*.*Registration": false', r.data)
