def validate_redirect_uri(self, request, redirect_uri):
# redirect URL must be part of a registered domain
# redirect domain must match referrer domain
req_domain_name = get_domain(request)
rdr_domain_name = get_domain(redirect_uri)
domain = DomainProfile.apply_wildcard(request.db_session,
req_domain_name)
return (domain and req_domain_name == rdr_domain_name)
def validate_redirect_uri(self, request, redirect_uri):
# redirect URL must be part of a registered domain
# redirect domain must match referrer domain
req_domain_name = get_domain(request)
rdr_domain_name = get_domain(redirect_uri)
domain = DomainProfile.apply_wildcard(request.db_session,
req_domain_name)
return (domain and req_domain_name == rdr_domain_name)
def initial_login_tween(request):
"""Verify the user has logged into a referring site at least once.
"""
logger = logging.getLogger('speak_friend.initial_login_tween')
response = handler(request)
if not request.user:
return response
domain_name = get_domain(request)
if not domain_name:
return response
try:
query = request.user.activity_query(request.db_session,
u'login')
except DetachedInstanceError:
request.db_session.add(request.user)
query = request.user.activity_query(request.db_session,
u'login')
query = query.filter(UserActivity.came_from_fqdn == domain_name)
domain_logins = query.count()
local_request = request.host == domain_name
if domain_logins == 0 and not local_request:
logger.info('User has not logged in from here yet: %r, %s',
request.user, domain_name)
response = logout(request, request.route_url('home'))
msg = 'You must log in again to be returned to: %s' % domain_name
request.session.flash(msg, queue='error')
if 'openid.mode' in request.params:
rp_dict = dict(request.params.items())
request.session['openid_request'] = rp_dict
request.session.save()
request.session.changed()
return response
def notify(self, user):
mailer = get_mailer(self.request)
came_from = get_domain(self.request)
reset_token = ResetToken(user.username, came_from)
response = render_to_response(self.path, {'token': reset_token.token},
self.request)
self.request.db_session.add(reset_token)
message = Message(subject=self.subject,
sender=self.sender,
recipients=[user.full_email],
html=response.unicode_body)
mailer.send(message)
msg = "A link to reset %s's password has been sent to their email."
self.request.session.flash(msg % user.username, queue='success')
def notify(self, user):
mailer = get_mailer(self.request)
came_from = get_domain(self.request)
reset_token = ResetToken(user.username, came_from)
response = render_to_response(self.path,
{'token': reset_token.token},
self.request)
self.request.db_session.add(reset_token)
message = Message(subject=self.subject,
sender=self.sender,
recipients=[user.full_email],
html=response.unicode_body)
mailer.send(message)
msg = "A link to reset %s's password has been sent to their email."
self.request.session.flash(msg % user.username, queue='success')
def __init__(self, request, user,
actor=None, **activity_detail):
if self.activity not in ACTIVITIES:
raise ValueError(u'No such activity defined: %s' % self.activity)
self.request = request
self.user = user
self.actor = actor
if actor is None:
self.actor = request.user
if 'came_from' in activity_detail:
self.came_from = activity_detail.pop('came_from')
else:
self.came_from = get_referrer(self.request)
if 'came_from_fqdn' in activity_detail:
self.came_from_fqdn = activity_detail.pop('came_from_fqdn')
else:
self.came_from_fqdn = get_domain(self.came_from)
self.activity_detail = activity_detail
def last_checkid_domain(self):
if not hasattr(self, '_domain'):
user = self.request.user
if user:
db_session = self.request.db_session
activity = UserActivity.last_checkid(db_session, user)
name = activity and activity.came_from_fqdn
else:
came_from = self.rendering_val.get('came_from', self.request)
name = get_domain(came_from)
domain = None
if name:
domain = DomainProfile.apply_wildcard(
self.request.db_session, name)
if domain:
self._domain = domain
logger.debug('Came from: %s', getattr(self, '_domain', None))
return getattr(self, '_domain', None)
def last_checkid_domain(self):
if not hasattr(self, '_domain'):
user = self.request.user
if user:
db_session = self.request.db_session
activity = UserActivity.last_checkid(db_session, user)
name = activity and activity.came_from_fqdn
else:
came_from = self.rendering_val.get('came_from', self.request)
name = get_domain(came_from)
domain = None
if name:
domain = DomainProfile.apply_wildcard(self.request.db_session,
name)
if domain:
self._domain = domain
logger.debug('Came from: %s', getattr(self, '_domain', None))
return getattr(self, '_domain', None)
def valid_referrer_tween(request):
"""Verify the referring domain is valid.
"""
response = handler(request)
if 'location' in response.headers:
domain_name = get_domain(response.headers['location'])
domain = DomainProfile.apply_wildcard(request.db_session,
domain_name)
local_request = request.host == domain_name
if not local_request and domain is None and domain_name:
msg = 'Invalid requesting domain, not redirecting: %s'
request.session.flash(msg % domain_name, queue='error')
response.headers.pop('location')
response = HTTPFound(request.route_url('home'),
headers=response.headers)
return response
def get(self):
appstruct = {'came_from': get_referrer(self.request)}
domain_name = get_domain(self.request)
host_without_port = self.request.host.split(':')[0]
local_request = host_without_port == domain_name or \
appstruct['came_from'] == '/'
if local_request:
if self.request.matched_route.name == 'authorize_client':
# for OAuth2 requests, go back to our authorization page
# instead of back to the client application
self.request.session['came_from'] = self.request.url
else:
self.request.session['came_from'] = appstruct['came_from']
if 'login' in self.request.params:
appstruct['login'] = self.request.params['login']
return {
'forms': [self.frm],
'rendered_form': self.frm.render(appstruct=appstruct),
}
def password_timeout_tween(request):
"""Verify the last login timestamp is still valid.
"""
logger = logging.getLogger('speakfriend.password_timeout_tween')
response = handler(request)
if not request.user:
return response
cp = ControlPanel(request)
domain_name = get_domain(request)
domain = DomainProfile.apply_wildcard(request.db_session,
domain_name)
if domain:
pw_valid = timedelta(minutes=domain.get_password_valid(cp))
else:
pw_valid = timedelta(minutes=MAX_PASSWORD_VALID)
now = datetime.utcnow()
utc_now = now.replace(tzinfo=FixedOffsetTimezone(offset=0))
try:
last_login = request.user.last_login(request.db_session)
except DetachedInstanceError:
request.db_session.add(request.user)
last_login = request.user.last_login(request.db_session)
if last_login and last_login.activity_ts + pw_valid < utc_now:
msg = 'You must log in again to be returned to: %s' % domain_name
request.session.flash(msg, queue='error')
logger.info('Password validity time out: %r, %r, %s',
request.user, last_login, pw_valid)
response = logout(request, request.route_url('home'))
if 'openid.mode' in request.params:
rp_dict = dict(request.params.items())
request.session['openid_request'] = rp_dict
request.session.save()
return response
def test_get_domain_with_port(self):
domain = get_domain('http://foo.com:123')
self.assertTrue(domain == 'foo.com')
def test_get_no_domain(self):
domain = get_domain('')
self.assertTrue(domain == '')
def test_get_string_domain(self):
domain = get_domain('http://foo.com')
self.assertTrue(domain == 'foo.com')
def test_get_domain(self):
req = testing.DummyRequest(referrer='http://foo.com')
domain = get_domain(req)
self.assertTrue(domain == 'foo.com')