def check_xsrf_cookie(self):
token = self.get_xsrf()
if not token:
self.on_response_fail(self.http_response_code_fail, "'_xsrf' argument missing from POST")
return
_, token, _ = self._decode_xsrf_token(token)
_, expected_token, _ = self._get_raw_xsrf_token()
if not _time_independent_equals(utf8(token), utf8(expected_token)):
self.on_response_fail(self.http_response_code_fail, "XSRF cookie does not match POST argument")
def decode_url_signed_value(self, token):
token = utf8(token)
parts = utf8(token).split("-")
if len(parts) != 2:
return False
signature = _create_signature_v1(self.application.settings["cookie_secret"], parts[0])
if not _time_independent_equals(parts[1], signature):
return False
try:
return parts[0]
except Exception:
return False
def check_xsrf_cookie(self):
print(self.xsrf_token)
token = json.loads(self.request.body).get('_xsrf')
if not token:
raise HTTPError(403, "'_xsrf' argument missing from POST")
token = self.get_secure_cookie('_xsrf', token)
_, token, _ = self._decode_xsrf_token(b_utf(token))
_, expected_token, _ = self._get_raw_xsrf_token()
if not token:
raise HTTPError(403, "'_xsrf' argument has invalid format")
if not _time_independent_equals(token, expected_token):
raise HTTPError(403, "XSRF cookie does not match POST argument")
def decode_url_signed_value(self, token):
token = utf8(token)
parts = utf8(token).split("-")
if len(parts) != 2:
return False
signature = _create_signature_v1(
self.application.settings["cookie_secret"], parts[0])
if not _time_independent_equals(parts[1], signature):
return False
try:
return parts[0]
except Exception:
return False
def VerifyAccessToken(self, client, access_token):
"""Verifies the correctness of the given access token, that was previously generated in
response to a CreateAccessTokenURL call. Verification will fail if any of these conditions
is false.
1. The access token is expired.
2. Too many incorrect attempts to guess the token have been made in the past.
3. The access token does not match.
"""
identity_type, identity_value = Identity.SplitKey(self.key)
now = time.time()
if identity_type == 'Email':
error = ExpiredError(EXPIRED_EMAIL_LINK_ERROR)
else:
error = ExpiredError(EXPIRED_ACCESS_CODE_ERROR)
if self.authority != 'Viewfinder':
# The most likely case here is that the user clicked an old link in their inbox. In the interim since
# receiving the link, they may have logged in with Google, which would update the authority to Google.
# In this case, the ExpiredError is an appropriate error message since the link is expired.
logging.warning(
'the authority is not "Viewfinder" for identity "%s"',
self.key)
raise error
if now >= self.expires:
# Either the access token has expired, or has already been used up.
logging.warning('the access token has expired for identity "%s"',
self.key)
raise error
# Fail if too many incorrect guesses have been made.
guess_id = self._ConstructAccessTokenGuessId(identity_type,
self.user_id)
if not (yield Guess.CheckGuessLimit(client, guess_id,
Identity._MAX_GUESSES)):
logging.warning(
'too many access token guesses have been made for identity "%s"',
self.key)
raise TooManyGuessesError(TOO_MANY_GUESSES_ERROR)
# Increment incorrect guess account and raise permission error if the access code did not match.
if not web._time_independent_equals(self.access_token, access_token):
logging.warning(
'the access token "%s" does not match for identity "%s"',
access_token, self.key)
yield Guess.ReportIncorrectGuess(client, guess_id)
raise PermissionError(INCORRECT_ACCESS_CODE,
identity_value=Identity.GetDescription(
self.key))
def ValidatePassword(client, user_id, password, salt, expected_hash):
"""Hashes the given user's password using the given salt, and validates that it matches the
expected hash. Also ensures that the maximum incorrect guess count has not been exceeded.
Raises a PermissionError if validation fails.
"""
actual_hash = HashPassword(password, salt)
# Limit the number of incorrect password guesses.
guess_id = Guess.ConstructGuessId('pw', user_id)
if not (yield Guess.CheckGuessLimit(client, guess_id, _MAX_PASSWORD_GUESSES)):
raise PermissionError(TOO_MANY_GUESSES_ERROR)
# If password does not match, increase incorrect guess count and raise error.
if not web._time_independent_equals(actual_hash, expected_hash):
yield Guess.ReportIncorrectGuess(client, guess_id)
raise PermissionError(_PASSWORD_MISMATCH)
def ValidatePassword(client, user_id, password, salt, expected_hash):
"""Hashes the given user's password using the given salt, and validates that it matches the
expected hash. Also ensures that the maximum incorrect guess count has not been exceeded.
Raises a PermissionError if validation fails.
"""
actual_hash = HashPassword(password, salt)
# Limit the number of incorrect password guesses.
guess_id = Guess.ConstructGuessId('pw', user_id)
if not (yield Guess.CheckGuessLimit(client, guess_id,
_MAX_PASSWORD_GUESSES)):
raise PermissionError(TOO_MANY_GUESSES_ERROR)
# If password does not match, increase incorrect guess count and raise error.
if not web._time_independent_equals(actual_hash, expected_hash):
yield Guess.ReportIncorrectGuess(client, guess_id)
raise PermissionError(_PASSWORD_MISMATCH)
def VerifyAccessToken(self, client, access_token):
"""Verifies the correctness of the given access token, that was previously generated in
response to a CreateAccessTokenURL call. Verification will fail if any of these conditions
is false.
1. The access token is expired.
2. Too many incorrect attempts to guess the token have been made in the past.
3. The access token does not match.
"""
identity_type, identity_value = Identity.SplitKey(self.key)
now = time.time()
if identity_type == 'Email':
error = ExpiredError(EXPIRED_EMAIL_LINK_ERROR)
else:
error = ExpiredError(EXPIRED_ACCESS_CODE_ERROR)
if self.authority != 'Viewfinder':
# The most likely case here is that the user clicked an old link in their inbox. In the interim since
# receiving the link, they may have logged in with Google, which would update the authority to Google.
# In this case, the ExpiredError is an appropriate error message since the link is expired.
logging.warning('the authority is not "Viewfinder" for identity "%s"', self.key)
raise error
if now >= self.expires:
# Either the access token has expired, or has already been used up.
logging.warning('the access token has expired for identity "%s"', self.key)
raise error
# Fail if too many incorrect guesses have been made.
guess_id = self._ConstructAccessTokenGuessId(identity_type, self.user_id)
if not (yield Guess.CheckGuessLimit(client, guess_id, Identity._MAX_GUESSES)):
logging.warning('too many access token guesses have been made for identity "%s"', self.key)
raise TooManyGuessesError(TOO_MANY_GUESSES_ERROR)
# Increment incorrect guess account and raise permission error if the access code did not match.
if not web._time_independent_equals(self.access_token, access_token):
logging.warning('the access token "%s" does not match for identity "%s"', access_token, self.key)
yield Guess.ReportIncorrectGuess(client, guess_id)
raise PermissionError(INCORRECT_ACCESS_CODE, identity_value=Identity.GetDescription(self.key))
