def verify_token(token): # log.info(token) if hasattr(g, 'token_auth_type') and g.token_auth_type == 'refresh': return UserToken.check_token(token, token_type='refresh') if token else None return UserToken.check_token(token) if token else None
def test_login_happy_path(client, db_session): name = generate_username() password = generate_password() user = User(name, password, db_session=db_session) user_id = user.id reply = client.post('/login', json={ 'username': name, 'password': password }) assert reply.status_code == 200 assert list(reply.json.keys()) == ['token'] token = reply.json['token'] assert re.match('^[a-f0-9]{64}$', token) assert UserToken.get_user_id_with_token(token, db_session) == user_id # same prefix, but different suffix invalid_token = token[:32] + str(uuid.uuid4()).replace('-', '') assert UserToken.get_user_id_with_token(invalid_token, db_session) is None # same suffix, but different prefix invalid_token = str(uuid.uuid4()).replace('-', '') + token[-32:] assert UserToken.get_user_id_with_token(invalid_token, db_session) is None
def post_sync(self): # Creates the random token self.model.token = UserToken.generate_random_token(16) # Appends the token to the session config.orm.add(self.model)
def wrapper(*args, **kwargs): token = request.headers.get('X-Session') user_id = UserToken.get_user_id_with_token(token, db_session) if user_id: return handler(user_id, *args, **kwargs) return error_reply('Invalid token', 401)
def setUp(self): self.app = create_app(config_name="testing") self.user = Users(username="******", email="*****@*****.**", password="******") self.shoppinglist = ShoppingList(owner_id="1", title="Yellow Bananas", description="*****@*****.**") self.shoppinglistitem = ShoppingListItem(owner_id="1", shoppinglist_id="1", item_title="Yellow Bananas with green", item_description="And maracuja") self.usertoken = UserToken(token="a_certain_token") with self.app.app_context(): # create all tables db.create_all()
def get_user_by_token(token): if token == None or token == '': raise Exception(msg='token不能为空') user_token = UserToken.get_or_none(UserToken.token == token) if user_token == None: raise Exception(msg='token不存在') delta = user_token.expired_time - datetime.datetime.now() if delta.days < 0: raise Exception(msg='token已过期') user = User().get_by_id(user_token.user_id) if user == None: raise Exception(msg='用户已被删除') return user
def login(json): user = db_session.query(User).filter( User.name == json['username']).first() if not user: return error_reply('User not found', 404) if not user.is_valid_password(json['password']): return error_reply('Wrong password', 403) token = UserToken(user, db_session=db_session) return jsonify({'token': str(token)})
def login(session): """ 테스트전 사용자 미리 등록 :param session: :return: """ db_user = Users.create(session=session, email="*****@*****.**", pw="123") session.commit() access_token = create_access_token(data=UserToken.from_orm(db_user).dict( exclude={'pw', 'marketing_agree'}), ) return dict(Authorization=f"Bearer {access_token}")
def GET(self): # Reads the token in the HTTP request parameters token = web.input(token=None).token # Checks if the token is valid user_token = UserToken.get_token(token) if user_token is None or user_token.expired: raise http.Forbidden() # The fieldset is not bound to any specific instance : the token is passed because it contains the email user_fieldset = user_forms.NewUserFieldSet(user_token) return config.views.layout(config.views.creation_form(user_fieldset))
def test_get_token(self): # These tests work because a UserTokenData has a similar structure to a UserToken # When Tournament.__eq__ is called, it compares the fields without caring of the parameters' actual types self.assertIsNone(UserToken.get_token(None)) self.assertIsNone(UserToken.get_token("")) self.assertIsNone(UserToken.get_token("invalid_token")) self.assertIsNone(UserToken.get_token("goB9Z7fhsUrjXHDi")) self.assertIsNone(UserToken.get_token("xYCPayfPCPEPCPaL")) self.assertEquals(UserToken.get_token("znc9TNqpajeN2nEH"), UserTokenData.user_token_expired) self.assertEquals(UserToken.get_token("xjRp67wh3HdjEI6I"), UserTokenData.user_token_active)
def POST(self): # Reads the token in the HTTP request parameters token = web.input(token=None).token # Checks if the token is valid user_token = UserToken.get_token(token) if user_token is None or user_token.expired: raise http.Forbidden() # The fieldset is bound to the form data & the session : the token is passed because it contains the level user_fieldset = user_forms.NewUserFieldSet(user_token).bind(data=web.input(), session=config.orm) # Synchronizes the fieldset & registers a delayed login of the user (because the user id is not available yet) if user_fieldset.validate(): user_fieldset.sync() http.register_hook(lambda: session.login_workflow(user_fieldset.model)) raise web.seeother("/") else: return config.views.layout(config.views.creation_form(user_fieldset))
def post(self): auth_header = request.headers.get('Authorization') if auth_header: access_token = auth_header.split(" ")[1] user_id = Users.decode_token(access_token) if not isinstance(user_id, int): response = {'status': 'fail', 'message': user_id} return response, 403 else: save_used_token = UserToken(token=access_token) # insert the token db.session.add(save_used_token) db.session.commit() responseObject = { 'status': 'success', 'message': 'Successfully logged out.' } return make_response(jsonify(responseObject), 200) response = { 'status': 'fail', 'message': 'Authorization is not provided' } return response, 500
def POST(self): # Reads the token in the HTTP request parameters token = web.input(token=None).token # Checks if the token is valid user_token = UserToken.get_token(token) if user_token is None or user_token.expired: raise http.Forbidden() # The fieldset is bound to the form data & the session : the token is passed because it contains the level user_fieldset = user_forms.NewUserFieldSet(user_token).bind( data=web.input(), session=config.orm) # Synchronizes the fieldset & registers a delayed login of the user (because the user id is not available yet) if user_fieldset.validate(): user_fieldset.sync() http.register_hook( lambda: session.login_workflow(user_fieldset.model)) raise web.seeother("/") else: return config.views.layout( config.views.creation_form(user_fieldset))
async def access_control(request: Request, call_next): request.state.req_time = D.datetime() request.state.start = time.time() request.state.inspect = None request.state.user = None request.state.service = None ip = request.headers[ "x-forwarded-for"] if "x-forwarded-for" in request.headers.keys( ) else request.client.host request.state.ip = ip.split(",")[0] if "," in ip else ip headers = request.headers cookies = request.cookies url = request.url.path if await url_pattern_check(url, EXCEPT_PATH_REGEX) or url in EXCEPT_PATH_LIST: response = await call_next(request) if url != "/": await api_logger(request=request, response=response) return response try: if url.startswith("/api"): # api 인경우 헤더로 토큰 검사 if url.startswith("/api/services"): qs = str(request.query_params) qs_list = qs.split("&") session = next(db.session()) if not config.conf().DEBUG: try: qs_dict = { qs_split.split("=")[0]: qs_split.split("=")[1] for qs_split in qs_list } except Exception: raise ex.APIQueryStringEx() qs_keys = qs_dict.keys() if "key" not in qs_keys or "timestamp" not in qs_keys: raise ex.APIQueryStringEx() if "secret" not in headers.keys(): raise ex.APIHeaderInvalidEx() api_key = ApiKeys.get(session=session, access_key=qs_dict["key"]) if not api_key: raise ex.NotFoundAccessKeyEx(api_key=qs_dict["key"]) mac = hmac.new(bytes(api_key.secret_key, encoding='utf8'), bytes(qs, encoding='utf-8'), digestmod='sha256') d = mac.digest() validating_secret = str( base64.b64encode(d).decode('utf-8')) if headers["secret"] != validating_secret: raise ex.APIHeaderInvalidEx() now_timestamp = int(D.datetime(diff=9).timestamp()) if now_timestamp - 10 > int( qs_dict["timestamp"]) or now_timestamp < int( qs_dict["timestamp"]): raise ex.APITimestampEx() user_info = to_dict(api_key.users) request.state.user = UserToken(**user_info) else: # Request User 가 필요함 if "authorization" in headers.keys(): key = headers.get("Authorization") api_key_obj = ApiKeys.get(session=session, access_key=key) user_info = to_dict( Users.get(session=session, id=api_key_obj.user_id)) request.state.user = UserToken(**user_info) # 토큰 없음 else: if "Authorization" not in headers.keys(): raise ex.NotAuthorized() session.close() response = await call_next(request) return response else: if "authorization" in headers.keys(): token_info = await token_decode( access_token=headers.get("Authorization")) request.state.user = UserToken(**token_info) # 토큰 없음 else: if "Authorization" not in headers.keys(): raise ex.NotAuthorized() else: # 템플릿 렌더링인 경우 쿠키에서 토큰 검사 cookies[ "Authorization"] = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MTQsImVtYWlsIjoia29hbGFAZGluZ3JyLmNvbSIsIm5hbWUiOm51bGwsInBob25lX251bWJlciI6bnVsbCwicHJvZmlsZV9pbWciOm51bGwsInNuc190eXBlIjpudWxsfQ.4vgrFvxgH8odoXMvV70BBqyqXOFa2NDQtzYkGywhV48" if "Authorization" not in cookies.keys(): raise ex.NotAuthorized() token_info = await token_decode( access_token=cookies.get("Authorization")) request.state.user = UserToken(**token_info) response = await call_next(request) await api_logger(request=request, response=response) except Exception as e: error = await exception_handler(e) error_dict = dict(status=error.status_code, msg=error.msg, detail=error.detail, code=error.code) response = JSONResponse(status_code=error.status_code, content=error_dict) await api_logger(request=request, error=error) return response
def get_valid_token(db_session, username=None): if username is None: username = generate_username() user = User(username, generate_password(), db_session=db_session) return str(UserToken(user, db_session=db_session))
def test_all(self): all_user_tokens = UserToken.all() self.assertEqual(len(all_user_tokens), 2) [self.assertIsInstance(token, UserToken) for token in all_user_tokens]