def categories(): db_session = DBSession() categories = db_session.query(Category).all() new_items = db_session.query(Item).order_by( Item.timestamp.desc() ).limit(5).all() session_cookie = request.cookies.get('token') # Verify the session cookie. In this case an # additional check is added to detect if the # user's Firebase session was revoked, user # deleted/disabled, etc. try: auth.verify_session_cookie( session_cookie, check_revoked=True ) return render_template('index.html', items=new_items, logged=True) except ValueError as e: # Session cookie is unavailable or invalid. Force user to login. print(e) return render_template('index.html', items=new_items, logged=False) except auth.AuthError as e: # Session revoked. Force user to login. print(e) return render_template('index.html', items=new_items, logged=False)
def test_verify_session_cookie_revoked(new_user, api_key): custom_token = auth.create_custom_token(new_user.uid) id_token = _sign_in(custom_token, api_key) session_cookie = auth.create_session_cookie( id_token, expires_in=datetime.timedelta(days=1)) time.sleep(1) auth.revoke_refresh_tokens(new_user.uid) claims = auth.verify_session_cookie(session_cookie, check_revoked=False) user = auth.get_user(new_user.uid) # verify_session_cookie succeeded because it didn't check revoked. assert claims['iat'] * 1000 < user.tokens_valid_after_timestamp with pytest.raises(auth.AuthError) as excinfo: claims = auth.verify_session_cookie(session_cookie, check_revoked=True) assert excinfo.value.code == auth._SESSION_COOKIE_REVOKED assert str( excinfo.value) == 'The Firebase session cookie has been revoked.' # Sign in again, verify works. id_token = _sign_in(custom_token, api_key) session_cookie = auth.create_session_cookie( id_token, expires_in=datetime.timedelta(days=1)) claims = auth.verify_session_cookie(session_cookie, check_revoked=True) assert claims['iat'] * 1000 >= user.tokens_valid_after_timestamp
def test_revoked_cookie_check_revoked(self, user_mgt_app, revoked_tokens, cookie): _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) _instrument_user_manager(user_mgt_app, 200, revoked_tokens) with pytest.raises(auth.AuthError) as excinfo: auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=True) assert excinfo.value.code == 'SESSION_COOKIE_REVOKED' assert str(excinfo.value) == 'The Firebase session cookie has been revoked.'
def test_certificate_request_failure(self, user_mgt_app): _overwrite_cert_request(user_mgt_app, testutils.MockRequest(404, 'not found')) with pytest.raises(auth.CertificateFetchError) as excinfo: auth.verify_session_cookie(TEST_SESSION_COOKIE, app=user_mgt_app) assert 'Could not fetch certificates' in str(excinfo.value) assert isinstance(excinfo.value, exceptions.UnknownError) assert excinfo.value.cause is not None assert excinfo.value.http_response is None
def test_verify_session_cookie_timeout(self, options, timeout): app = firebase_admin.initialize_app(MOCK_CREDENTIAL, options=options) recorder = self._instrument_session(app) auth.verify_session_cookie(TEST_SESSION_COOKIE) assert len(recorder) == 1 assert recorder[0]._extra_kwargs['timeout'] == timeout
def test_expired_cookie(self, user_mgt_app): _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) cookie = self.invalid_cookies['ExpiredCookie'] with pytest.raises(auth.ExpiredSessionCookieError) as excinfo: auth.verify_session_cookie(cookie, app=user_mgt_app) assert isinstance(excinfo.value, auth.InvalidSessionCookieError) assert 'Token expired' in str(excinfo.value) assert excinfo.value.cause is not None assert excinfo.value.http_response is None
def test_check_disabled_before_revoked(self, user_mgt_app, user_disabled_and_revoked, cookie): _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) _instrument_user_manager(user_mgt_app, 200, user_disabled_and_revoked) with pytest.raises(auth.UserDisabledError) as excinfo: auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=True) assert str(excinfo.value) == 'The user record is disabled.'
def index(): session_cookie = request.cookies.get('session') if not session_cookie: return redirect('/login') try: auth.verify_session_cookie(session_cookie, check_revoked=True) return 'Index Page' except auth.InvalidSessionCookieError: return redirect('/login')
def verify_session_token(request): try: idToken = extract_bearer_token(request) return auth.verify_session_cookie(idToken, check_revoked=True) except: try: cookie = request.cookies.get("accessToken") return auth.verify_session_cookie(cookie, check_revoked=True) except: raise BaseException("Invalid access Token")
def test_invalid_cookie(self, user_mgt_app, cookie_key): cookie = self.invalid_cookies[cookie_key] if _is_emulated() and cookie_key in self.cookies_accepted_in_emulator: self._assert_valid_cookie(cookie, user_mgt_app) return _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) with pytest.raises(auth.InvalidSessionCookieError) as excinfo: auth.verify_session_cookie(cookie, app=user_mgt_app) assert isinstance(excinfo.value, exceptions.InvalidArgumentError) assert excinfo.value.http_response is None
def decorated_function(*args, **kwargs): print('in decorator') session_cookie = request.cookies.get('firebase') if not session_cookie: # Session cookie is unavailable. Force user to login. return redirect(url_for('auth.login', next=request.url)) try: # Verify the session cookie. In this case an additional check is added to detect # if the user's Firebase session was revoked, user deleted/disabled, etc. auth.verify_session_cookie(session_cookie, check_revoked=True) return f(*args, **kwargs) except auth.InvalidSessionCookieError: # Session cookie is invalid, expired or revoked. Force user to login. return redirect(url_for('auth.login', next=request.url))
def _get_auth_claims_from_session_cookie(cookie): """Returns claims from the session cookie, or None if invalid. Args: cookie: str|None. The session cookie to extract claims from. Returns: AuthClaims|None. The claims from the session cookie, if available. Otherwise returns None. """ # It's OK for a session cookie to be None, it just means that the request # isn't authenticated. if cookie: try: with _firebase_admin_context(): return _create_auth_claims( firebase_auth.verify_session_cookie(cookie)) # NOTE: Session cookies only provide temporary authentication, so they # are expected to become obsolete over time. The following errors are # situations where this can happen. except (firebase_auth.ExpiredSessionCookieError, firebase_auth.RevokedSessionCookieError): # NOTE: logging.exception appends the stack trace automatically. logging.exception('User session has ended and must be renewed') return None
def login_checker(): # user的資料 auth_user = { 'is_login': False, # 設計一個權限概念 'is_admin': False, 'user': {} } # 取得session_cookie session_cookie = request.cookies.get(cookie_name) # 驗證session_cookie try: # 透過session_cookie取得user的資料 user = auth.verify_session_cookie(session_cookie) # 設定為登入狀態 auth_user['is_login'] = True auth_user['user'] = user # 取回文件 admins/{EMAIL},即使文件不存在還是會要回一個空字串 admin_doc = db.document(f'admins/{user["email"]}').get() # 檢查文件是否存在 if admin_doc.exists: # 設定此人是管理者 auth_user['is_admin'] = True except: print("驗證失敗") # 回傳auth_user給每一個模板 return dict(auth_user=auth_user) # dict是context_processor的特別規定
def sessionLogin(): # Get the ID token sent by the client idToken = request.data # Set session expiration to 5 days. expires_in = datetime.timedelta(days=5) try: # Create the session cookie. This will also verify the ID # token in the process. The session cookie will have the # same claims as the ID token. session_cookie = auth.create_session_cookie(idToken, expires_in=expires_in) decoded_claims = auth.verify_session_cookie(session_cookie) session['sub'] = decoded_claims['uid'] session['name'] = decoded_claims['name'] response = jsonify({'status': 'success'}) # Set cookie policy for session cookie. expires = datetime.datetime.now() + expires_in response.set_cookie( 'token', session_cookie, expires=expires, httponly=True ) return response except auth.AuthError: return abort(401, 'Failed to create a session cookie')
def editItem(item_id): session_cookie = request.cookies.get('token') decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True) db_session = DBSession() item = db_session.query(Item).get(item_id) if item.sub != decoded_claims['uid']: return abort(401, 'Insufficient permissions') categories = db_session.query(Category).all() if request.method == 'GET': return render_template('edit_item.html', categories=categories, item=item, logged=True) else: category_id = request.form['category'] category = db_session.query(Category).get(category_id) item.name = request.form['name'] item.description = request.form['description'] item.price = request.form['price'] item.image = request.form['image'] item.category = category db_session.add(item) db_session.commit() flash("Item updated correctly!") return redirect(url_for('item', item_id=item_id))
def newItem(): session_cookie = request.cookies.get('token') decoded_claims = auth.verify_session_cookie(session_cookie, check_revoked=True) db_session = DBSession() categories = db_session.query(Category).all() new_items = db_session.query(Item).order_by( Item.timestamp.desc() ).limit(5).all() if request.method == 'GET': return render_template('new_item.html', items=new_items, logged=True) else: category_id = request.form['category'] category = db_session.query(Category).get(category_id) newItem = Item( name=request.form['name'], description=request.form['description'], price=request.form['price'], image=request.form['image'], category=category, sub=decoded_claims['uid'] ) db_session.add(newItem) db_session.commit() flash("New Item created!") return redirect(url_for('item', item_id=newItem.id))
def index_page(): flash_msg = None if ("session_id" in session): try: # verify session_id decoded_clamis = auth.verify_session_cookie(session["session_id"]) #flash(decoded_clamis) session['email_addr'] = decoded_clamis['email'] session['user_id'] = decoded_clamis['user_id'] # # Trying to implement users connected chats list # user_doc = users_coll.document(decoded_clamis['user_id']) user_details = user_doc.get().to_dict() connected_chats = user_details.get("connected_chats") #flash(decoded_clamis) connected_chats_list = [] for i in connected_chats: connected_chats_list.append(i.get().to_dict()) return render_template("index.html", user_name=user_details.get('name'), chats_list=connected_chats_list[::-1]) except Exception as e: # if unable to verify session_id for any reason # maybe invalid or expired, redirect to login flash_msg = "Your session is expired!" flash(flash_msg) return redirect(url_for("user_login")) return redirect(url_for("user_login"))
def _get_auth_claims_from_session_cookie( cookie: Optional[str]) -> Optional[auth_domain.AuthClaims]: """Returns claims from the session cookie, or None if invalid. Args: cookie: str|None. The session cookie to extract claims from. Returns: AuthClaims|None. The claims from the session cookie, if available. Otherwise returns None. Raises: InvalidAuthSessionError. The cookie has an invalid value. StaleAuthSessionError. The cookie has lost its authority. """ # It's OK for a session cookie to be None or empty, it just means that the # request hasn't been authenticated. if not cookie: return None try: claims = firebase_auth.verify_session_cookie(cookie, check_revoked=True) except firebase_auth.ExpiredSessionCookieError: raise auth_domain.StaleAuthSessionError('session has expired') except firebase_auth.RevokedSessionCookieError: raise auth_domain.StaleAuthSessionError('session has been revoked') except (firebase_exceptions.FirebaseError, ValueError) as error: raise auth_domain.InvalidAuthSessionError('session invalid: %s' % error) else: return _create_auth_claims(claims)
def authCookies(request_data): session_cookie = '' user_id = None err = '' try: # Extract the firebase token from the HTTP header session_cookie = request.headers['Authorization'].replace( 'Bearer ', '') except: err = f'No "session" cookie information given.' # else return an error return request_data, user_id, err # Verify the cookie while checking if the cookie is revoked by # passing check_revoked=True. try: # Validate the cookie decoded_cookie = auth.verify_session_cookie(session_cookie, app=auth_app, check_revoked=True) # Token is valid and not revoked. user_id = decoded_cookie['uid'] request_data['userID'] = user_id except Exception as e: err = f'Unable to authenticate the user, err = {e}' # else return an error return request_data, user_id, err
def get_token_from_context(ctx): try: token = auth.verify_session_cookie(ctx.cookies.get('session'), check_revoked=True) return token except Exception: return None
def checkPermission(request: Request) -> Dict[str, str]: token = _cookieValid(request) if not token: token = _authorizationHeader(request) try: return auth.verify_session_cookie(token) except Exception: raise BaseException("Invalid access Token")
def decorated_function(*args, **kwargs): session_cookie = request.cookies.get('unique-key') try: g.user = auth.verify_session_cookie(session_cookie, check_revoked=True) return f(*args, **kwargs) except Exception as exp: return redirect('/login')
def get_user(request): """ Return the firebase user instance associated with the given request session. If no user, return user with is_authenticated False """ user = User() if FIREBASE_USER not in request.session: return user try: auth.verify_session_cookie(request.session[FIREBASE_SESSION_COOKIES], check_revoked=True) user.set_attributes(request.session[FIREBASE_USER]) except auth.InvalidSessionCookieError: request.session.flush() return user
def test_verify_session_cookie_disabled(new_user, api_key): custom_token = auth.create_custom_token(new_user.uid) id_token = _sign_in(custom_token, api_key) session_cookie = auth.create_session_cookie(id_token, expires_in=datetime.timedelta(days=1)) # Disable the user record. auth.update_user(new_user.uid, disabled=True) # Verify the session cookie without checking revocation. This should # not raise. claims = auth.verify_session_cookie(session_cookie, check_revoked=False) assert claims['sub'] == new_user.uid # Verify the session cookie while checking revocation. This should # raise an exception. with pytest.raises(auth.UserDisabledError) as excinfo: auth.verify_session_cookie(session_cookie, check_revoked=True) assert str(excinfo.value) == 'The user record is disabled.'
def test_valid_cookie_check_revoked(self, user_mgt_app, cookie): _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) _instrument_user_manager(user_mgt_app, 200, MOCK_GET_USER_RESPONSE) claims = auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=True) assert claims['admin'] is True assert claims['uid'] == claims['sub']
def test_revoked_cookie_does_not_check_revoked(self, user_mgt_app, revoked_tokens, cookie): _overwrite_cert_request(user_mgt_app, MOCK_REQUEST) _instrument_user_manager(user_mgt_app, 200, revoked_tokens) claims = auth.verify_session_cookie(cookie, app=user_mgt_app, check_revoked=False) assert claims['admin'] is True assert claims['uid'] == claims['sub']
def session_logout(): session_cookie = flask.request.cookies.get('session') try: decoded_claims = auth.verify_session_cookie(session_cookie) auth.revoke_refresh_tokens(decoded_claims['sub']) response = flask.make_response(flask.redirect('/login')) response.set_cookie('session', expires=0) return response except ValueError: return flask.redirect('/login')
def logout(): oreo = request.cookies.get("uauuccu_oreo") try: profile = auth.verify_session_cookie(oreo) auth.revoke_refresh_tokens(profile["user_id"]) print("[Logged out]") except Exception as e: print(e) print("[Failed to log out]") return redirect("/")
def post(self): try: session_cookie = request.cookies.get('session') decoded_claims = auth.verify_session_cookie(session_cookie) auth.revoke_refresh_tokens(decoded_claims['sub']) response = jsonify({}) response.set_cookie('session', expires=0) return response except: return {'message': 'Session lost, just logout'}
def test_project_id_option(self): app = firebase_admin.initialize_app( testutils.MockCredential(), options={'projectId': 'mock-project-id'}, name='myApp') _overwrite_cert_request(app, MOCK_REQUEST) try: claims = auth.verify_session_cookie(TEST_SESSION_COOKIE, app=app) assert claims['admin'] is True assert claims['uid'] == claims['sub'] finally: firebase_admin.delete_app(app)