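def change_password(request):
    """Change the password of the user identified by ``email``.

    Expects a JSON object body with ``email``, ``old_password`` and
    ``new_password``. On success the new password is stored on the user,
    ``force_password_change`` is cleared, and a fresh ``AuthToken`` row is
    added and flushed.

    Returns:
        dict with the new ``token`` and ``Subject.full_output`` of the
        user's subject.

    Raises:
        APIError(400): body is not a JSON object, a field is missing, the
            user is not activated, the new password equals the old one, or
            ``AuthUser.check_password_strength`` rejects the new password.
        APIError(401): unknown email or wrong old password (a single error
            for both cases).
    """
    try:
        doc = request.json_body
    except Exception:  # missing or unparseable body; was a bare except
        raise APIError(400, "invalid_json", "no valid json body")
    # A syntactically valid body that is not an object (e.g. a list or a
    # string) has no .get(); reject it as invalid instead of failing with
    # an AttributeError further down.
    if not isinstance(doc, dict):
        raise APIError(400, "invalid_json", "no valid json body")

    email = doc.get("email")
    old_password = doc.get("old_password")
    new_password = doc.get("new_password")
    if not email or not old_password or not new_password:
        raise APIError(
            400,
            "change_password.email_and_old_password_and_new_password_required",
            "You need to send your email, the old password and a new password."
        )

    user = DBSession.query(AuthUser).filter_by(email=email).first()
    # One error for "no such user" and "wrong password" keeps the response
    # from distinguishing registered from unregistered emails.
    if not user or not user.verify_password(old_password):
        raise APIError(
            401,
            "change_password.email_or_old_password_invalid",
            "Either the email address or the old password is wrong.")
    if not user.active:
        raise APIError(400, "user_is_not_activated",
                       "Your user is not activated.")
    if new_password == old_password:
        raise APIError(400, "change_password.may_not_be_the_same",
                       "The new password may not be the same as the old one.")
    if not AuthUser.check_password_strength(new_password):
        raise APIError(
            400,
            "change_password.invalid_new_password",
            "The new password is too weak. Minimum length is 8 characters.")

    user.password = new_password
    user.force_password_change = False
    DBSession.add(user)

    # NOTE(review): tokens issued before this change are not revoked here;
    # whether that is intended depends on AuthToken's lifecycle, which is
    # not visible in this part of the file.
    token = AuthToken.generate_token()
    token_obj = AuthToken(auth_user_id=user.id, token=token)
    DBSession.add(token_obj)
    DBSession.flush()
    return {
        "token": token,
        "subject": Subject.full_output(user.subject_id),
    }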
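def auth_login(request):
    """Log a user in and return an auth token.

    Expects a JSON object body. If ``request.user`` is already set, the
    body's ``email``/``password`` are ignored and the user's existing token
    is returned via ``get_or_create_token``. Otherwise ``email`` and
    ``password`` are verified and a new ``AuthToken`` row is added to the
    session (not flushed here).

    Returns:
        dict with ``token`` and ``Subject.full_output`` of the user's subject.

    Raises:
        APIError(400): body is not a JSON object, credentials are missing,
            the user is not activated, or the user must change their
            password first.
        APIError(401): unknown email or wrong password (a single error for
            both cases).
    """
    try:
        doc = request.json_body
    except Exception:  # missing or unparseable body; was a bare except
        raise APIError(400, "invalid_json", "no valid json body")
    # A valid JSON body that is not an object has no .get(); reject it as
    # invalid instead of failing with an AttributeError.
    if not isinstance(doc, dict):
        raise APIError(400, "invalid_json", "no valid json body")

    user = request.user
    if user:
        # Already authenticated: reuse (or lazily create) the user's token.
        # NOTE(review): the active / force_password_change checks below are
        # not re-applied on this path.
        token = user.get_or_create_token().token
        return {
            "token": token,
            "subject": Subject.full_output(user.subject_id),
        }

    email = doc.get("email")
    password = doc.get("password")
    if not email or not password:
        raise APIError(400, "login.email_and_password_required",
                       "You need to send your email and password.")
    user = DBSession.query(AuthUser).filter_by(email=email).first()
    # One error for "no such user" and "wrong password" keeps the response
    # from distinguishing registered from unregistered emails.
    if not user or not user.verify_password(password):
        raise APIError(
            401,
            "login.email_or_password_invalid",
            "Either the email address or the password is wrong.")
    if not user.active:
        raise APIError(400, "user_is_not_activated",
                       "Your user is not activated.")
    if user.force_password_change:
        raise APIError(400, "user_has_to_change_password",
                       "You have to change your password.")

    token = AuthToken.generate_token()
    token_obj = AuthToken(auth_user_id=user.id, token=token)
    DBSession.add(token_obj)
    return {
        "token": token,
        "subject": Subject.full_output(user.subject_id),
    }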
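def _post_text(request, key):
    """Return the non-empty POST value for *key*, or None if absent/empty."""
    value = request.POST.get(key, "")
    return value if len(value) > 0 else None


def _post_int_list(request, key):
    """Parse a comma-separated list of ints from POST *key*; [] if absent.

    A non-integer item raises ValueError, which is not caught here.
    """
    raw = _post_text(request, key)
    if raw is None:
        return []
    return [int(x) for x in raw.split(",")]


def add_or_update_subject(request):
    """Add a subject and set its metadata from the POST form fields.

    Reads ``subject_id`` from the route match and the optional POST fields
    ``lat``, ``lon``, ``friends``, ``groups``, ``timezone``, ``language``
    and ``additional_public_data``. Missing or empty fields fall back to
    None / [] / "UTC" / {}. A timezone rejected by ``valid_timezone`` falls
    back to "UTC"; ``additional_public_data`` that is not a JSON object
    falls back to {}.

    Authorization is enforced only when the ``enable_user_authentication``
    setting is truthy: the caller needs ``perm_global_manage_subjects``, or
    ``perm_own_update_subject_infos`` together with ``request.subject.id``
    equal to ``subject_id``. With the setting off, no permission check
    happens here.

    Returns:
        ``{"status": "OK", "subject": Subject.full_output(subject_id)}``

    Raises:
        APIError(403): authentication is enabled and the caller may not
            edit this subject.
        ValueError: malformed ``subject_id``, ``lat``, ``lon``, ``friends``
            or ``groups`` (not caught here; surfaces as a server error).
    """
    subject_id = int(request.matchdict["subject_id"])
    if asbool(get_settings().get("enable_user_authentication", False)):
        # Global manage permission wins; otherwise the caller may only edit
        # the subject it belongs to. Parentheses make the or/and precedence
        # explicit (same evaluation as the unparenthesised form).
        may_update = request.has_perm(perm_global_manage_subjects) or (
            request.has_perm(perm_own_update_subject_infos)
            and request.subject.id == subject_id
        )
        if not may_update:
            raise APIError(403, "forbidden", "You may not edit this subject.")
        # NOTE(review): a subject-existence check used to live here (it was
        # commented out); with auth enabled, a missing subject is not
        # rejected at this point.

    lat = _post_text(request, "lat")
    if lat is not None:
        lat = float(lat)
    lon = _post_text(request, "lon")
    if lon is not None:
        lon = float(lon)
    # NOTE(review): friend/group ids come straight from the caller; any
    # authorization on those relations would have to happen inside
    # Subject.set_relations / set_parent_subjects, which are not visible here.
    friends = _post_int_list(request, "friends")
    groups = _post_int_list(request, "groups")

    timezone = "UTC"
    requested_tz = _post_text(request, "timezone")
    if requested_tz is not None and valid_timezone(requested_tz):
        timezone = requested_tz

    language = _post_text(request, "language")

    additional_public_data = {}
    raw_public_data = _post_text(request, "additional_public_data")
    if raw_public_data is not None:
        try:
            parsed = json.loads(raw_public_data)
        except (TypeError, ValueError):  # json.JSONDecodeError is a ValueError
            parsed = None
        # Only a JSON object is accepted; anything else keeps the {} default.
        if isinstance(parsed, dict):
            additional_public_data = parsed

    Subject.set_infos(subject_id=subject_id, lat=lat, lng=lon,
                      timezone=timezone, language_id=language,
                      additional_public_data=additional_public_data)
    Subject.set_relations(subject_id=subject_id, relation_ids=friends)
    Subject.set_parent_subjects(subject_id=subject_id,
                                parent_subject_ids=groups)
    return {"status": "OK", "subject": Subject.full_output(subject_id)}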