def inbound(request):
"""Authenticate from a cookie or an API key in basic auth.
"""
user = None
if 'Authorization' in request.headers:
header = request.headers['authorization']
if header.startswith('Basic '):
creds = header[len('Basic '):].decode('base64')
token, ignored = creds.split(':')
user = User.from_api_key(token)
# We don't require CSRF if they basically authenticated.
csrf_token = csrf._get_new_csrf_key()
request.headers.cookie['csrf_token'] = csrf_token
request.headers['X-CSRF-TOKEN'] = csrf_token
if 'Referer' not in request.headers:
request.headers['Referer'] = \
'https://%s/' % csrf._get_host(request)
elif 'session' in request.headers.cookie:
token = request.headers.cookie['session'].value
user = User.from_session_token(token)
if user is None:
user = User()
request.context['user'] = user
def test_user_can_be_loaded_from_session_token(self):
self.make_participant('alice')
user = User.from_username('alice')
user.sign_in()
token = user.participant.session_token
actual = User.from_session_token(token).participant.username
assert actual == 'alice'
def inbound(request):
"""Authenticate from a cookie or an API key in basic auth.
"""
user = None
if 'Authorization' in request.headers:
header = request.headers['authorization']
if header.startswith('Basic '):
creds = header[len('Basic '):].decode('base64')
token, ignored = creds.split(':')
user = User.from_api_key(token)
# We don't require CSRF if they basically authenticated.
csrf_token = csrf._get_new_csrf_key()
request.headers.cookie['csrf_token'] = csrf_token
request.headers['X-CSRF-TOKEN'] = csrf_token
if 'Referer' not in request.headers:
request.headers['Referer'] = \
'https://%s/' % csrf._get_host(request)
elif 'session' in request.headers.cookie:
token = request.headers.cookie['session'].value
user = User.from_session_token(token)
if user is None:
user = User()
request.context['user'] = user
def test_user_from_expired_session_is_anonymous(self):
self.make_participant('alice')
user = User.from_username('alice')
user.sign_in(SimpleCookie())
token = user.participant.session_token
user.participant.set_session_expires(utcnow())
user = User.from_session_token(token)
assert user.ANON
def inbound(request):
"""Authenticate from a cookie or an API key in basic auth.
"""
user = None
if request.line.uri.startswith("/assets/"):
pass
elif "Authorization" in request.headers:
header = request.headers["authorization"]
if header.startswith("Basic "):
creds = header[len("Basic ") :].decode("base64")
token, ignored = creds.split(":")
user = User.from_api_key(token)
# We don't require CSRF if they basically authenticated.
csrf_token = csrf._get_new_csrf_key()
request.headers.cookie["csrf_token"] = csrf_token
request.headers["X-CSRF-TOKEN"] = csrf_token
if "Referer" not in request.headers:
request.headers["Referer"] = "https://%s/" % csrf._get_host(request)
elif "session" in request.headers.cookie:
token = request.headers.cookie["session"].value
user = User.from_session_token(token)
request.context["user"] = user or User()
def test_user_from_None_session_token_is_anonymous(self):
self.make_participant('alice')
self.make_participant('bob')
user = User.from_session_token(None)
assert user.ANON
def test_user_from_bad_session_token_is_anonymous(self):
user = User.from_session_token('deadbeef')
assert user.ANON
