def login(authentication_method, user_id=None, user_email=None):
    """Resolve (or create) the user for a completed authentication and sign them in.

    Args:
        authentication_method: identifier of the method that just authenticated
            the user; checked against the organization's allow-list.
        user_id: id of an existing user; takes precedence over ``user_email``.
        user_email: email used to look up or create the user when ``user_id``
            is not given.

    Aborts with 400 for an unknown ``user_id``, and with a redirect back to the
    login page when the organization does not allow ``authentication_method``.
    """
    if user_id:
        user = get_user_by_id(user_id)
        if not user:
            logging.warning('Attempt to sign in nonexistent user %s', user_id)
            abort(400)
    else:
        org_id = get_organization_id_for_email(user_email)
        user = get_or_create_user(user_email, org_id)

    allowed_methods = get_allowed_authentication_methods(user.organization)
    # None means "no restriction"; note that an empty list blocks every method.
    method_blocked = (allowed_methods is not None
                      and authentication_method not in allowed_methods)
    if method_blocked:
        logging.warning(
            "User %s attempted to authenticate with method '%s'. Allowed methods are %s.",
            user.id, authentication_method, allowed_methods)
        # NOTE(review): authentication_method is interpolated into the redirect
        # URL without encoding -- assumed to be a server-chosen identifier, not
        # request input; confirm at the call sites.
        abort(redirect(f'/_/auth/login?e=auth_not_allowed-{authentication_method}'))

    if not user.accepted_terms_at:
        # all login methods now have UI for consenting to terms
        user.accepted_terms_at = datetime.datetime.utcnow()
        user.put()

    login_user(user)
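def use_transfer_link(transfer_link_token):
    """Redeem a signed transfer link, moving ownership of a short link to the current user.

    Args:
        transfer_link_token: urlsafe-base64 encoded JWT (padding may have been
            stripped) signed with the ``sessions_secret``. The claims read here
            are ``sub`` (``'link:<id>'``), ``tp`` (must be ``'transfer'``),
            ``o`` (owner user id when the token was issued) and ``by`` (id of
            the user who created the transfer link).

    Returns:
        ``('', 201)`` once the link's owner has been changed.

    Aborts with 403 when the token cannot be decoded or verified, or when its
    claims no longer match the link's current state.
    """
    user_facing_error = None
    try:
        # Re-add whatever base64 padding the URL form stripped off.
        padded_token = transfer_link_token + '=' * ((-len(transfer_link_token)) % 4)
        # algorithms is passed by keyword and as a list: the accepted algorithm
        # set must be pinned explicitly rather than taken from the token header.
        payload = jwt.decode(base64.urlsafe_b64decode(padded_token),
                             config.get_config()['sessions_secret'],
                             algorithms=['HS256'])
    except (ValueError, jwt.exceptions.InvalidTokenError) as e:
        # ValueError covers malformed base64 (binascii.Error, non-ASCII input);
        # InvalidTokenError is the base of every PyJWT validation failure, so an
        # unexpected `alg`, `nbf` or `iat` claim yields a 403 instead of an
        # unhandled exception.
        # NOTE(review): the full token is written to the log below; it is a
        # bearer credential, so consider logging a prefix or a hash instead.
        if isinstance(e, jwt.exceptions.ExpiredSignatureError):
            user_facing_error = 'Your transfer link has expired'
            logging.info('Attempt to use expired token: %s', transfer_link_token)
        elif isinstance(e, jwt.exceptions.InvalidSignatureError):
            logging.warning('Attempt to use invalid token: %s', transfer_link_token)
        else:
            logging.warning('Attempt to use undecodable token (%s)', type(e).__name__)
        abort(403, user_facing_error or 'Your transfer link is no longer valid')
    # NOTE(review): no `exp` claim is required here -- whether every issued
    # transfer token carries one is decided by the issuer, not visible in this
    # function; confirm, or pass options={'require': ['exp']} to jwt.decode.
    try:
        subject = payload['sub']
        if not isinstance(subject, str) or not subject.startswith('link:'):
            raise InvalidTransferToken('Subject is not link')
        if 'transfer' != payload['tp']:
            raise InvalidTransferToken('Invalid token permission')
        link_id = int(subject[len('link:'):])
        link = models.ShortLink.get_by_id(link_id)
        if not link:
            raise InvalidTransferToken('Link does not exist')
        owner_from_token = user_helpers.get_user_by_id(payload['o'])
        if not owner_from_token or link.owner != owner_from_token.email:
            user_facing_error = f'The owner of rfg/{link.shortpath} has changed since your transfer link was created'
            raise InvalidTransferToken('Owner from token does not match current owner')
        # The creator of the transfer link must still be allowed to edit it.
        if not check_mutate_authorization(link_id, payload['by']):
            user_facing_error = f'The user who created your transfer link no longer has edit rights for rfg/{link.shortpath}'
            raise InvalidTransferToken('Token from unauthorized user')
        if current_user.organization != link.organization:
            raise InvalidTransferToken("Current user does not match link's organization")
    except (InvalidTransferToken, KeyError, ValueError, TypeError) as e:
        # KeyError: missing claim; ValueError/TypeError: claim of the wrong
        # shape (e.g. a non-numeric link id). All are token problems -> 403.
        logging.warning(e)
        logging.warning('Attempt to use invalid token: %s', transfer_link_token)
        abort(403, user_facing_error or 'Your transfer link is no longer valid')
    link.owner = current_user.email
    link.put()
    return '', 201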
def get_user(user_id):
    """Return the JSON user-info view for ``user_id`` (``'me'`` means the caller).

    Any other id is only served when it resolves to an existing user and the
    caller is an admin of that user's organization; otherwise aborts with 403.
    """
    if user_id == 'me':
        return jsonify(_user_info(current_user))
    # NOTE(review): int() raises on a non-numeric id; how that surfaces to the
    # client depends on the framework's error handling -- confirm.
    target = get_user_by_id(int(user_id))
    # is_user_admin is handed a copy of current_user; why a copy is needed is
    # not visible here -- presumably it may mutate its argument.
    caller_is_admin = target and is_user_admin(copy.copy(current_user), target.organization)
    if not caller_is_admin:
        abort(403)
    return jsonify(_user_info(target))
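def check_mutate_authorization(link_id, user_id=None):
    """Return the ShortLink ``link_id`` if the acting user may edit it, else ``False``.

    A user may edit a link they own, or any link in their own organization
    when they are an admin of that organization.

    Args:
        link_id: id of the models.ShortLink to check.
        user_id: id of the acting user; ``None`` (or falsy) means the request's
            current user.

    Returns:
        The existing link on success; ``False`` when the link is missing, the
        lookup raised, the acting user does not exist, or the user is not
        authorized. Callers may use the result as a boolean or as the link.
    """
    if user_id:
        user = user_helpers.get_user_by_id(user_id)
        # An unknown/deleted user id must be a denial, not an AttributeError on
        # user.email below (use_transfer_link passes ids taken from a token).
        if not user:
            logging.warning('Authorization check for nonexistent user %s', user_id)
            return False
    else:
        user = current_user
    try:
        existing_link = models.ShortLink.get_by_id(link_id)
    except Exception as e:
        # A failed lookup is treated as "not authorized"; the cause is logged.
        logging.warning(str(e))
        return False
    if not existing_link:
        return False
    is_owner = existing_link.owner == user.email
    is_org_admin = (user.organization == existing_link.organization
                    and user_helpers.is_user_admin(user))
    if not (is_owner or is_org_admin):
        return False
    return existing_link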
def load_user(user_id):
    """Resolve ``user_id`` to a user object; presumably the session user-loader callback.

    The helper is imported inside the function rather than at module level,
    presumably to avoid an import cycle with modules.users.helpers.
    """
    from modules.users.helpers import get_user_by_id as lookup_user
    return lookup_user(user_id)
def load_user(user_id):
    """Resolve ``user_id`` to a user object and tag the Sentry scope with that id.

    The Sentry user is set before the lookup, so the id is attached to any
    event even when the lookup itself fails. The helper is imported lazily,
    presumably to avoid an import cycle with modules.users.helpers.
    """
    from modules.users.helpers import get_user_by_id as lookup_user
    sentry_sdk.set_user({'id': user_id})
    return lookup_user(user_id)
def load_user(user_id):
    """Resolve ``user_id`` via get_user_by_id; whatever it returns is passed through unchanged."""
    resolved = get_user_by_id(user_id)
    return resolved