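def create_user(**args):
    """Create a user on behalf of an administrator.

    Keyword args read from ``args``:
        http_request: the incoming request; the token resolved from it must
            carry ROLE_ADMIN.
        user: a dict of user attributes. It becomes the new User's
            ``__dict__`` wholesale (mass assignment), so the caller controls
            every stored field except the ones overwritten below (password
            hash, activated, imageUrl, langKey and the audit fields).
            Unlike ``register_user`` no default ``authorities`` are assigned
            here; whatever the payload carries is stored as-is.

    Returns:
        The value returned by ``user_db.create_user``.

    Raises:
        Exception: '403 Forbidden' when the caller lacks ROLE_ADMIN;
            '400 缺少用户数据' when no user dict was supplied;
            '400 ...' when login, email or phone is already taken.
    """
    token = token_service.get_token(args.get('http_request'))
    user_login = token.username
    if not token.has_role('ROLE_ADMIN'):
        raise Exception('403 Forbidden')

    payload = args.get('user')
    # Assigning a non-dict to __dict__ raises TypeError (surfacing as a 500);
    # a missing/invalid payload is a client error, so reject it as one.
    if not isinstance(payload, dict):
        raise Exception('400 缺少用户数据')
    user = User()
    # NOTE(review): whole-dict assignment lets the caller set any attribute
    # (id, authorities, activationKey, resetKey, ...). Tolerable only because
    # the caller is an admin; an allow-list of fields would be safer.
    user.__dict__ = payload

    # Uniqueness checks, in the original order so error precedence is kept.
    for field, message in (('login', '400 已存在同名用户'),
                           ('email', '400 email已存在'),
                           ('phone', '400 phone已存在')):
        if user_db.find_one_by_kv(field, getattr(user, field)) is not None:
            raise Exception(message)

    # Only the hash is stored; the plaintext from the payload is replaced.
    user.password = passwd_service.encode(user.password)
    user.activated = True  # admin-created accounts skip email activation
    user.imageUrl = ''
    user.langKey = 'en'
    now = mytime.now()  # one timestamp so created/modified dates agree
    user.createdBy = user_login
    user.createdDate = now
    user.lastModifiedBy = user.createdBy
    user.lastModifiedDate = now

    return user_db.create_user(user)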
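def update_current_account(**args):
    """Let the authenticated user update their own base profile.

    Keyword args read from ``args``:
        http_request: the incoming request; the token's ``username`` is the
            identity the update is authorised for.
        user: a dict of user attributes, mass-assigned onto a User. Its
            ``login`` must equal the token's username, which is what stops a
            user from editing somebody else's account.

    Returns:
        0 on success.

    Raises:
        Exception: '403 Forbidden' when there is no authenticated username or
            the payload's login differs from it; '400 email已存在' /
            '400 phone已存在' when the new email/phone belongs to another
            account; '400 用户不存在' when the caller's own record is gone;
            '400 缺少用户数据' when no user dict was supplied.

    NOTE(review): the payload may carry fields other than base info
    (authorities, password, activated, ...). Whether
    ``user_db.update_user_base_info`` ignores them is not visible here --
    confirm, or filter the payload to an allow-list before the call.
    """
    http_request = args.get('http_request')
    token = token_service.get_token(http_request)
    user_login = token.username
    # Fail closed before touching the payload: no identity, no update.
    if user_login is None:
        raise Exception('403 Forbidden')

    payload = args.get('user')
    # A non-dict would make the __dict__ assignment raise TypeError (a 500).
    if not isinstance(payload, dict):
        raise Exception('400 缺少用户数据')
    user = User()
    user.__dict__ = payload

    # Self-service only: the record being edited must be the caller's own.
    if user_login != user.login:
        raise Exception('403 Forbidden')

    # Email/phone must be unique, but the caller's own current values pass.
    for field, message in (('email', '400 email已存在'),
                           ('phone', '400 phone已存在')):
        other = user_db.find_one_by_kv(field, getattr(user, field))
        if other is not None and other.login != user_login:
            raise Exception(message)

    if user_db.find_one_by_kv('login', user_login) is None:
        raise Exception('400 用户不存在')

    user_db.update_user_base_info(user)
    return 0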
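def update_user(**args):
    """Administrative update of any user, optionally resetting the password.

    Keyword args read from ``args``:
        http_request: the incoming request; its token must carry ROLE_ADMIN.
        user: a dict of user attributes, mass-assigned onto a User. ``id``
            is required (it is used to exclude the user's own row from the
            email/phone uniqueness checks). A non-empty ``password`` means
            "set a new password".

    Returns:
        0 on success.

    Raises:
        Exception: '403 Forbidden' without ROLE_ADMIN; '400 email已存在' /
            '400 phone已存在' when the email/phone belongs to a different id.

    Security note: the original hashed the password only after handing the
    whole object to ``user_db.update_user``. Whether that call persists the
    ``password`` attribute is not visible here, so the hash is now computed
    first and the object never carries the plaintext into the DB layer.
    """
    token = token_service.get_token(args.get('http_request'))
    user_login = token.username
    if not token.has_role('ROLE_ADMIN'):
        raise Exception('403 Forbidden')

    user = User()
    user.__dict__ = args.get('user')

    for field, message in (('email', '400 email已存在'),
                           ('phone', '400 phone已存在')):
        other = user_db.find_one_by_kv(field, getattr(user, field))
        if other is not None and other.id != user.id:
            raise Exception(message)

    # Hash before any DB write so no plaintext reaches the store.
    new_password = getattr(user, 'password', None)
    hashed = passwd_service.encode(new_password) if new_password else None
    if hashed is not None:
        user.password = hashed

    user.lastModifiedBy = user_login
    user.lastModifiedDate = mytime.now()
    user_db.update_user(user)

    if hashed is not None:
        user_db.change_password(user.login, hashed)

    return 0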
def verify_user_password(username, password):
    """Authenticate by login name, email or phone number plus password.

    ``username`` is tried as a login, then as an email, then as a phone
    number. The first matching record whose stored hash verifies against
    ``password`` is returned; None means no identifier matched or the
    password was wrong (the two cases are deliberately not distinguished,
    which avoids leaking which identifiers exist).

    NOTE(review): ``activated`` is not checked here, so an unactivated
    account authenticates if nothing upstream rejects it -- confirm the
    caller enforces it.
    """
    for lookup_key in ('login', 'email', 'phone'):
        candidate = user_db.find_one_by_kv(lookup_key, username)
        if candidate is None:
            continue
        if passwd_service.verify_passwd(candidate.password, password):
            return candidate
    return None
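def activate_user(**args):
    """Activate the account that owns the activation key ``args['key']``.

    Returns:
        0 on success.

    Raises:
        Exception: '400 激活码失效' when the key is missing/empty or matches
            no user.
    """
    key = args.get('key')
    # A consumed key is cleared to '' below, so an empty or missing key must
    # never reach the lookup: depending on how find_one_by_kv treats ''/None
    # it could match an already-activated row instead of failing.
    if not key:
        raise Exception('400 激活码失效')

    # 'activation_key' is presumably the store's name for the activationKey
    # attribute -- the mapping lives in user_db.
    user = user_db.find_one_by_kv('activation_key', key)
    if user is None:
        raise Exception('400 激活码失效')

    user.activated = True
    user.activationKey = ''  # single-use: clear so the link cannot be replayed
    user_db.update_user_activation(user)

    return 0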
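def register_user(**args):
    """Self-service registration: create an unactivated user and email the
    activation link.

    Keyword args read from ``args``:
        user: a dict of user attributes, mass-assigned onto a User. The
            client therefore controls every attribute not overwritten below
            (for example ``id`` or ``resetKey``, if ``user_db.create_user``
            stores whatever it is given -- not visible here). ``password``,
            ``activated``, ``activationKey``, ``authorities`` and the audit
            fields are always overwritten. ``activateUrlPrefix`` is read
            from the same dict.

    Returns:
        0 on success.

    Raises:
        Exception: '400 缺少用户数据' when no user dict was supplied;
            '400 username重名' / '400 email重名' / '400 phone重名' on
            duplicates; '400 发送注册邮件失败' when the activation email could
            not be sent (the freshly created row is deleted again).

    Security note (review): the activation link prefix comes from the
    request. Unless something upstream validates it, anyone can register
    with a victim's email and have the victim receive an activation link
    pointing at an attacker-controlled host, which discloses the
    activation key. Prefer a server-side configured prefix or an
    allow-list.
    """
    payload = args.get('user')
    # A non-dict would make the __dict__ assignment raise TypeError (a 500).
    if not isinstance(payload, dict):
        raise Exception('400 缺少用户数据')
    user = User()
    user.__dict__ = payload

    # Uniqueness checks, in the original order so error precedence is kept.
    for field, message in (('login', '400 username重名'),
                           ('email', '400 email重名'),
                           ('phone', '400 phone重名')):
        if user_db.find_one_by_kv(field, getattr(user, field)) is not None:
            raise Exception(message)

    # Read the prefix before any DB write so a missing attribute fails here
    # rather than after the row exists.
    activate_url_prefix = user.activateUrlPrefix

    user.password = passwd_service.encode(user.password)
    user.activated = False  # stays False until activate_user consumes the key
    user.activationKey = passwd_service.gen_random_key()
    user.imageUrl = ''
    user.langKey = 'en'
    now = mytime.now()  # one timestamp so created/modified dates agree
    user.createdBy = user.login
    user.createdDate = now
    user.lastModifiedBy = user.login
    user.lastModifiedDate = now
    # Every self-registered user gets exactly ROLE_USER, whatever the
    # payload asked for.
    user.authorities = [
        'ROLE_USER',
    ]

    user_db.create_user(user)
    # Roll the row back whether the mailer reports failure or raises;
    # otherwise the login/email stay reserved by an account nobody can
    # activate.
    try:
        sent = mail_service.send_activation_email(
            user.email, activate_url_prefix, user.activationKey)
    except Exception:
        user_db.delete_user_by_login(user.login)
        raise
    if not sent:
        user_db.delete_user_by_login(user.login)
        raise Exception('400 发送注册邮件失败')

    return 0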
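def password_reset_finish(**args):
    """Second half of the password reset: set a new password for the
    account that owns reset key ``args['key']``.

    The key is valid for two days from ``user.resetDate`` (stored as
    '%Y-%m-%dT%H:%M:%S'; compared against a naive ``datetime.now()``, so both
    are assumed to be on the same clock/timezone -- confirm against
    ``mytime.now``).

    Returns:
        0 on success.

    Raises:
        Exception: '400, 重置码失效' when the key is missing, unknown or
            older than two days; '400, 新密码不能为空' when no new password
            was supplied.
    """
    key = args.get('key')
    new_password = args.get('newPassword')

    # A consumed key is cleared to '' below, so an empty or missing key must
    # never reach the lookup: depending on how find_one_by_kv treats ''/None
    # it could match a row whose key was already used, and that account's
    # password would then be overwritten.
    if not key:
        raise Exception('400, 重置码失效')
    # Without this an empty string would be hashed and stored as a valid
    # password.
    if not new_password:
        raise Exception('400, 新密码不能为空')

    user = user_db.find_one_by_kv('reset_key', key)
    if user is None:
        raise Exception('400, 重置码失效')

    ttl_seconds = 172800  # 2 days
    issued = datetime.strptime(user.resetDate,
                               '%Y-%m-%dT%H:%M:%S').timestamp()
    if datetime.now().timestamp() > issued + ttl_seconds:
        raise Exception('400, 重置码失效')

    user.password = passwd_service.encode(new_password)
    user.resetKey = ''  # single-use
    user_db.update_user_password_reset(user)
    return 0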
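def password_reset_init(**args):
    """First half of the password reset: issue a reset key and email it.

    Keyword args read from ``args``: whatever ``verify_code_service``
    needs for its check, plus ``email`` (the account to reset) and
    ``resetUrlPrefix`` (prefix of the link placed in the email).

    Returns:
        0 on success.

    Raises:
        Exception: '403, 验证码错误' when the verification code is wrong;
            '400, 用户不存在或未激活' when the email is missing, unknown or
            the account is not activated; '400, 发送邮件失败' when the
            mailer reports failure (the new key stays stored in that case).

    Security note (review): ``resetUrlPrefix`` is taken from the request.
    Unless something upstream validates it, an attacker who passes the
    verification code can request a reset for a victim's email and have the
    victim receive a link to an attacker-controlled host; following it
    discloses the reset key, which is enough for account takeover via
    ``password_reset_finish``. Prefer a server-side configured prefix or an
    allow-list.
    """
    if verify_code_service.validate_verify_code(**args) != 1:
        raise Exception('403, 验证码错误')

    email = args.get('email')
    # Never query the store with an empty key: depending on the backend,
    # ``email == None`` could match rows that have no email set.
    if not email:
        raise Exception('400, 用户不存在或未激活')

    user = user_db.find_one_by_kv('email', email)
    if user is None or not user.activated:
        raise Exception('400, 用户不存在或未激活')

    # Issuing a new key invalidates any earlier one for this account.
    user.resetKey = passwd_service.gen_random_key()
    user.resetDate = mytime.now()
    user_db.update_user_password_reset(user)

    if not mail_service.send_password_reset_email(
            email, args.get('resetUrlPrefix'), user.resetKey):
        raise Exception('400, 发送邮件失败')

    return 0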
def get_user_by_phone(phone):
    """Look up a user by phone number.

    Returns the matching user after ``remove_internal_values`` has stripped
    its internal fields (which fields is decided by User, not visible
    here), or None when no user has that phone.
    """
    found = user_db.find_one_by_kv('phone', phone)
    if found is None:
        return None
    found.remove_internal_values()
    return found
def get_user_by_email(email):
    """Look up a user by email address.

    Returns the matching user after ``remove_internal_values`` has stripped
    its internal fields (which fields is decided by User, not visible
    here), or None when no user has that email.
    """
    found = user_db.find_one_by_kv('email', email)
    if found is None:
        return None
    found.remove_internal_values()
    return found
def get_user_by_login(login):
    """Look up a user by login name.

    Returns the matching user after ``remove_internal_values`` has stripped
    its internal fields (which fields is decided by User, not visible
    here), or None when no user has that login.
    """
    found = user_db.find_one_by_kv('login', login)
    if found is None:
        return None
    found.remove_internal_values()
    return found
def get_user_by_id(id):
    """Look up a user by id.

    Returns the matching user after ``remove_internal_values`` has stripped
    its internal fields (which fields is decided by User, not visible
    here), or None when no user has that id.
    """
    found = user_db.find_one_by_kv('id', id)
    if found is None:
        return None
    found.remove_internal_values()
    return found
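def gen_from_refresh_token(refresh_token):
    """Exchange a refresh token for a fresh access/refresh token pair.

    Verifies ``refresh_token`` (RS256 against ``g.config.public_key``),
    re-reads the user from the database so role changes made since the
    token was issued are reflected, then signs a 5-minute access token and
    a 7-day refresh token with ``g.config.private_key``.

    Returns:
        A dict with ``access_token``, ``refresh_token``, ``token_type``,
        ``scope`` and the access token's ``iat``/``exp``/``expires_in``/
        ``jti``, or None when verification, the user lookup or signing
        fails.

    Security notes (review):
      * Nothing distinguishes an access token from a refresh token -- both
        are signed with the same key over identical claims and differ only
        in lifetime -- so a leaked 5-minute access token is accepted here
        as a refresh token. A dedicated token-type claim checked right
        after verification would close this; it is not added here because
        refresh tokens already issued would stop working.
      * ``user.activated`` is not checked, so a deactivated account keeps
        refreshing until its refresh token expires unless user_db filters
        it -- confirm.
      * ``checks_optional=True`` / ``ignore_not_implemented=True`` relax
        python_jwt's claim checks; ``allowed_algs=['RS256']`` still pins the
        algorithm, which is the part that matters.
      * The result's 'scope' ('web-app') differs from the claims' scope
        (['openid']); kept as in the original.
    """
    verify_opts = dict(allowed_algs=['RS256'], checks_optional=True,
                       ignore_not_implemented=True)

    # Any verification failure (bad signature, expired, malformed) maps to
    # None. Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
    # are no longer swallowed.
    try:
        pub_key = jwk.JWK.from_pem(g.config.public_key)
        refresh_claims = python_jwt.verify_jwt(refresh_token, pub_key=pub_key,
                                               **verify_opts)[1]
    except Exception:
        return None

    user_name = refresh_claims.get('user_name')
    # Never query the store with an empty key: depending on the backend,
    # ``login == None`` could match rows that have no login set.
    if not user_name:
        return None
    # Roles may have changed since the token was issued, so the user record
    # is re-read rather than trusting the old token's claims.
    user = user_db.find_one_by_kv('login', user_name)
    if user is None:
        return None

    claims = {
        'user_name': user.login,
        'authorities': user.authorities,
        'scope': ['openid'],
        'client_id': 'web_app'
    }
    try:
        priv_key = jwk.JWK.from_pem(g.config.private_key)
        access_token = python_jwt.generate_jwt(
            claims,
            priv_key=priv_key,
            algorithm='RS256',
            lifetime=datetime.timedelta(seconds=300),  # 5 min
            jti_size=16)
        # Decode what was just signed so iat/exp/jti are reported verbatim.
        access_claims = python_jwt.verify_jwt(access_token, pub_key=pub_key,
                                              **verify_opts)[1]
        new_refresh_token = python_jwt.generate_jwt(
            claims,
            priv_key=priv_key,
            algorithm='RS256',
            lifetime=datetime.timedelta(seconds=604800),  # 7 days
            jti_size=16)
    except Exception:
        return None

    issued_at = access_claims.get('iat')
    expires_at = access_claims.get('exp')
    return {
        'access_token': access_token,
        'refresh_token': new_refresh_token,
        'token_type': 'bearer',
        'scope': 'web-app',
        'iat': issued_at,
        'exp': expires_at,
        # The extra -1 is kept as in the original (a one-second margin).
        'expires_in': expires_at - issued_at - 1,
        'jti': access_claims.get('jti')
    }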