def login_for_apps(): """Login for API access only""" if request.method == "GET": session['unsigned_access_token'] = random_token() session['logged_in'] = False return jsonify({ "token": session['unsigned_access_token'], "signature": server_key.sign_message(session['unsigned_access_token']) }) elif request.method == "POST": # Client posts it's login name and a signed token. data = request.get_json() # Verify signed token against stored public key for that name. pubkey = APIKey(db.get_pub_key(data['login'])['pubkey']) try: pubkey.verify_message(session['unsigned_access_token'], data['signature']) except Exception, e: session['logged_in'] = False del session['unsigned_access_token'] return make_response(jsonify({'error': 'Bad token signature.'}), 401) # Token has valid signature, grant login: session['user_id'] = data['login'] session['logged_in'] = True # Mark this session as safe to bypass csrf protection, due to the ECDSA authentication: session['bypass_csrf'] = True return jsonify({'success': 'Logged in'})
def login_for_apps(): """Login for API access only""" if request.method == "GET": session["unsigned_access_token"] = random_token() session["logged_in"] = False return jsonify( { "token": session["unsigned_access_token"], "signature": server_key.sign_message(session["unsigned_access_token"]), } ) elif request.method == "POST": # Client posts it's login name and a signed token. data = request.get_json() # Verify signed token against stored public key for that name. pubkey = APIKey(db.get_pub_key(data["login"])["pubkey"]) try: pubkey.verify_message(session["unsigned_access_token"], data["signature"]) except Exception, e: session["logged_in"] = False del session["unsigned_access_token"] return make_response(jsonify({"error": "Bad token signature."}), 401) # Token has valid signature, grant login: session["user_id"] = data["login"] session["logged_in"] = True # Mark this session as safe to bypass csrf protection, due to the ECDSA authentication: session["bypass_csrf"] = True return jsonify({"success": "Logged in"})
def authenticate(): token_to_sign = random_token() cmd = Command.new(ws, action='authenticate', token=token_to_sign) response = cmd.send() context['cluster'] = cluster = response['cluster'] client_pubkey = db.get_pub_key(cluster) client_apikey = APIKey(client_pubkey['pubkey']) # Verify the client correctly signed the token: try: client_apikey.verify_message(token_to_sign, response.get('signature')) except: response.respond(message='Bad Signature of token for authentication', done=True) log.error('client provided bad signature for auth token') raise response.respond(authenticated=True, done=True) # Client will ask us to authenticate too: command = receive_data(ws) assert command.get('action') == 'authenticate' data = {'signature' :context['apikey'].sign_message(command['token'])} response = command.respond(**data) if response.get('authenticated') != True: raise UnauthenticatedError("Our peer could not validate our signed auth token")
def authenticate(): token_to_sign = random_token() cmd = Command.new(ws, action='authenticate', token=token_to_sign) response = cmd.send() context['cluster'] = cluster = response['cluster'] client_pubkey = db.get_pub_key(cluster) client_apikey = APIKey(client_pubkey['pubkey']) # Verify the client correctly signed the token: try: client_apikey.verify_message(token_to_sign, response.get('signature')) except: response.respond( message='Bad Signature of token for authentication', done=True) log.error('client provided bad signature for auth token') raise response.respond(authenticated=True, done=True) # Client will ask us to authenticate too: command = receive_data(ws) assert command.get('action') == 'authenticate' data = {'signature': context['apikey'].sign_message(command['token'])} response = command.respond(**data) if response.get('authenticated') != True: raise UnauthenticatedError( "Our peer could not validate our signed auth token")
def create_credentials(): """Create ecdsa keypair for authenticating with server. Save these to a config file in the home directory.""" print("Config file is : {config_path}".format( config_path=CLIENT_CONFIG_PATH)) # Check for cluster name: config = ConfigParser.RawConfigParser() config.read(CLIENT_CONFIG_PATH) if not config.has_section("cluster"): config.add_section("cluster") if config.has_option('cluster', 'name'): cluster_name = config.get('cluster', 'name') else: while True: cluster_name = raw_input('Enter a name for this cluster: ') if not re.match(r'^[a-zA-Z0-9_-]+$', cluster_name): print( "Cluster name must be of the characters a-z, A-Z, 0-9, _ and -" ) continue break config.set('cluster', 'name', cluster_name) with open(CLIENT_CONFIG_PATH, "wb") as f: config.write(f) os.chmod(CLIENT_CONFIG_PATH, 0600) print( "Cluster name is: {cluster_name}\n".format(cluster_name=cluster_name)) # Check for existing client key: try: # Load existing config: apikey = APIKey.load() except BadConfigFileException: apikey = APIKey.new() apikey.save() print("Your public key is: {key}\n".format(key=apikey.get_pub_key())) # Check for existing server key: try: # Load existing config: apikey = APIKey.load(key_type='server') except BadConfigFileException: server_key = raw_input("Input the server's public key:") try: apikey = APIKey(server_key) except: print("Invalid server key, does not decode to a valid ecdsa key.") exit(1) # Verify server key: verify_code = raw_input("Input the server verify code: ") token, sig = base64.decodestring(verify_code).split("|") apikey.verify_message(token, sig) apikey.save(key_type='server') print("Server public key is: {key}".format(key=apikey.get_pub_key()))
def create_credentials(): """Create ecdsa keypair for authenticating with server. Save these to a config file in the home directory.""" print("Config file is : {config_path}".format(config_path=CLIENT_CONFIG_PATH)) # Check for cluster name: config = ConfigParser.RawConfigParser() config.read(CLIENT_CONFIG_PATH) if not config.has_section("cluster"): config.add_section("cluster") if config.has_option('cluster', 'name'): cluster_name = config.get('cluster', 'name') else: while True: cluster_name = raw_input('Enter a name for this cluster: ') if not re.match(r'^[a-zA-Z0-9_-]+$', cluster_name): print("Cluster name must be of the characters a-z, A-Z, 0-9, _ and -") continue break config.set('cluster', 'name', cluster_name) with open(CLIENT_CONFIG_PATH, "wb") as f: config.write(f) os.chmod(CLIENT_CONFIG_PATH, 0600) print("Cluster name is: {cluster_name}\n".format(cluster_name=cluster_name)) # Check for existing client key: try: # Load existing config: apikey = APIKey.load() except BadConfigFileException: apikey = APIKey.new() apikey.save() print("Your public key is: {key}\n".format(key=apikey.get_pub_key())) # Check for existing server key: try: # Load existing config: apikey = APIKey.load(key_type='server') except BadConfigFileException: server_key = raw_input("Input the server's public key:") try: apikey = APIKey(server_key) except: print("Invalid server key, does not decode to a valid ecdsa key.") exit(1) # Verify server key: verify_code = raw_input("Input the server verify code: ") token, sig = base64.decodestring(verify_code).split("|") apikey.verify_message(token, sig) apikey.save(key_type='server') print("Server public key is: {key}".format(key=apikey.get_pub_key()))