def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
if request.method != "POST":
raise Http404
assertion = request.POST["assertion"]
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response_data = {"registered": False, "browserid": verification}
user = auth.authenticate(assertion=assertion, audience=get_audience(request))
if user is not None:
auth.login(request, user)
response_data = {
"registered": True,
"browserid": verification,
"manager": user.has_perm("base.can_manage"),
"localizer": user.has_perm("base.can_localize"),
}
return HttpResponse(json.dumps(response_data), mimetype="application/json")
def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
if request.method != 'POST':
raise Http404
assertion = request.POST['assertion']
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response = 'error'
user = auth.authenticate(assertion=assertion, audience=get_audience(request))
if user is not None:
auth.login(request, user)
response = {'browserid': verification,
'manager': user.has_perm('base.can_manage'),
'localizer': user.has_perm('base.can_localize')
}
return HttpResponse(json.dumps(response), mimetype='application/json')
def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
if request.method != 'POST':
log.error("Non-POST request")
raise Http404
assertion = request.POST['assertion']
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response = "error"
user = authenticate(assertion=assertion, audience=get_audience(request))
if user is not None:
login(request, user)
# Check for permission to localize if not granted on every login
if not user.has_perm('base.can_localize'):
user = User.objects.get(username=user)
utils.add_can_localize(user)
response = {
'browserid': verification,
'manager': user.has_perm('base.can_manage'),
}
return HttpResponse(json.dumps(response), mimetype='application/json')
def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
if request.method != 'POST':
log.error("Non-POST request")
raise Http404
assertion = request.POST['assertion']
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response = "error"
user = authenticate(assertion=assertion, audience=get_audience(request))
if user is not None:
login(request, user)
# Check for permission to localize if not granted on every login
if not user.has_perm('base.can_localize'):
user = User.objects.get(username=user)
utils.add_can_localize(user)
response = {
'browserid': verification,
'manager': user.has_perm('base.can_manage'),
}
return HttpResponse(json.dumps(response), mimetype='application/json')
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s' % result)
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('User %r tried to reverify as '
'new email: %s' % (logged_user, email))
request.session['was_reverified'] = True
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' %
(url, audience, extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
user_hash = set_user(request, email)
redirect_url = check_pin_status(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_hash
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {'forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'allowUnverified': 'true'}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' % (url, audience,
extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
user_hash = set_user(request, email)
return {'has_pin': request.session.get('uuid_has_pin'),
'pin_create': reverse('pin.create'),
'user_hash': user_hash}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_verify(request):
next = request.REQUEST.get("next")
redirect_to = next or getattr(settings, "LOGIN_REDIRECT_URL", "/")
redirect_to_failure = getattr(settings, "LOGIN_REDIRECT_URL_FAILURE", "/")
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data["assertion"], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result["email"]
request.user.save()
return redirect(reverse("users.edit_profile"))
else:
# Verified so log in
email = result["email"]
user = User.objects.filter(email=email)
if len(user) == 0:
form = BrowserIDSignupForm()
request.session["browserid-email"] = email
return render(request, "users/browserid_signup.html", {"email": email, "next": next, "form": form})
else:
user = user[0]
user.backend = "django_browserid.auth.BrowserIDBackend"
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' % (url, audience,
extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
user_hash = set_user(request, email)
redirect_url = check_pin_status(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_hash
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result['email']
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result['email']
user = User.objects.filter(email=email)
if len(user) == 0:
form = BrowserIDSignupForm()
request.session['browserid-email'] = email
return render(request, 'users/browserid_signup.html',
{'email': email, 'next': next, 'form': form})
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def login(request):
assertion = request.POST.get('assertion')
if assertion is not None:
audience = get_audience(request)
user = auth.authenticate(assertion=assertion, audience=audience)
if user and user.is_active:
auth.login(request, user)
return get_user(request)
def verify(request, assertion=None):
"""Verifies a BrowserID assertion and caches it in the user's session."""
if assertion:
verification = browserid_verify(assertion, get_audience(request))
request.session[SESSION_VERIFY] = verification
else:
verification = request.session.get(SESSION_VERIFY)
return verification or None
def form_valid(self, form):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
self.assertion = form.cleaned_data['assertion']
self.audience = get_audience(self.request)
result = verify(self.assertion, self.audience)
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
try:
data = is_vouched(result['email'])
except BadStatusCodeError:
msg = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return self.login_failure(message=msg)
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(
username=USERNAME_ALGO(data['email']),
email=data['email'])
# Due to privacy settings, this might be missing
if 'full_name' not in data:
data['full_name'] = 'Anonymous Mozillian'
else:
user.userprofile.mozillian_username = data['username']
user.userprofile.save()
first_name, last_name = (
data['full_name'].split(' ', 1)
if ' ' in data['full_name']
else ('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(
Group.objects.get(name='Mozillians'))
if _is_valid_login:
try:
self.user = auth.authenticate(assertion=self.assertion,
audience=self.audience)
auth.login(self.request, self.user)
except BrowserIDException as e:
return self.login_failure(error=e)
if self.request.user and self.request.user.is_active:
return self.login_success()
return self.login_failure()
def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
assertion = request.POST['assertion']
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response_data = {'registered': False, 'browserid': verification}
user = auth.authenticate(assertion=assertion, audience=get_audience(request))
if user is not None:
auth.login(request, user)
response_data = {'registered': True, 'browserid': verification}
return HttpResponse(json.dumps(response_data), mimetype='application/json')
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
log.info("verifying assertion")
result = verify_assertion(form.cleaned_data["assertion"], get_audience(request))
if result:
log.info("assertion ok: %s" % result)
return http.HttpResponse("ok")
return http.HttpResponseBadRequest()
def form_valid(self, form):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
self.assertion = form.cleaned_data['assertion']
self.audience = get_audience(self.request)
result = verify(self.assertion, self.audience)
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
try:
data = is_vouched(result['email'])
except BadStatusCodeError:
msg = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return self.login_failure(message=msg)
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(username=USERNAME_ALGO(
data['email']),
email=data['email'])
# Due to privacy settings, this might be missing
if not 'full_name' in data:
data['full_name'] = 'Anonymous Mozillian'
else:
user.userprofile.mozillian_username = data['username']
user.userprofile.save()
first_name, last_name = (data['full_name'].split(' ', 1)
if ' ' in data['full_name'] else
('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
try:
self.user = auth.authenticate(assertion=self.assertion,
audience=self.audience)
auth.login(self.request, self.user)
except BrowserIDException as e:
return self.login_failure(error=e)
if self.request.user and self.request.user.is_active:
return self.login_success()
return self.login_failure()
def verify(request, template=None):
"""Verify BrowserID assertion, and return whether a user is registered."""
log.debug("Verify BrowserID assertion.")
assertion = request.POST['assertion']
if assertion is None:
return HttpResponseBadRequest()
verification = browserid_verify(assertion, get_audience(request))
if not verification:
return HttpResponseForbidden()
response_data = {'registered': False, 'browserid': verification}
user = auth.authenticate(assertion=assertion,
audience=get_audience(request))
if user is not None:
auth.login(request, user)
response_data = {'registered': True, 'browserid': verification}
return HttpResponse(json.dumps(response_data), mimetype='application/json')
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
log.info('verifying assertion')
result = verify_assertion(form.cleaned_data['assertion'],
get_audience(request))
if result:
log.info('assertion ok: %s' % result)
set_user(request, result['email'])
return {'has_pin': request.session['uuid_has_pin'],
'pin_create': reverse('pin.create')}
request.session.clear()
return http.HttpResponseBadRequest()
def form_valid(self, form):
"""Handles the return post request from the browserID form and puts
interesting variables into the class. If everything checks out, then
we call handle_user to decide how to handle a valid user
"""
self.assertion = form.cleaned_data['assertion']
self.audience = django_browserid.get_audience(self.request)
self.user = auth.authenticate(browserid_assertion=self.assertion, browserid_audience=self.audience, request=self.request)
assert self.user.is_authenticated()
if self.user and self.user.is_active:
return self.login_success()
return self.login_failure()
def form_valid(self, form):
"""Handles the return post request from the browserID form and puts
interesting variables into the class. If everything checks out, then
we call handle_user to decide how to handle a valid user
"""
self.assertion = form.cleaned_data['assertion']
self.audience = django_browserid.get_audience(self.request)
self.user = auth.authenticate(browserid_assertion=self.assertion,
browserid_audience=self.audience,
request=self.request)
assert self.user.is_authenticated()
if self.user and self.user.is_active:
return self.login_success()
return self.login_failure()
def form_valid(self, form):
"""Custom mozillians login form validation"""
self.assertion = form.cleaned_data['assertion']
self.audience = get_audience(self.request)
result = verify(self.assertion, self.audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(
username=default_username_algo(data['email']),
email=data['email'])
profile = user.userprofile
profile.username = data['username']
profile.avatar_url = data['photo']
profile.save()
if _is_valid_login:
try:
self.user = auth.authenticate(assertion=self.assertion,
audience=self.audience)
auth.login(self.request, self.user)
except BrowserIDException as e:
return self.login_failure(e)
if self.user and self.user.is_active:
return self.login_success()
except BadStatusCodeError:
msg = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched'
% result['email'])
messages.warning(self.request, msg)
return self.login_failure()
messages.error(self.request, ('Login failed. Make sure you are using '
'a valid email address and you are '
'a vouched Mozillian.'))
return self.login_failure()
def mozilla_browserid_verify(request):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(
username=USERNAME_ALGO(data['email']),
email=data['email'])
first_name, last_name = (
data['full_name'].split(' ', 1)
if ' ' in data['full_name']
else ('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
return redirect('dashboard')
except BadStatusCodeError:
message = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return login_failed(request, message)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def form_valid(self, form):
"""Custom mozillians login form validation"""
self.assertion = form.cleaned_data["assertion"]
self.audience = get_audience(self.request)
result = verify(self.assertion, self.audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result["email"]).exists():
_is_valid_login = True
else:
data = is_vouched(result["email"])
if data and data["is_vouched"]:
_is_valid_login = True
user = User.objects.create_user(
username=default_username_algo(data["email"]), email=data["email"]
)
MozillianProfile.objects.create(user=user, username=data["username"], avatar_url=data["photo"])
if _is_valid_login:
try:
self.user = auth.authenticate(assertion=self.assertion, audience=self.audience)
auth.login(self.request, self.user)
except BrowserIDException as e:
return self.login_failure(e)
if self.user and self.user.is_active:
return self.login_success()
except BadStatusCodeError:
msg = (
"Email (%s) authenticated but unable to "
"connect to Mozillians to see if you are vouched" % result["email"]
)
messages.warning(self.request, msg)
return self.login_failure()
messages.error(
self.request,
("Login failed. Make sure you are using " "a valid email address and you are " "a vouched Mozillian."),
)
return self.login_failure()
def mozilla_browserid_verify(request):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(username=USERNAME_ALGO(
data['email']),
email=data['email'])
first_name, last_name = (data['full_name'].split(
' ', 1) if ' ' in data['full_name'] else
('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
return redirect('dashboard')
except BadStatusCodeError:
message = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return login_failed(request, message)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def create_action(self, request, serializer):
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request,
serializer.data['assertion'],
browserid_audience=serializer.data['audience']
or get_audience(request),
is_mobile=serializer.data['is_mobile'],
)
if profile is None:
# Authentication failure.
log.info('No profile: %s' % (msg or ''))
raise AuthenticationFailed('No profile.')
request.user = profile
request.groups = profile.groups.all()
auth.login(request, profile)
profile.log_login_attempt(True) # TODO: move this to the signal.
user_logged_in.send(sender=profile.__class__,
request=request,
user=profile)
# We want to return completely custom data, not the serializer's.
data = {
'error': None,
'token': commonplace_token(request.user.email),
'settings': {
'display_name': request.user.display_name,
'email': request.user.email,
'enable_recommendations': request.user.enable_recommendations,
}
}
# Serializers give up if they aren't passed an instance, so we
# do that here despite PermissionsSerializer not needing one
# really.
permissions = PermissionsSerializer(context={'request': request},
instance=True)
data.update(permissions.data)
# Add ids of installed/purchased/developed apps.
data['apps'] = user_relevant_apps(profile)
return data
def browserid_login(request, browserid_audience=None):
msg = ''
if request.user.is_authenticated():
# If username is different, maybe sign in as new user?
return http.HttpResponse(status=200)
try:
is_mobile = bool(int(request.POST.get('is_mobile', 0)))
except ValueError:
is_mobile = False
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request, request.POST.get('assertion'),
is_mobile=is_mobile,
browserid_audience=browserid_audience or get_audience(request))
if profile is not None:
auth.login(request, profile)
profile.log_login_attempt(True)
return http.HttpResponse(status=200)
return http.HttpResponse(msg, status=401)
def personaregister(request):
if request.method == "POST":
form = BrowserIDForm(data=request.POST)
user = request.user
# I've taken the - not - from the docs out of the next line
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if is_lazy_user(user):
if User.objects.filter(email=result[u'email']):
existinguser = User.objects.get(email=result[u'email'])
existinguser.backend = 'django_browserid.auth.BrowserIDBackend'
login(request, existinguser)
else:
foo = LazyUser.objects.get(user=user)
foo.delete()
user.email = result[u'email']
user.save()
return redirect('/')
def browserid_login(request, browserid_audience=None):
msg = ''
if request.user.is_authenticated():
# If username is different, maybe sign in as new user?
return http.HttpResponse(status=200)
try:
is_mobile = bool(int(request.POST.get('is_mobile', 0)))
except ValueError:
is_mobile = False
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request, request.POST.get('assertion'),
is_mobile=is_mobile,
browserid_audience=browserid_audience or get_audience(request))
if profile is not None:
auth.login(request, profile)
profile.log_login_attempt(True)
return http.HttpResponse(status=200)
return http.HttpResponse(msg, status=401)
def create_action(self, request, serializer):
with statsd.timer('auth.browserid.verify'):
profile, msg = browserid_authenticate(
request, serializer.data['assertion'],
browserid_audience=serializer.data['audience'] or
get_audience(request),
is_mobile=serializer.data['is_mobile'],
)
if profile is None:
# Authentication failure.
log.info('No profile: %s' % (msg or ''))
raise AuthenticationFailed('No profile.')
request.user = profile
request.groups = profile.groups.all()
auth.login(request, profile)
profile.log_login_attempt(True) # TODO: move this to the signal.
user_logged_in.send(sender=profile.__class__, request=request,
user=profile)
# We want to return completely custom data, not the serializer's.
data = {
'error': None,
'token': commonplace_token(request.user.email),
'settings': {
'display_name': request.user.display_name,
'email': request.user.email,
'enable_recommendations': request.user.enable_recommendations,
}
}
# Serializers give up if they aren't passed an instance, so we
# do that here despite PermissionsSerializer not needing one
# really.
permissions = PermissionsSerializer(context={'request': request},
instance=True)
data.update(permissions.data)
# Add ids of installed/purchased/developed apps.
data['apps'] = user_relevant_apps(profile)
return data
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if request.user.is_authenticated() and request.user.email != result['email']:
# User is already signed and wants to change their email.
request.user.email = result['email']
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result['email']
user = User.objects.filter(email=email)
contributor = 'contributor' in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session['browserid-email'] = email
signup_url = reverse('users.browserid_signup')
return redirect('%s?%s' % (signup_url,
urlencode({'next': next})))
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
# TODO: when we want to require a forced-auth login across the
# entire site then how do we do it?
# See bug 836060.
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
# TODO: how do we make sure this is a proper forced
# auth assertion?
# This can also be addressed in bug 836060
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s')
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('A user tried to reverify herself with a '
'new email: %s' % email)
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_verify(request):
next = request.REQUEST.get("next")
redirect_to = next or getattr(settings, "LOGIN_REDIRECT_URL", "/")
redirect_to_failure = getattr(settings, "LOGIN_REDIRECT_URL_FAILURE", "/")
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data["assertion"], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result["email"]
request.user.save()
return redirect(reverse("users.edit_profile"))
else:
# Verified so log in
email = result["email"]
user = User.objects.filter(email=email)
contributor = "contributor" in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session["browserid-email"] = email
signup_url = reverse("users.browserid_signup")
return redirect("%s?%s" % (signup_url, urlencode({"next": next})))
else:
user = user[0]
user.backend = "django_browserid.auth.BrowserIDBackend"
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
# TODO: when we want to require a forced-auth login across the
# entire site then how do we do it?
# See bug 836060.
extra_params = {'forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
# TODO: how do we make sure this is a proper forced
# auth assertion?
# This can also be addressed in bug 836060
'forceAuthentication': 'true',
'allowUnverified': 'true'}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s')
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('A user tried to reverify herself with a '
'new email: %s' % email)
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_login(request, browserid_audience=None):
msg = ""
if waffle.switch_is_active("browserid-login"):
if request.user.is_authenticated():
# If username is different, maybe sign in as new user?
return http.HttpResponse(status=200)
try:
is_mobile = bool(int(request.POST.get("is_mobile", 0)))
except ValueError:
is_mobile = False
with statsd.timer("auth.browserid.verify"):
profile, msg = browserid_authenticate(
request,
request.POST["assertion"],
is_mobile=is_mobile,
browserid_audience=browserid_audience or get_audience(request),
)
if profile is not None:
auth.login(request, profile.user)
profile.log_login_attempt(True)
return http.HttpResponse(status=200)
else:
msg = "browserid-login waffle switch is not enabled"
return http.HttpResponse(msg, status=401)
def create_action(self, request, serializer):
with statsd.timer("auth.browserid.verify"):
profile, msg = browserid_authenticate(
request,
serializer.data["assertion"],
browserid_audience=serializer.data["audience"] or get_audience(request),
is_mobile=serializer.data["is_mobile"],
)
if profile is None:
# Authentication failure.
log.info("No profile: %s" % (msg or ""))
raise AuthenticationFailed("No profile.")
request.user, request.amo_user = profile, profile
request.groups = profile.groups.all()
auth.login(request, profile)
profile.log_login_attempt(True) # TODO: move this to the signal.
user_logged_in.send(sender=profile.__class__, request=request, user=profile)
# We want to return completely custom data, not the serializer's.
data = {
"error": None,
"token": commonplace_token(request.amo_user.email),
"settings": {"display_name": request.amo_user.display_name, "email": request.amo_user.email},
}
# Serializers give up if they aren't passed an instance, so we
# do that here despite PermissionsSerializer not needing one
# really.
permissions = PermissionsSerializer(context={"request": request}, instance=True)
data.update(permissions.data)
# Add ids of installed/purchased/developed apps.
data["apps"] = user_relevant_apps(profile)
return data
def browserid_authenticate(request, assertion, is_native=False):
"""
Verify a BrowserID login attempt. If the BrowserID assertion is
good, but no account exists, create one.
"""
url = settings.BROWSERID_VERIFICATION_URL
extra_params = None
if is_native:
# When persona is running native on B2G then we need to
# verify assertions with the right service.
# We also need to force the appropriate issuer
# for potentially unverified emails.
url = settings.NATIVE_BROWSERID_VERIFICATION_URL
extra_params = {'issuer': settings.UNVERIFIED_ISSUER,
'allowUnverified': 'true'}
audience = get_audience(request)
log.debug('Verifying Persona at %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify(assertion, audience,
url=url, extra_params=extra_params)
if not result:
return None, _('Persona authentication failure.')
if 'unverified-email' in result:
email = result['unverified-email']
verified = False
else:
email = result['email']
verified = True
try:
profile = UserProfile.objects.filter(email=email)[0]
except IndexError:
profile = None
if profile:
if profile.is_verified and not verified:
# An attempt to log in to a verified address with an unverified
# assertion is a very bad thing. However, the same email address
# can legitimately be used on the site on desktop and be verified
# whilst be used on b2g and be unverified. We are forcing the
# issuer, so this shouldn't be an issue.
#
# Blame kumar. Or cvan. Or deal with it.
log.debug('Verified user %s attempted to log in with an '
'unverified assertion!' % profile)
else:
profile.is_verified = verified
profile.save()
backend = 'django_browserid.auth.BrowserIDBackend'
if getattr(profile.user, 'backend', None) != backend:
profile.user.backend = backend
profile.user.save()
return profile, None
username = autocreate_username(email.partition('@')[0])
source = (amo.LOGIN_SOURCE_MMO_BROWSERID if settings.MARKETPLACE else
amo.LOGIN_SOURCE_AMO_BROWSERID)
profile = UserProfile.objects.create(username=username, email=email,
source=source, display_name=username,
is_verified=verified)
profile.create_django_user(
backend='django_browserid.auth.BrowserIDBackend')
log_cef('New Account', 5, request, username=username,
signature='AUTHNOTICE',
msg='User created a new account (from Persona)')
return profile, None