def user_settings():
"""
User settings page where users manage their information as well as
delete their account.
"""
password_form = PasswordResetForm()
delete_account_form = DeleteAccountForm()
# Verifys that the password was correct and changes it to a new one.
if password_form.submit_password.data and password_form.validate():
if verify_password(password_form.old_password.data,
current_user.password):
current_user.password = hash_password(
password_form.new_password.data)
db.session.commit()
return redirect(url_for('store_page'))
# Verifies that the password was correct and then deletes the account.
if delete_account_form.submit_delete_account.data and delete_account_form.validate(
):
if verify_password(delete_account_form.password.data,
current_user.password):
db.session.delete(current_user)
db.session.commit()
return redirect(url_for('store_page'))
return render_template('user_settings.html',
password_form=password_form,
delete_account_form=delete_account_form)
def set_new_password():
form = ChangePasswordForm(request.form)
user = app.security.datastore.get_user(session["_user_id"])
old_password = user.password
_status = "empty"
if form.validate_on_submit():
if form.old_password.data:
app.artemis_logger.debug(
"verify: {}".format(
verify_password(form.old_password.data, old_password)
)
)
if verify_password(form.old_password.data, old_password):
app.artemis_logger.debug("password_match")
user = User.query.filter_by(username=user.username).first()
user.password = hash_password(form.password.data)
db.session.commit()
_status = "success"
else:
_status = "wrong_old_password"
return render_template(
"security/new_password.htm", password_change=form, status=_status
)
def test_user_may_change_their_password(self, testapi, user, authHeader):
oldPassword = '******'
newPassword = '******'
resp = testapi.post_json(url_for('v1.AuthView:change_password'), dict(new=newPassword, old=oldPassword),
headers=authHeader)
resp.status_code.should.equal(200)
verify_password(newPassword, user.password).should.be.true
def test_changes_password_command(session):
UserFactory.create(username='******',
password=hash_password('old_pass'))
changes_password('test_change_pass', 'new_pass')
user = User.query.filter_by(username='******').first()
assert not verify_password('old_pass', user.password)
assert verify_password('new_pass', user.password)
def test_verify_password_argon2(app, sqlalchemy_datastore):
init_app_with_options(app, sqlalchemy_datastore,
**{"SECURITY_PASSWORD_HASH": "argon2"})
with app.app_context():
hashed_pwd = hash_password("pass")
assert verify_password("pass", hashed_pwd)
assert "t=10" in hashed_pwd
# Verify double hash
assert verify_password("pass", argon2.hash(get_hmac("pass")))
def test_verify_password_backward_compatibility(app, sqlalchemy_datastore):
init_app_with_options(
app, sqlalchemy_datastore, **{
'SECURITY_PASSWORD_HASH': 'bcrypt',
'SECURITY_PASSWORD_SINGLE_HASH': False,
'SECURITY_PASSWORD_SCHEMES': ['bcrypt', 'plaintext']
})
with app.app_context():
# double hash
assert verify_password('pass', encrypt_password('pass'))
# single hash
assert verify_password('pass', plaintext.hash('pass'))
def test_verify_password_backward_compatibility(app, sqlalchemy_datastore):
init_app_with_options(
app, sqlalchemy_datastore, **{
"SECURITY_PASSWORD_HASH": "bcrypt",
"SECURITY_PASSWORD_SINGLE_HASH": False,
"SECURITY_PASSWORD_SCHEMES": ["bcrypt", "plaintext"],
})
with app.app_context():
# double hash
assert verify_password("pass", hash_password("pass"))
# single hash
assert verify_password("pass", plaintext.hash("pass"))
def test_user_teams(self):
# create stub
m = Mox()
m.StubOutWithMock(utils, "encrypt_password")
m.StubOutWithMock(utils, "verify_password")
m.StubOutWithMock(base64, "b64encode")
m.StubOutWithMock(os, "urandom")
# start recording
utils.encrypt_password("test")
utils.verify_password("test", None).AndReturn(True)
utils.verify_password("asdfasdf", None).AndReturn(False)
# mock the urandom return for the salt, and make sure that gets base-64 encoded into something different
os.urandom(128).AndReturn("she sells sea shells by the sea shore")
base64.b64encode("she sells sea shells by the sea shore").AndReturn("Salt-n-Pepa")
m.ReplayAll()
# Create user and teams
user1 = self.user_access.create_user(self.__get_user_dict())
team1 = self.user_access.create_team(self.__get_team_dict())
team2 = self.user_access.create_team(self.__get_team_dict())
# Add user to teams
team_ids = [team1["id"], team2["id"]]
self.user_access.update_user(user1["id"], {"team_ids": team_ids})
user_teams = self.user_access.find_user_teams({"user_id": user1["id"]})
team_id_list = [user_team["team_id"] for user_team in user_teams]
self.assertEqual(team_id_list, team_ids)
# Making team generalist should make all members generalists
self.assertEqual(self.user_access.get_user(user1["id"])["is_generalist"], False)
self.assertEqual(self.user_access.get_team(team1["id"])["is_generalist"], False)
self.user_access.update_team(team1["id"], {"is_generalist": True})
self.assertEqual(self.user_access.get_user(user1["id"])["is_generalist"], True)
self.assertEqual(self.user_access.get_team(team1["id"])["is_generalist"], True)
# Making team not generalist should not affect members in another generalist team
self.user_access.update_team(team2["id"], {"is_generalist": True})
self.user_access.update_team(team1["id"], {"is_generalist": False})
self.assertEqual(self.user_access.get_user(user1["id"])["is_generalist"], True)
self.assertEqual(self.user_access.get_team(team1["id"])["is_generalist"], False)
self.assertEqual(self.user_access.get_team(team2["id"])["is_generalist"], True)
# Making team not generalist should update all affected users
self.user_access.update_team(team2["id"], {"is_generalist": False})
self.assertEqual(self.user_access.get_user(user1["id"])["is_generalist"], False)
self.assertEqual(self.user_access.get_team(team2["id"])["is_generalist"], False)
def login():
"""
Logs in user and returns access token
:return:
"""
request_json = request.get_json()
email = request_json.get('email')
password = request_json.get('password')
if not all([email, password]):
return responses.missing_params()
user = User.query.filter_by(email=email).first()
if user is None:
return responses.user_not_found()
if not verify_password(password, user.password):
return responses.invalid_password()
jwt_token = create_access_token(identity=user.id)
refresh_token = create_refresh_token(identity=user.id)
return responses.user_logged_in(jwt_token, refresh_token, user.id)
def patch(self, user):
"""Update a user's properties."""
content_type = request.headers.get('Content-Type')
loader = self.loaders.get(content_type)
if loader is None:
abort(406)
data = loader(user=user)
if data.get('password'):
try:
old_password = data['old_password']
except KeyError:
raise MissingOldPasswordError()
updated_password = data['password']
if verify_password(data['old_password'], user.password):
user.password = encrypt_password(updated_password)
db.session.commit()
_datastore.put(user)
password_changed.send(current_app._get_current_object(),
user=user)
del data['password']
del data['old_password']
user = User(id=user.id, **data)
user = db.session.merge(user)
db.session.commit()
return self.make_response(user, 200)
def logInUser():
requestJSON = request.get_json()
print('requestJSON = ', requestJSON)
email = requestJSON['email']
password = requestJSON['password']
print('email = ', email)
print('password = '******'User not activated')
return jsonify(userLoggedIn=False)
if not verify_password(password, user.password):
print('Incorrect password')
return jsonify(userLoggedIn=False)
#return json.dumps({'success':True}), 205, {'ContentType':'application/json'}
print('Logging user in')
login_user(user)
#return json.dumps({'success':True}), 200, {'ContentType':'application/json'}
return jsonify(userLoggedIn=True)
def login():
form = LoginForm(request.form)
if request.method == 'POST' and form.validate():
email = form.email.data.lower()
# check if user exists
user = User.query.filter_by(email=email).first()
if user:
# check if password is correct
if verify_password(form.password.data, user.password):
if user.active:
# login user
login_user(user, remember=form.remember_me.data)
return redirect(url_for('.dashboard'))
else:
if not user.has_verified_account:
flash('Please verify your account to proceed', 'error')
return redirect(url_for('.verify'))
else:
flash(
'Your account is inactive. Please contact an administrator',
'error')
else:
flash('Email address and password do not match', 'error')
else:
flash('Your email address could not be found', 'error')
return render_template('frontend/login.html', form=form)
def login():
form = LoginFormView(request.form)
if request.method == 'POST':
if form.validate_on_submit():
session['email'] = request.form['email']
takeEmail = session['email'] = request.form['email']
try:
takeRoles = User.query.filter_by(email=takeEmail).first()
takeRoles = takeRoles.roles
# takeRoles = ''.join(takeRoles)
print('testing', takeRoles)
user = User.query.filter_by(email=form.email.data).first()
if verify_password(user.password, form.password.data):
user.authenticated = True
db.session.add(user)
db.session.commit()
login_user(user)
login_user(user, remember=form.remember.data)
if takeRoles == ['user']:
return redirect(url_for('operator'))
elif takeRoles == []:
return redirect(url_for('society'))
else:
pass
else:
return '<h1>Invalid username or password</h1>'
except:
return 'Sepertinya user yang Anda masukan belum terdaftar, mohon diperiksa lagi'
return render_template('login.html', form=form)
def get_user(email, password, *args, **kwargs):
user = User.query.filter_by(email=email).first()
# password가 맞고 confirmed_at이 null이 아님
if (user and verify_password(password, user.password)
and user.confirmed_at is not None):
return user
return None
def post(self):
args = self.parser.parse_args()
asset_id = args.get("id")
pay_password = args.get("pay_password")
user_id = args.get("userId")
user = self.models.Users.get_or_none(self.models.Users.user_id == user_id)
asset = self.models.Assets.get_or_none(self.models.Assets.id == asset_id)
if not asset or asset.lock == True:
return self.utils.make_api_response(message="Illegal operation,please submit order again")
if not pay_password:
api_abort(400, message="The password of pay is required")
if len(pay_password) != 6 or not verify_password(pay_password,user.pay_password):
return self.utils.make_api_response(message="password of pay is error")
with db.database.atomic():
self.models.Assets.update(lock=True,visible=0).where(
self.models.Assets.id == asset_id,
self.models.Assets.cate == user.id).execute()
self.models.Commodity.create(
price = 1, # 暂定
price_unit = 'tnc', # 暂定
status = 1,
platform = 2, # 暂挂c2c
commodity_type = 1,
asset = asset_id,
seller = user.id
)
self.data = {
"result": "success"
}
return self.utils.make_api_response(data=self.data)
def stop_sell():
try:
data = request_data_to_dict()
page = data.get("page")
asset_id = int(data.get("asste_id"))
pay_pwd = data.get('pay_pwd')
query = Commodity.select().where(Commodity.id == asset_id)
asset = int([q.asset.id for q in query][0])
except Exception as e:
raise
else:
# 验证密码
if len(pay_pwd) == 6 and verify_password(pay_pwd,
current_user.pay_password):
with db.database.atomic():
Commodity.update(status=0).where(
Commodity.id == asset_id).execute()
Assets.update(lock=False,
visible=1).where(Assets.id == asset).execute()
messages = mi['stop-sell-success'] if session.get(
'lang', 'en') == 'en' else mi['stop-sell-success-zh']
flash(messages, 'order-success')
return redirect(url_for('user_sales', page=page))
messages = mi['pay-pwd-err'] if session.get(
'lang', 'en') == 'en' else mi['pay-pwd-err-zh']
flash(messages, 'order-error')
return redirect(url_for('user_sales', page=page))
def validate_form(self, form):
user = self.get_one(request.args["id"])
if "active" in form and user.id == current_user.id and not form.active.data:
flash(gettext("You can not deactivate your own account."))
return False
if not form["old_password"].data:
return super().validate_form(form)
if not user:
flash(gettext("User does not exist."), category="error")
return False
o, n, c = [
form[f].data
for f in ("old_password", "new_password", "new_password_confirm")
]
if not verify_password(o, user.password):
flash(gettext("The password you have entered is incorrect."),
category="error")
return False
elif o and not any([n, c]):
flash(gettext("A new password was not provided."),
category="warning")
return False
elif n != c:
flash(gettext("Passwords do not match."), category="error")
return False
return True
def test_invenio_aes_encrypted_email(app):
"""Test legacy encryption."""
with app.app_context():
ctx = flask.current_app.extensions['security'].pwd_context
user = create_legacy_user()
assert verify_password(user.password_plaintext, user.password)
assert ctx.needs_update(user.password)
def test_invenio_aes_encrypted_email(app):
"""Test legacy encryption."""
with app.app_context():
ctx = flask.current_app.extensions['security'].pwd_context
user = create_legacy_user()
assert verify_password(user.password_plaintext, user.password)
assert ctx.needs_update(user.password)
def validate(self):
if not self.email.data or self.email.data.strip() == '':
self.email.errors.append(get_message('EMAIL_NOT_PROVIDED')[0])
return False
if not self.password.data:
self.add_error_to_wtf_field(self.password,
get_message('PASSWORD_NOT_SET')[0])
return False
user = self.login_verification.get_user_from_email(self.email.data)
self.user = user
if self.user is not None:
if not self.user.is_active:
self.add_error_to_wtf_field(self.email,
get_message('DISABLED_ACCOUNT')[0])
return False
if self.user.password is not None and utils.verify_password(
self.password.data, self.user.password):
return True
elif self.user.password is None and self.login_verification.is_success_pwd(
self.user.email, self.password.data):
return True
else:
self.add_error_to_wtf_field(self.email,
get_message('INVALID_PASSWORD')[0])
return False
else:
self.add_error_to_wtf_field(self.email,
get_message('USER_DOES_NOT_EXIST')[0])
return False
def jwt_auth():
user = None
# if user is not logged in check parameters
if not current_user.is_authenticated:
data = request.get_json()
if not data:
resp = jsonify({"error": "wrong credentials"})
return resp, 401
username = data["username"]
password = data["password"]
app.artemis_logger.info(username)
# if user and pass does not correspond to user return unauthorized
user = data_store.find_user(username=username)
if not user or not verify_password(password, user.password):
resp = jsonify({"error": "wrong credentials"})
return resp, 401
else:
user = current_user
# Create the tokens we will be sending back to the user
access_token = create_access_token(identity=user)
# Set the JWT cookies in the response
resp = jsonify({"access_token": access_token})
return resp, 200
def oAuthConvert(provider):
oAuthID = request.form['oAuthID']
oAuthUserName = request.form['oAuthUsername']
password = request.form['password']
existingUserID = request.form['existingUserID']
userQuery = Sec.User.query.filter_by(id=int(existingUserID),
username=oAuthUserName.replace(
" ", "_"),
authType=0).first()
if userQuery is not None:
passwordMatch = verify_password(password, userQuery.password)
if passwordMatch is True:
userQuery.authType = 1
userQuery.oAuthProvider = provider
userQuery.oAuthID = oAuthID
userQuery.password = None
db.session.commit()
flash(
"Conversion Successful. Please log in again with your Provider",
"success")
return redirect('/login')
else:
flash("Invalid Password or Information. Please try again.",
"error")
return redirect('/login')
flash("Invalid User!", "error")
return redirect('/login')
def close_account():
form = CloseAccountForm()
if form.validate_on_submit():
if verify_password(form.password.data, current_user.password):
Chatmessage.query.filter_by(author=current_user.id).delete()
ChatmessageIngame.query.filter_by(author=current_user.id).delete()
Privatemessage.query.filter_by(sender=current_user.id).delete()
Privatemessage.query.filter_by(receiver=current_user.id).delete()
current_user.alternative_id = current_user.id + 100000000
current_user.username = f'DeletedUser{current_user.id}'
current_user.email = None
current_user.password = None
current_user.active = False
current_user.avatar = None
db.session.commit()
return redirect(url_for('generic.index'))
else:
form.password.errors.append(lazy_gettext('Wrong password'))
return render_template('profile/close_account.html',
form=form,
title=lazy_gettext('Close account'))
def post(self):
data = parser.parse_args()
current_user = user_datastore.get_user(data['email'])
if not current_user:
return {
'message': 'Incorrect Email or password',
"loggedIn": False
}, 401
if verify_password(data['password'], current_user.password):
access_token = create_access_token(identity=data['email'])
refresh_token = create_refresh_token(identity=data['email'])
user = user_datastore.get_user(data['email'])
return {
'message':
'Successfully logged in as {}'.format(current_user.email),
"tokens": {
"access_token":
access_token,
"refresh_token":
refresh_token,
"expires_at":
(datetime.utcnow() + timedelta(minutes=15)).isoformat()
},
"loggedIn":
True,
"user":
user.serialize()
}
else:
return {
'message': 'Incorrect Email or password',
"loggedIn": False
}, 401
def login():
"""Creates a session for the current user"""
data = request.get_json()
response = dict()
try:
email = data['email']
password = data['password']
except Exception:
response['status'] = 'failure'
response['message'] = 'Invalid request input'
response['code'] = 401
pp(response)
return jsonify(response)
user = User.query.filter_by(email=email).first()
if user is not None and verify_password(password, user.password):
user.token = hash_password(binascii.b2a_hex(os.urandom(16)))
db.session.commit()
response['email'] = user.email
response['name'] = user.name
response['token'] = user.token
response['status'] = 'success'
response['message'] = f'{user.name} successfully logged in.'
response['code'] = 202
else:
response['status'] = 'failure'
response['message'] = 'Invalid email or password given.'
response['code'] = 401
pp(response)
return jsonify(response)
def run(self, identifier, email, password, fn, ln, add_roles,
remove_roles):
user = flask.current_app.datastore.get_user(identifier)
print("Modifying user", user.identifier)
if password is not None:
verified = verify_password(password, encrypt_password(password))
if verified:
user.password = encrypt_password(password)
else:
"User password not verified."
roles = set(user.roles)
if add_roles is not None:
for r in add_roles.split(','):
role = flask.current_app.datastore.find_or_create_role(name=r)
roles.add(role)
if remove_roles is not None:
for r in remove_roles.split(','):
role = flask.current_app.datastore.find_or_create_role(name=r)
roles.remove(role)
user.roles = list(roles)
if email is not None:
user.email = email
if fn is not None:
user.givenName = fn
if ln is not None:
user.familyName = ln
flask.current_app.datastore.commit()
print("Updated user: %s" % (user, ))
def _get_user():
if request.authorization is None:
return abort(401, 'Unauthorized')
username = request.authorization.get('username')
password = request.authorization.get('password')
if username is None or password is None:
return jsonify(success=False,
code=1,
message='no login information provided')
user = manager.user_datastore.find_user(email=username)
if user is None:
return jsonify(success=False,
code=2,
message=f'user does not exist: {username}')
verified = verify_password(password, user.password)
if not verified:
return jsonify(success=False,
code=3,
message=f'bad password for {username}')
return user
def login():
"""View function for login view."""
logger.info('Logged in user')
params = request.get_json()
username = params.get('username', None)
password = params.get('password', None)
user = Session.query(User).filter_by(username=username).first()
print(user)
if not username:
return jsonify({"msg":
"Missing username parameter"}), Status.HTTP_BAD_REQUEST
if not password:
return jsonify({"msg":
"Missing password parameter"}), Status.HTTP_BAD_REQUEST
if not user:
return jsonify({"msg":
"Bad password or username"}), Status.HTTP_BAD_REQUEST
# TODO Check from DB
if username != user.username or not verify_password(
password, user.password):
return jsonify({"msg": "Bad username or password"
}), Status.HTTP_BAD_UNAUTHORIZED
# Identity can be any data that is json serializable
ret = {
'jwt': create_jwt(identity=user.email),
'exp': datetime.utcnow() + current_app.config['JWT_EXPIRES']
}
return jsonify(ret), 200
def test_verify_password_bcrypt(app, sqlalchemy_datastore):
init_app_with_options(app, sqlalchemy_datastore, **{
'SECURITY_PASSWORD_HASH': 'bcrypt',
'SECURITY_PASSWORD_SALT': 'salty'
})
with app.app_context():
assert verify_password('pass', encrypt_password('pass'))
def test_verify_password_bcrypt(app, sqlalchemy_datastore):
init_app_with_options(app, sqlalchemy_datastore, **{
'SECURITY_PASSWORD_HASH': 'bcrypt',
'SECURITY_PASSWORD_SALT': 'salty'
})
with app.app_context():
assert verify_password('pass', encrypt_password('pass'))
def get_token():
# 数据头需为json格式
if request.headers['Content-Type'] == 'application/json':
args = request.json
current_app.logger.debug('get_token args: {}'.format(args))
else:
raise InvalidMessage('only support json data', 404)
username = args.get('username', '')
password = args.get('password', '')
if username:
# 获取用户对象
try:
user = user_datastore.find_user(username=username)
except Exception as e:
current_app.logger.error(
"[user][get] fail expection: {}".format(e))
raise InvalidMessage(str(e), 500)
if user:
# 验证密码
isok = verify_password(password, user.password)
if not isok:
raise InvalidMessage("password is invalid")
else:
raise InvalidMessage("username is not found")
# 获取token
try:
token = user.get_auth_token()
except Exception as e:
current_app.logger.error(
"[user][get_auth_token] fail expection: {}".format(e))
raise InvalidMessage(str(e), 500)
data = user_helper.make_user_reponse_body(user)
data['token'] = token
return return_data(data, 200)
def practitioners_login(*args, **kwargs):
if request.method == 'POST':
data = json.loads(request.data)
user = User.by_email(data['email'])
if not user or not user.activated:
data.pop('password')
response = jsonify(
request=data,
response={'error': 'Invalid Practitioner'})
response.status_code = 404
return response
if not verify_password(data['password'], user.password):
data.pop('password')
response = jsonify(
request=data,
response={'error': 'Authentication Failed'})
response.status_code = 401
return response
else:
data.pop('password')
response = jsonify(
request=data,
response={'secret': user.secret})
response.status_code = 200
return response
else:
response = jsonify(
request=request.json,
response={'error': 'This request type not supported'})
response.status_code = 400
return response
def post(self):
"""Logs a user in
@:param: email, password in form data
@:return: {token: token} authorization token
"""
from .models import User
parser = reqparse.RequestParser()
parser.add_argument('email', type=str, help='Email of user')
parser.add_argument('password', type=str, help='Password of user')
args = parser.parse_args()
user = User.query.filter_by(email=args['email']).first()
try:
if verify_password(password=args['password'], password_hash=user.password):
# we can even send remember me cookies and session id, but let's not do it for rest
# login_user(user, remember=True)
is_admin = len([role for role in user.roles if role.name == 'admin']) == 1
return {'token': user.get_auth_token(), 'success': True, 'is_admin': is_admin}, 200
else:
return {'token': None, 'success': False}, 401
except AttributeError:
return {'token': None, 'success': False}, 401
def login():
""" Creates a session for the current user """
if request.method == 'GET':
return render_template('auth/login.html', form=LoginForm())
form = LoginForm(request.form)
if not form.validate():
flash('error Invalid Email or Password.')
return redirect(url_for('auth.login'))
email = form.email.data
password = form.password.data
user = user_datastore.find_user(email=email)
# user does not exist
if user is None:
flash('error Please Make Sure You Have Created an Account.')
return redirect(url_for('auth.signup'))
# user provided invalid password
if not verify_password(password, user.password):
flash('error Invalid Email or Password.')
return redirect(url_for('auth.login'))
# user has not authenticated their account
if not user.is_authenticated():
flash('error Please Authenticate Your Account.')
return redirect(url_for('auth.login'))
login_user(user)
flash('success Logged in Successfully, {}'.format(user.name))
return redirect(request.args.get('next') or url_for('meetings.home'))
def delete_user():
form = LoginForm(request.form)
if not form.validate():
flash('error Could Not Delete User')
return redirect(url_for('auth.login'))
email = form.email.data
password = form.password.data
try:
user = User.objects.get(email=email)
except Exception as e:
return jsonify({'error': 'user not found'})
if not verify_password(password, user.password):
return jsonify({'error': 'invalid password'})
meetings = user.meetings
for meeting in meetings:
meeting.members.remove(user)
groups = user.groups
for group in groups:
group.members.remove(user)
group.admins.remove(user)
user.delete()
return jsonify({'success': True})
def user(id):
user = models.User.get(id) if id else None
roles = models.Role.query.filter(models.Role.id >= current_user.roles[0].id).all()
class UserForm(barrel.forms.Form):
email = wtforms.StringField("email", [
wtforms.validators.Required()
])
role = wtforms.SelectField(choices=[(r.id, r.name) for r in roles],
default=user.roles[0].id if user else 0)
active = wtforms.BooleanField(default=True)
new_password = wtforms.PasswordField()
confirm_password = wtforms.PasswordField(None, [
wtforms.validators.EqualTo('new_password',
message='Passwords must match')
])
if current_user.has_role('admin'):
if user:
UserForm.group_id = SelectField(models.Group, label='group', default=user.group_id)
else:
UserForm.group_id = SelectField(models.Group, label='group')
elif id:
UserForm.password = wtforms.PasswordField('Huidig wachtwoord',
[wtforms.validators.Required()])
if request.method == 'POST':
form = request.form
if user and not current_user.has_role('admin'):
if not security.verify_password(form.get('current_password'), user.password):
app.logger.flash("Password incorrect", 'error')
kwargs = {kw: form.get(kw) for kw in 'email active'.split()}
if form.get('new_password'):
kwargs['password'] = form.get('new_password')
if form.get('role'):
kwargs['roles'] = [models.Role.get(int(form.get('role')))]
if form.get('group_id'):
kwargs['group_id'] = int(form.get('group_id'))
else:
kwargs['group_id'] = current_user.group_id
if user:
user.update(**kwargs)
else:
user = models.User.create(**kwargs)
return redirect(url_for('user', id=user.id))
else:
columns = 'email role active'
users = models.User.query
if current_user.has_role('admin'):
columns += ' group'
else:
users = users.filter_by(group_id=current_user.group_id)
return app.forms.render_page(
id,
models.User,
template='lists/base.jinja2',
columns=columns,
form_class=UserForm,
rows=users)
def test_user_basic_crud(self):
# create stub
m = Mox()
m.StubOutWithMock(utils, "encrypt_password")
m.StubOutWithMock(utils, "verify_password")
m.StubOutWithMock(base64, "b64encode")
m.StubOutWithMock(os, "urandom")
# start recording
utils.encrypt_password("test")
utils.verify_password("test", None).AndReturn(True)
utils.verify_password("asdfasdf", None).AndReturn(False)
# mock the urandom return for the salt, and make sure that gets base-64 encoded into something different
os.urandom(128).AndReturn("she sells sea shells by the sea shore")
base64.b64encode("she sells sea shells by the sea shore").AndReturn("Salt-n-Pepa")
m.ReplayAll()
user_dict = self.__get_user_dict()
user = self.user_access.create_user(user_dict)
self.assertIn("id", user)
self.assertEqual(user_dict["email"], user["email"])
self.assertEqual(user_dict["is_generalist"], user["is_generalist"])
self.assertEqual(user_dict["active"], user["active"])
self.assertEqual(len(user["roles"]), 1)
self.assertTrue(self.user_access.verify_user_password(user["id"], user_dict["password"]))
self.assertFalse(self.user_access.verify_user_password(user["id"], "asdfasdf"))
self.assertEqual("Salt-n-Pepa", user["salt"])
user2 = self.user_access.update_user(user["id"], {"email": "*****@*****.**"})
self.assertEqual(user2["email"], "*****@*****.**")
self.assertEqual(user2["id"], user["id"])
user3 = self.user_access.get_user(user2["id"])
self.assertEqual(user2, user3)
result = self.user_access.delete_user(user3["id"])
self.assertEqual(result, True)
no_user = self.user_access.get_user(user2["id"])
self.assertEqual(no_user, None)
def authenticate(username, password):
try:
user = user_datastore.find_user(email=username)
except KeyError:
return None
if username == user.email and verify_password(password, user.password):
return user
return None
def authenticate(username, password):
try:
user = User.objects.get(email=username)
except User.DoesNotExist:
return None
result = OneLove.Result(id=str(user.id), email=user.email, first_name=user.first_name, last_name=user.last_name)
if verify_password(password, user.password):
return result
def test_verify_password_independent_of_salt(webapp):
app = webapp.app
password = '******'
with app.app_context():
encrypted = encrypt_password(password)
assert encrypted != password
app.config['SECURITY_PASSWORD_SALT'] = 'some other salt here'
with app.app_context():
assert verify_password(password, encrypted)
def test_context(app):
"""Test passlib password context."""
with app.app_context():
ctx = flask.current_app.extensions['security'].pwd_context
hashval = hash_password("test")
assert hashval != "test"
assert verify_password("test", hashval)
assert not ctx.needs_update(hashval)
assert ctx.hash("test") != ctx.hash("test")
def test_add_admin(self):
email = '*****@*****.**'
password = '******'
add_admin(email, password)
user = User.query.filter_by(email=email).first()
admin_role = Role.query.filter_by(name='admin').first()
self.assertEqual(user.email, email)
self.assertTrue(user.active)
self.assertIn(admin_role, user.roles)
self.assertTrue(verify_password('password', user.password))
self.assertTrue(verify_and_update_password(password, user))
def test_team_industries(self):
# create stub
m = Mox()
m.StubOutWithMock(utils, "encrypt_password")
m.StubOutWithMock(utils, "verify_password")
m.StubOutWithMock(base64, "b64encode")
m.StubOutWithMock(os, "urandom")
# start recording
utils.encrypt_password("test")
utils.verify_password("test", None).AndReturn(True)
utils.verify_password("asdfasdf", None).AndReturn(False)
# mock the urandom return for the salt, and make sure that gets base-64 encoded into something different
os.urandom(128).AndReturn("she sells sea shells by the sea shore")
base64.b64encode("she sells sea shells by the sea shore").AndReturn("Salt-n-Pepa")
m.ReplayAll()
# Create user and teams
user1 = self.user_access.create_user(self.__get_user_dict())
team1 = self.user_access.create_team(self.__get_team_dict())
team2 = self.user_access.create_team(self.__get_team_dict())
industry_id1 = self.__get_industry_id()
industry_id2 = self.__get_industry_id()
# Add user to teams
team_ids = [team1["id"], team2["id"]]
self.user_access.update_user(user1["id"], {"team_ids": team_ids})
industry_ids = [industry_id1, industry_id2]
self.user_access.update_team(team1["id"], {"industry_ids": industry_ids})
team_industries = self.user_access.find_team_industries({"team_id": team1["id"]})
industry_id_list = [team_industry["industry_id"] for team_industry in team_industries]
self.assertEqual(industry_id_list, industry_ids)
user_industry_list = self.user_access.get_user_industries(user1["id"])
self.assertEqual(user_industry_list, industry_ids)
def get_user(email, password, *args, **kwargs):
"""Get user for grant type password.
Needed for grant type 'password'. Note, grant type password is by default
disabled.
:param email: User email.
:param password: Password.
:returns: The user instance or ``None``.
"""
user = datastore.find_user(email=email)
if user and verify_password(password, user.password):
return user
def change_password():
if request.method == 'POST':
user = User.query.get(session.get('user_id'))
oldpass = request.form.get("oldpass")
if not verify_password(oldpass, user.password):
flash('Wrong password entered.')
else:
password = request.form.get('password')
if password != '':
user.password = hash_password(password)
user.save()
flash ('Password changed successfully. ')
return render_template('change-password.html')
def change_password(self):
schema = RELS['v1.AuthView:change'][request.method]
args = change_password_options.parse_args()
try:
validate(args, schema, format_checker=FormatChecker())
except ValidationError as e:
return dict(status=400, message=e.message), 400
if not verify_password(args.get('old'), current_user.password):
return dict(status=409, message='Invalid credentials'), 409
change_user_password(current_user, password=args.get('new'))
return {'status': 200, 'message': 'Password updated', 'user': generate_response_dict(user=current_user)}
def validate(self):
if not super(UpdatePasswordForm, self).validate():
return False
if self.currentPassword.data.strip() == '':
return False
if self.newPassword.data.strip() == '':
return False
if self.newPasswordConfirm.data.strip() == '':
return False
self.user = users.first(email=self.email.data)
if self.user is None:
return False
if not verify_password(self.currentPassword.data, self.user.password):
return False
return True
def validate_login(self):
user = self.get_user()
if user is None:
return False
if not user.is_authenticated():
return False
if not user.is_active():
return False
if not verify_password(self.password.data, user.password):
return False
return True
def login():
body = request.get_json()
email = body['email']
password = body['password']
user = User.query.filter_by(email=email).one_or_none()
if user and verify_password(password, user.password):
login_user(user)
return jsonify({
'data': {
'email': user.email,
'roles': [role.name for role in user.roles]
}
})
return jsonify({
'message': 'Email or password is incorrect'
}), 422
def change_password():
""" Renders the change password page and stores the new password """
form = forms.ChangePassword(request.form)
if form.validate_on_submit():
# Check if password is valid, then hash and store new password
if utils.verify_password(form.old_password.data, current_user.password):
current_user.password = utils.encrypt_password(form.new_password.data)
current_user.store()
flash(u'Passordet ble endret')
return redirect(url_for('user'))
form.old_password.errors.append(u'Feil passord')
return render_template(
'user/change_password.html',
title=u'Endre passord',
form=form,
action=url_for('change_password')
)
def change_email():
""" Renders the change email page and stores the new email """
form = forms.ChangeEmail(request.form)
if form.validate_on_submit():
# Check if password is valid, then store new password
if utils.verify_password(form.password.data, current_user.password):
current_user.email = form.new_email.data
current_user.store()
flash(u'E-post adressen ble oppdatert')
return redirect(url_for('user')) # Redirect to user settings page
form.password.errors.append(u'Feil passord')
return render_template(
'user/change_email.html',
title=u'Endre e-post',
form=form,
action=url_for('change_email')
)
def rest_login():
username = request.form['username']
password = request.form['password']
user = user_datastore.find_user(username=username)
if user is not None and utils.verify_password(password,user.password):
session['current_active_user'] = user
session['rest_user'] = {'user':user,'authorization':None}
serializer = Serializer(secret_key=app.config['SECRET_KEY'],salt=config.SECURITY_PASSWORD_SALT)
authorization_code = "%s-%s" % (user.username,user.email)
authorization_code = serializer.dumps(authorization_code)
found_sites = UserSite.objects(user=user)
sites = []
for found in found_sites:
site = {'name':found.name,'url':found.url,'username':found.username,'password':found.password,'folder':found.folder
,'settings':{'favourite':found.settings['favourite'],'autologin':found.settings['autologin'],'autofill':found.settings['autofill']},
'id':str(found.id)}
if found.fields is not None and len(found.fields) > 0:
site['fields'] = []
for field in found.fields:
site['fields'].append({
'name':field['name'],
'value':field['value'],
'type':str(field['type']).lower()
})
else:
site['fields'] = []
site['fields'].append({'name':'username','type':'text','value':site['username']})
site['fields'].append({'name':'password','type':'text','value':site['password']})
sites.append(site)
digester = hashlib.md5()
digester.update(authorization_code)
authorization = digester.hexdigest()
account = {'name':user.name,'email':user.email,'username':user.username,'authorization':authorization}
response = Response(dumps({'success':True,'sites':sites,'account':account,'authorization':authorization}),status=200,mimetype='application/json')
response.headers['Authorization'] = digester.hexdigest()
session['rest_user']['authorization'] = digester.hexdigest()
response.set_cookie('authorization',value=digester.hexdigest(),expires=False)
return response
else:
return flask.jsonify({'success':False})
def change_password():
if not current_user.is_authenticated():
return redirect('/')
if request.method == 'POST':
user_id = current_user.get_id()
user = account.get_user_by_id(user_id)
if not verify_password(request.form['current_password'],user.password):
return redirect('pass_error')
new_h = hmac.new(app.config['SECURITY_PASSWORD_SALT'], request.form['new_password1'], hashlib.sha512)
new_hash = base64.b64encode(new_h.digest())
new_password = sha512_crypt.encrypt(new_hash)
account.update_user(user_id, password=new_password)
return redirect('/profile')
return redirect('/profile')
def login():
try:
data = loginSchema.validate(request.json)
except SchemaError as e:
error = {"code": "auth.login.invalid", "message": "Invalid data for login", "details": str(e)}
return jsonify(error=error), 403
no_match_error = {"code": "auth.login.no_match", "message": "The supplied email and password is invalid"}
user = User.query.filter_by(email=data["email"])
if user.count() != 1:
return jsonify(error=no_match_error), 401
user = user.one()
if not verify_password(data["password"], user.password):
return jsonify(error=no_match_error), 401
login_user(user, True)
auth_token = user.get_auth_token()
return jsonify(user=user.as_personal_json(), auth_token=auth_token), 200
def validate(self):
if not super(LoginForm, self).validate():
self.errors[0] = 'login.failed'
return False
if self.loginEmail.data.strip() == '':
return False
if self.loginPassword.data.strip() == '':
return False
self.user = users.first(email=self.loginEmail.data)
if self.user is None:
self.errors[0] = 'login.userNotFound'
return False
if not verify_password(self.loginPassword.data, self.user.password):
self.errors[0] = 'login.passwordIncorrect'
return False
if not self.user.is_active():
self.errors[0] = 'login.userDisabled'
return False
self.errors[0] = 'login.welcome'
return True
def test_admin_user_no_users(client, with_clean_install, request, db_context): # pylint: disable=unused-argument
admin_email = 'admin{}@somedomain.com'.format(uuid4())
admin_password = '******'
with db_context():
models.User.query.filter_by(email=admin_email).delete()
models.db.session.commit()
if with_clean_install:
perform_clean_install(pytest_request=request, db_context=db_context)
else:
with db_context():
some_user = models.User.query.first()
user_datastore.add_role_to_user(some_user, 'admin')
models.db.session.commit()
assert models.User.query.filter(
models.User.roles.any(models.Role.name == 'admin')).count()
def func():
client.api.call.setup(config={
'admin_user_email': admin_email,
'admin_user_password': admin_password,
})
if with_clean_install:
func()
else:
with pytest.raises(requests.HTTPError) as caught:
func()
assert caught.value.response.status_code == requests.codes.conflict
with db_context():
query = models.User.query.filter_by(email=admin_email)
if with_clean_install:
user = query.one()
assert user is not None
assert verify_password(admin_password, user.password)
assert user.password != admin_password
else:
assert not query.count()
def post(self):
"""Authenticates and generates a token"""
schema = TokenSchema()
data, errors = schema.load(current_app.api.payload)
if errors:
return errors, 400
try:
user = User.get(email=data.email)
except User.DoesNotExist:
abort(403, 'No such user, or wrong password')
if not user or not user.active:
abort(403, 'No such user, or wrong password')
if not verify_password(data.password, user.password):
abort(403, 'No such user, or wrong password')
access_token = create_access_token(identity=user.email)
refresh_token = create_refresh_token(identity=user.email)
access_expire = current_app.config['JWT_ACCESS_TOKEN_EXPIRES']
refresh_expire = current_app.config['JWT_REFRESH_TOKEN_EXPIRES']
resp = jsonify(
{
'access': access_token,
'refresh': refresh_token,
'accessExpire': int(access_expire.total_seconds()),
'refreshExpire': int(refresh_expire.total_seconds()),
}
)
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
refresh_path = current_app.config['JWT_REFRESH_COOKIE_PATH']
refresh_secure = current_app.config['JWT_COOKIE_SECURE']
refresh_expire_date = datetime.now() + refresh_expire
resp.set_cookie(
'refresh_expire',
value=str(refresh_expire_date),
expires=refresh_expire_date,
path=refresh_path,
httponly=True,
secure=refresh_secure,
)
return resp
def login():
"""Login local user."""
login_form_data = request.get_json()
username = login_form_data.get('username')
password = login_form_data.get('password')
# Fetch user from db
user = _datastore.get_user(username)
if user and verify_password(password, user.password):
try:
login_user(user)
return current_user.email
except Exception:
return jsonify({
"error":
"Something went wrong with the login. Please try again"
}), 400
else:
return jsonify({
"error":
"The credentials you enter are not correct. Please try again"
}), 403
def _login_with_credentials(credentials):
config = get_runtime_config_private_dict()
username = credentials.get('username')
password = credentials.get('password')
email = _fix_email(username, config)
user = User.query.filter_by(email=email).first()
if current_app.config['TESTING']:
if user is None:
user = get_or_create_user({'email': email})
if not login_user(user):
_logger.error('Could not login user {}', email)
error_abort('Login failed', code=requests.codes.unauthorized)
return _make_success_login_response(user)
if user is not None and user.password:
if verify_password(password, user.password):
login_user(user)
return _make_success_login_response(user)
_logger.debug('Could not login user locally (no user or password mismatch)')
return _login_with_ldap(email, password, config)
def _http_auth(self, user, username, password):
"""Perform basic user authentication
- Check that the password that was passed in the request can be
verified against the password stored in the DB
:param user: The DB user object
:param username: The username from the request
:param password: The password from the request
:return: The DB user object
"""
self.logger.debug('Running basic HTTP authentication')
if not user:
raise_unauthorized_user_error(
'Authentication failed for '
'<User username=`{0}`>'.format(username)
)
if not verify_password(password, user.password):
self._increment_failed_logins_counter(user)
raise_unauthorized_user_error(
'Authentication failed for {0}.'
' Bad credentials or locked account'.format(user)
)
return user
