def before_request():
    """Request hook that authenticates the incoming request.

    Three mechanisms are tried in order; the first one that applies is used:

    1. A CAS ``ticket`` query parameter: the ticket is handed to
       ``cas.make_response_from_ticket`` and its response is returned,
       so the remaining checks are skipped.
    2. HTTP Basic authentication: the credentials are resolved with
       ``get_user``; a new empty ``Session`` is created and installed, then
       either filled with the user's identity or marked with
       ``auth_error_code``. On success this branch does NOT return, so the
       cookie check below still runs on the same request.
    3. The signed session cookie (``settings.COOKIE_NAME``): unsigned with
       ``settings.SECRET_KEY``, the matching ``Session`` is loaded (or a new
       one created under that id) and installed unless it has timed out.

    Returns ``None`` in every branch except the CAS branch, which returns
    the response built by ``cas.make_response_from_ticket``.
    """
    # TODO: Fix circular import
    from framework.auth.core import get_user
    from framework.auth import cas
    from website.util import time as util_time

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        # Rebuild the service URL without the ticket parameter so the CAS
        # server validates against the URL it originally redirected to.
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt to authenticate with CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    if request.authorization:
        user = get_user(email=request.authorization.username, password=request.authorization.password)
        # Create an empty session
        # TODO: Shouldn't need to create a session for Basic Auth
        # NOTE: the session is installed before the credentials and OTP are
        # checked; on failure it stays installed carrying only auth_error_code.
        user_session = Session()
        set_session(user_session)
        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                # Two-factor is enabled for this user: the OTP header is
                # required and must verify, otherwise the request stays
                # unauthenticated.
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code.
                    user_session.data['auth_error_code'] = http.UNAUTHORIZED
                    return
            user_session.data['auth_user_username'] = user.username
            user_session.data['auth_user_id'] = user._primary_key
            user_session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            user_session.data['auth_error_code'] = http.UNAUTHORIZED
            return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            # unsign() verifies the cookie's signature under SECRET_KEY and
            # raises on mismatch, so only server-issued ids get through.
            session_id = itsdangerous.Signer(
                settings.SECRET_KEY).unsign(cookie)
            # A validly signed id with no stored session yields a fresh,
            # empty Session under that same id.
            user_session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            # Tampered or malformed cookie: return without touching the
            # session state; no error is surfaced to the client here.
            return
        if not util_time.throttle_period_expired(user_session.date_created, settings.OSF_SESSION_TIMEOUT):
            # Session is still within the timeout window measured from
            # date_created.
            if user_session.data.get(
                    'auth_user_id') and 'api' not in request.url:
                # NOTE(review): plain substring match on the whole URL, so any
                # URL containing "api" anywhere skips the last-login update —
                # confirm this is intended.
                # w=0 is an unacknowledged write; write failures are not
                # reported back.
                database['user'].update(
                    {'_id': user_session.data.get('auth_user_id')},
                    {'$set': {
                        'date_last_login': datetime.utcnow()
                    }}, w=0)
            set_session(user_session)
        else:
            # Session older than OSF_SESSION_TIMEOUT: discard it.
            remove_session(user_session)
def before_request():
    """Request hook that authenticates the incoming request.

    Three mechanisms are tried in order; the first one that applies is used:

    1. A CAS ``ticket`` query parameter: the ticket is handed to
       ``cas.make_response_from_ticket`` and its response is returned,
       so the remaining checks are skipped.
    2. HTTP Basic authentication: the credentials are resolved with
       ``get_user``; a new empty ``Session`` is created and installed, then
       either filled with the user's identity or marked with
       ``auth_error_code``. On success this branch does NOT return, so the
       cookie check below still runs on the same request.
    3. The signed session cookie (``settings.COOKIE_NAME``): unsigned with
       ``settings.SECRET_KEY``, the matching ``Session`` is loaded (or a new
       one created under that id) and installed unless it has timed out.

    Returns ``None`` in every branch except the CAS branch, which returns
    the response built by ``cas.make_response_from_ticket``.
    """
    # TODO: Fix circular import
    from framework.auth.core import get_user
    from framework.auth import cas
    from website.util import time as util_time

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get("ticket")
    if ticket:
        # Rebuild the service URL without the ticket parameter so the CAS
        # server validates against the URL it originally redirected to.
        service_url = furl.furl(request.url)
        service_url.args.pop("ticket")
        # Attempt to authenticate with CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    if request.authorization:
        user = get_user(email=request.authorization.username, password=request.authorization.password)
        # Create an empty session
        # TODO: Shouldn't need to create a session for Basic Auth
        # NOTE: the session is installed before the credentials and OTP are
        # checked; on failure it stays installed carrying only auth_error_code.
        user_session = Session()
        set_session(user_session)
        if user:
            user_addon = user.get_addon("twofactor")
            if user_addon and user_addon.is_confirmed:
                # Two-factor is enabled for this user: the OTP header is
                # required and must verify, otherwise the request stays
                # unauthenticated.
                otp = request.headers.get("X-OSF-OTP")
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code.
                    user_session.data["auth_error_code"] = http.UNAUTHORIZED
                    return
            user_session.data["auth_user_username"] = user.username
            user_session.data["auth_user_id"] = user._primary_key
            user_session.data["auth_user_fullname"] = user.fullname
        else:
            # Invalid key: Not found in database
            user_session.data["auth_error_code"] = http.UNAUTHORIZED
            return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            # unsign() verifies the cookie's signature under SECRET_KEY and
            # raises on mismatch, so only server-issued ids get through.
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            # A validly signed id with no stored session yields a fresh,
            # empty Session under that same id.
            user_session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            # Tampered or malformed cookie: return without touching the
            # session state; no error is surfaced to the client here.
            return
        if not util_time.throttle_period_expired(user_session.date_created, settings.OSF_SESSION_TIMEOUT):
            # Session is still within the timeout window measured from
            # date_created.
            if user_session.data.get("auth_user_id") and "api" not in request.url:
                # NOTE(review): plain substring match on the whole URL, so any
                # URL containing "api" anywhere skips the last-login update —
                # confirm this is intended.
                # w=0 is an unacknowledged write; write failures are not
                # reported back.
                database["user"].update(
                    {"_id": user_session.data.get("auth_user_id")},
                    {"$set": {"date_last_login": datetime.utcnow()}},
                    w=0,
                )
            set_session(user_session)
        else:
            # Session older than OSF_SESSION_TIMEOUT: discard it.
            remove_session(user_session)
def from_cookie(cls, cookie, secret=None):
    """Resolve a signed session cookie to the user it belongs to.

    :param cookie: raw cookie value as sent by the client; empty/``None``
        is treated as "no cookie"
    :param secret: signing key used to verify the cookie; defaults to
        ``settings.SECRET_KEY``
    :returns: the user loaded via ``cls.load``, or ``None`` when the cookie
        is missing, its signature does not verify, or no stored ``Session``
        matches the unsigned id
    """
    if not cookie:
        return None
    signing_key = secret or settings.SECRET_KEY
    try:
        session_id = itsdangerous.Signer(signing_key).unsign(cookie)
    except itsdangerous.BadSignature:
        # Forged or tampered cookie: treat as anonymous instead of raising.
        return None
    stored = Session.load(session_id)
    if stored is None:
        return None
    return cls.load(stored.data.get('auth_user_id'))
def get_session_from_cookie(cookie_val):
    """Given a cookie value, return the `Session` object or `None`.

    The value is unsigned with ``settings.SECRET_KEY`` before the lookup, so
    a cookie whose signature does not verify raises ``itsdangerous.BadSignature``
    rather than returning ``None``; callers handling client-supplied cookies
    should be prepared to catch it.
    """
    signer = itsdangerous.Signer(settings.SECRET_KEY)
    session_id = signer.unsign(cookie_val)
    return Session.load(session_id)