Esempio n. 1
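    def newhandler(request, *args, **kwargs):
        """Run ``handler`` only for a request carrying a valid, unexpired session.

        The session key is read from the ``SESSION_KEY_NAME`` cookie and
        looked up in the database.  A missing, unknown or expired key
        redirects to the login page (``redir`` points back at the requested
        path); an unknown or expired key also clears the cookie, and an
        expired session row is deleted.  A request whose Referer is absent or
        does not name ``HOSTNAME`` is redirected to ``/`` with the cookie
        cleared.  On success the session row is exposed as
        ``request.session`` and ``handler`` is called with the original
        arguments.
        """
        from urllib.parse import urlparse

        key = request.COOKIES.get(SESSION_KEY_NAME)
        redir = "/auth/login?redir=%s" % request.path
        if not key:
            return framework.HttpResponseRedirect(redir)

        def reject(location):
            # Redirect and clear the cookie so the client stops resending a
            # key that will never be accepted.
            resp = framework.HttpResponseRedirect(location)
            resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
            return resp

        dbsession = models.SessionMaker()
        try:
            session = dbsession.query(models.Session).filter_by(session_key=key).one()
        except models.NoResultFound:
            dbsession.close()  # the DB session was previously leaked on this path
            return reject(redir)

        if session.is_expired():
            dbsession.delete(session)
            dbsession.commit()
            dbsession.close()
            return reject(redir)

        # Referer-based CSRF check: only requests whose Referer names our own
        # host may proceed.  The header is client-supplied, so its host part is
        # parsed and compared explicitly; a plain substring test would accept
        # any foreign URL that merely contains HOSTNAME in its path or query.
        referer = request.environ.get("HTTP_REFERER")
        if referer is None:
            request.log_error("No referer in authenticated request.\n")
            dbsession.close()
            return reject("/")
        parsed = urlparse(referer)
        referer_host = parsed.hostname or ""  # urlparse lower-cases this
        # The exact form of HOSTNAME (bare host vs. host:port) is not visible
        # here, so accept a match on the host, the full netloc, or a subdomain.
        wanted = HOSTNAME.lower()
        ours = (
            parsed.netloc.lower() == wanted
            or referer_host == wanted
            or referer_host.endswith("." + wanted)
        )
        if not ours:
            request.log_error("Our host not in referer.\n")
            dbsession.close()
            return reject("/")

        # Not closed on the success path (as in the original): ``session`` is
        # handed to ``handler`` via request.session and stays attached to the
        # open dbsession while the handler runs.
        request.session = session
        return handler(request, *args, **kwargs)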
Esempio n. 2
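def handle_async_authentication(request):
    """Authenticate an asynchronous (challenge/response) login request.

    Reads ``username``, ``password`` (the client's CRAM response), ``key``
    (URL-quoted challenge key) and ``redir`` from ``request.POST``.  On
    success the user's last-login time is updated, a session row is created
    by ``_set_session`` (which also attaches the cookie to the response),
    persisted, and a ``(200, redir)`` JSONResponse is returned.  Every
    failure returns a 401 JSONResponse with a short reason; a request that
    lacks one of the four fields gets a 400 instead of an unhandled
    KeyError.
    """
    try:
        name = request.POST[b"username"]
        cram = request.POST[b"password"]
        key = request.POST[b"key"]
        redir = request.POST[b"redir"]
    except KeyError as err:
        # A missing field used to escape as a KeyError (server error).
        request.log_error("Async authentication missing field: %r\n" % (err.args[0],))
        return framework.JSONResponse((400, "Missing parameter."))

    dbsession = models.SessionMaker()
    try:
        try:
            user = dbsession.query(models.User).filter_by(username=name).one()
        except models.NoResultFound:
            # NOTE(review): this reply differs from the bad-credential one
            # below, so the response reveals whether a username exists.
            return framework.JSONResponse((401, b"No such user."))
        try:
            good = Authenticator(user).authenticate(cram, unquote(key))
        except AuthenticationError as err:
            request.log_error("Did NOT authenticate by async: %r\n" % (name, ))
            return framework.JSONResponse((401, str(err)))
        if not good:
            request.log_error("Invalid async authentication for %r\n" % (name, ))
            return framework.JSONResponse((401, "Failed to authenticate."))

        request.log_error("Authenticated by async: %s\n" % (name, ))
        user.set_last_login()
        # NOTE(review): ``redir`` is returned to the client unchanged; the
        # code that follows it should confirm it is a local path.
        resp = framework.JSONResponse((200, redir))
        session = _set_session(resp, user, request.get_host(), "/",
                               request.config.get("LOGIN_TIME", 24))
        dbsession.add(session)
        dbsession.commit()
        return resp
    finally:
        # Release the DB session on every path, not only after a successful
        # login (the original leaked it on the three failure returns).
        dbsession.close()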
Esempio n. 3
def handle_async_authentication(request):
    """Python 2 form of the async (challenge/response) login handler.

    Reads ``username``, ``password`` (the client's CRAM response), ``key``
    (URL-quoted challenge key) and ``redir`` from ``request.POST``, looks the
    user up and runs ``Authenticator.authenticate``.  Note the
    ``except X, err`` syntax: this is Python 2 code.  The listing is cut off
    after the AuthenticationError branch, so the handling of ``good``
    (session creation and the 200/401 replies) is not shown here.
    """
    name = request.POST[b"username"]
    cram = request.POST[b"password"]
    key = request.POST[b"key"]
    redir = request.POST[b"redir"]
    # The DB session opened here is not closed on either error return below.
    dbsession = models.SessionMaker()
    try:
        user = dbsession.query(models.User).filter_by(username=name).one()
    except models.NoResultFound:
        return framework.JSONResponse((401, b"No such user."))
    try:
        good = Authenticator(user).authenticate(cram, unquote(key))
    except AuthenticationError, err:
        request.log_error("Did NOT authenticate by async: %r\n" % (name, ))
        return framework.JSONResponse((401, str(err)))
Esempio n. 4
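 def get(self, request):
     """Log the client out: delete its session row, clear the cookie, redirect to ``/``.

     The session key comes from the ``SESSION_KEY_NAME`` cookie.  An unknown
     key is ignored; the cookie is cleared and the redirect is issued either
     way.  NOTE(review): logout is performed on GET, so any link to this URL
     ends the session; a POST form is the usual safeguard.
     """
     key = request.COOKIES.get(SESSION_KEY_NAME)
     if key is not None:
         dbsession = models.SessionMaker()
         try:
             try:
                 sess = dbsession.query(models.Session).filter_by(session_key=key).one()
             except models.NoResultFound:
                 pass  # no row for this key: nothing to delete
             else:
                 dbsession.delete(sess)
                 dbsession.commit()
         finally:
             # Always release the DB session; it was leaked when no row matched.
             dbsession.close()
     request.session = None
     resp = framework.HttpResponseRedirect("/")
     resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
     return resp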
Esempio n. 5
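    def newhandler(request, *args, **kwargs):
        """Run ``handler`` only when the request carries a valid, unexpired session.

        The key is read from the ``SESSION_KEY_NAME`` cookie and looked up in
        the database.  A missing key yields HttpResponseNotAuthenticated; an
        unknown or expired key yields the same response with the cookie
        cleared (an expired session row is deleted first).  On success the
        session row is exposed as ``request.session`` before ``handler`` runs
        with the original arguments.
        """
        key = request.COOKIES.get(SESSION_KEY_NAME)
        if not key:
            return framework.HttpResponseNotAuthenticated()

        def reject():
            # Clear the cookie so the client stops presenting a key that will
            # never be accepted.
            resp = framework.HttpResponseNotAuthenticated()
            resp.delete_cookie(SESSION_KEY_NAME, domain=request.get_host())
            return resp

        dbsession = models.SessionMaker()
        try:
            session = dbsession.query(models.Session).filter_by(session_key=key).one()
        except models.NoResultFound:
            dbsession.close()  # the DB session was previously leaked on this path
            return reject()

        if session.is_expired():
            dbsession.delete(session)
            dbsession.commit()
            dbsession.close()
            return reject()

        # Not closed on the success path (as in the original): ``session`` is
        # handed to ``handler`` via request.session and stays attached to the
        # open dbsession while the handler runs.
        request.session = session
        return handler(request, *args, **kwargs)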