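def login():
    '''
    Attempt to fulfil a login request submitted through the web form.

    Reads ``user[login]`` and ``user[password]`` from the POST form, checks
    the supplied password against the stored hash and, on success, stores
    the user's primary-key id in the Flask session.

    Returns a JSON string with a single ``status`` field:

    - 0, successful login
    - 4, generic login failure

    Every failure (unknown username, account without a stored hash, wrong
    password, malformed request) deliberately reports the same code 4 so the
    response does not reveal which part of the credential was wrong:

    - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    The finer-grained codes 1-3 (username unknown, no password stored,
    password mismatch) exist in the project's vocabulary but are never sent
    to the client, on purpose.

    NOTE(review): nothing in this view throttles repeated attempts; confirm
    that a rate limit or lockout is enforced elsewhere in the stack.
    '''
    failure = json.dumps({'status': 4})

    # Only a POST carrying a form body is a login attempt.  Anything else
    # used to fall off the end of the function and return None, which Flask
    # turns into a 500 instead of a status response.
    if request.method != 'POST' or not request.form:
        return failure

    # MultiDict.get returns the first value for the key, like getlist()[0]
    # did, but yields None instead of raising IndexError on a missing field.
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if username is None or password is None:
        return failure

    uid = _authenticate(Account(), username, password)
    if uid is None:
        return failure

    # set session: uid corresponds to the primary key of the user table, a
    # unique integer representing the username
    session['uid'] = uid
    return json.dumps({'status': 0})


def _authenticate(account, username, password):
    '''
    Return the uid for ``username`` when ``password`` matches its stored
    hash, otherwise ``None``.

    Args:
        account: ``Account`` instance used for the database lookups.
        username: login name supplied by the client.
        password: plaintext password supplied by the client.

    Returns:
        The user's uid (truthy) on success, ``None`` on any failure.  The
        caller maps every ``None`` to the same generic status so the reason
        is not disclosed.
    '''
    # validate: username must exist and resolve to a (truthy) uid; the uid
    # is fetched once here rather than queried twice as before
    if not account.check_username(username)['result']:
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # an account may exist without a stored password hash
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return None

    # verify_pass compares the supplied password with the stored hash
    if not verify_pass(str(password), hashed_password):
        return None
    return uid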
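def login():
    '''
    Attempt to fulfil a login request submitted through the web form.

    Reads ``user[login]`` and ``user[password]`` from the POST form, checks
    the supplied password against the stored hash and, on success, stores
    the user's primary-key id in the Flask session.

    Returns a JSON string with a single ``status`` field:

    - 0, successful login
    - 4, generic login failure

    Every failure (unknown username, account without a stored hash, wrong
    password, malformed request) deliberately reports the same code 4 so the
    response does not reveal which part of the credential was wrong:

    - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    The finer-grained codes 1-3 (username unknown, no password stored,
    password mismatch) exist in the project's vocabulary but are never sent
    to the client, on purpose.

    NOTE(review): nothing in this view throttles repeated attempts; confirm
    that a rate limit or lockout is enforced elsewhere in the stack.
    '''
    failure = json.dumps({'status': 4})

    # Only a POST carrying a form body is a login attempt.  Anything else
    # used to fall off the end of the function and return None, which Flask
    # turns into a 500 instead of a status response.
    if request.method != 'POST' or not request.form:
        return failure

    # MultiDict.get returns the first value for the key, like getlist()[0]
    # did, but yields None instead of raising IndexError on a missing field.
    username = request.form.get('user[login]')
    password = request.form.get('user[password]')
    if username is None or password is None:
        return failure

    uid = _authenticate(Account(), username, password)
    if uid is None:
        return failure

    # set session: uid corresponds to the primary key of the user table, a
    # unique integer representing the username
    session['uid'] = uid
    return json.dumps({'status': 0})


def _authenticate(account, username, password):
    '''
    Return the uid for ``username`` when ``password`` matches its stored
    hash, otherwise ``None``.

    Args:
        account: ``Account`` instance used for the database lookups.
        username: login name supplied by the client.
        password: plaintext password supplied by the client.

    Returns:
        The user's uid (truthy) on success, ``None`` on any failure.  The
        caller maps every ``None`` to the same generic status so the reason
        is not disclosed.
    '''
    # validate: username must exist and resolve to a (truthy) uid; the uid
    # is fetched once here rather than queried twice as before
    if not account.check_username(username)['result']:
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # an account may exist without a stored password hash
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return None

    # verify_pass compares the supplied password with the stored hash
    if not verify_pass(str(password), hashed_password):
        return None
    return uid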
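def login():
    '''
    Attempt to fulfil a login request submitted as a JSON body.

    Reads ``user[login]`` and ``user[password]`` from the POSTed JSON, checks
    the supplied password against the stored hash and, on success, issues a
    flask-jwt access token carrying the user's uid as its identity.

    Returns a JSON string with:

    - ``status``: 0 on success, 4 on any failure
    - ``access_token``: only present when ``status`` is 0

    Every failure (unknown username, account without a stored hash, wrong
    password, malformed request) deliberately reports the same code 4 so the
    response does not reveal which part of the credential was wrong:

    - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    The finer-grained codes 1-3 (username unknown, no password stored,
    password mismatch) exist in the project's vocabulary but are never sent
    to the client, on purpose.

    Note: token authentication is stateless -- the server verifies the token
    itself (validity and tampering) rather than looking anything up.  Basic
    flask-jwt usage:
    http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    NOTE(review): nothing in this view throttles repeated attempts; confirm
    that a rate limit or lockout is enforced elsewhere in the stack.
    '''
    failure = json.dumps({'status': 4})

    # A non-POST used to fall off the end and return None (a 500 in Flask).
    if request.method != 'POST':
        return failure

    # get_json() is parsed once; the previous code parsed it twice.  A body
    # that is not a JSON object (e.g. a list) must not reach the key lookups.
    results = request.get_json()
    if not isinstance(results, dict):
        return failure

    # .get() instead of [] so a missing field is a status 4, not a KeyError
    username = results.get('user[login]')
    password = results.get('user[password]')
    if username is None or password is None:
        return failure

    uid = _authenticate(Account(), username, password)
    if uid is None:
        return failure

    # create and serialize the uid token
    access_token = create_access_token(identity=uid)
    return json.dumps({'status': 0, 'access_token': access_token})


def _authenticate(account, username, password):
    '''
    Return the uid for ``username`` when ``password`` matches its stored
    hash, otherwise ``None``.

    Args:
        account: ``Account`` instance used for the database lookups.
        username: login name supplied by the client.
        password: plaintext password supplied by the client.

    Returns:
        The user's uid (truthy) on success, ``None`` on any failure.  The
        caller maps every ``None`` to the same generic status so the reason
        is not disclosed.
    '''
    # validate: username must exist and resolve to a (truthy) uid; the uid
    # is fetched once here rather than queried twice as before
    if not account.check_username(username)['result']:
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # an account may exist without a stored password hash
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return None

    # verify_pass compares the supplied password with the stored hash
    if not verify_pass(str(password), hashed_password):
        return None
    return uid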
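def login():
    '''
    Attempt to fulfil a login request from either client interface.

    Two request shapes are accepted on POST:

    - programmatic interface: a JSON object with ``user[login]`` and
      ``user[password]``; on success a flask-jwt access token carrying the
      uid is returned
    - web interface: a form with the same two fields; on success the uid is
      stored in the Flask session

    Returns a JSON string with:

    - ``status``: 0 on success, 4 on any failure
    - ``access_token``: only for JSON clients, only when ``status`` is 0

    Every failure (unknown username, account without a stored hash, wrong
    password, malformed request) deliberately reports the same code 4 so the
    response does not reveal which part of the credential was wrong:

    - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

    The finer-grained codes 1-3 (username unknown, no password stored,
    password mismatch) exist in the project's vocabulary but are never sent
    to the client, on purpose.

    Note: token authentication is stateless -- the server verifies the token
    itself (validity and tampering) rather than looking anything up.  Basic
    flask-jwt usage:
    http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

    NOTE(review): nothing in this view throttles repeated attempts; confirm
    that a rate limit or lockout is enforced elsewhere in the stack.
    '''
    failure = json.dumps({'status': 4})

    # A non-POST, or a POST with neither a JSON body nor a form, used to
    # fall off the end and return None (a 500 in Flask).
    if request.method != 'POST':
        return failure

    # programmatic-interface: flask-jwt token.  get_json() is parsed once
    # (previously twice) and a non-object body is rejected before lookup.
    body = request.get_json()
    if body:
        if not isinstance(body, dict):
            return failure
        credentials = _extract_credentials(body)
        if credentials is None:
            return failure
        uid = _authenticate(Account(), *credentials)
        if uid is None:
            return failure
        access_token = create_access_token(identity=uid)
        return json.dumps({'status': 0, 'access_token': access_token})

    # web-interface: store the user session (redis-backed per the original
    # comment -- not visible here)
    if request.form:
        credentials = _extract_credentials(request.form)
        if credentials is None:
            return failure
        uid = _authenticate(Account(), *credentials)
        if uid is None:
            return failure
        # uid corresponds to the primary key of the user table, a unique
        # integer representing the username
        session['uid'] = uid
        return json.dumps({'status': 0})

    return failure


def _extract_credentials(mapping):
    '''
    Pull ``(username, password)`` out of a JSON object or form MultiDict.

    Uses ``.get`` so a missing field yields ``None`` (mapped to status 4 by
    the caller) instead of the KeyError / IndexError the old ``[]`` and
    ``getlist()[0]`` accesses raised.  For a MultiDict, ``.get`` returns the
    first value, matching the previous ``getlist(...)[0]``.
    '''
    username = mapping.get('user[login]')
    password = mapping.get('user[password]')
    if username is None or password is None:
        return None
    return username, password


def _authenticate(account, username, password):
    '''
    Return the uid for ``username`` when ``password`` matches its stored
    hash, otherwise ``None``.

    Args:
        account: ``Account`` instance used for the database lookups.
        username: login name supplied by the client.
        password: plaintext password supplied by the client.

    Returns:
        The user's uid (truthy) on success, ``None`` on any failure.  The
        caller maps every ``None`` to the same generic status so the reason
        is not disclosed.
    '''
    # validate: username must exist and resolve to a (truthy) uid; the uid
    # is fetched once here rather than queried twice as before
    if not account.check_username(username)['result']:
        return None
    uid = account.get_uid(username)['result']
    if not uid:
        return None

    # an account may exist without a stored password hash
    hashed_password = account.get_password(username)['result']
    if not hashed_password:
        return None

    # verify_pass compares the supplied password with the stored hash
    if not verify_pass(str(password), hashed_password):
        return None
    return uid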