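def handleSubmit(self, action):
    """Validate the signed request and the one-time token, then log the user in.

    Checks performed, in order:

    - the signed user data carried by the request (``auth_user`` plus the
      signature) must validate against the resolved user;
    - the ``token`` form value must validate for that user.

    Only when both pass is a session established for ``auth_user`` and the
    browser redirected to ``next_url`` -- which is only honoured when it stays
    on this site -- or, failing that, to the context URL. On any failure a
    status message is added and no session is created.

    :param action: the z3c.form button action that triggered the submit.
    :return: ``False`` when form extraction produced errors, ``None`` otherwise.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    def _is_local_url(url, base):
        # True for a relative path or an absolute URL on the same scheme and
        # host as ``base``. Protocol-relative targets (``//host``), paths that
        # parse to a leading ``//``, backslashes and whitespace are rejected
        # because browsers normalise them into a different host.
        if not url or '\\' in url or any(ch.isspace() for ch in url):
            return False
        target = urlparse(url)
        here = urlparse(base)
        if target.scheme or target.netloc:
            return (target.scheme, target.netloc) == (here.scheme, here.netloc)
        return not url.startswith('//') and not target.path.startswith('//')

    data, errors = self.extractData()
    if errors:
        return False

    token = data.get('token', '')
    user = None
    username = self.request.get('auth_user', '')
    if username:
        user = api.user.get(username=username)

    # Validate the signed request data. If invalid (likely tampered with or
    # expired), report it and stop before any token check or login.
    user_data_validation_result = validate_user_data(
        request=self.request, user=user)
    if not user_data_validation_result.result:
        IStatusMessage(self.request).addStatusMessage(
            _("Invalid data. Details: {0}".format(' '.join(
                user_data_validation_result.reason))),
            'error')
        return

    valid_token = validate_token(token, user=user)
    # Never establish a session for a username that did not resolve to a
    # user, even if the token validator accepted a ``user=None`` call.
    if not valid_token or user is None:
        msg = _("Invalid token or token expired.")
        IStatusMessage(self.request).addStatusMessage(msg, 'error')
        return

    # Both checks passed: log the user in.
    self.context.acl_users.session._setupSession(
        str(username), self.context.REQUEST.RESPONSE)

    # TODO: Is there a nicer way of resolving the
    # "@@google_authenticator_token_form" URL?
    msg = PMF("Welcome! You are now logged in.")
    IStatusMessage(self.request).addStatusMessage(msg, 'info')

    # ``next_url`` is request data under the caller's control; following it
    # unchecked would let a crafted login link forward the freshly logged-in
    # user off-site (open redirect). Fall back to the context URL otherwise.
    request_data = extract_request_data(self.request)
    context_url = self.context.absolute_url()
    next_url = request_data.get('next_url', context_url)
    redirect_url = next_url if _is_local_url(next_url, context_url) else context_url
    self.request.response.redirect(redirect_url)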
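def handleSubmit(self, action):
    """Validate the signed request and the one-time token, then log the user in.

    Checks performed, in order:

    - the signed user data carried by the request (``auth_user`` plus the
      signature) must validate against the resolved user;
    - the ``token`` form value must validate for that user.

    Only when both pass is a session established for ``auth_user`` and the
    browser redirected to ``next_url`` -- which is only honoured when it stays
    on this site -- or, failing that, to the context URL. On any failure a
    status message is added and no session is created.

    :param action: the z3c.form button action that triggered the submit.
    :return: ``False`` when form extraction produced errors, ``None`` otherwise.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    def _is_local_url(url, base):
        # True for a relative path or an absolute URL on the same scheme and
        # host as ``base``. Protocol-relative targets (``//host``), paths that
        # parse to a leading ``//``, backslashes and whitespace are rejected
        # because browsers normalise them into a different host.
        if not url or '\\' in url or any(ch.isspace() for ch in url):
            return False
        target = urlparse(url)
        here = urlparse(base)
        if target.scheme or target.netloc:
            return (target.scheme, target.netloc) == (here.scheme, here.netloc)
        return not url.startswith('//') and not target.path.startswith('//')

    data, errors = self.extractData()
    if errors:
        return False

    token = data.get('token', '')
    user = None
    username = self.request.get('auth_user', '')
    if username:
        user = api.user.get(username=username)

    # Validate the signed request data. If invalid (likely tampered with or
    # expired), report it and stop before any token check or login.
    user_data_validation_result = validate_user_data(
        request=self.request, user=user)
    if not user_data_validation_result.result:
        IStatusMessage(self.request).addStatusMessage(
            _("Invalid data. Details: {0}".format(' '.join(
                user_data_validation_result.reason))),
            'error')
        return

    valid_token = validate_token(token, user=user)
    # Never establish a session for a username that did not resolve to a
    # user, even if the token validator accepted a ``user=None`` call.
    if not valid_token or user is None:
        IStatusMessage(self.request).addStatusMessage(
            _("Invalid token or token expired."), 'error')
        return

    # Both checks passed: log the user in.
    self.context.acl_users.session._setupSession(
        str(username), self.context.REQUEST.RESPONSE)

    # TODO: Is there a nicer way of resolving the
    # "@@google_authenticator_token_form" URL?
    IStatusMessage(self.request).addStatusMessage(
        _("Great! You're logged in."), 'info')

    # ``next_url`` is request data under the caller's control; following it
    # unchecked would let a crafted login link forward the freshly logged-in
    # user off-site (open redirect). Fall back to the context URL otherwise.
    request_data = extract_request_data(self.request)
    context_url = self.context.absolute_url()
    next_url = request_data.get('next_url', context_url)
    redirect_url = next_url if _is_local_url(next_url, context_url) else context_url
    self.request.response.redirect(redirect_url)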
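def updateFields(self, *args, **kwargs):
    """Validate the signed request and, on success, show the bar-code image.

    Steps:

    - ``auth_user`` from the request is resolved to a user and the signed
      user data is validated against it.
    - The ``signature`` request parameter is compared, in constant time,
      with the ``bar_code_reset_token`` stored on the user's profile; an
      empty value on either side never matches.
    - When both checks pass, the ``qr_code`` field's description is set to
      the token description (carrying the bar-code image); otherwise an error
      status message is added.

    NOTE(review): the original inline comment said the token is regenerated
    with ``overwrite_secret=True``, but the call passes ``False``; confirm
    which is intended. This rewrite keeps ``False``.

    :return: whatever the base class's ``updateFields`` returns.
    """
    import hmac

    def _as_bytes(value):
        # hmac.compare_digest needs both operands of one type; normalise
        # text (and anything else) to UTF-8 bytes.
        if isinstance(value, bytes):
            return value
        return ('%s' % (value,)).encode('utf-8')

    # Adding a proper description (with bar code image)
    barcode_field = self.fields.get('qr_code')
    username = self.request.get('auth_user', '')
    token = self.request.get('signature', '')
    user = api.user.get(username=username)

    if user:
        # The bar-code reset token saved in the user's profile.
        bar_code_reset_token = user.getProperty('bar_code_reset_token')
        user_data_validation_result = validate_user_data(
            request=self.request, user=user)

        # An unset/empty stored token must never match (otherwise a missing
        # ``signature`` would compare equal to an empty property), and the
        # comparison is constant-time so the token cannot be inferred from
        # response timing.
        tokens_match = (
            bool(bar_code_reset_token)
            and bool(token)
            and hmac.compare_digest(_as_bytes(bar_code_reset_token), _as_bytes(token))
        )

        if barcode_field:
            if user_data_validation_result.result and tokens_match:
                barcode_field.field.description = _(
                    get_token_description(user=user, overwrite_secret=False))
            elif not user_data_validation_result.result:
                IStatusMessage(self.request).addStatusMessage(
                    ' '.join(user_data_validation_result.reason), 'error')
            else:
                IStatusMessage(self.request).addStatusMessage(
                    _("Invalid bar-code reset token"), 'error')

    return super(ResetBarCodeForm, self).updateFields(*args, **kwargs)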
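def updateFields(self, *args, **kwargs):
    """Validate the signed request and, on success, show the bar-code image.

    Steps:

    - ``auth_user`` from the request is resolved to a user and the signed
      user data is validated against it.
    - The ``signature`` request parameter is compared, in constant time,
      with the ``bar_code_reset_token`` stored on the user's profile; an
      empty value on either side never matches.
    - When both checks pass, the ``qr_code`` field's description is set to
      the token description (carrying the bar-code image); otherwise an error
      status message is added.

    NOTE(review): the original inline comment said the token is regenerated
    with ``overwrite_secret=True``, but the call passes ``False``; confirm
    which is intended. This rewrite keeps ``False``.

    :return: whatever the base class's ``updateFields`` returns.
    """
    import hmac

    def _as_bytes(value):
        # hmac.compare_digest needs both operands of one type; normalise
        # text (and anything else) to UTF-8 bytes.
        if isinstance(value, bytes):
            return value
        return ('%s' % (value,)).encode('utf-8')

    # Adding a proper description (with bar code image)
    barcode_field = self.fields.get('qr_code')
    username = self.request.get('auth_user', '')
    token = self.request.get('signature', '')
    user = api.user.get(username=username)

    if user:
        # The bar-code reset token saved in the user's profile.
        bar_code_reset_token = user.getProperty('bar_code_reset_token')
        user_data_validation_result = validate_user_data(
            request=self.request, user=user)

        # An unset/empty stored token must never match (otherwise a missing
        # ``signature`` would compare equal to an empty property), and the
        # comparison is constant-time so the token cannot be inferred from
        # response timing.
        tokens_match = (
            bool(bar_code_reset_token)
            and bool(token)
            and hmac.compare_digest(_as_bytes(bar_code_reset_token), _as_bytes(token))
        )

        if barcode_field:
            if user_data_validation_result.result and tokens_match:
                barcode_field.field.description = _(
                    get_token_description(user=user, overwrite_secret=False))
            elif not user_data_validation_result.result:
                IStatusMessage(self.request).addStatusMessage(
                    ' '.join(user_data_validation_result.reason), 'error')
            else:
                IStatusMessage(self.request).addStatusMessage(
                    _("Invalid bar-code reset token"), 'error')

    return super(ResetBarCodeForm, self).updateFields(*args, **kwargs)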