def get_users_me(user):
database_user = database.find_one(constants.DATABASE_USERS_NAME,
{"_id": ObjectId(user)})
if database_user is None:
raise errors.InvalidAuthError
user = User().from_dict(database_user)
return jsonify(user.as_public_dict())
def login_via_token(user_token):
"""
Generates a session via a token
:param user_token: The token from the user.
:return: The newly created session
"""
# TODO In the future, we need to require users to MFA authenticate when redeeming token.
user = token.get_user_for_token(user_token)
print(user)
if user is None:
raise errors.InvalidAuthError
user = database.find_one(const.DATABASE_USERS_NAME,
{"_id": ObjectId(user)})
new_session = session.generate_session()
user = User.from_dict(user)
new_session.mfa_authenticated = True
new_session.logged_in = True
new_session.user_id = user.mongodb_id
return new_session
def login(username, password):
"""
Login a user.
:param username: Username to log user in with
:param password: Password to verify
:return: The newly created session for the user.
:raises: cure.types.exception.UsernameNotFoundError, cure.types.exception.InvalidPasswordError
"""
username = username.lower()
result = database.find_one(const.DATABASE_USERS_NAME,
{"username": username})
if result is None:
raise errors.UsernameNotFoundError()
password_verified = sha256_crypt.verify(password,
result.get("password_hash"))
if not password_verified:
raise errors.InvalidPasswordError()
new_session = session.generate_session()
user = User.from_dict(result)
if user.has_mfa:
new_session.mfa_authenticated = False
new_session.logged_in = False
else:
new_session.logged_in = True
new_session.user_id = user.mongodb_id
return new_session
def mfa_authenticate(user_session, code):
"""
Used for any session where the user_id isn't null.
:param user_session: the user's session.
:param code: the mfa code as a str that they used
:return: bool of whether user authenticated successfully
"""
if user_session.user_id is None:
raise errors.InvalidAuthError()
if user_session.mfa_authenticated:
raise errors.AlreadyAuthenticatedError()
db_user = database.find_one(const.DATABASE_USERS_NAME,
{"_id": user_session.mongodb_id})
if db_user is None:
print(
"[Authentication] [ERROR] User has somehow managed to manipulate a server-side session. If you see "
"this message, a bug could have been caused (user deleted account but session wasn't deleted). Report"
" this as a bug unless your database has been modified while this program is running."
)
raise errors.UsernameNotFoundError()
user = User.from_dict(db_user)
totp = pyotp.TOTP(user.mfa_key)
if not totp.verify(code):
raise errors.InvalidMfaCodeError()
user_session.mfa_authenticated = True
return user_session.mfa_authenticated
def create_tracker(name, invite_only, public, owner=User()):
"""
Creates a tracker
---
name - the name to use for the tracker
invite_only - bool to determine board privacy
public - is the board public?
owner - a User of the person creating it.
returns a tracker id
"""
(acknowledged, tracker_id) = database.insert_one(const.DATABASE_TRACKER_NAME, {
"name": name,
"invite_only": invite_only,
"public": public
})
if not acknowledged:
return None
member = TrackerMember(str(owner.mongodb_id), str(tracker_id))
member.is_owner = True
member.permissions = 0x88888888
database.insert_one(const.DATABASE_TRACKER_MEMBER_NAME, TrackerMember.as_database_object(member))
tracker = Tracker.from_dict(database.find_one(const.DATABASE_TRACKER_NAME, {"_id": tracker_id}))
return tracker
def register(username, password):
"""
Register a user
:param username: Requested username.
:param password: Password
:return: A User object on success. Otherwise, it will raise an exception.
"""
if not re.match(const.USERNAME_REGEX, username):
raise errors.InvalidUsernameError
user = User()
if database.find(const.DATABASE_USERS_NAME, {
"username": username
}).count() != 0 or len(username) <= 1:
raise errors.UsernameTakenError(username)
user.username = username
user.password_hash = sha256_crypt.hash(password)
# add user to database
database_object = database.cure_database.get_collection(
const.DATABASE_USERS_NAME).insert_one(user.as_dict())
user.mongodb_id = database_object.inserted_id
return user
def add_global_role(data, user):
# check to see if user is admin
db_user = database.find_one(constants.DATABASE_USERS_NAME,
{"_id": ObjectId(user)})
user = User.from_dict(db_user)
if not user.is_global_admin:
raise errors.InvalidPermissionError
name = data.get("name", "unnamed role")
permissions = data.get("permissions", 0x00000000)
position = data.get("position", 0)
database.insert_one(
constants.DATABASE_ROLES_NAME, {
"role_name": name,
"role_permissions": permissions,
"role_position": position
})
return jsonify({"updated_user": user.as_public_dict()})
def get_user_by_id(user_id):
return User.from_dict(database.find_one(constants.DATABASE_USERS_NAME, {
"_id": user_id
}))