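def validHMACHash(clientHash, data, email, timestamp, maxAgeSeconds=5 * 60):
    """Return True if *clientHash* matches the HMAC the server derives from *data* and *timestamp*.

    The client is expected to send a hex SHA-256 HMAC over the ``data`` fields, in order,
    followed by ``&timestamp=<timestamp>``, keyed with the session token stored for
    *email*.

    Args:
        clientHash: Hex digest sent by the client (``Hash-Hmac`` header); may be None.
        data: Iterable of ``key=value`` strings that were signed, in order.
        email: Address used to look up the session token that keys the HMAC.
        timestamp: Client timestamp in ``'%Y-%m-%d %H:%M:%S'`` UTC form; may be None.
        maxAgeSeconds: Width of the accepted clock window; a timestamp further than this
            from the server's UTC clock (in either direction) is rejected. Defaults to
            the five minutes the original hard-coded.

    Returns:
        True only when both header values are present, the timestamp parses and lies
        inside the window, a token exists for *email*, and the digests match.
        False in every other case; malformed timestamps never raise.
    """
    if clientHash is None or timestamp is None:
        return False

    timeFormat = '%Y-%m-%d %H:%M:%S'
    try:
        now = datetime.datetime.strptime(getUTCTimestamp(), timeFormat)
        clientTime = datetime.datetime.strptime(timestamp, timeFormat)
    except ValueError:
        # The timestamp is attacker-controlled header text: a parse failure is
        # simply an invalid request, not a server error.
        return False

    # timedelta.seconds ignores the .days component, so the original check accepted a
    # timestamp from exactly N days earlier; total_seconds() counts the whole span.
    # abs() makes the replay window symmetric so small clock skew in either
    # direction is tolerated consistently.
    if abs((now - clientTime).total_seconds()) >= maxAgeSeconds:
        return False

    # The session token stored for the current user session is the HMAC key.
    token = database_helper.getUserTokenByEmail(email)
    if token is None:
        return False

    hmacObj = hmac.new(token.encode(), digestmod=hashlib.sha256)
    for value in data:
        hmacObj.update(value.encode('utf-8'))
    # NOTE(review): in the copy reviewed this separator read "×tamp=", which looks like
    # "&timestamp=" with "&times" decoded as an HTML entity; confirm against the client
    # implementation before relying on it.
    hmacObj.update(('&timestamp=' + timestamp).encode('utf-8'))
    serverHash = hmacObj.hexdigest()

    # Constant-time comparison: a plain == short-circuits on the first differing
    # character, which leaks how much of the digest was guessed correctly.
    return hmac.compare_digest(clientHash, serverHash)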
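def signOut(email):
    """Sign out the user identified by *email*.

    The request must carry the ``Hash-Hmac`` and ``Hash-Timestamp`` headers the client
    produced over ``email=<email>``; they are verified with validHMACHash before any
    session state is touched.

    Args:
        email: Address of the user to sign out.

    Returns:
        A ``(json_body, status_code)`` tuple: 200 on success, 503 when the session row
        could not be deleted, 405 when the user has no session or the hash is invalid.
        (405 is what the original returns and is kept for client compatibility, although
        401/403 would describe those two failures more accurately.)
    """
    data = ['email=' + email]
    clientHash = request.headers.get('Hash-Hmac')
    utcTimestamp = request.headers.get('Hash-Timestamp')

    # Guard clauses in the original nesting order, so each failure maps to the same
    # body and status code as before.
    if not validHMACHash(clientHash, data, email, utcTimestamp):
        return json.dumps({'success': False, 'message': 'Invalid hash.'}), 405

    token = database_helper.getUserTokenByEmail(email)
    if token is None:
        return json.dumps({'success': False, 'message': 'You are not signed in.'}), 405

    # NOTE(review): the original tested `result == True`; this assumes
    # deleteSignedInUser returns a boolean — confirm it never returns a row count.
    if not database_helper.deleteSignedInUser(token):
        return json.dumps({'success': False, 'message': 'Could not delete signed in user.'}), 503

    # Drop the user's live socket (if any) and push the refreshed online count.
    # `in` replaces the Python-2-only dict.has_key(); the dict is mutated in place,
    # so no `global` declaration is required.
    if email in webSockets:
        del webSockets[email]
    sendUsersCounter()
    return json.dumps({'success': True, 'message': 'Successfully signed out.'}), 200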