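def login(username, password):
    """Authenticate *username*/*password* and bind a fresh token to the web session.

    Steps, in order: fetch ``web.ctx.session``; look the user up in ``Users``;
    verify the password with ``auth.is_password_match``; create a token with
    ``auth.create_token`` and store it both in the session (``token``,
    ``userid``, ``authenticated``, ``priv_lev``) and in the user's ``tokens``
    list; pull the user's expired tokens; and return a serialized public view
    of the user.

    Args:
        username: login name used for the ``Users`` lookup.
        password: clear-text candidate password; only ever handed to
            ``auth.is_password_match`` together with the stored hash and salt.

    Returns:
        ``{'r': 'ok', 'data': {...}}`` where ``data`` holds the serialized
        ``userid``, ``name``, ``username`` and ``priv_lev`` fields.

    Raises:
        StandardError: if the session is unavailable, the user does not exist,
            the password does not match, or any step of the token/DB update
            fails (the original exception is wrapped, not dropped).
    """
    try:
        session = web.ctx.session
    except Exception as e:
        raise StandardError(e)

    # NOTE(review): "User Not Found" vs "Password do not match" lets a caller tell
    # valid usernames apart, and the unknown-user path skips the password check
    # entirely, so the two branches also differ in timing. One generic failure
    # message for both would remove the enumeration oracle; kept as-is because
    # callers may depend on the exact messages.
    try:
        the_user = Users.objects.get(username=username)
    except Exception:
        raise StandardError("User Not Found")
    if not auth.is_password_match(password, the_user['hashed_pwd'], the_user['salt']):
        raise StandardError("Password do not match")

    try:
        # Fresh random token; authenticate() later compares the session copy
        # against the copies stored on the user record.
        created_token = auth.create_token(the_user['userid'])
        session.token = created_token
        session.userid = the_user['userid']
        session.authenticated = True
        session.priv_lev = the_user['priv_lev']

        # Atomic MongoEngine update: push__ appends to the 'tokens' list. See
        # https://github.com/hmarr/mongoengine/blob/master/docs/guide/querying.rst
        Users.objects(username=the_user['username']).update_one(
            push__tokens=created_token
        )

        # Drop expired tokens from the record. the_user['tokens'] was read before
        # the push above, so the freshly created token is never examined here.
        for token in the_user['tokens']:
            if auth.is_token_expired(token, token_lifetime):
                # NOTE(review): token_exp is not defined in this function — confirm
                # it is a module-level list; otherwise this raises NameError, which
                # the broad except below turns into a failed login for any user
                # holding an expired token.
                token_exp.append(token)
                Users.objects(username=the_user['username']).update_one(
                    pull__tokens=token
                )

        # Re-read the record after the updates and expose only public fields.
        user_obj = Users.objects.get(username=the_user['username'])
        public_fields = ('userid', 'name', 'username', 'priv_lev')
        ret_obj = dict(
            (field, serializers.SerializeObject(user_obj[field]))
            for field in public_fields
        )
        return dict(r='ok', data=ret_obj)
    except Exception as e:
        # Every failure inside the block surfaces as StandardError so callers
        # deal with a single exception type; the cause is kept as the message.
        # (The try either returns or raises, so nothing after it is reachable;
        # the former trailing "Not Allowed" raise was dead code and is removed.)
        raise StandardError(e)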
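def authenticate():
    """Validate the current session token against the tokens stored on its user.

    Reads the user via ``getUserFromToken()`` and the session via
    ``getTokenData()``, rejects an expired session token, and succeeds only
    when the session token equals one of the entries in ``the_user['tokens']``.

    Returns:
        ``{'r': 'ok', 'data': exclude_fields(the_user)}`` on success.

    Raises:
        StandardError("Token Expired"): the session token has outlived
            ``token_lifetime``. Previously this raise sat inside the ``try``
            and was re-wrapped by the broad ``except`` into the generic
            message below, so callers could never observe it; the expiry
            decision is now taken inside the ``try`` but raised outside it.
        StandardError("Unable to authenticate user with session"): any
            failure while reading the user/session data or comparing tokens.
        StandardError("Not Allowed"): the token is current but is not present
            on the user record — possibly a stolen cookie / hijacked session.
    """
    try:
        the_user = getUserFromToken()
        session_data = getTokenData()
        session_token = session_data['token']
        expired = auth.is_token_expired(session_token, token_lifetime)
        # NOTE(review): == is not a constant-time comparison; if tokens are plain
        # strings, hmac.compare_digest would be the safer choice — confirm type.
        matched = (not expired) and any(
            token == session_token for token in the_user['tokens']
        )
        # exclude_fields stays inside the try so its failures are reported the
        # same way as before (generic message).
        public_user = exclude_fields(the_user) if matched else None
    except Exception:
        raise StandardError("Unable to authenticate user with session")

    if expired:
        raise StandardError("Token Expired")
    if matched:
        return dict(r='ok', data=public_user)
    # Token is current but unknown to this user record: possibly cookie theft /
    # session hijacking (http://en.wikipedia.org/wiki/Session_hijacking).
    raise StandardError("Not Allowed")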