ファイル: controller.py プロジェクト: YnkDK/simple-backend
    def post(self):
        """Hand out a fresh auth token for the already-authenticated login.

        Expects ``flask.g.login`` to have been populated by the
        authentication layer before this handler runs. Looks up the
        login's ``Session`` row: if none exists a new one is added,
        otherwise the existing row is passed the new token via
        ``Session.clear()`` (defined elsewhere; presumably it replaces the
        stored token - confirm). The unit of work is committed before the
        response is built.

        Returns:
            dict with ``status``, ``message`` and the new ``token``.
        """
        login = flask.g.login
        token = login.generate_auth_token()

        existing = Session.query.filter_by(login_id=login.id).first()
        if existing:
            # Reuse the row rather than accumulating one session per login.
            existing.clear(token)
        else:
            db.session.add(Session(token=token, login_id=login.id))
        db.session.commit()

        return {'status': 200, 'message': 'OK', 'token': token}
ファイル: models.py プロジェクト: YnkDK/simple-backend
 def decorated(*args, **kwargs):
     """Authenticate a POST request, then hand it to the wrapped ``f``.

     Credentials come from the form fields ``username``/``password`` when
     both are present, otherwise from the HTTP Authorization header. Any
     other request method, missing credentials, an unknown or inactive
     login, or a failed password check ends in ``self.auth_error_callback()``
     (``self`` and ``f`` are closed over from the enclosing decorator). On
     success ``g.login`` and ``g.session`` are populated before ``f`` runs.
     """
     if request.method != 'POST':
         return self.auth_error_callback()

     form = request.form
     auth = request.authorization
     if 'username' in form and 'password' in form:
         username, password = str(form['username']), str(form['password'])
     elif auth:
         username, password = str(auth.username), str(auth.password)
     else:
         return self.auth_error_callback()

     # The login's primary key is derived deterministically from the username.
     login_id = uuid.uuid5(uuid.NAMESPACE_OID, username)
     user = Login.query.filter_by(id=login_id).first()

     if not user or not user.active:
         # Unknown or inactive login: pad the response with the configured
         # delay (+/- 10 % jitter) so this path does not answer noticeably
         # faster than a real password check. NOTE(review): the padding only
         # hides which usernames exist while UNKNOWN_USER_TIMEOUT tracks the
         # cost of verify_password() below - confirm the configured value.
         base_delay = current_app.config['UNKNOWN_USER_TIMEOUT']
         time.sleep(base_delay + random.uniform(-0.1, 0.1) * base_delay)
         return self.auth_error_callback()
     if not user.verify_password(password):
         # Known, active login, but the password did not check out.
         return self.auth_error_callback()

     g.login = user
     token = g.login.generate_auth_token()

     # Reuse the login's existing Session row if there is one, else add a
     # new one. NOTE(review): nothing here commits db.session; persistence
     # presumably happens in f() or a request teardown - verify.
     existing = Session.query.filter_by(login_id=g.login.id).first()
     if existing:
         existing.clear(token)
     else:
         existing = Session(token=token, login_id=g.login.id)
         db.session.add(existing)
     g.session = existing

     return f(*args, **kwargs)