def post(self):
    """Issue a fresh auth token for the current login and persist it on its Session.

    Reads the already-authenticated login from ``flask.g.login`` (this
    handler assumes an upstream auth step has set it). Either rotates the
    token on the first Session row found for that login or creates the row,
    then commits. Returns a JSON-serialisable dict with ``status``,
    ``message`` and ``token``.
    """
    login = flask.g.login
    token = login.generate_auth_token()
    # Look up the existing Session row for this login (first match);
    # rotate its token in place, or create the row on first use.
    existing = Session.query.filter_by(login_id=login.id).first()
    if existing:
        existing.clear(token)
    else:
        db.session.add(Session(token=token, login_id=login.id))
    db.session.commit()
    return {'status': 200, 'message': 'OK', 'token': token}
def decorated(*args, **kwargs):
    """Authenticate a POST request, then hand it to the wrapped view ``f``.

    Credentials come from the form fields ``username``/``password`` when both
    are present, otherwise from the HTTP ``Authorization`` header
    (``request.authorization``). A non-POST request, missing credentials, an
    unknown or inactive user, or a failed ``verify_password`` is answered by
    ``self.auth_error_callback()``. On success ``g.login`` and ``g.session``
    are set and ``f(*args, **kwargs)`` is returned.

    The Session row added/rotated here is NOT committed in this function;
    presumably the wrapped view or a request teardown commits — verify.
    """
    if request.method != 'POST':
        return self.auth_error_callback()

    fields = request.form
    basic = request.authorization
    if 'username' in fields and 'password' in fields:
        username, password = str(fields['username']), str(fields['password'])
    elif basic:
        username, password = str(basic.username), str(basic.password)
    else:
        return self.auth_error_callback()

    # Login ids are derived deterministically from the username (uuid5 in
    # the OID namespace), so the lookup is a single primary-key query.
    account = Login.query.filter_by(
        id=uuid.uuid5(uuid.NAMESPACE_OID, username)).first()

    if not account or not account.active:
        # This branch never calls verify_password(), so without padding it
        # would answer measurably faster than the wrong-password branch
        # below and leak which usernames exist. Pad with a configured
        # delay jittered by +/-10%. Whether UNKNOWN_USER_TIMEOUT actually
        # approximates the cost of verify_password() is a deployment
        # setting — TODO confirm.
        base_delay = current_app.config['UNKNOWN_USER_TIMEOUT']
        jitter = random.uniform(-0.1, 0.1) * base_delay
        time.sleep(base_delay + jitter)
        return self.auth_error_callback()

    if not account.verify_password(password):
        # Known, active user but the supplied password did not verify.
        return self.auth_error_callback()

    # Authenticated: expose the login, then start or rotate its session.
    g.login = account
    token = account.generate_auth_token()
    sess = Session.query.filter_by(login_id=account.id).first()
    if sess:
        sess.clear(token)
    else:
        sess = Session(token=token, login_id=account.id)
        db.session.add(sess)
    g.session = sess

    return f(*args, **kwargs)