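def authorize():
    """Authorize a user with username and password.

    Credentials are read from the form body when the request is
    ``application/x-www-form-urlencoded``, otherwise from the ``username`` /
    ``password`` request headers.

    Returns:
        A JSON response ``{"access_token": ..., "refresh_token": ...}`` with
        ``Cache-Control: no-store`` and ``Pragma: no-cache`` set so the tokens
        are not retained by browser or proxy caches.

    Raises:
        BadRequest: when either credential is missing from the request.
        Unauthorized: when the credentials do not match a user, or the
            matched user is not active.
    """
    username, password = _read_credentials()
    if username is None or password is None:
        raise BadRequest()

    # Unknown user and wrong password raise the SAME message so the response
    # body does not reveal whether a username exists (account enumeration).
    # NOTE(review): response time still differs between the two paths because
    # the hash check is skipped for unknown users; verifying against a fixed
    # dummy hash in the not-found branch would close that gap.
    user = Users().find_one({"username": username})
    if user is None:
        raise Unauthorized("Invalid username or password")

    # Strip the hash from the document before it is handed to AccessToken;
    # a record without a hash can never authenticate.
    password_hash = user.pop("password_hash", None)
    if password_hash is None or not check_password_hash(password_hash, password):
        raise Unauthorized("Invalid username or password")

    # A record with no explicit "active" flag is treated as disabled.
    if not user.get("active", False):
        raise Unauthorized("Account is disabled.")

    access_token = AccessToken.encode(user)
    # The client only ever sees the refresh token as a JSON string, so store
    # the same string form; a later lookup then compares like with like.
    refresh_token = str(uuid4())
    RefreshTokens().insert_one({
        "token": refresh_token,
        "user_id": user["_id"],
        # NOTE(review): naive local time; whatever checks expire_time later
        # must use the same clock — confirm.
        "expire_time": datetime.now() + timedelta(days=30),
    })

    response = jsonify({
        "access_token": access_token,
        "refresh_token": refresh_token,
    })
    # Token responses must not be cached (RFC 6749 §5.1).
    response.headers["Cache-Control"] = "no-store"
    response.headers["Pragma"] = "no-cache"
    return response


def _read_credentials():
    """Return ``(username, password)`` from the request; either may be None.

    ``request.content_type`` is ``None`` for body-less requests, and
    ``"..." in None`` raises ``TypeError`` (a 500 instead of a 400), so a
    missing content type is treated as "not a form".
    """
    content_type = request.content_type or ""
    if "application/x-www-form-urlencoded" in content_type:
        return request.form.get("username"), request.form.get("password")
    return request.headers.get("username"), request.headers.get("password")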
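def authorize():
    """Authorize a user with username and password.

    On success, return a JSON object with an access and a refresh token.
    Credentials come from the form body for
    ``application/x-www-form-urlencoded`` requests and from the ``username``
    / ``password`` headers otherwise.

    Raises:
        BadRequest: if either credential is absent.
        Unauthorized: if the username is unknown or the password does not
            match. Both cases use the same (empty) message, so the response
            does not distinguish unknown from known usernames.
    """
    # request.content_type is None for body-less requests and "x" in None
    # raises TypeError (a 500 instead of a 400); normalise it first.
    content_type = request.content_type or ''
    is_form = 'application/x-www-form-urlencoded' in content_type
    source = request.form if is_form else request.headers
    username = source.get('username')
    password = source.get('password')
    if username is None or password is None:
        raise BadRequest()

    user = Users().find_one({'username': username})
    if user is None:
        raise Unauthorized()

    # Remove the hash before the document is passed on; a record without a
    # hash is rejected rather than raising KeyError.
    password_hash = user.pop('password_hash', None)
    if password_hash is None or not check_password_hash(password_hash, password):
        raise Unauthorized()

    access_token = AccessToken.encode(user)
    # Store the refresh token as the same string the client receives in the
    # JSON body, so the lookup on redemption compares equal types.
    refresh_token = str(uuid4())
    RefreshTokens().insert_one({
        'token': refresh_token,
        'user_id': user['_id'],
        # NOTE(review): naive local time; the expiry check must use the
        # same clock — confirm.
        'expire_time': datetime.now() + timedelta(days=30),
    })

    response = jsonify({
        'access_token': access_token,
        'refresh_token': refresh_token,
    })
    # Never let a token response be cached by browsers or intermediaries.
    response.headers['Cache-Control'] = 'no-store'
    response.headers['Pragma'] = 'no-cache'
    return response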