コード例 #1
0
ファイル: backends.py プロジェクト: aakash-cr7/zulip
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # This function needs to be imported from here due to the cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url)
        from zerver.views.registration import redirect_and_log_into_subdomain

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')

        if inactive_user or inactive_realm:
            return None

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)

        subdomain = strategy.session_get('subdomain')

        if not subdomain:
            return login_or_register_remote_user(request, email_address,
                                                 user_profile, full_name,
                                                 bool(invalid_subdomain))
        try:
            realm = Realm.objects.get(string_id=subdomain)
        except Realm.DoesNotExist:
            return redirect_to_subdomain_login_url()

        return redirect_and_log_into_subdomain(realm, full_name, email_address)
コード例 #2
0
ファイル: backends.py プロジェクト: yashagrawal3/zulip
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # This function needs to be imported from here due to the cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url)
        from zerver.views.registration import redirect_and_log_into_subdomain

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')

        if inactive_user or inactive_realm:
            return None

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)

        subdomain = strategy.session_get('subdomain')

        if not subdomain:
            return login_or_register_remote_user(request, email_address,
                                                 user_profile, full_name,
                                                 bool(invalid_subdomain))
        try:
            realm = Realm.objects.get(string_id=subdomain)
        except Realm.DoesNotExist:
            return redirect_to_subdomain_login_url()

        return redirect_and_log_into_subdomain(realm, full_name, email_address)
コード例 #3
0
    def process_do_auth(self, user_profile: UserProfile, *args: Any,
                        **kwargs: Any) -> Optional[HttpResponse]:
        # These functions need to be imported here to avoid cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url,
                                       redirect_and_log_into_subdomain)

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')
        invalid_email = return_data.get('invalid_email')

        if inactive_user or inactive_realm:
            # Redirect to login page. We can't send to registration
            # workflow with these errors. We will redirect to login page.
            return None

        if invalid_email:
            # In case of invalid email, we will end up on registration page.
            # This seems better than redirecting to login page.
            logging.warning("{} got invalid email argument.".format(
                self.auth_backend_name))
            return None

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)
        is_signup = strategy.session_get('is_signup') == '1'

        mobile_flow_otp = strategy.session_get('mobile_flow_otp')
        subdomain = strategy.session_get('subdomain')
        if not subdomain:
            # At least in our tests, this can be None; and it's not
            # clear what the exact semantics of `session_get` are or
            # what values it might return.  Historically we treated
            # any falsy value here as the root domain, so defensively
            # continue that behavior.
            subdomain = Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
        if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
                or mobile_flow_otp is not None):
            return login_or_register_remote_user(
                request,
                email_address,
                user_profile,
                full_name,
                invalid_subdomain=bool(invalid_subdomain),
                mobile_flow_otp=mobile_flow_otp,
                is_signup=is_signup)
        realm = get_realm(subdomain)
        if realm is None:
            return redirect_to_subdomain_login_url()
        return redirect_and_log_into_subdomain(realm,
                                               full_name,
                                               email_address,
                                               is_signup=is_signup)
コード例 #4
0
ファイル: backends.py プロジェクト: gnprice/zulip
    def process_do_auth(self, user_profile: UserProfile, *args: Any,
                        **kwargs: Any) -> Optional[HttpResponse]:
        # These functions need to be imported here to avoid cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url,
                                       redirect_and_log_into_subdomain)

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')
        invalid_email = return_data.get('invalid_email')

        if inactive_user or inactive_realm:
            # Redirect to login page. We can't send to registration
            # workflow with these errors. We will redirect to login page.
            return None

        if invalid_email:
            # In case of invalid email, we will end up on registration page.
            # This seems better than redirecting to login page.
            logging.warning(
                "{} got invalid email argument.".format(self.auth_backend_name)
            )
            return None

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)
        is_signup = strategy.session_get('is_signup') == '1'

        mobile_flow_otp = strategy.session_get('mobile_flow_otp')
        subdomain = strategy.session_get('subdomain')
        if not subdomain:
            # At least in our tests, this can be None; and it's not
            # clear what the exact semantics of `session_get` are or
            # what values it might return.  Historically we treated
            # any falsy value here as the root domain, so defensively
            # continue that behavior.
            subdomain = Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
        if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
                or mobile_flow_otp is not None):
            return login_or_register_remote_user(request, email_address,
                                                 user_profile, full_name,
                                                 invalid_subdomain=bool(invalid_subdomain),
                                                 mobile_flow_otp=mobile_flow_otp,
                                                 is_signup=is_signup)
        realm = get_realm(subdomain)
        if realm is None:
            return redirect_to_subdomain_login_url()
        return redirect_and_log_into_subdomain(realm, full_name, email_address,
                                               is_signup=is_signup)
コード例 #5
0
ファイル: backends.py プロジェクト: xyzyx233/zulip
    def process_do_auth(self, user_profile: UserProfile, *args: Any,
                        **kwargs: Any) -> Optional[HttpResponse]:
        # These functions need to be imported here to avoid cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url,
                                       redirect_and_log_into_subdomain)

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')
        invalid_email = return_data.get('invalid_email')

        if inactive_user or inactive_realm:
            # Redirect to login page. We can't send to registration
            # workflow with these errors. We will redirect to login page.
            return None

        if invalid_email:
            # In case of invalid email, we will end up on registration page.
            # This seems better than redirecting to login page.
            logging.warning("{} got invalid email argument.".format(
                self.auth_backend_name))
            return None

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)
        is_signup = strategy.session_get('is_signup') == '1'
        redirect_to = strategy.session_get('next')

        mobile_flow_otp = strategy.session_get('mobile_flow_otp')
        subdomain = strategy.session_get('subdomain')
        assert subdomain is not None
        if mobile_flow_otp is not None:
            return login_or_register_remote_user(
                request,
                email_address,
                user_profile,
                full_name,
                invalid_subdomain=bool(invalid_subdomain),
                mobile_flow_otp=mobile_flow_otp,
                is_signup=is_signup,
                redirect_to=redirect_to)
        realm = get_realm(subdomain)
        if realm is None:
            return redirect_to_subdomain_login_url()
        return redirect_and_log_into_subdomain(realm,
                                               full_name,
                                               email_address,
                                               is_signup=is_signup,
                                               redirect_to=redirect_to)
コード例 #6
0
ファイル: backends.py プロジェクト: christi3k/zulip
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # These functions need to be imported here to avoid cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url)
        from zerver.views.registration import redirect_and_log_into_subdomain

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')
        invalid_email = return_data.get('invalid_email')

        if inactive_user or inactive_realm:
            # Redirect to login page. We can't send to registration
            # workflow with these errors. We will redirect to login page.
            return None

        if invalid_email:
            # In case of invalid email, we will end up on registration page.
            # This seems better than redirecting to login page.
            logging.warning(
                "{} got invalid email argument.".format(self.auth_backend_name)
            )

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)
        is_signup = strategy.session_get('is_signup') == '1'

        subdomain = strategy.session_get('subdomain')
        if not subdomain:
            return login_or_register_remote_user(request, email_address,
                                                 user_profile, full_name,
                                                 invalid_subdomain=bool(invalid_subdomain),
                                                 is_signup=is_signup)
        try:
            realm = Realm.objects.get(string_id=subdomain)
        except Realm.DoesNotExist:
            return redirect_to_subdomain_login_url()

        return redirect_and_log_into_subdomain(realm, full_name, email_address,
                                               is_signup=is_signup)
コード例 #7
0
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # These functions need to be imported here to avoid cyclic
        # dependency.
        from zerver.views.auth import (login_or_register_remote_user,
                                       redirect_to_subdomain_login_url)
        from zerver.views.registration import redirect_and_log_into_subdomain

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')
        invalid_email = return_data.get('invalid_email')

        if inactive_user or inactive_realm:
            # Redirect to login page. We can't send to registration
            # workflow with these errors. We will redirect to login page.
            return None

        if invalid_email:
            # In case of invalid email, we will end up on registration page.
            # This seems better than redirecting to login page.
            logging.warning("{} got invalid email argument.".format(
                self.auth_backend_name))

        strategy = self.strategy  # type: ignore # This comes from Python Social Auth.
        request = strategy.request
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)

        subdomain = strategy.session_get('subdomain')

        if not subdomain:
            return login_or_register_remote_user(request, email_address,
                                                 user_profile, full_name,
                                                 bool(invalid_subdomain))
        try:
            realm = Realm.objects.get(string_id=subdomain)
        except Realm.DoesNotExist:
            return redirect_to_subdomain_login_url()

        return redirect_and_log_into_subdomain(realm, full_name, email_address)
コード例 #8
0
ファイル: backends.py プロジェクト: galexrt/zulip
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # This function needs to be imported from here due to the cyclic
        # dependency.
        from zerver.views.auth import login_or_register_remote_user

        return_data = kwargs.get("return_data", {})

        inactive_user = return_data.get("inactive_user")
        inactive_realm = return_data.get("inactive_realm")
        invalid_subdomain = return_data.get("invalid_subdomain")

        if inactive_user or inactive_realm:
            return None

        request = self.strategy.request  # type: ignore # This comes from Python Social Auth.
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)

        return login_or_register_remote_user(request, email_address, user_profile, full_name, bool(invalid_subdomain))
コード例 #9
0
    def process_do_auth(self, user_profile, *args, **kwargs):
        # type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
        # This function needs to be imported from here due to the cyclic
        # dependency.
        from zerver.views.auth import login_or_register_remote_user

        return_data = kwargs.get('return_data', {})

        inactive_user = return_data.get('inactive_user')
        inactive_realm = return_data.get('inactive_realm')
        invalid_subdomain = return_data.get('invalid_subdomain')

        if inactive_user or inactive_realm:
            return None

        request = self.strategy.request  # type: ignore # This comes from Python Social Auth.
        email_address = self.get_email_address(*args, **kwargs)
        full_name = self.get_full_name(*args, **kwargs)

        return login_or_register_remote_user(request, email_address,
                                             user_profile, full_name,
                                             bool(invalid_subdomain))
コード例 #10
0
ファイル: backends.py プロジェクト: sumepr/zulip
def social_auth_finish(backend: Any,
                       details: Dict[str, Any],
                       response: HttpResponse,
                       *args: Any,
                       **kwargs: Any) -> Optional[UserProfile]:
    """Given the determination in social_auth_associate_user for whether
    the user should be authenticated, this takes care of actually
    logging in the user (if appropriate) and redirecting the browser
    to the appropriate next page depending on the situation.  Read the
    comments below as well as login_or_register_remote_user in
    `zerver/views/auth.py` for the details on how that dispatch works.
    """
    from zerver.views.auth import (login_or_register_remote_user,
                                   redirect_and_log_into_subdomain)

    user_profile = kwargs['user_profile']
    return_data = kwargs['return_data']

    no_verified_email = return_data.get("email_not_verified")
    auth_backend_disabled = return_data.get('auth_backend_disabled')
    inactive_user = return_data.get('inactive_user')
    inactive_realm = return_data.get('inactive_realm')
    invalid_realm = return_data.get('invalid_realm')
    invalid_email = return_data.get('invalid_email')
    auth_failed_reason = return_data.get("social_auth_failed_reason")
    email_not_associated = return_data.get("email_not_associated")

    if invalid_realm:
        from zerver.views.auth import redirect_to_subdomain_login_url
        return redirect_to_subdomain_login_url()

    if inactive_user:
        return redirect_deactivated_user_to_login()

    if auth_backend_disabled or inactive_realm or no_verified_email or email_not_associated:
        # Redirect to login page. We can't send to registration
        # workflow with these errors. We will redirect to login page.
        return None

    if invalid_email:
        # In case of invalid email, we will end up on registration page.
        # This seems better than redirecting to login page.
        logging.warning(
            "{} got invalid email argument.".format(backend.auth_backend_name)
        )
        return None

    if auth_failed_reason:
        logging.info(auth_failed_reason)
        return None

    # Structurally, all the cases where we don't have an authenticated
    # email for the user should be handled above; this assertion helps
    # prevent any violations of that contract from resulting in a user
    # being incorrectly authenticated.
    assert return_data.get('valid_attestation') is True

    strategy = backend.strategy
    email_address = return_data['validated_email']
    full_name = return_data['full_name']
    is_signup = strategy.session_get('is_signup') == '1'
    redirect_to = strategy.session_get('next')
    realm = Realm.objects.get(id=return_data["realm_id"])
    multiuse_object_key = strategy.session_get('multiuse_object_key', '')
    mobile_flow_otp = strategy.session_get('mobile_flow_otp')

    # At this point, we have now confirmed that the user has
    # demonstrated control over the target email address.
    #
    # The next step is to call login_or_register_remote_user, but
    # there are two code paths here because of an optimization to save
    # a redirect on mobile.

    if mobile_flow_otp is not None:
        # For mobile app authentication, login_or_register_remote_user
        # will redirect to a special zulip:// URL that is handled by
        # the app after a successful authentication; so we can
        # redirect directly from here, saving a round trip over what
        # we need to do to create session cookies on the right domain
        # in the web login flow (below).
        return login_or_register_remote_user(strategy.request, email_address,
                                             user_profile, full_name,
                                             mobile_flow_otp=mobile_flow_otp,
                                             is_signup=is_signup,
                                             redirect_to=redirect_to)

    # If this authentication code were executing on
    # subdomain.zulip.example.com, we would just call
    # login_or_register_remote_user as in the mobile code path.
    # However, because third-party SSO providers generally don't allow
    # wildcard addresses in their redirect URLs, for multi-realm
    # servers, we will have just completed authentication on e.g.
    # auth.zulip.example.com (depending on
    # settings.SOCIAL_AUTH_SUBDOMAIN), which cannot store cookies on
    # the subdomain.zulip.example.com domain.  So instead we serve a
    # redirect (encoding the authentication result data in a
    # cryptographically signed token) to a route on
    # subdomain.zulip.example.com that will verify the signature and
    # then call login_or_register_remote_user.
    return redirect_and_log_into_subdomain(realm, full_name, email_address,
                                           is_signup=is_signup,
                                           redirect_to=redirect_to,
                                           multiuse_object_key=multiuse_object_key)
コード例 #11
0
ファイル: backends.py プロジェクト: teamnsrg/zulip
def social_auth_finish(backend: Any, details: Dict[str, Any],
                       response: HttpResponse, *args: Any,
                       **kwargs: Any) -> Optional[UserProfile]:
    from zerver.views.auth import (login_or_register_remote_user,
                                   redirect_and_log_into_subdomain)

    user_profile = kwargs['user_profile']
    return_data = kwargs['return_data']

    no_verified_email = return_data.get("email_not_verified")
    auth_backend_disabled = return_data.get('auth_backend_disabled')
    inactive_user = return_data.get('inactive_user')
    inactive_realm = return_data.get('inactive_realm')
    invalid_realm = return_data.get('invalid_realm')
    invalid_subdomain = return_data.get('invalid_subdomain')
    invalid_email = return_data.get('invalid_email')
    auth_failed_reason = return_data.get("social_auth_failed_reason")

    if invalid_realm:
        from zerver.views.auth import redirect_to_subdomain_login_url
        return redirect_to_subdomain_login_url()
    if auth_backend_disabled or inactive_user or inactive_realm or no_verified_email:
        # Redirect to login page. We can't send to registration
        # workflow with these errors. We will redirect to login page.
        return None

    if invalid_email:
        # In case of invalid email, we will end up on registration page.
        # This seems better than redirecting to login page.
        logging.warning("{} got invalid email argument.".format(
            backend.auth_backend_name))
        return None

    if auth_failed_reason:
        logging.info(auth_failed_reason)
        return None

    # Structurally, all the cases where we don't have an authenticated
    # email for the user should be handled above; this assertion helps
    # prevent any violations of that contract from resulting in a user
    # being incorrectly authenticated.
    assert return_data.get('valid_attestation') is True

    strategy = backend.strategy  # type: ignore # This comes from Python Social Auth.
    email_address = return_data['validated_email']
    full_name = return_data['full_name']
    is_signup = strategy.session_get('is_signup') == '1'
    redirect_to = strategy.session_get('next')
    realm = Realm.objects.get(id=return_data["realm_id"])

    mobile_flow_otp = strategy.session_get('mobile_flow_otp')
    if mobile_flow_otp is not None:
        return login_or_register_remote_user(
            strategy.request,
            email_address,
            user_profile,
            full_name,
            invalid_subdomain=bool(invalid_subdomain),
            mobile_flow_otp=mobile_flow_otp,
            is_signup=is_signup,
            redirect_to=redirect_to)
    return redirect_and_log_into_subdomain(realm,
                                           full_name,
                                           email_address,
                                           is_signup=is_signup,
                                           redirect_to=redirect_to)
コード例 #12
0
ファイル: backends.py プロジェクト: deltay/zulip
def social_auth_finish(backend: Any,
                       details: Dict[str, Any],
                       response: HttpResponse,
                       *args: Any,
                       **kwargs: Any) -> Optional[UserProfile]:
    """Given the determination in social_auth_associate_user for whether
    the user should be authenticated, this takes care of actually
    logging in the user (if appropriate) and redirecting the browser
    to the appropriate next page depending on the situation.  Read the
    comments below as well as login_or_register_remote_user in
    `zerver/views/auth.py` for the details on how that dispatch works.
    """
    from zerver.views.auth import (login_or_register_remote_user,
                                   redirect_and_log_into_subdomain)

    user_profile = kwargs['user_profile']
    return_data = kwargs['return_data']

    no_verified_email = return_data.get("email_not_verified")
    auth_backend_disabled = return_data.get('auth_backend_disabled')
    inactive_user = return_data.get('inactive_user')
    inactive_realm = return_data.get('inactive_realm')
    invalid_realm = return_data.get('invalid_realm')
    invalid_subdomain = return_data.get('invalid_subdomain')
    invalid_email = return_data.get('invalid_email')
    auth_failed_reason = return_data.get("social_auth_failed_reason")

    if invalid_realm:
        from zerver.views.auth import redirect_to_subdomain_login_url
        return redirect_to_subdomain_login_url()
    if auth_backend_disabled or inactive_user or inactive_realm or no_verified_email:
        # Redirect to login page. We can't send to registration
        # workflow with these errors. We will redirect to login page.
        return None

    if invalid_email:
        # In case of invalid email, we will end up on registration page.
        # This seems better than redirecting to login page.
        logging.warning(
            "{} got invalid email argument.".format(backend.auth_backend_name)
        )
        return None

    if auth_failed_reason:
        logging.info(auth_failed_reason)
        return None

    # Structurally, all the cases where we don't have an authenticated
    # email for the user should be handled above; this assertion helps
    # prevent any violations of that contract from resulting in a user
    # being incorrectly authenticated.
    assert return_data.get('valid_attestation') is True

    strategy = backend.strategy  # type: ignore # This comes from Python Social Auth.
    email_address = return_data['validated_email']
    full_name = return_data['full_name']
    is_signup = strategy.session_get('is_signup') == '1'
    redirect_to = strategy.session_get('next')
    realm = Realm.objects.get(id=return_data["realm_id"])
    multiuse_object_key = strategy.session_get('multiuse_object_key', '')
    mobile_flow_otp = strategy.session_get('mobile_flow_otp')

    # At this point, we have now confirmed that the user has
    # demonstrated control over the target email address.
    #
    # The next step is to call login_or_register_remote_user, but
    # there are two code paths here because of an optimization to save
    # a redirect on mobile.

    if mobile_flow_otp is not None:
        # For mobile app authentication, login_or_register_remote_user
        # will redirect to a special zulip:// URL that is handled by
        # the app after a successful authentication; so we can
        # redirect directly from here, saving a round trip over what
        # we need to do to create session cookies on the right domain
        # in the web login flow (below).
        return login_or_register_remote_user(strategy.request, email_address,
                                             user_profile, full_name,
                                             invalid_subdomain=bool(invalid_subdomain),
                                             mobile_flow_otp=mobile_flow_otp,
                                             is_signup=is_signup,
                                             redirect_to=redirect_to)

    # If this authentication code were executing on
    # subdomain.zulip.example.com, we would just call
    # login_or_register_remote_user as in the mobile code path.
    # However, because third-party SSO providers generally don't allow
    # wildcard addresses in their redirect URLs, for multi-realm
    # servers, we will have just completed authentication on e.g.
    # auth.zulip.example.com (depending on
    # settings.SOCIAL_AUTH_SUBDOMAIN), which cannot store cookies on
    # the subdomain.zulip.example.com domain.  So instead we serve a
    # redirect (encoding the authentication result data in a
    # cryptographically signed token) to a route on
    # subdomain.zulip.example.com that will verify the signature and
    # then call login_or_register_remote_user.
    return redirect_and_log_into_subdomain(realm, full_name, email_address,
                                           is_signup=is_signup,
                                           redirect_to=redirect_to,
                                           multiuse_object_key=multiuse_object_key)
コード例 #13
0
ファイル: backends.py プロジェクト: phansen01/zulip
def social_auth_finish(backend: Any,
                       details: Dict[str, Any],
                       response: HttpResponse,
                       *args: Any,
                       **kwargs: Any) -> Optional[UserProfile]:
    from zerver.views.auth import (login_or_register_remote_user,
                                   redirect_and_log_into_subdomain)

    user_profile = kwargs['user_profile']
    return_data = kwargs['return_data']

    auth_backend_disabled = return_data.get('auth_backend_disabled')
    inactive_user = return_data.get('inactive_user')
    inactive_realm = return_data.get('inactive_realm')
    invalid_realm = return_data.get('invalid_realm')
    invalid_subdomain = return_data.get('invalid_subdomain')
    invalid_email = return_data.get('invalid_email')
    auth_failed_reason = return_data.get("social_auth_failed_reason")

    if invalid_realm:
        from zerver.views.auth import redirect_to_subdomain_login_url
        return redirect_to_subdomain_login_url()
    if auth_backend_disabled or inactive_user or inactive_realm:
        # Redirect to login page. We can't send to registration
        # workflow with these errors. We will redirect to login page.
        return None

    if invalid_email:
        # In case of invalid email, we will end up on registration page.
        # This seems better than redirecting to login page.
        logging.warning(
            "{} got invalid email argument.".format(backend.auth_backend_name)
        )
        return None

    if auth_failed_reason:
        logging.info(auth_failed_reason)
        return None

    # Structurally, all the cases where we don't have an authenticated
    # email for the user should be handled above; this assertion helps
    # prevent any violations of that contract from resulting in a user
    # being incorrectly authenticated.
    assert return_data.get('valid_attestation') is True

    strategy = backend.strategy  # type: ignore # This comes from Python Social Auth.
    email_address = return_data['validated_email']
    full_name = return_data['full_name']
    is_signup = strategy.session_get('is_signup') == '1'
    redirect_to = strategy.session_get('next')
    realm = return_data["realm"]

    mobile_flow_otp = strategy.session_get('mobile_flow_otp')
    if mobile_flow_otp is not None:
        return login_or_register_remote_user(strategy.request, email_address,
                                             user_profile, full_name,
                                             invalid_subdomain=bool(invalid_subdomain),
                                             mobile_flow_otp=mobile_flow_otp,
                                             is_signup=is_signup,
                                             redirect_to=redirect_to)
    return redirect_and_log_into_subdomain(realm, full_name, email_address,
                                           is_signup=is_signup,
                                           redirect_to=redirect_to)