def test_login_authorization_has_valid_refresh_token(self):
response = self.test_client.post('/api/auth', content_type="application/json",
data=json.dumps(dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = decode_token(key['refresh_token'])
self.assertEqual(token['type'], 'refresh')
self.assertEqual(token['identity'], self.admin_user_id)
def test_login_authorization_has_valid_access_token(self):
response = self.test_client.post('/api/auth', content_type="application/json",
data=json.dumps(dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = decode_token(key['access_token'])
self.assertEqual(token['type'], 'access')
self.assertEqual(token['identity'], self.admin_user_id)
self.assertTrue(token['fresh'])
self.assertDictEqual(token['user_claims'], {'username': '******', 'roles': [self.admin_role_id]})
def __func():
data = request.get_json()
refresh_token = data.get('refresh_token', None) if data else None
if refresh_token is None:
return Problem(BAD_REQUEST, 'Could not logout.', 'A refresh token is required to logout.')
decoded_refresh_token = decode_token(refresh_token)
refresh_token_identity = decoded_refresh_token[current_app.config['JWT_IDENTITY_CLAIM']]
user_id = get_jwt_identity()
if user_id == refresh_token_identity:
user = User.query.filter(User.id == user_id).first()
if user is not None:
user.logout()
revoke_token(decode_token(refresh_token))
return None, NO_CONTENT
else:
return Problem(
BAD_REQUEST,
'Could not logout.',
'The identity of the refresh token does not match the identity of the authentication token.')
def test_logout(self):
response = self.test_client.post('/api/auth', content_type="application/json",
data=json.dumps(dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
access_token = key['access_token']
refresh_token = key['refresh_token']
headers = {'Authorization': 'Bearer {}'.format(access_token)}
response = self.test_client.post('/api/auth/logout', headers=headers, content_type="application/json",
data=json.dumps(dict(refresh_token=refresh_token)))
refresh_token = decode_token(refresh_token)
refresh_token_jti = refresh_token['jti']
self.assertEqual(response.status_code, NO_CONTENT)
tokens = BlacklistedToken.query.filter_by(jti=refresh_token_jti).all()
self.assertEqual(len(tokens), 1)
def test_refresh_valid_token_yields_access_token(self):
response = self.test_client.post('/api/auth', content_type="application/json",
data=json.dumps(dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
headers = {'Authorization': 'Bearer {}'.format(key['refresh_token'])}
refresh = self.test_client.post('/api/auth/refresh', content_type="application/json", headers=headers)
self.assertEqual(refresh.status_code, OBJECT_CREATED)
key = json.loads(refresh.get_data(as_text=True))
self.assertSetEqual(set(key.keys()), {'access_token'})
token = decode_token(key['access_token'])
self.assertEqual(token['type'], 'access')
self.assertEqual(token['identity'], self.admin_user_id)
self.assertFalse(token['fresh'])
def login(email_or_token, password=None):
if password:
email = email_or_token
try:
u = User.objects(email=email)[0]
except:
return None
if u.check_password(password):
return u
else:
return None
else:
token = email_or_token
identity = decode_token(token)["identity"]
return User.from_identity(identity)
def test_login_authorization_has_valid_access_token(self):
response = self.test_client.post('/api/auth',
content_type="application/json",
data=json.dumps(
dict(username='******',
password='******')))
key = json.loads(response.get_data(as_text=True))
token = decode_token(key['access_token'])
self.assertEqual(token['type'], 'access')
self.assertEqual(token['identity'], self.admin_user_id)
self.assertTrue(token['fresh'])
self.assertDictEqual(token['user_claims'], {
'username': '******',
'roles': [self.admin_role_id]
})
def update_email(token):
""" update email verifying it and set status to true"""
try:
token_data = decode_token(token)
email = token_data['email']
username = token_data['username']
except Exception:
raise MyException('please click the link to verify your email', status_code=404)
user = User.query.filter(User.username == username).first()
if user is None:
raise MyException('invalid user', status_code=404)
user.email = email
db.session.commit()
user.email_status = True
return {"updated_email": email}
def info_from_jwt(token):
"""
Check and retrieve authentication information from custom bearer token.
Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
:param token Token provided by Authorization header
:type token: str
:return: Decoded token information or None if token is invalid
:rtype: dict | None
"""
if token:
return decode_token(token)
return None
def wrapper(*args, **kwds):
try:
token = decode_token(request.cookies.get('access_token_cookie'),
request.cookies.get('csrf_access_token'))
if token.get('identity') == None:
print("rediretc")
return redirect("/unauthorized"), 302
except ExpiredSignatureError as e:
pass
except Exception as e:
return redirect("/unauthorized"), 302
return route(*args, **kwds)
def _decode_token(request_type: TokenType,
token_location: TokenLocation) -> Union[dict, None]:
encoded_token = None
if token_location == TokenLocation.HEADERS:
encoded_token = _get_encoded_token(request_type, _get_header_names,
_get_header_token)
elif token_location == TokenLocation.QUERY_STRING:
encoded_token = _get_encoded_token(request_type,
_get_query_param_names,
_get_query_param_token)
decoded_token = decode_token(encoded_token)
verify_token_type(decoded_token, expected_type=request_type.value)
return decoded_token
def add_to_db(cls, encoded_token, identity_claim):
decoded_token = decode_token(encoded_token)
jti = decoded_token['jti']
token_type = decoded_token['type']
user_identity = decoded_token[identity_claim]
expires = datetime.fromtimestamp(decoded_token['exp'])
revoked = False
db_token = TokenList(jti=jti,
token_type=token_type,
user_identity=user_identity,
expires=expires,
revoked=revoked)
db.session.add(db_token)
db.session.commit()
def store_token(encoded_token):
decoded_token = decode_token(encoded_token)
token_type = {
'access': TokenType.access_token.value,
'refresh': TokenType.refresh_token.value
}.get(decoded_token['type'])
expires = datetime.datetime.utcfromtimestamp(decoded_token['exp'])
token_object = JsonWebToken(jti=decoded_token['jti'],
token_type=token_type,
user_id=int(decoded_token['identity']),
expires=expires)
db.session.add(token_object)
db.session.commit()
def test_new_token(self, db_session, test_user):
token_user, _ = test_user
test_token = jwt_create_access_token(identity=token_user.public_id, fresh=False)
decoded_test_token = decode_token(test_token)
# create token and add to database
token_values = {'encoded_token': test_token, 'user_identity': token_user.public_id}
db_session.add(models.Token(**token_values))
db_session.commit()
# test values
new_token = services.get_token_by_jti(jti=decoded_test_token['jti'])
assert new_token.jti
assert new_token.type == 'access'
assert new_token.revoked is not None
assert new_token.expires
assert new_token.user_public_id == token_user.public_id
def add_token_to_database(encoded_token, identity_claim):
"""
Adds a new token to the database. It is not revoked when it is added.
:param identity_claim:
"""
decoded_token = decode_token(encoded_token)
db_token = TokenBlacklist(
jti=decoded_token['jti'],
token_type=decoded_token['type'],
user_identity=decoded_token[identity_claim],
expires=datetime.datetime.fromtimestamp(decoded_token['exp']),
revoked=False,
)
db.session.add(db_token)
db.session.commit()
def post(self):
args = parser.parse_args()
access_token = args['access_token']
user_id = decode_token(access_token)['identity']
client = MongoClient('mongodb://localhost:27017')
db = client.pookle
collection = db.users
users = collection.find()
for user in users:
if user['id'] == user_id:
current_user = {
'id': user['id'],
}
return current_user
return {'id': ''}
def wrapper(*args, **kwargs):
from flask import redirect, session, request
from flask_jwt_extended import decode_token
from datetime import datetime
# attempt to grab the jwt from request
try:
token = session.get("access_token", None)
except:
token = None
jwt_data = decode_token(token) if token != None else None
# if the grab worked and the identity key is in the dict then proceed
if jwt_data and jwt_data.get("exp", 0) >= int(datetime.now().strftime('%s')):
return func(*args, **kwargs)
else:
return redirect(f'/login?msg=Require Login&rurl={request.path}', code=302)
def post(self):
body = request.get_json(force=True)
#print(body.get('reset_token'))
_id = decode_token(body.get('access_token'))['identity']
print(col.find_one({"_id": _id}).get('username'))
bvalue = bytes(body.get('password'), 'utf-8')
temp_hash = bcrypt.hashpw(bvalue, bcrypt.gensalt())
col.update_one({"_id": _id},
{"$set": {
'password': temp_hash.decode('utf-8')
}})
return 'Your password has been reset successfully!'
def getRate():
try:
user_id = decode_token(
request.headers.get('Authorization')).get('identity')
movie_id = db.session.query(Link).filter_by(
imdbID=request.args.get('movieId')).first().movie_id
user_rate = db.session.query(Rate).filter_by(
user_id=user_id).filter_by(movie_id=movie_id).first()
if user_rate:
return {"rate": user_rate.rate}
else:
return {"rate": 0}
except Exception as e:
print(str(e))
return {"rate": 0}
def test_no_user_claims(app, user_loader_return):
jwtM = get_jwt_manager(app)
@jwtM.user_claims_loader
def empty_user_loader_return(identity):
return user_loader_return
# Identity should not be in the actual token, but should be in the data
# returned via the decode_token call
with app.test_request_context():
token = create_access_token('username')
pure_decoded = jwt.decode(token, config.decode_key, algorithms=[config.algorithm])
assert config.user_claims not in pure_decoded
extension_decoded = decode_token(token)
assert config.user_claims in extension_decoded
def add_token_to_db(encoded_token, identity_claim):
decoded_token = decode_token(encoded_token)
jti = decoded_token['jti']
token_type = decoded_token['type']
user_id = decoded_token[identity_claim].get('id')
expires = posix_utc_to_datetime(decoded_token['exp'])
revoked = False
db_token = TokenBlacklist(jti=jti,
token_type=token_type,
user_id=user_id,
expires=expires,
revoked=revoked)
db.session.add(db_token)
db.session.commit()
def get(self):
identity = get_jwt_identity()
access_token = create_access_token(identity=identity)
access_token_details = decode_token(access_token)
response = jsonify({
"msg":
"refresh successful",
"access_token":
access_token,
"access_token_lifetime":
access_token_details['exp'] - int(time.time()),
})
# set_access_cookies(response, access_token)
return response
def test_create_new_user():
with app.app_context():
with patch(context + ".database") as mock:
mock.users.find_one.return_value = valid_doc
assert not create_new_user("user", pwd)
mock.users.find_one.return_value = None
insert_ack = MagicMock()
insert_ack.acknowledged = True
mock.users.insert_one.return_value = insert_ack
result = create_new_user("user", pwd)
assert decode_token(result)["identity"] == "user"
def user_profile():
# get the access token from the authorization header
auth_header = request.headers.get('Authorization')
access_token = auth_header.split(" ")[1]
if access_token:
decoded_token = decode_token(access_token)
email = decoded_token["identity"]
user = User.query.filter_by(email=email).first()
if user:
result = user_schema.dump(user)
return jsonify(result)
else:
return jsonify(message="Sorry, could not find your profile"), 404
else:
return jsonify(message="Could not find Access Token"), 401
def wrapper(*args, **kwargs):
log.info("Is Authenticated Decorator.")
user_data = get_jwt_identity()
log.info(user_data)
user_obj = User.query.filter_by(email=user_data['email']).one()
setattr(request, 'user', user_obj)
setattr(request, 'auth_token', request.cookies['x-access-token'])
token_extra_details = decode_token(request.cookies['x-access-token'])
token_data = {
'iat': token_extra_details['iat'],
'exp': token_extra_details['exp'],
'identity': token_extra_details['identity'],
'token': request.cookies['x-access-token']
}
setattr(request, 'token_data', token_data)
return fn(*args, **kwargs)
def test_user_login(test_client):
login_body = {
"email": "*****@*****.**",
"password": "******",
}
expected_jwt_id = 1
expected_response_status = 201
actual_response = test_client.post("/api/users/login", json=login_body)
actual_status = actual_response.status_code
actual_response_token = actual_response.get_json().get("access_token")
actual_jwt_id = decode_token(actual_response_token).get("sub")
assert expected_response_status == actual_status
assert expected_jwt_id == actual_jwt_id
def on_join():
token = request.args.get('token')
if token:
try:
decoded_token = decode_token(token)
user = User.query.filter_by(
email=decoded_token['identity']).first()
room = user.device_id
if room:
join_room(room)
print(f'User {user.name} joined {user.device_id}')
except Exception:
# on any jwt error
raise ConnectionRefusedError('unauthorized!')
else:
raise ConnectionRefusedError('unauthorized!')
def get(self):
data = request.headers.get('Authorization').split(" ")[1]
try:
email = decode_token(data)
if email["identity"]:
user = UserModel.get_user_by_email(email["identity"])
response = jsonify({
"user": user_schema.dump(user),
"success": True,
"code": 200
})
response.status_code = 200
return response
except:
abort(400)
def parse_jwt():
if request.headers.has_key("AUTH_TOKEN"):
authToken = request.headers["AUTH_TOKEN"]
try:
loginInfo = decode_token(authToken[7:])
g.email = loginInfo['identity'][0]
g.user_type = loginInfo['identity'][1]
g.logged_in = True
except Exception:
g.logged_in = False
elif "DEBUG_TOKEN" in app.config and app.config["DEBUG_TOKEN"]:
g.email = app.config["DEBUG_EMAIL"]
g.user_type = app.config["DEBUG_USER_TYPE"]
g.logged_in = app.config["DEBUG_LOGGED_IN"]
else:
g.logged_in = False
def test_user_login(
test_client: flask.testing.FlaskClient, db: flask_sqlalchemy.SQLAlchemy
) -> None:
r = test_client.post(
'/user/', data={'email': '*****@*****.**', 'password': '******'}
)
user_id = r.get_json()['id']
r = test_client.post(
'/user/login', data={'email': '*****@*****.**', 'password': '******'}
)
access_token = r.get_json()['access_token']
identity = flask_jwt_extended.decode_token(access_token)['identity']
assert identity == user_id
def on_join(data):
try:
token = decode_token(data['accessToken'])
except (exceptions.ExpiredSignatureError, exceptions.DecodeError, KeyError):
return
user = User.query.filter(User.id==token['identity'], User.status>=1).first()
if not user:
return
login_user(user)
join_room(f'{current_user.id}')
if current_user.group:
join_room(f'{current_user.group.id}')
join_room('all')
join_room('deployments')
handle_join_deployment(user, data)
emit('CONNECTED', {'code': 200})
def add_token_to_database(encoded_token, user_identity):
decoded_token = decode_token(encoded_token)
jti = decoded_token['jti']
token_type = decoded_token['type']
expires = decoded_token['exp']
revoked = False
db_token = TokenBlacklist(
jti=jti,
token_type=token_type,
user_identity=user_identity,
expires=expires,
revoked=revoked,
)
db.session.add(db_token)
db.session.commit()
def reset_password():
body = _load_body()
reset_token = body.get('reset_token')
password = body.get('password')
if not reset_token or not password:
return response_bad_request('both reset_token and password required')
# TODO: validation
user_id = decode_token(reset_token)['identity'] # *
user = crud.update_user_password(user_id, password)
send_email(
[user.email],
'[Movie-bag] Password reset successful',
'email/reset_password_done',
)
def login():
if current_user.is_authenticated:
return redirect(url_for('home_blueprint.home'))
form = LoginForm(request.form)
if request.method == 'GET':
return render_template('login.html', form=form)
else:
if not form.validate_on_submit():
return render_template('login.html', form=form)
try:
# Should be data and not json (endpoint expects form body)
data = requests.post('http://api:8080/api/v1/auth/access-token',
data={
'username': form.email.data,
'password': form.password.data
})
if data.status_code == 200:
user = User()
decoded_token = decode_token(data.json()['access_token'])
user.id = decoded_token['sub']
session['token'] = data.json()['access_token']
session['token_exp'] = decoded_token['exp']
login_user(user)
next = request.args.get('next')
if not is_safe_url(next):
return abort(400)
return redirect(next or url_for('home_blueprint.home'))
else:
return render_template('login.html',
data={
'username': form.email.data,
'password': form.password.data,
'error': data.json()['detail']
},
api_headers=data.headers,
form=form)
except Exception as e:
print(e)
return "Some very good exception handling!"
def create_refresh_token(cls, refresh_token, user_agent):
new_token = {}
token = cls._verify_refresh_token(refresh_token, user_agent)
token_data = decode_token(refresh_token)
new_access_token = create_access_token(token_data.get('sub'))
new_token['accessToken'] = new_access_token
# refresh token 의 유효 기간이 3일 미만일 경우 refresh_token 또한 재발급.
if (token_data.get('exp') - time()) < 259200:
new_refresh_token = create_refresh_token(token_data.get('sub'))
token.refresh_token = new_refresh_token
new_token['refreshToken'] = new_refresh_token
db.session.commit()
return new_token
def test_refresh_invalid_user_blacklists_token(self):
user = add_user(username='******', password='******')
db.session.commit()
response = self.test_client.post('/api/auth', content_type="application/json",
data=json.dumps(dict(username='******', password='******')))
key = json.loads(response.get_data(as_text=True))
token = key['refresh_token']
db.session.delete(user)
db.session.commit()
headers = {'Authorization': 'Bearer {}'.format(token)}
refresh = self.test_client.post('/api/auth/refresh', content_type="application/json", headers=headers)
self.assertEqual(refresh.status_code, UNAUTHORIZED_ERROR)
token = decode_token(token)
tokens = BlacklistedToken.query.filter_by(jti=token['jti']).all()
self.assertEqual(len(tokens), 1)
def test_admin_login(client, mock_admin_ad):
"""Test that admin logins are successfull."""
# Make sure the user doesn't exist before the first login
assert len(User.query.all()) == 0
# Because we are mocking AD with ldap3, we have to use the distinguished name to log in
rv = client.post('/api/v1/login', data=json.dumps({
'username': '******',
'password': '******'}))
assert rv.status_code == 200
rv_json = json.loads(rv.data.decode('utf-8'))
assert set(rv_json.keys()) == set(['token'])
# Make sure the user was created after the first login
guid = '5609c5ec-c0df-4480-a94b-b6eb0fc4c066'
assert User.query.filter_by(ad_guid=guid).first()
decoded_token = flask_jwt_extended.decode_token(rv_json['token'])
assert decoded_token['sub']['guid'] == guid
assert decoded_token['sub']['username'] == 'testuser'
assert decoded_token['user_claims']['roles'] == ['admin']
def add_token_to_database(encoded_token, identity_claim):
"""
Adds a new token to the database. It is not revoked when it is added.
:param identity_claim: configured key to get user identity
"""
decoded_token = decode_token(encoded_token)
jti = decoded_token['jti']
token_type = decoded_token['type']
user_identity = decoded_token[identity_claim]
expires = datetime.fromtimestamp(decoded_token['exp'])
revoked = False
db_token = TokenBlacklist(
jti=jti,
token_type=token_type,
user_id=user_identity,
expires=expires,
revoked=revoked,
)
db.session.add(db_token)
db.session.commit()
