def api_login(): password = request.form.get("password", None) email = request.form.get("email", None) def success(the_user): login_user(the_user) return Response( response = "Successfully logged in.", headers = {"X-CallSuccess": "True"} ) def failure(): return Response( response = "Incorrect email or password.", headers = {"X-CallSuccess": "False"} ) # If the user is trying to login by giving us an access_token they got from # signing in through google, validate the token. access_token = request.form.get("access_token", None) if access_token and oauth_enabled: # Ask google to verify that they authed the user. req = requests.post( "https://www.googleapis.com/oauth2/v1/tokeninfo", data = { "access_token": access_token } ) if req.status_code != requests.codes.ok: return failure() # Validate client id is matching to avoid confused deputy attack if req.json["audience"] != app.config["GOOGLE_APICLIENT_ID"]: raise RuntimeError("Invalid Client ID") # Grab the user from the database (here we also check to make sure that # this user actually has account on Galah). try: user = FlaskUser(User.objects.get(email = req.json["email"])) except User.DoesNotExist: return failure() return success(user) elif access_token and not oauth_enabled: raise RuntimeError("Login via OAuth2 is not configured.") # If the user is trying to authenticate through Galah... if email and password: try: user = FlaskUser(User.objects.get(email = email)) except User.DoesNotExist: return failure() if check_seal(password, deserialize_seal(str(user.seal))): return success(user) else: return failure() raise RuntimeError("Malformed Request")
def login(): form = LoginForm() # If the user's input isn't immediately incorrect (validate_on_submit() will # not check if the email and password combo is valid, only that it could be # valid) if form.validate_on_submit(): # Find the user with the given email try: user = FlaskUser(User.objects.get(email = form.email.data)) except User.DoesNotExist: user = None if oauth_enabled and user and not user.seal: flash("You must use R'Mail to login.", category = "error") logger.info( "User %s has tried to log in via internal auth but their " "account does not have a seal.", user.email ) return render_template( "login.html", form = form, oauth_enabled = oauth_enabled ) # Check if the entered password is correct if not user or \ not check_seal(form.password.data, deserialize_seal(str(user.seal))): flash("Incorrect email or password.", category = "error") logger.info( "User %s has entered an incorrect email/password pair during " "internal auth.", form.email.data ) else: login_user(user) logger.info( "User %s has succesfully logged in via internal auth.", user.email ) return redirect(form.redirect_target or url_for("browse_assignments")) elif oauth_enabled and request.args.get("type") == "rmail": # Login using Google OAuth2 # Step 1 of two-factor authentication: redirect to AUTH url auth_uri = flow.step1_get_authorize_url() return redirect(auth_uri) return render_template( "login.html", form = form, oauth_enabled = oauth_enabled, google_login_heading = app.config["GOOGLE_LOGIN_HEADING"], google_login_caption = app.config["GOOGLE_LOGIN_CAPTION"] )
def api_login(): password = request.form.get("password", None) email = request.form.get("email", None) def success(the_user): login_user(the_user) return Response(response="Successfully logged in.", headers={"X-CallSuccess": "True"}) def failure(): return Response(response="Incorrect email or password.", headers={"X-CallSuccess": "False"}) # If the user is trying to login by giving us an access_token they got from # signing in through google, validate the token. access_token = request.form.get("access_token", None) if access_token and oauth_enabled: # Ask google to verify that they authed the user. req = requests.post("https://www.googleapis.com/oauth2/v1/tokeninfo", data={"access_token": access_token}) if req.status_code != requests.codes.ok: return failure() # Validate client id is matching to avoid confused deputy attack if req.json["audience"] != app.config["GOOGLE_APICLIENT_ID"]: raise RuntimeError("Invalid Client ID") # Grab the user from the database (here we also check to make sure that # this user actually has account on Galah). try: user = FlaskUser(User.objects.get(email=req.json["email"])) except User.DoesNotExist: return failure() return success(user) elif access_token and not oauth_enabled: raise RuntimeError("Login via OAuth2 is not configured.") # If the user is trying to authenticate through Galah... if email and password: try: user = FlaskUser(User.objects.get(email=email)) except User.DoesNotExist: return failure() if check_seal(password, deserialize_seal(str(user.seal))): return success(user) else: return failure() raise RuntimeError("Malformed Request")
def api_login(): def success(the_user): login_user(the_user) return Response(response="Successfully logged in.", headers={"X-CallSuccess": "True"}) def failure(): return Response(response="Incorrect email or password.", headers={"X-CallSuccess": "False"}) # If the user is trying to login by giving us an access_token they got from # signing in through google, validate the token. access_token = request.form.get("access_token", None) if access_token and oauth_enabled: # Ask google to verify that they authed the user. req = requests.post("https://www.googleapis.com/oauth2/v1/tokeninfo", data={"access_token": access_token}) req_json = req.json() email = req_json.get("email", "unknown") if req.status_code != requests.codes.ok: logger.info("Invalid OAuth2 login by %s.", email) return failure() # Validate client id is matching to avoid confused deputy attack if req_json["audience"] != app.config["GOOGLE_APICLIENT_ID"]: logger.error("Non-matching audience field detected for user %s.", email) return failure() # Grab the user from the database (here we also check to make sure that # this user actually has account on Galah). try: user = FlaskUser(User.objects.get(email=req_json["email"])) except User.DoesNotExist: logger.info( "User %s signed in via OAuth2 but a Galah account does not " "exist for that user.", email) return failure() logger.info("User %s successfully signed in with OAuth2.", email) return success(user) elif access_token and not oauth_enabled: logger.warning( "Attempted login via OAuth2 but OAuth2 is not configured.") return failure() # If the user is trying to authenticate through Galah... password = request.form.get("password", None) email = request.form.get("email", None) if email and password: try: user = FlaskUser(User.objects.get(email=email)) except User.DoesNotExist: logger.info( "User %s tried to sign in via internal auth but a Galah " "account does not exist for that user.", email) return failure() if check_seal(password, deserialize_seal(str(user.seal))): logger.info( "User %s succesfully authenticated with internal auth.", email) return success(user) else: logger.info( "User %s tried to sign in via internal auth but an invalid " "password was given.", email) return failure() logger.warning("Malformed request.") return failure()
def api_login(): def success(the_user): login_user(the_user) return Response( response = "Successfully logged in.", headers = {"X-CallSuccess": "True"} ) def failure(): return Response( response = "Incorrect email or password.", headers = {"X-CallSuccess": "False"} ) # If the user is trying to login by giving us an access_token they got from # signing in through google, validate the token. access_token = request.form.get("access_token", None) if access_token and oauth_enabled: # Ask google to verify that they authed the user. req = requests.post( "https://www.googleapis.com/oauth2/v1/tokeninfo", data = { "access_token": access_token } ) req_json = req.json() email = req_json.get("email", "unknown") if req.status_code != requests.codes.ok: logger.info("Invalid OAuth2 login by %s.", email) return failure() # Validate client id is matching to avoid confused deputy attack if req_json["audience"] != app.config["GOOGLE_APICLIENT_ID"]: logger.error( "Non-matching audience field detected for user %s.", email ) return failure() # Grab the user from the database (here we also check to make sure that # this user actually has account on Galah). try: user = FlaskUser(User.objects.get(email = req_json["email"])) except User.DoesNotExist: logger.info( "User %s signed in via OAuth2 but a Galah account does not " "exist for that user.", email ) return failure() logger.info("User %s successfully signed in with OAuth2.", email) return success(user) elif access_token and not oauth_enabled: logger.warning("Attempted login via OAuth2 but OAuth2 is not configured.") return failure() # If the user is trying to authenticate through Galah... password = request.form.get("password", None) email = request.form.get("email", None) if email and password: try: user = FlaskUser(User.objects.get(email = email)) except User.DoesNotExist: logger.info( "User %s tried to sign in via internal auth but a Galah " "account does not exist for that user.", email ) return failure() if check_seal(password, deserialize_seal(str(user.seal))): logger.info( "User %s succesfully authenticated with internal auth.", email ) return success(user) else: logger.info( "User %s tried to sign in via internal auth but an invalid " "password was given.", email ) return failure() logger.warning("Malformed request.") return failure()
def login(): form = LoginForm() # Authentication details to be passed to the rendering engine. authentication_details = { "cas_enabled": cas_enabled, "cas_login_caption": app.config["CAS_LOGIN_CAPTION"], "cas_login_heading": app.config["CAS_LOGIN_HEADING"], "oauth_enabled": oauth_enabled, "google_login_caption": app.config["GOOGLE_LOGIN_CAPTION"], "google_login_heading": app.config["GOOGLE_LOGIN_HEADING"] } # If the user's input isn't immediately incorrect (validate_on_submit() will # not check if the email and password combo is valid, only that it could be # valid) if form.validate_on_submit(): # Find the user with the given email try: user = FlaskUser(User.objects.get(email = form.email.data)) except User.DoesNotExist: user = None if oauth_enabled and user and not user.seal: flash("You must use R'Mail to login.", category = "error") logger.info( "User %s has tried to log in via internal auth but their " "account does not have a seal.", user.email ) return render_template( "login.html", form = form, **authentication_details ) # Check if the entered password is correct if not user or \ not check_seal(form.password.data, deserialize_seal(str(user.seal))): flash("Incorrect email or password.", category = "error") logger.info( "User %s has entered an incorrect email/password pair during " "internal auth.", form.email.data ) else: login_user(user) logger.info( "User %s has succesfully logged in via internal auth.", user.email ) return redirect(form.redirect_target or url_for("browse_assignments")) elif oauth_enabled and request.args.get("type") == "google": # Login using Google OAuth2 # Step 1 of two-factor authentication: redirect to AUTH url auth_uri = flow.step1_get_authorize_url() return redirect(auth_uri) elif cas_enabled and request.args.get("type") == "cas": # Login using CAS # Step 1 of CAS dance: redirect to authentication url auth_uri = cas_server.login(cas_service) return redirect(auth_uri) elif cas_enabled and request.args.get("ticket") is not None: # Since CAS Authentication doesn't support redirect_uri arguments, # the ticket will be sent the login function so let's handle it here. cas_validate(request.args.get("ticket")) return render_template( "login.html", form = form, **authentication_details )