def sessions_post_view(request):
"""
This will begin a new session given a username and password
"""
if request.user is not None and request.json_body.get('token') is not None:
# Our request validated their token, so just get that token
return {'d': dict_from_row(request.dbsession.query(Session)\
.filter(Session.token == request.json_body['token']).one())}
username = request.json_body.get('username')
if username is None or not isinstance(username, basestring):
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
password = request.json_body.get('password')
if password is None or not isinstance(password, basestring):
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid password provided')}
user = request.dbsession.query(User).filter(
User.username == username.lower()).one_or_none()
if user is None:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
salted_pass = binascii.b2a_hex(hash_password(password, user.salt))
if binascii.b2a_hex(user.password) != salted_pass:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
if user.lockmessage is not None:
request.response.status = 400
return {'d': error_dict('account_lock', user.lockmessage)}
new_token = str(uuid4())
new_session = Session()
new_session.user_id = user.id
new_session.token = new_token
request.dbsession.add(new_session)
request.dbsession.flush()
request.dbsession.refresh(new_session)
since = datetime.now() - timedelta(weeks=2)
request.dbsession.query(Session)\
.filter(Session.lastactive <= since)\
.filter(Session.user_id == user.id)\
.delete()
result = dict_from_row(new_session)
result['origin'] = user.origin
return {'d': result}
def sessions_put_view(request):
if request.user is None:
request.response.status = 400
return {
'd': error_dict('api_errors', 'not authenticated for this request')
}
token = request.json_body.get('token')
s = request.dbsession.query(Session).filter(
Session.token == token,
Session.user_id == request.user.id).one_or_none()
if s is None:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
expiration_value = timedelta(weeks=2)
if (datetime.now() - s.lastactive) > expiration_value:
request.dbsession.delete(s)
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
s.lastactive = datetime.now()
request.dbsession.flush()
result = dict_from_row(s)
result['origin'] = request.user.origin
return {'d': result}
def test_already_logged_in(self):
"""
If we try to start a session while we're already logged in, get the token we used
"""
self.request.user = self.datautils.create_user()
oursession = self.datautils.create_session(
{'user_id': self.request.user.id})
self.request.json_body = {'token': oursession.token}
result = sessions_post_view(self.request)['d']
self.assertEqual(result, dict_from_row(oursession))
def test_return_token(self):
"""
The happy path should return the token object
"""
self.request.json_body = {
'username': '******',
'password': '******',
'origin': 'testorigin'
}
self.request.user = self.datautils.create_user(self.request.json_body)
c_id = self.request.user.id
result = sessions_post_view(self.request)['d']
self.session.flush()
self.assertEqual(self.session.query(Session).count(), 1)
s = self.session.query(Session).filter(
Session.user_id == c_id).one_or_none()
self.assertIsNotNone(s)
s = dict_from_row(s)
s['origin'] = 'testorigin'
self.assertEqual(result, s)
def test_good_token(self):
"""
If the token is valid, return the token and we the timestamp is updated
"""
days_ago = datetime.now() - relativedelta(days=4)
self.request.user.origin = 'testorigin'
s = self.datautils.create_session({
'lastactive': days_ago,
'started': days_ago,
'user_id': self.request.user.id
})
self.assertEqual(self.session.query(Session).count(), 1)
self.assertEqual(s.started, s.lastactive)
self.request.json_body = {'token': s.token}
result = sessions_put_view(self.request)['d']
self.session.flush()
self.session.refresh(s)
self.assertIsInstance(result, dict)
s_dict = dict_from_row(s)
s_dict['origin'] = 'testorigin'
self.assertEqual(result, s_dict)
self.assertNotEqual(s.started, s.lastactive)
self.assertTrue(s.lastactive > datetime.now() - relativedelta(hours=1))