def sessions_post_view(request): """ This will begin a new session given a username and password """ if request.user is not None and request.json_body.get('token') is not None: # Our request validated their token, so just get that token return {'d': dict_from_row(request.dbsession.query(Session)\ .filter(Session.token == request.json_body['token']).one())} username = request.json_body.get('username') if username is None or not isinstance(username, basestring): request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} password = request.json_body.get('password') if password is None or not isinstance(password, basestring): request.response.status = 400 return {'d': error_dict('api_errors', 'no valid password provided')} user = request.dbsession.query(User).filter( User.username == username.lower()).one_or_none() if user is None: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} salted_pass = binascii.b2a_hex(hash_password(password, user.salt)) if binascii.b2a_hex(user.password) != salted_pass: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid username provided')} if user.lockmessage is not None: request.response.status = 400 return {'d': error_dict('account_lock', user.lockmessage)} new_token = str(uuid4()) new_session = Session() new_session.user_id = user.id new_session.token = new_token request.dbsession.add(new_session) request.dbsession.flush() request.dbsession.refresh(new_session) since = datetime.now() - timedelta(weeks=2) request.dbsession.query(Session)\ .filter(Session.lastactive <= since)\ .filter(Session.user_id == user.id)\ .delete() result = dict_from_row(new_session) result['origin'] = user.origin return {'d': result}
def sessions_put_view(request): if request.user is None: request.response.status = 400 return { 'd': error_dict('api_errors', 'not authenticated for this request') } token = request.json_body.get('token') s = request.dbsession.query(Session).filter( Session.token == token, Session.user_id == request.user.id).one_or_none() if s is None: request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} expiration_value = timedelta(weeks=2) if (datetime.now() - s.lastactive) > expiration_value: request.dbsession.delete(s) request.response.status = 400 return {'d': error_dict('api_errors', 'no valid token provided')} s.lastactive = datetime.now() request.dbsession.flush() result = dict_from_row(s) result['origin'] = request.user.origin return {'d': result}
def test_already_logged_in(self): """ If we try to start a session while we're already logged in, get the token we used """ self.request.user = self.datautils.create_user() oursession = self.datautils.create_session( {'user_id': self.request.user.id}) self.request.json_body = {'token': oursession.token} result = sessions_post_view(self.request)['d'] self.assertEqual(result, dict_from_row(oursession))
def test_return_token(self): """ The happy path should return the token object """ self.request.json_body = { 'username': '******', 'password': '******', 'origin': 'testorigin' } self.request.user = self.datautils.create_user(self.request.json_body) c_id = self.request.user.id result = sessions_post_view(self.request)['d'] self.session.flush() self.assertEqual(self.session.query(Session).count(), 1) s = self.session.query(Session).filter( Session.user_id == c_id).one_or_none() self.assertIsNotNone(s) s = dict_from_row(s) s['origin'] = 'testorigin' self.assertEqual(result, s)
def test_good_token(self): """ If the token is valid, return the token and we the timestamp is updated """ days_ago = datetime.now() - relativedelta(days=4) self.request.user.origin = 'testorigin' s = self.datautils.create_session({ 'lastactive': days_ago, 'started': days_ago, 'user_id': self.request.user.id }) self.assertEqual(self.session.query(Session).count(), 1) self.assertEqual(s.started, s.lastactive) self.request.json_body = {'token': s.token} result = sessions_put_view(self.request)['d'] self.session.flush() self.session.refresh(s) self.assertIsInstance(result, dict) s_dict = dict_from_row(s) s_dict['origin'] = 'testorigin' self.assertEqual(result, s_dict) self.assertNotEqual(s.started, s.lastactive) self.assertTrue(s.lastactive > datetime.now() - relativedelta(hours=1))