def sessions_put_view(request):
if request.user is None:
request.response.status = 400
return {
'd': error_dict('api_errors', 'not authenticated for this request')
}
token = request.json_body.get('token')
s = request.dbsession.query(Session).filter(
Session.token == token,
Session.user_id == request.user.id).one_or_none()
if s is None:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
expiration_value = timedelta(weeks=2)
if (datetime.now() - s.lastactive) > expiration_value:
request.dbsession.delete(s)
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
s.lastactive = datetime.now()
request.dbsession.flush()
result = dict_from_row(s)
result['origin'] = request.user.origin
return {'d': result}
def sessions_post_view(request):
"""
This will begin a new session given a username and password
"""
if request.user is not None and request.json_body.get('token') is not None:
# Our request validated their token, so just get that token
return {'d': dict_from_row(request.dbsession.query(Session)\
.filter(Session.token == request.json_body['token']).one())}
username = request.json_body.get('username')
if username is None or not isinstance(username, basestring):
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
password = request.json_body.get('password')
if password is None or not isinstance(password, basestring):
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid password provided')}
user = request.dbsession.query(User).filter(
User.username == username.lower()).one_or_none()
if user is None:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
salted_pass = binascii.b2a_hex(hash_password(password, user.salt))
if binascii.b2a_hex(user.password) != salted_pass:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid username provided')}
if user.lockmessage is not None:
request.response.status = 400
return {'d': error_dict('account_lock', user.lockmessage)}
new_token = str(uuid4())
new_session = Session()
new_session.user_id = user.id
new_session.token = new_token
request.dbsession.add(new_session)
request.dbsession.flush()
request.dbsession.refresh(new_session)
since = datetime.now() - timedelta(weeks=2)
request.dbsession.query(Session)\
.filter(Session.lastactive <= since)\
.filter(Session.user_id == user.id)\
.delete()
result = dict_from_row(new_session)
result['origin'] = user.origin
return {'d': result}
def test_no_password(self):
"""
When we don't give a password, we get an error back about not having a password
"""
self.request.json_body = {'username': '******'}
result = sessions_post_view(self.request)['d']
self.assertIsInstance(result, dict)
self.assertEqual(
result, error_dict('api_errors', 'no valid password provided'))
def test_no_user(self):
"""
If we try to get info without a login, get an error back
"""
self.request.user = None
result = sessions_put_view(self.request)['d']
self.assertEqual(
result,
error_dict('api_errors', 'not authenticated for this request'))
def sessions_delete_view(request):
if request.user is None:
request.response.status = 400
return {
'd': error_dict('api_errors', 'not authenticated for this request')
}
token = request.json_body.get('token')
if token is None or not isinstance(token, basestring):
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
s = request.dbsession.query(Session).filter(
Session.token == token).one_or_none()
if s is None:
request.response.status = 400
return {'d': error_dict('api_errors', 'no valid token provided')}
request.dbsession.delete(s)
request.dbsession.flush()
return {'d': {}}
def test_nonexistent_user(self):
"""
With a properly formed request, but with a nonexistent user, get the appropriate error
"""
self.request.json_body = {
'username': '******',
'password': '******'
}
result = sessions_post_view(self.request)['d']
self.assertEqual(
result, error_dict('api_errors', 'no valid username provided'))
def test_nonexistent_token_provided(self):
"""
If the token doesn't exist, say so
"""
self.request.json_body = {'token': 'badtoken'}
self.datautils.create_session()
self.datautils.create_session()
result = sessions_put_view(self.request)['d']
self.assertIsInstance(result, dict)
self.assertEqual(result,
error_dict('api_errors', 'no valid token provided'))
def test_bad_credentials(self):
"""
With a properly formed request, but with bad values (like an incorrect password), get the appropriate error
"""
self.request.json_body = {
'username': '******',
'password': '******'
}
self.datautils.create_user({'username': '******'})
result = sessions_post_view(self.request)['d']
self.assertIsInstance(result, dict)
self.assertEqual(
result, error_dict('api_errors', 'no valid username provided'))
def test_no_token_provided(self):
"""
If we do not provide a token, get an error
"""
self.request.json_body = {}
self.datautils.create_user({
'username': '******',
'password': '******'
})
result = sessions_delete_view(self.request)['d']
self.assertIsInstance(result, dict)
self.assertEqual(result,
error_dict('api_errors', 'no valid token provided'))
def test_locked_account(self):
"""
Get the lock message if the account is locked, but we get the credentials right, get the lock message
"""
self.request.json_body = {
'username': '******',
'password': '******'
}
self.datautils.create_user({
'username': '******',
'password': '******',
'lockmessage': 'test lock message'
})
result = sessions_post_view(self.request)['d']
self.assertEqual(result, error_dict('account_lock',
'test lock message'))
def test_expired_token_provided(self):
"""
If the token is expired, say so, and delete it
"""
weeks_ago = datetime.now() - relativedelta(weeks=6)
s = self.datautils.create_session({
'lastactive': weeks_ago,
'started': weeks_ago,
'user_id': self.request.user.id
})
self.assertEqual(self.session.query(Session).count(), 1)
self.assertEqual(s.started, s.lastactive)
self.assertEqual(s.started, weeks_ago)
self.request.json_body = {'token': s.token}
result = sessions_put_view(self.request)['d']
self.assertEqual(result,
error_dict('api_errors', 'no valid token provided'))
self.assertEqual(self.session.query(Session).count(), 0)
