def unauthenticated_userid(self, request): http_creds = extract_http_basic_credentials(request) if http_creds is None: self.debug and self._log( 'No HTTP Credentials received, so no auth. Will return None', 'authenticated_userid', request, ) return # username == userid, and password is the token for the actual credentials cred = get_valid_credentials(http_creds.username, http_creds.password, registry=request.registry) if cred is None: self.debug and self._log( "Credentials weren't valid, will return None", 'authenticated_userid', request, ) return else: self.debug and self._log( 'Valid credentials and user found, will return userid "%s" ' % cred.userid, 'authenticated_userid', request, ) return cred.userid
def _get_auth_client(cls, request): """Get a matching auth client if the credentials are valid.""" credentials = extract_http_basic_credentials(request) if not credentials: return None # It is important not to include the secret as part of the SQL query # because the resulting code may be subject to a timing attack. try: auth_client = request.db.query(AuthClient).get( credentials.username) except StatementError: # The auth client id is malformed return None if ( # The client must exist auth_client is None # Have a secret to compare with or auth_client.secret is None # And be the correct type or auth_client.grant_type != GrantType.client_credentials): return None # We fetch the auth_client by its ID and then do a constant-time # comparison of the secret with that provided in the request. if not hmac.compare_digest(auth_client.secret, credentials.password): return None return auth_client
def _get_credentials(self, request): # Pyramid < 1.8 policy = base_auth.BasicAuthAuthenticationPolicy if hasattr(policy, '_get_credentials'): # pragma: no cover return policy._get_credentials(self, request) # Pyramid > 1.8 return base_auth.extract_http_basic_credentials(request) # pragma: no cover
def test_compat_with_pyramid(self): obj = self._cut('1', token="123") request = testing.DummyRequest() request.headers['Authorization'] = obj.header() results = extract_http_basic_credentials(request) expected = HTTPBasicCredentials(username='******', password='******') self.assertIsInstance(results, HTTPBasicCredentials) self.assertEqual(results, expected)
def identity(self, request: PyramidRequest): credentials = extract_http_basic_credentials(request) if credentials: user_name = get_authenticated_user_name( credentials.username, credentials.password, request, ) return user_name
def identity(self, request: PyramidRequest): credentials = extract_http_basic_credentials(request) if credentials: user_id = check_credentials( credentials.username, credentials.password, request, ) return user_id
def get_current_user(self, request: TracimRequest) -> typing.Optional[User]: # check if user is correct credentials = extract_http_basic_credentials(request) if not credentials: return None user = self._authenticate_user( request=request, login=credentials.username, password=credentials.password ) if not user: return None return user
def authenticated_userid(self, request): # check if user is correct credentials = extract_http_basic_credentials(request) if not credentials: return None user = self._authenticate_user(request=request, email=credentials.username, password=credentials.password) if not user: return None return user.user_id
def unauthenticated_userid(self, request): settings = request.registry.settings credentials = base_auth.extract_http_basic_credentials(request) if credentials: username, password = credentials if not username: return hmac_secret = settings['userid_hmac_secret'] credentials = '{}:{}'.format(*credentials) userid = utils.hmac_digest(hmac_secret, credentials) return userid
def userid_for_login_request(self, request): """Check the basic auth for email and password""" credentials = extract_http_basic_credentials(request) if credentials is not None: site = request.site user = site["users"].get_user_by_email(credentials.username) if (user and user.check_password(credentials.password) and user.workflow_state == "active"): return user.user_email logging.warning( f"Unable to authenticate with password authentication: {credentials.username}" ) return None
def unauthenticated_userid(self, request): settings = request.registry.settings credentials = base_auth.extract_http_basic_credentials(request) if credentials: username, password = credentials if not username: return hmac_secret = settings["userid_hmac_secret"] credentials = f"{credentials[0]}:{credentials[1]}" userid = utils.hmac_digest(hmac_secret, credentials) return userid
def unauthenticated_userid(self, request): settings = request.registry.settings credentials = base_auth.extract_http_basic_credentials(request) if credentials: username, password = credentials if not username: return hmac_secret = settings["userid_hmac_secret"] credentials = "{}:{}".format(*credentials) userid = utils.hmac_digest(hmac_secret, credentials) return userid
def crear_token(peticion): credenciales = extract_http_basic_credentials(peticion) if credenciales: usuario, password = credenciales resultado = autenticar_en_samba(usuario, password) if resultado and usuario in USUARIOS_ADMIN: try: direccion = peticion.json_body['direccion'] rol = peticion.json_body['rol'] except: return exceptions.HTTPBadRequest() return {'token': peticion.create_token(direccion, rol)} return exceptions.HTTPForbidden()
def authenticated_userid(self, request): # check if user is correct credentials = extract_http_basic_credentials(request) if not credentials: return None user = self._authenticate_user( request=request, email=credentials.username, password=credentials.password, ) if not user: return None return user.user_id
def identity(self, request): # If we're calling into this API on a request, then we want to register # a callback which will ensure that the response varies based on the # Authorization header. request.add_response_callback(add_vary_callback("Authorization")) request.authentication_method = AuthenticationMethod.BASIC_AUTH credentials = extract_http_basic_credentials(request) if credentials is None: return None username, password = credentials if not _basic_auth_check(username, password, request): return None # Like sessions; basic auth can only authenticate users. login_service = request.find_service(IUserService, context=None) return login_service.get_user_by_username(username)
def obtain_token_alt(self): """ this alt version pre-calculates the client_credentials. 1. 'grant_type' in request.POST, grant_type=='client_credentials' 2. HTTP Basic Authorization contains username: client_id password: client_secret """ if DEBUG_ROUTE: print("authority:oauth2:flow_b:obtain_token_alt", get_csrf_token(self.request)) if LOG_ROUTE: log.debug( "authority:oauth2:flow_b:obtain_token_alt %s", get_csrf_token(self.request), ) try: # turn this into a username/password # HTTPBasicCredentials(username=u'OAUTH2APPKEYOAUTH2APPKEYOAUTH2APPKEYOAUTH2APPKEY', password=u'OAUTH2__APP_SECRET') credentials = extract_http_basic_credentials(self.request) credentials = ({ "username": credentials.username, "password": credentials.password } if credentials else {}) # logging.basicConfig() # _loggingOld = logging.getLogger().getEffectiveLevel() # logging.getLogger().setLevel(logging.DEBUG) oauth2Provider = new_oauth2Provider(self.request) rval = oauth2Provider.endopoint__token(credentials=credentials) return rval except HTTPException: raise except Exception as exc: # raise custom errors in production raise exc
def _get_client_creds_from_request(self, request): """ Return client credentials based on the current request. According to the rfc6749, client MAY use the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password. The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password. See `Section 2.3.1`_. .. _`Section 2.3.1`: https://tools.ietf.org/html/rfc6749#section-2.3.1 IMPORTANT: When dealing with an AUTHORIZATION header: - flask-oauthlib precomputes this via Werkzeug into a dict - pyramid's integration does not precompute right now """ if request.client_id is not None: return request.client_id, request.client_secret auth = request.headers.get("Authorization") if auth: # flask-oauthlib precomputes this via Werkzeug into a dict if isinstance(auth, dict): return auth["username"], auth["password"] # fallback on a full extraction _auth = extract_http_basic_credentials(request) if isinstance(_auth, HTTPBasicCredentials): return _auth.username, _auth.password return None, None
def identity(self, request: PyramidRequest): credentials = extract_http_basic_credentials(request) if credentials: return credentials.username
def forget(self, request): http_creds = extract_http_basic_credentials(request) if http_creds is not None: remove_credentials(http_creds.username, http_creds.password, registry=request.registry)