async def authenticate(
self, request: Request
) -> typing.Tuple[AuthCredentials, BaseUser]:
auth = request.session.pop("auth", None)
if auth:
sun, spw = state.items.storage().split(":", 1)
aun, apw = auth.split(":", 1)
if sun and sun == aun and hasher.verify(apw, spw):
request.session.update(user=hasher.hash(auth))
messages.add(
request=request,
text="Logged in successfully",
type=messages.SUCCESS,
)
return AuthCredentials(scopes=["authenticated"]), SimpleUser("admin")
messages.add(
request=request, text="Invalid credentials", type=messages.DANGER
)
if "user" not in request.session:
return AuthCredentials(scopes=["anonymous"]), UnauthenticatedUser()
user = request.session["user"]
if hasher.identify(user):
return AuthCredentials(scopes=["authenticated"]), SimpleUser("admin")
request.session.pop("user")
return AuthCredentials(scopes=["anonymous"]), UnauthenticatedUser()
async def authenticate(self, conn: HTTPConnection):
if "Authorization" not in conn.headers:
return AuthCredentials(), None
auth_header = conn.headers["Authorization"]
try:
scheme, token = auth_header.split()
if scheme.lower() != "bearer":
return AuthCredentials(), None
except Exception as error:
raise AuthenticationError(
"Invalid authentication credentials") from error
try:
payload: JWTPayloadSchema = TokensHandler.read_code(
code=token, convert_to=JWTPayloadSchema)
user_model: UserModel = await UsersHandler(
request=conn).retrieve_user(request=conn,
query={
"_id": payload.object_id,
"is_active": True
})
except HandlerException as error:
raise AuthenticationError(str(error)) from error
# request.auth, request.user
return AuthCredentials(), user_model
async def authenticate(self, request):
from helpdesk.models.user import User
from helpdesk.models.provider import get_provider
from helpdesk.config import ENABLED_PROVIDERS, AUTH_UNSUPPORT_PROVIDERS
logger.debug('request.session: %s, user: %s', request.session,
request.session.get('user'))
for provider_type in ENABLED_PROVIDERS:
if provider_type in AUTH_UNSUPPORT_PROVIDERS:
continue
if not all([
request.session.get('user'),
request.session.get(f'{provider_type}_token'),
request.session.get(f'{provider_type}_expiry')
]):
logger.debug(f'{provider_type} auth error, unauth')
return AuthCredentials([]), UnauthenticatedUser()
# check token expiry, e.g. '2019-05-28T10:34:03.240708Z'
expiry = request.session[f'{provider_type}_expiry']
if datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%fZ"
) < datetime.utcnow() + timedelta(minutes=1):
logger.debug('token expiry time is in 1 minute, unauth.')
unauth(request)
return AuthCredentials([]), UnauthenticatedUser()
username = request.session['user']
providers = {
provider_type:
get_provider(provider_type,
token=request.session.get(f'{provider_type}_token'),
user=username)
for provider_type in ENABLED_PROVIDERS
}
user = User(username=username, providers=providers)
return user.auth_credentials, user
async def authenticate(self, request):
if 'user_id' in request.session:
user_id = request.session['user_id']
user = User.objects.get(user_id)
creds = ['app_auth']
if user.is_superuser:
creds.append('admin_auth')
if user.user_data and 'asUser' in user.user_data:
if request.url.path == '/auth/logout':
data = copy.copy(user.user_data)
del data['asUser']
user.user_data = data
user.save()
else:
spoof_user = User.objects.get_by_email(
user.user_data['asUser'])
return AuthCredentials(creds), spoof_user
return AuthCredentials(creds), user
if request.headers.get('authorization'):
bearer = request.headers['authorization'].split()
if bearer[0] != 'Bearer':
return
bearer = bearer[1]
token = oauth2token.OAuth2Token.objects.get_by_access_token(bearer)
if token is None or token.revoked:
return # return without authorization
if datetime.datetime.utcnow() > token.access_token_expires_at:
return # return without authorization
# passed all tests
request.scope['token'] = token
return AuthCredentials(['api_auth']), None
async def authenticate(self, conn: HTTPConnection):
user = self.get_user(conn)
if user and user.is_authenticated:
scopes = ["authenticated"] + sorted([str(s) for s in user.scopes])
return AuthCredentials(scopes), user
scopes = ["unauthenticated"]
return AuthCredentials(scopes), UnauthenticatedUser()
async def authenticate(self, request):
from models import Token, User
token = request.headers.get("Authorization")
check = await Token.check_token(token)
if check is None:
return AuthCredentials(), CustomUnauthenticatedUser()
user = await User.get(check.user_id)
return AuthCredentials(["authenticated"]), user
async def authenticate(self, request):
user = self.get_user(request)
if user and user.is_authenticated:
scopes = ["authenticated"] + sorted([str(s) for s in user.scopes])
return AuthCredentials(scopes), user
scopes = ["unauthenticated"]
return AuthCredentials(scopes), UnauthenticatedUser()
async def authenticate(
self, conn: HTTPConnection
) -> typing.Optional[typing.Tuple[AuthCredentials, BaseUser]]:
secret = conn.headers.get("secret")
if secret in _SCOPE_MAP:
scopes = _SCOPE_MAP[secret]
return AuthCredentials(scopes), SimpleUser("smith")
else:
return AuthCredentials(), UnauthenticatedUser()
async def authenticate(self, conn: HTTPConnection):
user = await self.get_user(conn)
if user and user["is_active"]:
used = await db.get_user_scopes(user["id"])
return (
AuthCredentials(["authenticated"] +
sorted([s["code"] for s in used])),
ModelUser(user),
)
return AuthCredentials(["unauthenticated"]), UnauthenticatedUser()
async def authenticate(self, request):
session_id = request.cookies.get("session_id")
if not session_id:
return AuthCredentials(["unauthenticated"]), UnauthenticatedUser()
user = User.get_by_session_id(session_id)
if not user:
return AuthCredentials(["unauthenticated"]), UnauthenticatedUser()
return AuthCredentials(["authenticated"]), user
async def authenticate(self, request: Request) -> Tuple[AuthCredentials, BaseUser]:
try:
identity = self.get_identity(request, type="access")
log.info(f"Authenticating with {identity}")
# We could check that we actually have a valid user here, but this doesn't
# seem to be what other libraries tend to do.
user = SimpleUser(identity)
return (AuthCredentials(("admin",)), user)
except AuthenticationError as err:
return (AuthCredentials(("public",)), UnauthenticatedUser())
async def authenticate(self, request):
if self.headers.lower() not in request.headers:
return AuthCredentials(), UnauthenticatedUser()
auth = request.headers[self.headers]
scheme, token = get_authorization_scheme_param(auth)
if scheme.lower() != self.auth_type:
return AuthCredentials(), UnauthenticatedUser()
return self.verify_token(token)
async def authenticate(self, request: Request):
if request['method'] == 'GET' and \
any((x.match(request.url.path) for x in self.allowed_patterns)):
return AuthCredentials(['unauthenticated']), UnauthenticatedUser()
host = request.headers.get('host')
if 'local' in host or 'internal' in host or \
'.' not in host:
return AuthCredentials(['unauthenticated']), UnauthenticatedUser()
elif self.id is None:
# local dev
username = '******'
return AuthCredentials(['authenticated'
]), SimpleUser(username=username)
elif request.url.path == '/oauth_callback/google':
# handle redirect
# print('sess', request.session)
query = request.query_params
state = query.get('state')
code = query.get('code')
gc = GoogleClient(client_id=self.id, client_secret=self.secret)
host = get_hostname(request)
if request.url.port:
host += f':{request.url.port}'
otoken, other = await gc.get_access_token(
code, redirect_uri=f'{host}/oauth_callback/google')
idt = other['id_token']
id_token = jwt.decode(idt, verify=False)
email = id_token.get('email')
if not (id_token.get('hd') == self.org == email.split('@')[1]):
return AuthenticationError('Bad user')
timestamp = time.time()
request.session['ts'] = timestamp
request.session['user'] = email
request.state.redirect_url = state
raise RedirectAuthError('need to redirect')
elif request.session and request.session.get('user'):
# make sure cookie is still valid
timestamp = request.session.get('ts')
now = time.time()
if now - timestamp > 86520:
raise StartAuthError
user = request.session.get('user')
return AuthCredentials(['authenticated'
]), SimpleUser(username=user)
else:
raise StartAuthError('Not logged in')
async def authenticate(self, r: HTTPConnection):
session_id: Optional[str] = r.cookies.get('q_c0')
if not session_id:
return AuthCredentials(), User(id=0)
credential = await credential_ctl.get_access_credential(session_id)
if not credential or credential.is_expired:
return AuthCredentials(), User(id=0)
if credential.is_stale:
await credential_ctl.refresh_access_credential(credential)
return AuthCredentials(['login']), User(id=credential.member_id,
access_token=session_id)
async def authenticate(self, request):
from helpdesk.models.user import User
logger.debug('request.session: %s, user: %s', request.session, request.session.get('user'))
userinfo = request.session.get('user')
if not userinfo:
return AuthCredentials([]), UnauthenticatedUser()
try:
user = User.from_json(userinfo)
return user.auth_credentials, user
except Exception:
return AuthCredentials([]), UnauthenticatedUser()
async def authenticate(self, conn: HTTPConnection):
unauthenticated = (None, AnonymousUser())
sid = conn.cookies.get("AURSID")
if not sid:
return unauthenticated
timeout = aurweb.config.getint("options", "login_timeout")
remembered = ("AURREMEMBER" in conn.cookies
and bool(conn.cookies.get("AURREMEMBER")))
if remembered:
timeout = aurweb.config.getint("options",
"persistent_cookie_timeout")
# If no session with sid and a LastUpdateTS now or later exists.
now_ts = time.utcnow()
record = db.query(Session).filter(Session.SessionID == sid).first()
if not record:
return unauthenticated
elif record.LastUpdateTS < (now_ts - timeout):
with db.begin():
db.delete_all([record])
return unauthenticated
# At this point, we cannot have an invalid user if the record
# exists, due to ForeignKey constraints in the schema upheld
# by mysqlclient.
with db.begin():
user = db.query(User).filter(User.ID == record.UsersID).first()
user.nonce = util.make_nonce()
user.authenticated = True
return (AuthCredentials(["authenticated"]), user)
async def authenticate(self, request: HTTPConnection):
if "discord_id" not in request.session:
request.session.pop("user", None)
return
user = request.session.get("user")
if not user:
db_user = await DBUser.get(request.session["discord_id"])
log.info("First time adding user info for %s, user: %s",
request.session["discord_id"], db_user)
if db_user is None:
log.info("User %s was not in the database, rejecting",
request.session["discord_id"])
request.session.pop("discord_id", None)
return
user = {
"discord_id": db_user.discord_id,
"is_admin": db_user.is_admin,
"username": db_user.username,
}
request.session["user"] = user
username, discord_id, is_admin = (
user["username"],
user["discord_id"],
user["is_admin"],
)
creds = ["authenticated"]
if is_admin:
creds.append("admin")
return AuthCredentials(creds), User(username, discord_id, is_admin)
async def authenticate(self, conn: HTTPConnection):
payload = getattr(conn.state, "payload", None)
if not payload:
return
username = payload.get("username")
if not username:
return
try:
session = conn.state.session
except AttributeError:
raise RuntimeError(
"Missing session: try adding SessionMiddleware.")
if self.user_cls:
user = await run_in_threadpool(self.user_cls.get_by_username,
session, username)
if not user:
logger.warning("User not found: %s", username)
return
else:
user = SimpleUser(username=username)
scopes = await self.scopes(payload)
return AuthCredentials(scopes), user
async def authenticate(
self,
conn: HTTPConnection) -> Optional[Tuple[AuthCredentials, User]]:
if 'token' in conn.cookies:
token = json.loads(conn.cookies.get('token'))
user = json.loads(conn.cookies.get('user'))
expires_at = datetime.utcfromtimestamp(token['expires_at'])
refresh_token = token['refresh_token']
now = datetime.now()
# Check token expiration
if expires_at > now:
token, user = await self._refresh_access_token(refresh_token)
self._update_auth_cookies(conn, token, user)
self._add_data_to_session(conn, token, user)
# Check user in database
user_model = await self._check_user_in_db(user)
# Store token and user in global context
conn.scope['user'] = user
conn.scope['token'] = token
return AuthCredentials(['authenticated']), user_model
return
async def authenticate(self, request):
if 'Authorization' not in request.headers:
return
auth = request.headers['Authorization']
try:
scheme, credentials = auth.split()
if scheme.lower() != 'basic':
return
decoded = base64.b64decode(credentials).decode("ascii")
except (ValueError, UnicodeDecodeError, binascii.Error):
raise AuthenticationError('Invalid basic auth credentials')
pseudo, _, password = decoded.partition(':')
db = get_session(DATABASE_URL)
user = db.query(User).filter(User.pseudo == pseudo).one_or_none()
if user is None or not user.check_password(password):
db.close()
raise AuthenticationError(f'pseudo or password incorrect')
user.is_authenticated = True
scopes = ['authenticated']
for group in user.groups:
scopes.extend([permission.name for permission in group.permissions])
db.close()
return AuthCredentials(scopes), user
async def authenticate(self, request: HTTPConnection):
if "discord_id" not in request.session:
request.session.pop("user", None)
return
user = request.session.get("user")
if not user:
uid = request.session["discord_id"]
if uid not in settings.LADS:
return
user = {
"discord_id": uid,
"username": request.session["discord_username"],
}
request.session["user"] = user
username, discord_id = (
user["username"],
user["discord_id"],
)
creds = ["authenticated"]
return AuthCredentials(creds), User(username, discord_id)
async def authenticate(
self, conn: HTTPConnection
) -> Optional[Tuple["AuthCredentials", "BaseUser"]]:
try:
payload = conn.state.payload
except AttributeError:
raise RuntimeError(
"Missing 'request.state.payload': "
"try adding 'middleware.UpstreamPayloadMiddleware'")
username = payload.get("username")
if not username:
return
if self.user_cls:
try:
session = conn.state.session
except AttributeError:
raise RuntimeError("Missing 'request.state.session': "
"try adding 'middleware.SessionMiddleware'")
user = await run_in_threadpool(self.user_cls.get_by_username,
session, username)
if not user:
logger.warning("User not found: %s", username)
return
else:
user = SimpleUser(username=username)
scopes = await self.scopes(payload)
return AuthCredentials(scopes), user
async def authenticate(
self, request: HTTPConnection
) -> tuple[AuthCredentials, SimpleUser] | None:
"""Authenticate a Starlette request with HTTP Basic auth."""
if "Authorization" not in request.headers:
return None
try:
auth = request.headers["Authorization"]
basic_auth_username = os.getenv("BASIC_AUTH_USERNAME")
basic_auth_password = os.getenv("BASIC_AUTH_PASSWORD")
if not (basic_auth_username and basic_auth_password):
raise AuthenticationError(
"Server HTTP Basic auth credentials not set")
scheme, credentials = auth.split()
decoded = base64.b64decode(credentials).decode("ascii")
username, _, password = decoded.partition(":")
correct_username = secrets.compare_digest(username,
basic_auth_username)
correct_password = secrets.compare_digest(password,
basic_auth_password)
if not (correct_username and correct_password):
raise AuthenticationError(
"HTTP Basic auth credentials not correct")
return AuthCredentials(["authenticated"]), SimpleUser(username)
except Exception:
raise
async def authenticate(self, request):
if request.url.path != "/pretix-webhook":
raise ValueError("PretixAuthBackend used outside pretix-webhook")
if "Authorization" not in request.headers:
return
auth = request.headers["Authorization"]
try:
scheme, credentials = auth.split()
if scheme.lower() != "basic":
return
decoded = base64.b64decode(credentials).decode("ascii")
except (ValueError, UnicodeDecodeError, binascii.Error) as exc:
raise AuthenticationError(
"Invalid basic auth credentials") from exc
username, _, password = decoded.partition(":")
if username != "pretix":
raise AuthenticationError("Invalid auth")
if password != str(PRETIX_WEBHOOK_SECRET):
raise AuthenticationError("Invalid auth")
return AuthCredentials(["authenticated",
"pretix"]), SimpleUser("pretix")
async def authenticate(
self, request: HTTPConnection
) -> typing.Optional[typing.Tuple[AuthCredentials, BaseUser]]:
resource_protector = OurResourceProtector(
[BearerTokenValidator(self.now, request.app.state.jwt_config)])
try:
token_wrap = resource_protector.validate_request(
HttpRequest(request))
user = await async_(
session.query(User).join(
Client, User.pool_id == Client.pool_id).filter(
Client.oauth2_client_id == token_wrap.get_client_id(),
User.key == token_wrap.get_subject(),
).one)()
return (
AuthCredentials(list(set(token_wrap.get_scope().split(None)))),
StarletteUserWrapper(user),
)
except (
ExpiredTokenError,
InvalidTokenError,
MissingAuthorizationError,
UnsupportedTokenTypeError,
orm_exc.NoResultFound,
) as e:
logger.debug(str(e), exc_info=True)
return None
async def authenticate(self, request):
if "Authorization" not in request.headers:
return None
authorization = request.headers["Authorization"]
token = self.get_token_from_header(authorization=authorization,
prefix=self.prefix)
try:
jwt_payload = jwt.decode(token,
key=str(self.secret_key),
algorithms=self.algorithm)
except jwt.InvalidTokenError:
if DEBUG:
sprint_f(f"Invalid JWT token", "red")
raise AuthenticationError("Invalid JWT token")
except jwt.ExpiredSignatureError:
if DEBUG:
sprint_f(f"Expired JWT token", "red")
raise AuthenticationError("Expired JWT token")
if DEBUG:
sprint_f(f"Decoded JWT payload: {jwt_payload}",
"green") # debug part, do not forget to remove it
return (
AuthCredentials(["authenticated"]),
JWTUser(username=jwt_payload["username"],
user_id=jwt_payload["user_id"],
email=jwt_payload["email"],
token=token),
)
async def authenticate(
self, request: HTTPConnection
) -> Optional[Tuple[AuthCredentials, BaseUser]]:
"""Authenticate the user."""
if "Authorization" not in request.headers:
return
authorization_header = request.headers["Authorization"]
if not authorization_header.startswith("Bearer "):
logger.info(msg=f"Invalid Authorization header sent by user")
raise AuthenticationError(
"Invalid Authorization header value. The header "
"value must have the format Bearer <token>.")
user_token = request.headers["Authorization"][
7:] # length of "Bearer " is 7
try:
payload = parse_token(user_token)
except Exception:
logger.exception(msg=f"Invalid or expired authentication token.")
raise AuthenticationError(
"Invalid or expired authentication token.")
user = await user_repository.find_user_by_id(int(payload.user_id))
if not user:
logger.error(msg=f"No user found for id {payload.user_id}.")
raise AuthenticationError("No user found for user id.")
return AuthCredentials(["authenticated"]), AuthenticatedUser(user)
async def authenticate(self, request):
"""
Hàm dùng cho việc xác thực Http Request từ client
:param request: HTTP request từ client
:return: authenticated và JWTUser
"""
if 'Authorization' not in request.headers:
return None
auth = request.headers['Authorization']
token = self.get_token_from_header(authorization=auth,
prefix=self.prefix)
try:
payload = self.decode_token(token)
except jwt.InvalidTokenError:
raise AuthenticationError('error: Token không hợp lệ!')
else:
# Kiểm tra xem Token có nằm trong danh sách blacklist Token hay không
# ** blacklist Token là file chứa danh sách các token đã logout hoặc đã bị vô hiệu hóa
with open('security.txt', 'r') as reader:
modify_token_for_check = token + '\n'
if modify_token_for_check in reader.readlines():
raise AuthenticationError(
'error: Token đã bị vô hiệu hoá!')
else:
return AuthCredentials(
['authenticated']), JWTUser(user_id=payload['userId'])
async def authenticate(
self, conn: HTTPConnection
) -> Tuple[AuthCredentials, BaseUser]:
""" Perform authentication using a shared token or oauth """
roles: List[str] = []
# See if there is a logged in user and what roles they have
await validate_refresh_token(conn)
roles.extend(parse_scopes(conn))
username = conn.session.get("user", {}).get("username")
# See if the correct token has been passed as a query param
if (
self.token is None
or conn.query_params.get("token") == self.token.get_secret_value()
):
if not username:
username = "******"
roles.append("backend")
credentials = AuthCredentials(roles)
if username:
return credentials, SimpleUser(username)
return credentials, UnauthenticatedUser()
async def authenticate(
self, request: Request) -> Tuple[AuthCredentials, SimpleUser]:
if 'Authorization' not in request.headers:
raise AuthenticationError('Please, authenticate')
auth = request.headers['Authorization']
try:
scheme, credentials = auth.split()
except ValueError:
raise AuthenticationError('Invalid basic auth credentials')
if scheme.lower() != 'basic':
raise AuthenticationError('Please, use basic authentication')
try:
decoded = base64.b64decode(credentials).decode('ascii')
except (binascii.Error, UnicodeDecodeError, ValueError):
raise AuthenticationError('Invalid basic auth credentials')
username, _, token = decoded.partition(':')
if username != '__token__':
raise AuthenticationError(
'Incorrect username. Only token are allowed. Please, set username to __token__'
)
token_response: AccessSecretVersionResponse = await sync_to_async(
self.client.access_secret_version)(request={
'name': TOKEN_NAME
})
token_response_data: str = token_response.payload.data.decode()
auth_tokens: Set[str] = set(token_response_data.split())
if token not in auth_tokens:
raise AuthenticationError('Incorrect token')
return AuthCredentials(['authenticated']), SimpleUser(username)
