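def test_url_insecuring_on_appspot_url(self):
    """insecure_url() yields an http:// URL on a non-default appspot host.

    Covers both a relative path and an already-absolute https URL.
    """
    self.stub_server_name("non-default.khan-academy.appspot.com")
    try:
        expected = "http://non-default.khan-academy.appspot.com/foo"
        # relative url
        self.assertEqual(expected, util.insecure_url("/foo"))
        # Absolute url
        self.assertEqual(
            expected,
            util.insecure_url(
                "https://non-default.khan-academy.appspot.com/foo"))
    finally:
        # Restore even when an assertion fails, so a failing test does
        # not leak the stubbed server name into later tests.
        self.restore_server_name()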
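def test_url_insecuring_on_normal_url(self):
    """insecure_url() yields an http:// URL on the main www host.

    Covers both a relative path and an already-absolute https URL.
    """
    self.stub_server_name('www.khanacademy.org')
    try:
        expected = "http://www.khanacademy.org/postlogin"
        # relative URL
        self.assertEqual(expected, util.insecure_url("/postlogin"))
        # absolute URL
        self.assertEqual(
            expected,
            util.insecure_url("https://www.khanacademy.org/postlogin"))
    finally:
        # Restore even when an assertion fails, so a failing test does
        # not leak the stubbed server name into later tests.
        self.restore_server_name()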
def to_insecure_url(url):
    """Return the http:// server URL for a page hosted on Khan Academy.

    Thin pass-through to util.insecure_url.  Not intended for links to
    external sites.
    """
    insecure = util.insecure_url(url)
    return insecure
def post(self):
    """Handle a submitted password-change or password-reset form.

    The target account and whether this is a reset come from
    resolve_user_info().  A plain change must also supply the current
    password; both paths then require matching, sufficiently strong
    new passwords.  On success the password is stored and the caller
    is either told to redirect (reset) or bounced through /postlogin
    so a fresh auth cookie can be set (change).
    """
    (user_data, is_password_reset) = self.resolve_user_info()
    if not user_data:
        self.response.write("Oops. Something went wrong. Please try again.")
        return

    if not is_password_reset:
        # A reset skips the current-password check — presumably because
        # resolve_user_info() already authenticated the reset; confirm.
        existing = self.request_string("existing")
        if not user_data.validate_password(existing):
            # TODO(benkomalo): throttle incorrect password attempts
            self.render_form(message="Incorrect password",
                             user_data=user_data)
            return

    password1 = self.request_string("password1")
    password2 = self.request_string("password2")
    if (not password1 or
            not password2 or
            password1 != password2):
        self.render_form(message="Passwords don't match",
                         user_data=user_data)
    # nickname/username are passed so the strength check can presumably
    # reject passwords derived from them — verify in auth.passwords.
    elif not auth.passwords.is_sufficient_password(password1,
                                                   user_data.nickname,
                                                   user_data.username):
        self.render_form(message="Password too weak",
                         user_data=user_data)
    else:
        # We're good!
        user_data.set_password(password1)

        if is_password_reset:
            # Password resets are done when the user is not even logged in,
            # so redirect the host page to the login page (done via
            # client side JS)
            self.render_form(message="Password reset. Redirecting...",
                             success=True,
                             user_data=user_data)
        else:
            # Need to create a new auth token as the existing cookie will
            # expire. Use /postlogin to set the cookie. This requires
            # some redirects (/postlogin on http, then back to this
            # pwchange form in https).
            # NOTE(review): the fresh auth token is carried as a query
            # parameter of an http:// URL (util.insecure_url), so it is
            # visible to on-path observers and may be recorded in proxy,
            # server or referrer logs — confirm the token is short-lived
            # and single-use, or that /postlogin can be reached over https.
            auth_token = AuthToken.for_user(user_data)
            self.redirect("%s?%s" % (
                util.insecure_url("/postlogin"),
                util.build_params({
                    'auth': auth_token.value,
                    'continue': self.secure_url_with_token(
                        "/pwchange?success=1", user_data),
                })))
def post(self):
    """Handle a submitted password-change or password-reset form.

    The target account and whether this is a reset come from
    resolve_user_info().  A plain change must also supply the current
    password; both paths then require matching, sufficiently strong
    new passwords.  On success the password is stored and the caller
    is either told to redirect (reset) or bounced through /postlogin
    so a fresh auth cookie can be set (change).
    """
    (user_data, is_password_reset) = self.resolve_user_info()
    if not user_data:
        self.response.write(
            "Oops. Something went wrong. Please try again.")
        return

    if not is_password_reset:
        # A reset skips the current-password check — presumably because
        # resolve_user_info() already authenticated the reset; confirm.
        existing = self.request_string("existing")
        if not user_data.validate_password(existing):
            # TODO(benkomalo): throttle incorrect password attempts
            self.render_form(message="Incorrect password",
                             user_data=user_data)
            return

    password1 = self.request_string("password1")
    password2 = self.request_string("password2")
    if (not password1 or
            not password2 or
            password1 != password2):
        self.render_form(message="Passwords don't match",
                         user_data=user_data)
    # nickname/username are passed so the strength check can presumably
    # reject passwords derived from them — verify in auth.passwords.
    elif not auth.passwords.is_sufficient_password(
            password1, user_data.nickname, user_data.username):
        self.render_form(message="Password too weak",
                         user_data=user_data)
    else:
        # We're good!
        user_data.set_password(password1)

        if is_password_reset:
            # Password resets are done when the user is not even logged in,
            # so redirect the host page to the login page (done via
            # client side JS)
            self.render_form(message="Password reset. Redirecting...",
                             success=True,
                             user_data=user_data)
        else:
            # Need to create a new auth token as the existing cookie will
            # expire. Use /postlogin to set the cookie. This requires
            # some redirects (/postlogin on http, then back to this
            # pwchange form in https).
            # NOTE(review): the fresh auth token is carried as a query
            # parameter of an http:// URL (util.insecure_url), so it is
            # visible to on-path observers and may be recorded in proxy,
            # server or referrer logs — confirm the token is short-lived
            # and single-use, or that /postlogin can be reached over https.
            auth_token = AuthToken.for_user(user_data)
            self.redirect("%s?%s" % (util.insecure_url("/postlogin"),
                                     util.build_params({
                'auth': auth_token.value,
                'continue': self.secure_url_with_token(
                    "/pwchange?success=1", user_data),
            })))
def authorize_token_redirect(oauth_map, force_http=False):
    """Build the redirect that sends the user to the OAuth authorize page.

    The request token, its secret and the callback URL are attached as
    query parameters of /api/auth/authorize.  With force_http the
    target is first rewritten to its http:// form by util.insecure_url.

    Raises OAuthError when oauth_map is missing or has no callback_url.
    """
    if not oauth_map:
        raise OAuthError("Missing oauth_map while returning authorize_token_redirect")
    if not oauth_map.callback_url:
        raise OAuthError("Missing callback URL during authorize_token_redirect")

    # NOTE(review): the request token secret is placed in a redirect URL,
    # where browser history and server logs can record it; confirm the
    # consumer side relies on receiving it this way.
    query = {
        "oauth_token": oauth_map.request_token,
        "oauth_token_secret": oauth_map.request_token_secret,
        "oauth_callback": oauth_map.callback_url_with_request_token_params(),
    }

    target = "/api/auth/authorize"
    if force_http:
        import util  # local import, presumably to avoid an import cycle
        target = util.insecure_url(target)

    destination = append_url_params(target, query)
    return redirect(destination)
def authorize_token_redirect(oauth_map, force_http=False):
    """Redirect the user to /api/auth/authorize for the given oauth_map.

    The request token, its secret and the callback URL ride along as
    query parameters.  When force_http is true the authorize URL is
    converted to http:// via util.insecure_url before redirecting.

    Raises OAuthError if oauth_map is falsy or lacks a callback_url.
    """
    if not oauth_map:
        raise OAuthError(
            "Missing oauth_map while returning authorize_token_redirect")
    if not oauth_map.callback_url:
        raise OAuthError(
            "Missing callback URL during authorize_token_redirect")

    # NOTE(review): oauth_token_secret is exposed in the redirect URL
    # (history, logs); confirm the receiving side expects that.
    token_params = {
        "oauth_token": oauth_map.request_token,
        "oauth_token_secret": oauth_map.request_token_secret,
        "oauth_callback": oauth_map.callback_url_with_request_token_params(),
    }

    authorize_url = "/api/auth/authorize"
    if force_http:
        import util  # local import, presumably to avoid an import cycle
        authorize_url = util.insecure_url(authorize_url)

    return redirect(append_url_params(authorize_url, token_params))