def _issue_token(self, username, ip):
"""
Creates a token in the mongo token db with the fields: [username, ip, salt, token, timestamp] and returns it.
:param username: The user for which a token should be created
:type username: str
:param ip: The ip address of the user request
:type ip: str
:return: The created token
:rtype: bytes
"""
# first remove old tokens of this user and this ip
self._mongo.db['tokens'].delete_many({'username': username, 'ip': ip})
salt = urandom(16)
kdf = create_kdf(salt)
token = generate_secret()
self._mongo.db['tokens'].insert_one({
'username':
username,
'ip':
ip,
'salt':
salt,
'token':
kdf.derive(token.encode('utf-8')),
'timestamp':
time()
})
return token
def create_user(self, username, password, is_admin):
salt = urandom(16)
kdf = create_kdf(salt)
user = {
'username': username,
'password': kdf.derive(password.encode('utf-8')),
'salt': salt,
'is_admin': is_admin
}
self._mongo.db['users'].update_one({'username': username},
{'$set': user},
upsert=True)
def _verify_user_by_credentials(db_password, request_password, salt):
"""
Checks if the given user/password combination is authorized
:param db_password: The user password as stored in the db
:type db_password: str
:param request_password: The password string of the user given by the authorization data of the user request
:param salt: The salt value of the user from the db
:return:
"""
if request_password is None:
return False
kdf = create_kdf(salt)
try:
kdf.verify(request_password.encode('utf-8'), db_password)
except InvalidKey:
return False
return True
def _verify_user_by_cookie(self, username, cookie_token, ip):
"""
Returns whether the given user is authorized by the token, given by the received cookies.
:param username: The username to check for
:type username: str
:param cookie_token: The authorization token of the cookie given by the user request
:type cookie_token: str
:param ip: The ip address of the user request
:type ip: str
:return: True, if the given user could be authorized by an authorization cookie
:rtype: bool
"""
# delete old tokens
self._mongo.db['tokens'].delete_many(
{'timestamp': {
'$lt': time() - self.tokens_valid_for_seconds
}})
# get authorization cookie
if cookie_token is None:
return False
cursor = self._mongo.db['tokens'].find({
'username': username,
'ip': ip
}, {
'token': 1,
'salt': 1
})
for c in cursor:
kdf = create_kdf(c['salt'])
try:
kdf.verify(cookie_token.encode('utf-8'), c['token'])
return True
except InvalidKey: # if token does not fit, try the next
pass
return False