def post(self):
"""
@api {post} /v1/login 登录
@apiName login
@apiGroup login
@apiDescription 进行操作之前需要登录
@apiVersion 1.0.0
@apiParamExample {json} Request-Example:
{
"username":"******",
"password":"******"
}
@apiErrorExample {json} Error-Response:
HTTP/1.1 500 ERROR
{
"msg": "File not found"
}
"""
data = request.get_json()
username = data.get(app.config.get('JWT_AUTH_USERNAME_KEY'), None)
password = data.get(app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
criterion = [username, password, len(data) == 2]
if not all(criterion):
raise JWTError('Bad Request', 'Invalid credentials')
identity = jwt.authentication_callback(
User, username, util.md5(password))
if identity:
access_token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def jwt_required_handler(*args, **kwargs):
"""Does the actual work of verifying the JWT data in the current request.
This is done automatically for you by `jwt_required()` but you could call it manually.
Doing so would be useful in the context of optional JWT access in your APIs.
:param realm: an optional realm
"""
if 0 < len(args):
realm = args[0]
elif 'realm' in kwargs:
realm = kwargs['realm']
else:
realm = app.config['JWT_DEFAULT_REALM']
if 1 < len(args):
roles = args[1]
elif 'roles' in kwargs:
roles = kwargs['roles']
else:
roles = None
if 2 < len(args):
soft = args[1]
elif 'soft' in kwargs:
soft = kwargs['soft']
else:
soft = False
token = jwt.request_callback()
if token is None:
if soft:
jwt.current_identity = None
_request_ctx_stack.top.current_identity = identity = None
return
else:
raise JWTError('Authorization Required', 'Request does not contain an access token',
headers={'WWW-Authenticate': 'JWT realm="{}"'.format(realm)})
try:
payload = jwt.jwt_decode_callback(token)
except pyjwt.InvalidTokenError as e:
raise JWTError('Invalid token', str(e))
if roles and 'role' in payload:
role = payload['role']
identity_role = _force_iterable(role)
roles = _force_iterable(roles)
if not identity_role or not set(roles).intersection(identity_role):
raise JWTError('Bad Request', 'Permission Denied')
jwt.current_identity = jwt.identity_callback(payload)
_request_ctx_stack.top.current_identity = identity = jwt.current_identity
if identity is None:
raise JWTError('Invalid JWT', 'User does not exist')
def authenticate(username, password):
data = json.loads(request.data)
user = User.get(username=username)
if not (user and safe_str_cmp(user.password.encode('utf-8'),
User.cypher(password).encode('utf-8'))):
return
if 'group' in data and data['group'] != user.group:
raise JWTError('Bad Request', 'Invalid group')
if not user.enable:
raise JWTError('Bad Request', 'Removed user')
user.ref_id = str(user.ref_id)
return user
def authenticate(phonenum, password):
print(phonenum)
print(password)
userInfo = User.get(User, phonenum)
if (userInfo is None):
raise JWTError('Bad credentials',
'User not found!',
status_code=404)
else:
if safe_str_cmp(userInfo.password.encode('utf-8'), password.encode('utf-8')):
return userInfo
else:
raise JWTError('Bad credentials',
'Incorrect password!',
status_code=404)
def auth_request_handle():
data = request.get_json()
username = data.get(current_app.config.get('JWT_AUTH_USERNAME_KEY'), None)
password = data.get(current_app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
user_type = data.get('user_type', None)
criterion = [username, password, user_type, len(data) == 3]
if not all(criterion):
raise JWTError('Bad Request', 'Invalid credentials')
identity = _jwt.authentication_callback(username, password, user_type)
if identity:
access_token = _jwt.jwt_encode_callback(identity)
return _jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def wrapped_function(*args, **kwargs):
resource_id = request.path.split('/')[-1]
resource = model.query.filter_by(id=resource_id).first()
if current_identity.id != resource.user.id and current_identity.nivel != 'Admin':
raise JWTError(
'Acceso no permitido',
'No tiene suficientes privilegios para acceder al recurso')
return fn(*args, **kwargs)
def costum_header_name():
auth_header_value = request.headers.get('JWTAuthorization', None)
auth_header_prefix = app.config['JWT_AUTH_HEADER_PREFIX']
if not auth_header_value:
return
parts = auth_header_value.split()
if parts[0].lower() != auth_header_prefix.lower():
raise JWTError('Invalid JWT header', 'Unsupported authorization type')
elif len(parts) == 1:
raise JWTError('Invalid JWT header', 'Token missing')
elif len(parts) > 2:
raise JWTError('Invalid JWT header', 'Token contains spaces')
return parts[1]
def jwt_auth_request_handler():
data = request.get_json()
username = data.get(app.config.get('JWT_AUTH_USERNAME_KEY'), None)
password = data.get(app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
id_token = data.get('id_token', None)
if username and password:
identity = authenticate_username(username, password)
elif id_token:
identity = authenticate_id_token(id_token)
else:
raise JWTError('Bad Request', 'Invalid credentials')
if identity:
access_token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def login():
data = request.get_json()
username = data.get(app.config.get('JWT_AUTH_USERNAME_KEY'), None)
password = data.get(app.config.get('JWT_AUTH_PASSWORD_KEY'), None)
identity = jwt.authentication_callback(username, password)
if identity:
token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(token, identity)
raise JWTError('Bad Request', 'Invalid credentials')
def decorator(*args, **kwargs):
try:
_jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
print(current_identity)
if admin == 1 and current_identity.is_admin!=1:
abort(401)
except Exception as e:
raise JWTError('Bad Request', 'Invalid credentials')
return fn(*args, **kwargs)
def load_token():
try:
token = request.headers.get('Authorization', None)
if not token:
raise Exception("Unauthorized")
return token
except Exception as e:
raise JWTError(description='Error', error=e)
def wrapper(*args, **kwargs):
if not flask_user.access.is_authenticated():
raise JWTError('Authorization Required',
'Request does not contain an access token',
headers={
'WWW-Authenticate':
'JWT realm="%s"' %
app.config['JWT_DEFAULT_REALM']
})
return f(*args, **kwargs)
def authenticate(**kwargs):
try:
account = kwargs.get('username', None)
password = kwargs.get('password', None)
if account is None:
raise JWTError('Bad Request', '请输入用户名')
user = dao.UserDao.get(query={'account': account})
if not user:
raise JWTError('Bad Request', '未找到此用户')
password_hash = user['password']
if not check_password_hash(password_hash, password):
raise JWTError('Bad Request', '用户名或密码错误')
return dict(user)
except (OperationalError, IntegrityError) as e:
raise JWTError('Bad Request', str(e))
def decorator(*args, **kwargs):
authorities = current_identity['user_client_authorities']
print(authority)
if authority in authorities:
print(authorities)
else:
raise JWTError('Invalid user authority',
"User doesn't have the required authority")
return fn(*args, **kwargs)
def do_login():
username = request.form.get("email")
password = request.form.get("password")
identity = jwt.authentication_callback(username, password)
if identity:
access_token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def auth_request():
data = request.get_json()
_jwt = LocalProxy(lambda: current_app.extensions['jwt'])
identity_data = _jwt.authentication_callback(**data)
if identity_data:
access_token = _jwt.jwt_encode_callback(identity_data)
return _jwt.auth_response_callback(access_token, identity_data)
else:
raise JWTError('Bad Request', '用户或密码错误')
def login():
if current_identity:
return utils.json_abort({'message': 'User has already logged in'}, 400)
data = request.get_json(force=True)
if isinstance(data, str):
data = json.loads(data)
username = data.get('username', None)
password = data.get('password', None)
if not username or not password:
raise JWTError('Bad Request', 'Invalid credentials')
identity = authenticate(username, password)
jwt = utils.get_jwt()
if identity:
access_token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def authenticate(username: str, password: str) -> typing.Optional[User]:
user = UserCRUD.get_by_login(db.session, username)
if user and user.check_password(password):
if not user.internal_auth or not UserCRUD.is_global_active(
db.session, user.id):
raise JWTError("Forbidden",
"Internal authentication not accepted",
status_code=403)
return user
def post(self):
"""Authenticates and generates a token."""
args = parser.parse_args()
data = request.get_json(force=True)
username = args.get('email')
password = args.get('password')
criterion = [username, password, len(data) == 2]
if not all(criterion):
raise JWTError('Bad Request', 'Invalid credentials')
identity = _jwt.authentication_callback(username, password)
if identity is not None:
user = User.objects.get(id=identity.id)
if identity and user and user.active:
access_token = _jwt.jwt_encode_callback(identity)
token = {"token": access_token}
return token
else:
raise JWTError('Bad Request', 'Invalid credentials')
def auth_request_handler():
data = request.get_json()
username = data.get('username', None)
password = data.get('password', None)
identity = jwt.authentication_callback(username, password)
if identity:
access_token = jwt.jwt_encode_callback(identity)
return jwt.auth_response_callback(access_token, identity)
else:
raise JWTError('Bad Request', 'Invalid credentials')
def decode_auth_token(token):
try:
# decode the token by the secrete key
decoded = pyjwt.decode(token,
ConfigClass.SECRET_KEY,
algorithms=['HS256'])
return decoded
except Exception as e:
raise JWTError(description='Error', error=e)
# currently just username
return token
def decorator(*args, **kwargs):
token = _jwt.request_callback()
if token is None:
raise JWTError('Authorization Required', 'Request does not contain an access token',
headers={'WWW-Authenticate': 'JWT realm="%s"' % realm})
try:
payload = _jwt.jwt_decode_callback(token)
except jwt.InvalidTokenError as e:
raise JWTError('Invalid token', str(e))
identity = _jwt.identity_callback(payload)
if user_type == 'student' and isinstance(identity, Student):
return fn(*args, **kwargs)
elif user_type == 'teacher' and isinstance(identity, Teacher):
return fn(*args, **kwargs)
# NOTE - By default JWTError throws 401. We needed 404. Hence status_code=404
raise JWTError('Unauthorized',
'You are unauthorized to request the api or access the resource',
status_code=404)
def authenticate(username, password):
user = student_users.find_one({"username": username})
user_type = "student"
if user is None:
user = instructor_users.find_one({"username": username})
user_type = "instructor"
elif teams.find_one({"liason": username}):
user_type = "liason"
if user:
user['type'] = user_type
passMatch = bcrypt.hashpw(
password.encode('utf-8'), user['password'].encode(
'utf-8')) == user['password'].encode('utf-8')
if passMatch:
return user
else:
raise JWTError('Bad credentials',
'Incorrect password!',
status_code=404)
else:
raise JWTError('Bad credentials', 'User not found!', status_code=404)
def decorator(*args, **kwargs):
_jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
if current_identity.admin:
return fn(*args, **kwargs)
raise JWTError(
'Authorization Required',
'You are not admin',
headers={
'WWW-Authenticate': 'JWT realm="%s"' %current_app.config['JWT_DEFAULT_REALM']
}
)
def jwt_request_handler():
auth_header_value = request.headers.get('Authorization', None)
auth_header_prefix = current_app.config['JWT_AUTH_HEADER_PREFIX']
# If no header, try extracting token from the 'token' parameter
if not auth_header_value:
token = request.args.get('token')
if token: auth_header_value = '{} {}'.format(auth_header_prefix, token)
if not auth_header_value:
return
parts = auth_header_value.split()
if parts[0].lower() != auth_header_prefix.lower():
raise JWTError('Invalid JWT header', 'Unsupported authorization type')
elif len(parts) == 1:
raise JWTError('Invalid JWT header', 'Token missing')
elif len(parts) > 2:
raise JWTError('Invalid JWT header', 'Token contains spaces')
return parts[1]
def identity(payload: dict) -> typing.Optional[User]:
user_id = payload["identity"]
user = User.query.get(user_id)
if not user.internal_auth or not UserCRUD.is_global_active(
db.session, user.id):
raise JWTError(
"Forbidden",
"Internal identity and authorization not accepted",
status_code=403,
)
return user
def request_handler():
auth_header_value = request.headers.get('Authorization', None)
auth_header_prefix = current_app.config['JWT_AUTH_HEADER_PREFIX']
if auth_header_value is None and request.args.get('token',
None) is not None:
logging.info(request.args.get('token', ''))
auth_header_value = auth_header_prefix + ' ' + request.args.get(
'token', '')
if auth_header_value is None:
return None
parts = auth_header_value.split()
if parts[0].lower() != auth_header_prefix.lower():
raise JWTError('Invalid JWT header', 'Unsupported authorization type')
elif len(parts) == 1:
raise JWTError('Invalid JWT header', 'Token missing')
elif len(parts) > 2:
raise JWTError('Invalid JWT header', 'Token contains spaces')
return parts[1]
def jwt_auth():
assertion = request.values.get('assertion')
segments = assertion.split('.')
payload = json.loads(_urlsafe_b64decode(segments[1]).decode('utf-8'))
service_account = JwtUser.get(payload['iss'])
if not service_account:
raise JWTError('Bad Request', 'Invalid service account')
jwt.decode(assertion,
service_account.public_key,
algorithms=['RS256'],
options=dict(verify_aud=False))
identity = User.get_by_id(payload['sub'])
access_token = flask_jwt.jwt_encode_callback(identity)
return flask_jwt.auth_response_callback(access_token, identity)
def check_authorization(self):
# get view class
try:
_class = self.get_class()
except NotImplementedError:
return False
# get user data
if current_identity:
user = current_identity.get_dict()
organization = current_identity.organization
else:
return False
# form policy key
policy = '{}:{}'.format(_class.__name__.lower(), self.action)
# get policies and update them with organization level overrides
policies = current_app.config.get('DEFAULT_POLICIES', {})
if hasattr(organization, 'policy') and organization.policy:
policies.update(organization.policy)
try:
policy_value = policies[policy]
except KeyError:
current_app.logger.error('Unknown policy {}'.format(policy))
return False
# evaluate user permissions
# if there are multiple objects, filter out those which current user
# doesn't have access to
if isinstance(self.obj, list):
allowed = []
for obj in self.obj:
if is_authorized(user, policy_value, resource=obj):
allowed.append(obj)
self.obj = allowed
# if there is single object raise if user doesn't have access to it
else:
if not is_authorized(user, policy_value, resource=self.obj):
raise JWTError(
'Insufficient permissions',
'Your user account is lacking the necessary '
'permissions to perform this operation')
def check_authorization(self):
# get user data
if current_identity:
user = current_identity.get_dict()
else:
return False
policy_value = self.get_policy_value()
if not policy_value:
return False
if isinstance(self.obj, list):
allowed = []
for obj in self.obj:
if is_authorized(user, policy_value, resource=obj):
allowed.append(obj)
self.obj = allowed
# if there is single object raise if user doesn't have access to it
else:
if not is_authorized(user, policy_value, resource=self.obj):
raise JWTError('Insufficient permissions',
'Your user account is lacking the necessary '
'permissions to perform this operation')