def auth(): if request.method == 'GET': return redirect(url_for('login')) data = request.form.to_dict() username = data["username"] password = data["password"] if username != ADMIN_USER or password != ADMIN_PASSWORD: return jsonify({'login': False}), 401 expires = datetime.timedelta(days=1) access_token = create_access_token(identity=username, expires_delta=expires) refresh_token = create_refresh_token(identity=username) resp = jsonify({ 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token), 'access_token': access_token }) set_access_cookies(resp, access_token) set_refresh_cookies(resp, refresh_token) return resp, 200
def post(self): data = _user_parser.parse_args() user = UserModel.find_by_email(data["email"]) try: if user and check_password_hash(user.password, data["password"]): expires = datetime.timedelta(days=3) access_token = create_access_token(identity=user.id, fresh=True, expires_delta=expires) refresh_token = create_refresh_token(user.id) resp = jsonify({ "csrf": get_csrf_token(access_token), "refresh_csrf": get_csrf_token(refresh_token) }) resp.status_code = 200 set_access_cookies(resp, access_token) set_refresh_cookies(resp, refresh_token) return resp except Exception as e: return {"msg": "this happened: {}".format(e)}, 500 return {"msg": "invalid credentials"}, 404
def post(self): json_data = request.get_json() try: data = login_schema.load(json_data) except ma.ValidationError as err: return {'msg': '400 Bad Request', 'errors': err.messages}, 400 email = data.get('email') password = data.get('password') user = User.get_by_email(email) if user and user.check_password(password): if not user.is_activated: return {'msg': 'Activeer je account'}, 403 access_token = jwt.create_access_token(identity=user.id) refresh_token = jwt.create_refresh_token(identity=user.id) response = jsonify({ 'success': True, 'a-csrf-token': jwt.get_csrf_token(access_token), 'r-csrf-token': jwt.get_csrf_token(refresh_token) }) jwt.set_access_cookies(response, access_token) jwt.set_refresh_cookies(response, refresh_token) return response return {'msg': 'Fout e-mailadres of wachtwoord'}, 401
def response_with_tokens(user: User) -> Response: access_token = create_access_token(identity=user.id) refresh_token = create_refresh_token(identity=user.id) response = make_response({ "access_csrf": get_csrf_token(access_token), "refresh_csrf": get_csrf_token(refresh_token), }) set_access_cookies(response, access_token) set_refresh_cookies(response, refresh_token) return response
def post(self): current_user = get_jwt_identity() access_token = create_access_token(identity=current_user, fresh=False) refresh_token = create_refresh_token(current_user) resp = jsonify({ "csrf": get_csrf_token(access_token), "refresh_csrf": get_csrf_token(refresh_token) }) resp.status_code = 200 set_access_cookies(resp, access_token) set_refresh_cookies(resp, refresh_token) return resp
def login(): SITE_ROOT = os.path.realpath(os.path.dirname(__file__)) json_url = os.path.join(SITE_ROOT, "conf/config.json") try: username = request.json.get("email", None) password = request.json.get("password", None) mongo_dbh, error_obj = get_mongodb() if error_obj != {}: return jsonify(error_obj), 200 user = mongo_dbh["c_users"].find_one({'email' : username }) error = None if user is None: error = 'Incorrect username.' else: stored_password = user['password'].encode('utf-8') submitted_password = password.encode('utf-8') if bcrypt.hashpw(submitted_password, stored_password) != stored_password: error = 'Incorrect password.' res_obj = {"status":1} if error is None: # Create the tokens we will be sending back to the user access_token = create_access_token(identity=username) refresh_token = create_refresh_token(identity=username) # Return the double submit values in the resulting JSON # instead of in additional cookies res_obj["access_csrf"] = get_csrf_token(access_token) res_obj["refresh_csrf"] = get_csrf_token(refresh_token) res_obj["username"] = username res_obj = jsonify(res_obj) # We still need to call these functions to set the # JWTs in the cookies set_access_cookies(res_obj, access_token) set_refresh_cookies(res_obj, refresh_token) else: res_obj = jsonify({"status":0, "error":error}) except Exception as e: res_obj = jsonify(log_error(traceback.format_exc())) return res_obj, 200
def refresh(): ''' Get the user's id from their refresh_token and create a new access token that will be returned in the response Returns {Object<json>} 200 success: {string} ''' # Get the user's id from refresh token cookie public_id = get_jwt_identity() # If no user id, return error if not public_id: return jsonify({'error': 'Invalid user request.'}), 400 # Create access tokens expires = timedelta(seconds=1800) access_token = create_access_token(identity=public_id, expires_delta=expires) # Get newly created csrf access token to return as header csrf_access_token = get_csrf_token(access_token) # Create json response and return access cookies and header response = make_response( jsonify({'success': 'Access token has been refreshed.'}), 200) set_access_cookies(response, access_token) response.headers['access'] = csrf_access_token return response
def test_post_protected_endpoint_users(client, example_user, example_user_data, registered_user, example_group, monkeypatch): ''' Access a restricted API endpoint using CSRF token signature 1) Find user 2) Delete user ''' import jots.webapp with client.application.app_context(): access_token = create_access_token(example_user.properties.email) csrf_code = get_csrf_token(access_token) client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token) headers = {"Content-Type": "application/json", "X-CSRF-TOKEN": csrf_code} #1 post_data = {"email": example_user.properties.email} result = client.post("/api/v1/users/find", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert example_user.properties.email in result.json #2 post_data = {"userid": example_user.properties.userId} result = client.post("/api/v1/users/delete", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert "result" in result.json
def post(self): current_user = get_jwt_identity() logger.info(current_user) access_token = create_access_token(identity = current_user) resp = jsonify({'refresh': True, 'access_csrf': get_csrf_token(access_token)}) set_access_cookies(resp, access_token) return resp
def post(self): user = jwt.get_jwt_identity() access_token = jwt.create_access_token(identity=user) response = jsonify({ 'success': True, 'a-csrf-token': jwt.get_csrf_token(access_token), }) jwt.set_access_cookies(response, access_token) return response
def post(self): """Refresh token endpoint. Get a new access token without requiring username and password—only the 'refresh token' provided in the /login endpoint. This will generate a new access token from the refresh token, but will mark that access token as non-fresh, as we do not actually verify a password in this endpoint. Note that refreshed access tokens have a `fresh=False`, which means that the user may have not given us their username and password for potentially a long time (if the token has been refreshed many times over). --- tags: - Auth responses: 200: description: The refreshed token """ current_user = get_current_user() # Create the new access token and save it to database new_access_token = create_access_token(identity=current_user, fresh=False) add_token_to_database(new_access_token, current_app.config['JWT_IDENTITY_CLAIM']) raw_response = {'refresh': True, 'access_token': new_access_token} if not current_app.config['JWT_CSRF_IN_COOKIES']: # Return the double submit values in the resulting JSON # instead of in additional cookies raw_response.update( {'access_csrf': get_csrf_token(new_access_token)}) # Create the response object resp = jsonify(raw_response) resp.status_code = 200 # This header is used for Swagger-UI, it uses this header to authenticate the following requests. resp.headers.extend({'jwt-token': new_access_token}) resp.headers.extend({'access_csrf': get_csrf_token(new_access_token)}) # Set the JWT access cookie in the response (useful for browser apps only) # We need to call these functions to set the JWTs in the httpOnly cookies set_access_cookies(resp, new_access_token) return resp
def post(self): ''' get the user credentials from the request verify the credentials, generate the access and refresh token, set the tokens in the cookies return the response ''' data = validate_user(request.get_json()) if data['ok']: user_data = data['user_data'] user = User.query.filter_by(email=user_data['email']).first() # verify the user credentials if user is None or not user.verify_password(user_data['password']): return jsonify({"ok": False, "message": "Invalid Credentials"}), 401 if not user.active: return jsonify({"ok": False, "message": "Unverified Email"}), 401 del user_data['password'] access_token = create_access_token(identity=user_data, fresh=True) refresh_token = create_refresh_token(identity=user_data) # set the tokens in cookies response = jsonify({ "ok": True, "logged_in_as": user.email, "avatar": user.avatar(128), "message": "Login Successful", "access_csrf": get_csrf_token(access_token), "refresh_csrf": get_csrf_token(refresh_token) }) set_access_cookies(response, access_token) set_refresh_cookies(response, refresh_token) return response, 200 else: return jsonify({"ok": False, "message": "Invalid Credentials"}), 401
def post(self): current_user = get_jwt_identity() access_token = create_access_token(identity=current_user, fresh=False) response = jsonify({ "ok": True, "access_csrf": get_csrf_token(access_token) }) set_access_cookies(response, access_token) return response, 200
def login(): data = request.get_json() user_model = User() result = user_model.login_user(parameter=data.get("username"), password = data.get("password")) if result: # store session parameter = data.get("username") user = user_model.get(parameter=parameter) access_token = create_access_token(identity=user.get("username")) refresh_token = create_refresh_token(identity=user.get("username")) resp = jsonify({ 'login': True, 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token)}) set_access_cookies(resp, access_token) set_refresh_cookies(resp, refresh_token) return resp, 200 return jsonify({"message": "bad username, email or password"}), 400
def post(self): args = login_schema.dump(request.form).data usuario = UsuarioModel.autenticate(args['usuario'], args['senha']) if usuario: # cria tokens access_token = create_access_token(usuario) refresh_token = create_refresh_token(usuario) # resposta com csrf's res = jsonify({ 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token) }) # Set the JWT cookies in the response set_access_cookies(res, access_token) set_refresh_cookies(res, refresh_token) return res else: return jsonify({'login': False}), 401
def test_refresh_token(app): refresh_token = create_refresh_token(identity=_SOME_USER_ID) response = app.post( "/auth/refresh", headers={"Authorization": f"Bearer {refresh_token}"}, ) cookie = next(cookie for cookie in app.cookie_jar if cookie.name == "access_token_cookie") access_csrf = response.get_json()["access_csrf"] assert access_csrf == get_csrf_token(cookie.value)
def post(self): args = login_schema.dump(request.form) usuario = UsuarioModel.autenticate(args['usuario'], args['senha']) if usuario: access_token = create_access_token(usuario, fresh=True) res = jsonify({'access_csrf': get_csrf_token(access_token)}) set_access_cookies(res, access_token) return res else: return {'error': 'Usuário ou Senha incorreto'}, 400
def _build_login_response(user, set_cookies): access_token = create_access_token(identity=user.id_, expires_delta=False) response = marshal_data(user, USER_SCHEMA) response["csrf_token"] = get_csrf_token(access_token) if set_cookies: response = jsonify(response) set_access_cookies(response, access_token, 10000000000) response = make_response(response, 200) response.mimetype = "application/json" else: response["access_token"] = access_token return response
def setUp(self): self.client = test_app.test_client() self.connection = get_db_connection() self.cursor = self.connection.cursor() self.test_username = '******' self.test_email = '*****@*****.**' user_id = init_test_db(self.cursor, self.test_username, self.test_email) with test_app.app_context(): self.access_token = create_access_token(identity=user_id) self.refresh_token = create_refresh_token(identity=user_id) self.csrf_access = get_csrf_token(self.access_token) self.csrf_refresh = get_csrf_token(self.refresh_token) self.access_header = {'X-CSRF-TOKEN': f'{self.csrf_access}'} self.client.set_cookie('localhost', 'access_token_cookie', value=self.access_token) self.client.set_cookie('localhost', 'refresh_token_cookie', value=self.refresh_token) self.connection.commit()
def mock_login(uid=None): my_session = requests.session() access_token = None csrf_token = None my_identity = default_user_ids['Owner'] if not uid else uid with APP.app_context(): access_token = create_access_token(identity=my_identity) refresh_token = create_refresh_token(identity=my_identity) csrf_token = get_csrf_token(access_token) csrf_refresh_token = get_csrf_token(refresh_token) print('access_token: ', str(access_token)) print('csrf_token: ', str(csrf_token)) print('refresh_token: ', str(refresh_token)) print('csrf_refresh_token: ', str(csrf_refresh_token)) my_access_cookie = requests.cookies.create_cookie(name='access_token_cookie', value=access_token, domain=os.environ['TEST_HOST']) my_session.cookies.set_cookie(my_access_cookie) my_refresh_cookie = requests.cookies.create_cookie(name='refresh_token_cookie', value=refresh_token, domain=os.environ['TEST_HOST']) my_session.cookies.set_cookie(my_refresh_cookie) return { 'session': my_session, 'csrf_token': csrf_token, 'csrf_refresh_token': csrf_refresh_token }
def refresh_token(): current_user = get_jwt_identity() access_token = create_access_token(identity=current_user) response_body = { 'refresh': True, 'access_csrf_token': get_csrf_token(access_token) } response = make_response(response_body) set_access_cookies(response, access_token) return response
def login(): body = rebar.validated_body username = body['username'] password = body['password'] user = User.query.filter_by(username=username).first() if user and bcrypt.checkpw(password, user.password): access_token = create_access_token(identity=user.id) refresh_token = create_refresh_token(identity=user.id) response_body = { 'login': True, 'access_csrf_token': get_csrf_token(access_token), 'refresh_csrf_token': get_csrf_token(refresh_token) } response = make_response(response_body) set_access_cookies(response, access_token) set_refresh_cookies(response, refresh_token) return response else: return {'login': False}, 401
def test_user_registration(app): response = app.post( "/auth/register", json={ "email": _SOME_USER_NEW_EMAIL, "name": _SOME_USER_NAME, "password": _SOME_USER_PASSWORD, }, ) assert response.status_code == 201 cookie = next(cookie for cookie in app.cookie_jar if cookie.name == "access_token_cookie") access_csrf = response.get_json()["access_csrf"] assert get_csrf_token(cookie.value) == access_csrf
def test_post_protected_endpoint_apps(client, example_user, example_user_data, registered_user, example_group, monkeypatch): ''' Access a restricted API endpoint using CSRF token signature 1) Create app 2) Find app 3) Get app key ''' import jots.webapp with client.application.app_context(): access_token = create_access_token(example_user.properties.email) csrf_code = get_csrf_token(access_token) client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token) headers = {"Content-Type": "application/json", "X-CSRF-TOKEN": csrf_code} #1 post_data = {"appname": "newappA"} result = client.post("/api/v1/apps/new", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert "newappA" in result.json new_app_id = result.json['newappA']['id'] new_app_key = result.json['newappA']['key'] new_app_secret = result.json['newappA']['secret'] #2 post_data = {"appname": "newappA"} result = client.post("/api/v1/apps/find", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert "newappA" in result.json assert result.json['newappA'] == new_app_id #3 result = client.get("/api/v1/apps/{}/key".format(new_app_id), headers=headers, follow_redirects=True) assert result.status_code == 200 assert result.data.decode('utf-8') == new_app_key
def test_success_to_logout_logged_in_user(self): with self.flask_app.test_client() as client: access_token = '' with self.flask_app.app_context(): identity = { 'id': '1', 'username': EXIST_USERNAME, } access_token = create_access_token(identity=identity) csrf_token = get_csrf_token(access_token) client.set_cookie('.example.com', 'access_token_cookie', access_token) res = client.post('/auth/logout', headers={ 'X-CSRF-TOKEN': csrf_token, }) res_json = res.get_json() self.assertEqual(res.status_code, 200) self.assertEqual(res_json['code'], 200) self.assertEqual(res_json['data']['user']['username'], EXIST_USERNAME) self.assertEqual(len(res.headers.getlist('Set-Cookie')), 4) # access_token_cookie, csrf_access_token, refresh_token_cookie, csrf_refresh_token
def login(): try: username = request.json.get('username', '') password = request.json.get('password', '') if not username: raise ValueError('Username is required.') elif not password: raise ValueError('Password is required.') except Exception as e: raise BadRequest(message=e) conn = current_app.db_engine.connect() query = select([ users.c.id, users.c.username, users.c.password, ]).where(users.c.username == username) result = conn.execute(query) row = result.fetchone() result.close() if not row or not check_password_hash(row[users.c.password], password): raise Unauthorized('Unauthorized user.') identity = { 'id': row[users.c.id], 'username': row[users.c.username], } access_token = create_access_token(identity=identity) csrf_token = get_csrf_token(access_token) resp = jsonify(code=200, data={ 'user': identity, 'access_token': access_token, 'csrf_token': csrf_token, }) set_access_cookies(resp, access_token) return resp
def post(self): """This endpoint allows a user to login with the right credentials First line is the summary All following lines until the hyphens is added to description the format of the first lines until 3 hyphens will be not yaml compliant but everything below the 3 hyphens should be. --- tags: - Auth parameters: - in: body name: body schema: type: object properties: username: type: string required: true description: The username of the user password: type: string required: true description: The password of the user responses: 201: description: User logged in successfully schema: type: object properties: message: type: string default: User logged in successfully 401: id: message description: User not logged in schema: type: object properties: message: type: string default: Wrong credentials 422: id: message description: Data sent not possible to understand schema: type: object properties: message: type: string default: Missing JSON in request """ if not request.is_json: response = jsonify({"message": "Missing JSON in request"}) response.status_code = 422 return response data = UserLogin.parser.parse_args() current_user = UserModel.find_by_username(data['username']) if current_user and UserModel.verify_hash(data['password'], current_user.password): # create_access_token supports an optional 'fresh' argument, # which marks the token as fresh or non-fresh accordingly. # As we just verified their username and password, we are # going to mark the token as fresh here. access_token = create_access_token(identity=current_user, fresh=True) refresh_token = create_refresh_token(identity=current_user) # Store the tokens in our store with a status of not currently revoked. add_token_to_database(access_token, current_app.config['JWT_IDENTITY_CLAIM']) add_token_to_database(refresh_token, current_app.config['JWT_IDENTITY_CLAIM']) raw_response = { 'message': 'Logged in as {}'.format(current_user.username), 'access_token': access_token, 'refresh_token': refresh_token, 'user_id': current_user.id, } # Processing the request coming from a web browser applications # like Swagger UI (provided in Flasgger), we setup some cookies httpOnly and headers automatically. req_headers = request.headers.get('Referer', None) if req_headers: # This header is used for Swagger-UI, it uses this header to authenticate the following requests. # response.headers.extend({'jwt-token': access_token}) if not current_app.config['JWT_CSRF_IN_COOKIES']: # Return the double submit values in the resulting JSON # instead of in additional cookies raw_response.update({ 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token) }) # Creating the response response = jsonify(raw_response) response.status_code = 200 if req_headers: # We need to call these functions to set the JWTs in the httpOnly cookies, sent through our response object set_access_cookies(response, access_token) set_refresh_cookies(response, refresh_token) else: response = jsonify({'message': 'Wrong credentials'}) response.status_code = 401 return response
def test_post_protected_endpoint_groups(client, example_user, example_user_data, registered_user, example_group, monkeypatch): ''' Access a restricted API endpoint using CSRF token signature 1) Post groupname and confirm found group matches fixtures 2) Add group member 3) Remove group member 4) Create and delete a new group ''' import jots.webapp with client.application.app_context(): access_token = create_access_token(example_user.properties.email) csrf_code = get_csrf_token(access_token) client.set_cookie(example_user_data['service_domain'], "access_token_cookie", access_token) headers = {"Content-Type": "application/json", "X-CSRF-TOKEN": csrf_code} #1 post_data = {"groupname": example_group.properties.groupName} result = client.post("/api/v1/groups/find", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert example_group.properties.groupName in result.json assert example_group.properties.groupId in result.json[example_group.properties.groupName] #2 post_data = {"email": registered_user.properties.email} result = client.post("/api/v1/groups/{}/members/add".format(example_group.properties.groupId), data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert registered_user.properties.userId in result.json #3 post_data = {"userid": registered_user.properties.userId} result = client.post("/api/v1/groups/{}/members/remove".format(example_group.properties.groupId), data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert registered_user.properties.userId not in result.json #4 post_data = {"groupname": "newgroupA"} result = client.post("/api/v1/groups/new", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert post_data['groupname'] in result.json new_group_id = result.json[post_data['groupname']] post_data = {"groupid": new_group_id} result = client.post("/api/v1/groups/delete", data=json.dumps(post_data), headers=headers, follow_redirects=True) assert result.status_code == 200 assert "result" in result.json
def post(self): parser_login.parse_args() data = request.get_json(force=True) username = data['username'].lower() password = data['password'] current_user = User.find_by_username(username) if not current_user: return make_response( jsonify({ "message": { "success": False, "field": "username", "text": 'کاربری با نام کاربری مورد نظر شما پیدا نشد' } }), 400) if current_user.login_attempts == MAX_LOGIN_ATTEMPTS: current_user.is_verified = False current_user.is_banned = True current_user.is_active = False db.session.add(current_user) db.session.commit() msg = "حساب کاربری شما موقتا به حالت تعلیق در آمد لطفا با پشتیبانی سایت تماس حاصل کنید" return make_response( jsonify({ 'message': { "success": False, "field": "banned", "text": msg } }), 401) if User.verify_hash(password, current_user.password): if current_user.is_banned: msg = "متاسفانه حساب کاربری شما در لیست سیاه قرار گرفته است" return make_response( jsonify({ 'message': { "success": False, "field": "blacklist", "text": msg } }), 401) if not current_user.is_verified: session['username'] = username msg = "حساب کاربری شما باید از طریق شماره همراه فعال سازی شود" return make_response( jsonify({ 'message': { "success": False, "field": "verification", "text": msg } }), 401) expires = timedelta(days=365) access_token = create_access_token(identity=current_user.username, expires_delta=expires, fresh=True) refresh_token = create_refresh_token( identity=current_user.username, expires_delta=expires) resp = jsonify({ 'message': 'Logged in as {}'.format(current_user.username), 'access_token': access_token, 'refresh_token': refresh_token, 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token) }) # Set the JWT cookies in the response redirect_to_auction = False auction_id = 0 if 'next' in data and "participate" in data['next']: temp = data['next'] auction_id = temp.split('/')[2] if (current_user.has_auction(int(auction_id))): redirect_to_auction = True if redirect_to_auction: resp = jsonify({ 'message': 'Logged in as {}'.format(current_user.username), 'access_token': access_token, 'refresh_token': refresh_token, 'redirect_to_auction': redirect_to_auction, 'auction_id': auction_id, 'access_csrf': get_csrf_token(access_token), 'refresh_csrf': get_csrf_token(refresh_token) }) # create orders from session on login if "orders" in session: order_schema = OrderSchema(many=True) for order in session['orders']: new_order = Order() item = Item.query.get(order[0]['item']['id']) saved_before = Order.query.filter_by( user_id=current_user.id).join(Item).filter_by( id=item.id).first() if not saved_before: #calculate price base on auction participation total = int(order[0]['total']) item_price = (item.price - item.discount) * total discount_status = OrderDiscountStatus.REGULAR discount = item.discount * total auction = current_user.auctions.join(Item).filter_by( id=item.id).first() if auction: offer = Offer.query.join(Auction).filter_by( id=auction.id).order_by( "offers.created_at DESC").first() discount_status = OrderDiscountStatus.INAUCTION if offer and offer.win: item_price = offer.total_price discount_status = OrderDiscountStatus.AUCTIONWINNER total = 1 discount = item.price - offer.total_price else: userplan = current_user.user_plans.join( Auction).filter_by(id=auction.id).first() auctionplan = AuctionPlan.query.filter_by( auction_id=auction.id).join( UserPlan).filter_by( id=userplan.id).first() item_price = item.price - auctionplan.discount total = 1 discount = auctionplan.discount new_order.item = item new_order.total_cost = item_price new_order.total = total new_order.status = OrderStatus.UNPAID new_order.discount_status = discount_status new_order.total_discount = discount new_order.user = current_user db.session.add(new_order) db.session.commit() session.pop('orders') # if 'remember_me' in data and data['remember_me']==True: # login_user(current_user,remember=True) # else: # login_user(current_user,remember=False) expire_date = timedelta(days=365) set_refresh_cookies(resp, refresh_token, expire_date) set_access_cookies(resp, access_token, expire_date) login_user(current_user, remember=True) return make_response(resp, 200) else: current_user.login_attempts += 1 db.session.add(current_user) db.session.commit() return make_response( jsonify({ 'message': { "success": False, "field": "password", "text": 'رمز عبور شما نادرست است' } }), 401)
def create_user(): """ This route adds a new user to the database, sends a confirmation link to the user's email and returns a success message aa a json object. Returns {Object<json>} 200 success: {string} Throws {Exception{Object<json>}} error: NotAuthorized 401 NoResultFound 404 SQLAlchemyError 400 """ # Get user's authorization credentials auth = request.authorization # If no authorization credentials, return error if not auth or not auth.username or not auth.password: return make_response( jsonify({'error': 'Could not verify!'}), 401, {'WWW-Authentication': 'Basic realm="Login required!"'}) # Get user data from request data = request.get_json() # If name or email is missing, return error if not data['name'] or not data['email']: return make_response(jsonify({'error': 'Missing data!'}), 400) # Create a salted password random_bytes = urandom(24) salt = b64encode(random_bytes).decode('utf-8') salted_password = auth['password'] + salt # Hash the salted password hashed_password = generate_password_hash(salted_password, method='pbkdf2:sha512:80000', salt_length=20) # Create user object user = User(name=data['name'], email=data['email'], username=auth['username'], password=hashed_password, salt=salt, created_at=datetime.utcnow()) user.generate_public_id() # Try to add user to database try: db.session.add(user) db.session.commit() # If username already in database, return error except IntegrityError: return jsonify({'error': 'User with name or email already exists'}), 400 # If some other sqlalchemy error is thrown, return error except SQLAlchemyError: return jsonify({'error': 'Some problem occurred!'}), 400 # Serialize the user object user_schema = UserSchema() output = user_schema.dump(user).data # Create the tokens to be sent to the user expires = timedelta(seconds=1800) access_token = create_access_token(identity=user.public_id, expires_delta=expires) refresh_token = create_refresh_token(identity=user.public_id) # Get the csrf tokens so they can be set as headers in response csrf_access_token = get_csrf_token(access_token) csrf_refresh_token = get_csrf_token(refresh_token) # Create json response response = make_response( jsonify({ 'user': output, 'success': 'Login successful!' }), 200) # Set JWT cookies and headers and return response set_access_cookies(response, access_token) set_refresh_cookies(response, refresh_token) response.set_cookie('public_id', user.public_id) response.headers['access'] = csrf_access_token response.headers['refresh'] = csrf_refresh_token return response