    def verifyEmail(self, user, token):
        """Mark ``user`` as email-verified using a single-use verification token.

        The token id is loaded with ``exc=True``, so an unknown token raises
        before any state is touched. It is then accepted only when all of the
        following hold: it was issued for this user, it has not expired, and it
        carries the ``EMAIL_VERIFICATION`` scope. Otherwise an
        ``AccessException`` is raised and the user document is left unchanged.

        On success the token is removed, the user is saved with
        ``emailVerified`` set, and, if the user is allowed to log in, a session
        cookie is issued and its details are returned alongside the user.

        :param user: the user document the verification token was issued for.
        :param token: the verification token id supplied by the client.
        :returns: dict with the filtered ``user`` and a ``message``, plus an
            ``authToken`` entry (``token``, ``expires``, ``scope``) when a
            login session was started.
        :raises AccessException: if the token belongs to another user, is
            expired, or lacks the verification scope.
        """
        tokenModel = Token()
        token = tokenModel.load(
            token, user=user, level=AccessType.ADMIN, objectId=False, exc=True)

        # assumes token['expires'] is a naive UTC datetime, like utcnow() —
        # confirm against the Token model before switching to aware datetimes
        remainingSeconds = (
            token['expires'] - datetime.datetime.utcnow()).total_seconds()
        issuedForThisUser = token.get('userId') == user['_id']
        hasVerificationScope = tokenModel.hasScope(
            token, TokenScope.EMAIL_VERIFICATION)

        if not (issuedForThisUser and remainingSeconds > 0 and hasVerificationScope):
            raise AccessException('The token is invalid or expired.')

        user['emailVerified'] = True
        # The token is single-use: remove it before persisting the user.
        tokenModel.remove(token)
        user = self._model.save(user)

        if not self._model.canLogin(user):
            return {
                'user': self._model.filter(user, user),
                'message': 'Email verification succeeded.'
            }

        setCurrentUser(user)
        authToken = self.sendAuthTokenCookie(user)
        return {
            'user': self._model.filter(user, user),
            'authToken': {
                'token': authToken['_id'],
                'expires': authToken['expires'],
                'scope': authToken['scope']
            },
            'message': 'Email verification succeeded.'
        }
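    def createUser(
        self,
        login,
        password,
        displayName="",
        email="",
        admin=False,
        lastName=None,
        firstName=None
    ): # 🔥 delete lastName once fully deprecated
        """Create a new user account, honouring the registration policy.

        The ``admin`` flag is only honoured when the caller is an authenticated
        admin; for any other caller it is forced to ``False``, and when the
        ``REGISTRATION_POLICY`` setting is ``'closed'`` the request is refused.
        ``displayName`` is the current name field; ``firstName`` is a
        deprecated fallback used only when ``displayName`` is empty.

        A self-registered user (no current user) who is allowed to log in is
        logged in immediately and the new session token is attached to the
        returned document under ``authToken``. Every new user is also added to
        the ``"New Users"`` group, which is created on first use.

        :param login: the new account's login name.
        :param password: the new account's password.
        :param displayName: the user's display name; stored as ``firstName``.
        :param email: the user's email address.
        :param admin: whether to create an admin; ignored unless the current
            user is an admin.
        :param lastName: deprecated; passed through to the model.
        :param firstName: deprecated; used only when ``displayName`` is empty.
        :returns: the created user document.
        :raises RestException: when registration is closed and the caller is
            not an admin.
        """
        currentUser = self.getCurrentUser()

        regPolicy = Setting().get(SettingKey.REGISTRATION_POLICY)

        # Only an authenticated admin may grant the admin flag; everyone else
        # gets a regular account, and is refused when registration is closed.
        if not currentUser or not currentUser['admin']:
            admin = False
            if regPolicy == 'closed':
                raise RestException(
                    'Registration on this instance is closed. Contact an '
                    'administrator to create an account for you.')

        # Truthiness rather than len() so a ``None`` displayName falls through
        # to the deprecated fallback instead of raising TypeError.
        if displayName:
            resolvedFirstName = displayName
        elif firstName is not None:
            resolvedFirstName = firstName
        else:
            resolvedFirstName = ""

        user = self._model.createUser(
            login=login, password=password, email=email,
            firstName=resolvedFirstName,
            lastName=lastName, admin=admin, currentUser=currentUser) # 🔥 delete firstName and lastName once fully deprecated

        # Self-registration logs the new account in right away when the model
        # allows it, so the client receives its session token in the response.
        if not currentUser and self._model.canLogin(user):
            setCurrentUser(user)
            token = self.sendAuthTokenCookie(user)
            user['authToken'] = {
                'token': token['_id'],
                'expires': token['expires']
            }

        # Assign all new users to a "New Users" Group, creating it on first use
        # with the earliest-created admin as its creator.
        newUserGroup = GroupModel().findOne({'name': 'New Users'})
        if not newUserGroup:
            newUserGroup = GroupModel().createGroup(
                name="New Users",
                creator=UserModel().findOne(
                    query={'admin': True},
                    sort=[('created', SortDir.ASCENDING)]
                ),
                public=False
            )
        group = GroupModel().addUser(
            newUserGroup,
            user,
            level=AccessType.READ
        )
        # NOTE(review): ``group`` is populated here but never returned or used
        # in this method; kept in case the model calls have side effects —
        # confirm and drop if they do not.
        group['access'] = GroupModel().getFullAccessList(group)
        group['requests'] = list(GroupModel().getFullRequestList(group))

        return user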
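    def login(self):
        """Authenticate with HTTP Basic credentials and start a session.

        If the request already carries a valid session (``getCurrentUser``
        returns a user), no new cookie is issued and the existing token is
        returned. Otherwise the ``Authorization`` header (or the
        ``Girder-Authorization`` fallback) must hold ``Basic`` credentials,
        the login part must not be an email address, and an optional
        ``Girder-OTP`` header is forwarded to the model's ``authenticate``.

        :returns: dict with the filtered ``user``, the session ``authToken``
            (``token``, ``expires``, ``scope``) and a ``message``.
        :raises RestException: when password login is disabled, or (401) when
            the Basic header is missing or cannot be decoded.
        :raises AccessException: when an email address is used as the login
            name, or when authentication fails.
        """
        from girderformindlogger.utility.mail_utils import validateEmailAddress

        if not Setting().get(SettingKey.ENABLE_PASSWORD_LOGIN):
            raise RestException('Password login is disabled on this instance.')

        user, token = self.getCurrentUser(returnToken=True)

        # Only create and send new cookie if user isn't already sending a valid
        # one.
        if not user:
            authHeader = cherrypy.request.headers.get('Authorization')

            if not authHeader:
                authHeader = cherrypy.request.headers.get(
                    'Girder-Authorization')

            if not authHeader or not authHeader.startswith('Basic '):
                raise RestException('Use HTTP Basic Authentication', 401)

            try:
                credentials = base64.b64decode(authHeader[6:]).decode('utf8')
                if ':' not in credentials:
                    raise TypeError
            except Exception:
                raise RestException('Invalid HTTP Authorization header', 401)

            # Passwords may contain ':'; only the first one separates the fields.
            login, password = credentials.split(':', 1)
            if validateEmailAddress(login):
                raise AccessException(
                    "Please log in with a username, not an email address.")
            otpToken = cherrypy.request.headers.get('Girder-OTP')
            try:
                user = self._model.authenticate(login, password, otpToken)
            except Exception:
                # Narrowed from a bare ``except`` so KeyboardInterrupt and
                # SystemExit are no longer swallowed. The message stays vague
                # on purpose: it does not reveal whether the login exists.
                raise AccessException(
                    "Incorrect password for {} if that user exists".format(
                        login))

            # NOTE(review): an earlier revision built a threading.Thread here
            # targeting AppletModel().updateUserCacheAllRoles(user) but never
            # called ``.start()``, so no cache refresh ever ran on login. The
            # dead object has been dropped; re-add it with ``.start()`` if the
            # refresh is actually wanted.

            setCurrentUser(user)
            token = self.sendAuthTokenCookie(user)

        return {
            'user': self._model.filter(user, user),
            'authToken': {
                'token': token['_id'],
                'expires': token['expires'],
                'scope': token['scope']
            },
            'message': 'Login succeeded.'
        }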
def _authorizeUploadStep(event):
    """
    Called before any requests dealing with partially completed uploads. Sets the
    request thread user to the authorized upload token creator if the requested
    upload is an authorized upload.

    The ``uploadId`` request parameter must parse as an ``ObjectId`` and must
    equal the ``authorizedUploadId`` recorded on the current token; otherwise
    the request is left untouched and the endpoint performs its own validation.

    :param event: the REST event; ``event.info['params']`` holds the request
        parameters.
    """
    token = getCurrentToken()
    try:
        requestedUploadId = ObjectId(event.info['params'].get('uploadId', ''))
    except InvalidId:
        # Take no action, 'uploadId' will be validated again by the endpoint
        return

    if not token:
        return
    if token.get('authorizedUploadId') != requestedUploadId:
        return

    # The token's creator, not the requester, becomes the request user.
    setCurrentUser(User().load(token['userId'], force=True))
def _authorizeInitUpload(event):
    """
    Called when initializing an upload, prior to the default handler. Checks if
    the user is passing an authorized upload token, and if so, sets the current
    request-thread user to be whoever created the token.

    Only folder parents are eligible. The token is checked against the generic
    ``TOKEN_SCOPE_AUTHORIZED_UPLOAD`` scope and a scope bound to the specific
    ``parentId`` (presumably both must be present — see ``Token.hasScope``).

    :param event: the REST event; ``event.info['params']`` holds the request
        parameters.
    """
    token = getCurrentToken()
    params = event.info['params']
    tokenModel = Token()
    parentId = params.get('parentId', '')
    requiredScopes = {
        TOKEN_SCOPE_AUTHORIZED_UPLOAD,
        'authorized_upload_folder_%s' % parentId,
    }

    if params.get('parentType') != 'folder':
        return
    if not tokenModel.hasScope(token=token, scope=requiredScopes):
        return

    setCurrentUser(User().load(token['userId'], force=True))
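    def login(self, loginAsEmail):
        """Authenticate with HTTP Basic credentials and start a session.

        If the request already carries a valid session (``getCurrentUser``
        returns a user), no new cookie is issued and the existing token is
        returned. Otherwise the ``Authorization`` header (or the
        ``Girder-Authorization`` fallback) must hold ``Basic`` credentials and
        an optional ``Girder-OTP`` header is forwarded to the model's
        ``authenticate``. On a fresh login the optional ``deviceId`` and
        ``timezone`` headers are stored on the user document.

        :param loginAsEmail: when true the login part of the credentials must
            be an email address; when false it must be a username.
        :returns: dict with the filtered ``user``, the session ``authToken``
            (``token``, ``expires``, ``scope``) and a ``message``.
        :raises RestException: when password login is disabled, when the
            ``timezone`` header is not an integer (400), or (401) when the
            Basic header is missing or cannot be decoded.
        :raises AccessException: when the login name does not match
            ``loginAsEmail``, when authentication fails, or when the model
            reports an ``exception`` on the returned document.
        """
        from girderformindlogger.utility.mail_utils import validateEmailAddress

        if not Setting().get(SettingKey.ENABLE_PASSWORD_LOGIN):
            raise RestException('Password login is disabled on this instance.')

        user, token = self.getCurrentUser(returnToken=True)

        deviceId = cherrypy.request.headers.get('deviceId', '')
        # Client-supplied header: reject a non-integer value with a 400 rather
        # than letting int() raise and surface as a server error.
        try:
            timezone = int(cherrypy.request.headers.get('timezone', 0))
        except (TypeError, ValueError):
            raise RestException('Invalid timezone header', 400)

        # Only create and send new cookie if user isn't already sending a valid
        # one.
        if not user:
            authHeader = cherrypy.request.headers.get('Authorization')

            if not authHeader:
                authHeader = cherrypy.request.headers.get(
                    'Girder-Authorization'
                )

            if not authHeader or not authHeader.startswith('Basic '):
                raise RestException('Use HTTP Basic Authentication', 401)

            try:
                credentials = base64.b64decode(authHeader[6:]).decode('utf8')
                if ':' not in credentials:
                    raise TypeError
            except Exception:
                raise RestException('Invalid HTTP Authorization header', 401)

            # Passwords may contain ':'; only the first one separates the fields.
            login, password = credentials.split(':', 1)

            isEmail = validateEmailAddress(login)

            if not loginAsEmail and isEmail:
                raise AccessException(
                    "Please log in with a username, not an email address."
                )
            if loginAsEmail and not isEmail:
                raise AccessException(
                    "Please enter valid email address"
                )

            otpToken = cherrypy.request.headers.get('Girder-OTP')
            try:
                # NOTE(review): ``loginAsEmail=True`` is passed unconditionally,
                # even when the caller asked for username login; presumably the
                # model treats it as "also match by email" — confirm.
                user = self._model.authenticate(login, password, otpToken, loginAsEmail=True)
            except Exception:
                # Narrowed from a bare ``except`` so KeyboardInterrupt and
                # SystemExit are no longer swallowed. The message stays vague
                # on purpose: it does not reveal whether the login exists.
                raise AccessException(
                    "Incorrect password for {} if that user exists".format(
                        login
                    )
                )
            if user.get('exception', None):
                raise AccessException(
                    user['exception']
                )

            if deviceId:
                user['deviceId'] = deviceId
                user['timezone'] = timezone
                self._model.save(user)

            setCurrentUser(user)
            token = self.sendAuthTokenCookie(user)

        return {
            'user': self._model.filter(user, user),
            'authToken': {
                'token': token['_id'],
                'expires': token['expires'],
                'scope': token['scope']
            },
            'message': 'Login succeeded.'
        }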