def verifyEmail(self, user, token):
    """Consume an email-verification token and mark ``user`` as verified.

    The token id is loaded through ``Token().load`` with ``exc=True``, so an
    unknown id already raises from the model. The loaded document must also
    (a) belong to ``user``, (b) be unexpired and (c) carry
    ``TokenScope.EMAIL_VERIFICATION``; every one of those failures maps to the
    same generic ``AccessException`` so the response does not reveal which
    check failed. On success the token is deleted (single use), the user is
    saved and — when the model allows login — signed in with a fresh auth
    token cookie.

    :param user: user document being verified.
    :param token: verification token id supplied by the caller.
    :returns: dict with ``user``, optionally ``authToken``
        (``token``/``expires``/``scope``) and ``message``.
    :raises AccessException: token is for another user, expired, or lacks the
        email-verification scope.
    """
    tokenModel = Token()
    loaded = tokenModel.load(
        token, user=user, level=AccessType.ADMIN, objectId=False, exc=True)

    secondsLeft = (
        loaded['expires'] - datetime.datetime.utcnow()).total_seconds()
    ownedByUser = loaded.get('userId') == user['_id']
    hasVerifyScope = tokenModel.hasScope(loaded, TokenScope.EMAIL_VERIFICATION)

    # One opaque message for every rejection reason.
    if not (ownedByUser and secondsLeft > 0 and hasVerifyScope):
        raise AccessException('The token is invalid or expired.')

    user['emailVerified'] = True
    # Single use: the token is gone before the user record is persisted.
    tokenModel.remove(loaded)
    user = self._model.save(user)

    authTokenInfo = None
    if self._model.canLogin(user):
        setCurrentUser(user)
        issued = self.sendAuthTokenCookie(user)
        authTokenInfo = {
            'token': issued['_id'],
            'expires': issued['expires'],
            'scope': issued['scope']
        }

    response = {'user': self._model.filter(user, user)}
    if authTokenInfo is not None:
        response['authToken'] = authTokenInfo
    response['message'] = 'Email verification succeeded.'
    return response
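def createUser(
    self,
    login,
    password,
    displayName="",
    email="",
    admin=False,
    lastName=None,
    firstName=None
):  # 🔥 delete lastName once fully deprecated
    """Register a new user and add them to the "New Users" group.

    Privilege rules enforced here:

    * ``admin=True`` is honoured only when the caller is an authenticated
      admin; otherwise the flag is silently cleared (no error).
    * When ``SettingKey.REGISTRATION_POLICY`` is ``'closed'`` the request is
      refused with a ``RestException``.

    ``displayName`` is stored as the user's first name; when it is empty the
    deprecated ``firstName`` is used, else ``""``. A self-registration (no
    caller logged in) signs the new user in immediately if the model allows
    login, attaching ``user['authToken']`` (``token``/``expires``).

    :returns: the created user document.
    :raises RestException: registration is closed on this instance.
    """
    currentUser = self.getCurrentUser()
    regPolicy = Setting().get(SettingKey.REGISTRATION_POLICY)

    # Only an admin may mint another admin.
    if not currentUser or not currentUser['admin']:
        admin = False

    if regPolicy == 'closed':
        raise RestException(
            'Registration on this instance is closed. Contact an '
            'administrator to create an account for you.')

    # Truthiness rather than len(): displayName=None must not raise TypeError.
    if displayName:
        resolvedFirstName = displayName
    elif firstName is not None:
        resolvedFirstName = firstName
    else:
        resolvedFirstName = ""

    user = self._model.createUser(
        login=login,
        password=password,
        email=email,
        firstName=resolvedFirstName,
        lastName=lastName,
        admin=admin,
        currentUser=currentUser
    )  # 🔥 delete firstName and lastName once fully deprecated

    # Self-registration: sign the new account in straight away.
    if not currentUser and self._model.canLogin(user):
        setCurrentUser(user)
        token = self.sendAuthTokenCookie(user)
        user['authToken'] = {
            'token': token['_id'],
            'expires': token['expires']
        }

    # Every new user lands in the private "New Users" group, created on first
    # use with the oldest admin as its creator.
    # NOTE(review): the group is resolved by display name only, so any
    # pre-existing group named "New Users" would receive new accounts — confirm
    # group creation is restricted, or pin this to a stored group id.
    newUserGroup = GroupModel().findOne({'name': 'New Users'})
    if not newUserGroup:
        newUserGroup = GroupModel().createGroup(
            name="New Users",
            creator=UserModel().findOne(
                query={'admin': True},
                sort=[('created', SortDir.ASCENDING)]
            ),
            public=False
        )
    # The returned group document is not needed by the caller, so the access
    # and request lists are no longer fetched and discarded here.
    GroupModel().addUser(newUserGroup, user, level=AccessType.READ)
    return user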
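def login(self):
    """Authenticate with HTTP Basic credentials and issue an auth token.

    Refused outright when ``SettingKey.ENABLE_PASSWORD_LOGIN`` is off. If the
    request already carries a valid user (cookie/token), no credentials are
    read and that user's existing token is returned. Otherwise the Basic
    credentials come from ``Authorization`` (falling back to
    ``Girder-Authorization``) with an optional one-time password in
    ``Girder-OTP``; the login must be a username, not an email address.

    :returns: dict with the filtered ``user``, ``authToken``
        (``token``/``expires``/``scope``) and ``message``.
    :raises RestException: password login disabled, or the Basic header is
        missing/malformed (HTTP 401 for the header cases).
    :raises AccessException: an email address was used as the login, or
        authentication failed. The failure message is identical whether or
        not the account exists, to avoid user enumeration.
    """
    import threading
    from girderformindlogger.utility.mail_utils import validateEmailAddress

    if not Setting().get(SettingKey.ENABLE_PASSWORD_LOGIN):
        raise RestException('Password login is disabled on this instance.')

    user, token = self.getCurrentUser(returnToken=True)

    # Only create and send a new cookie if the caller is not already
    # presenting a valid one.
    if not user:
        authHeader = cherrypy.request.headers.get('Authorization')
        if not authHeader:
            authHeader = cherrypy.request.headers.get('Girder-Authorization')
        if not authHeader or not authHeader[0:6] == 'Basic ':
            raise RestException('Use HTTP Basic Authentication', 401)

        try:
            credentials = base64.b64decode(authHeader[6:]).decode('utf8')
            if ':' not in credentials:
                raise TypeError
        except Exception:
            raise RestException('Invalid HTTP Authorization header', 401)

        # Passwords may contain ':' — split on the first one only.
        login, password = credentials.split(':', 1)
        if validateEmailAddress(login):
            raise AccessException(
                "Please log in with a username, not an email address.")

        otpToken = cherrypy.request.headers.get('Girder-OTP')
        try:
            user = self._model.authenticate(login, password, otpToken)
        except Exception:
            # Collapse every failure (unknown user, bad password, OTP) into
            # one message. `except Exception` instead of a bare `except` so
            # SystemExit/KeyboardInterrupt still propagate.
            raise AccessException(
                "Incorrect password for {} if that user exists".format(login))

        # NOTE(review): this Thread is constructed but never started, so
        # updateUserCacheAllRoles does not run on login. Left unchanged pending
        # confirmation of intent; add `thread.start()` if the refresh is wanted.
        thread = threading.Thread(
            target=AppletModel().updateUserCacheAllRoles, args=(user, ))

        setCurrentUser(user)
        token = self.sendAuthTokenCookie(user)

    return {
        'user': self._model.filter(user, user),
        'authToken': {
            'token': token['_id'],
            'expires': token['expires'],
            'scope': token['scope']
        },
        'message': 'Login succeeded.'
    }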
def _authorizeUploadStep(event):
    """Event hook for requests that continue a partially completed upload.

    When the current token is an authorized-upload token whose
    ``authorizedUploadId`` equals the request's ``uploadId`` parameter, the
    request-thread user is switched to the token's creator (loaded with
    ``force=True``, i.e. without an access check) so the upload proceeds under
    that identity. In every other case — no token, no ``authorizedUploadId``
    on it, a mismatched id, or an ``uploadId`` that is not a valid ObjectId —
    the request is left untouched; the endpoint validates ``uploadId`` itself.
    """
    token = getCurrentToken()

    try:
        requestedUpload = ObjectId(event.info['params'].get('uploadId', ''))
    except InvalidId:
        # Malformed id: the endpoint will reject it with a proper error.
        return

    if not token:
        return
    # NOTE(review): no scope or expiry check is made here; this relies on
    # getCurrentToken() rejecting expired tokens and on authorizedUploadId
    # being set only on tokens minted for that upload — confirm at the issuer.
    if token.get('authorizedUploadId') != requestedUpload:
        return

    creator = User().load(token['userId'], force=True)
    setCurrentUser(creator)
def _authorizeInitUpload(event):
    """Event hook run before the default upload-initialisation handler.

    If the request targets a folder and the current token carries both the
    generic ``TOKEN_SCOPE_AUTHORIZED_UPLOAD`` scope and the scope bound to
    that specific folder (``authorized_upload_folder_<parentId>``), the
    request-thread user becomes the token's creator (loaded with
    ``force=True``). Requests for other parent types, or tokens lacking the
    scopes, are left untouched. ``parentId`` defaults to ``''``, which yields
    a folder scope no token should hold.
    """
    token = getCurrentToken()
    params = event.info['params']
    tokenModel = Token()

    if params.get('parentType') != 'folder':
        return

    parentId = params.get('parentId', '')
    # The folder-specific scope ties the token to one parentId; presumably
    # hasScope() requires every scope in the set — confirm against Token.
    neededScopes = {
        TOKEN_SCOPE_AUTHORIZED_UPLOAD,
        'authorized_upload_folder_%s' % parentId,
    }
    if not tokenModel.hasScope(token=token, scope=neededScopes):
        return

    creator = User().load(token['userId'], force=True)
    setCurrentUser(creator)
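def login(self, loginAsEmail):
    """Authenticate with HTTP Basic credentials, by username or by email.

    Refused outright when ``SettingKey.ENABLE_PASSWORD_LOGIN`` is off. If the
    request already carries a valid user (cookie/token), no credentials are
    read and that user's existing token is returned. Otherwise the Basic
    credentials come from ``Authorization`` (falling back to
    ``Girder-Authorization``) with an optional one-time password in
    ``Girder-OTP``. The login must be an email address when ``loginAsEmail``
    is true and a username otherwise. On a fresh login the optional
    ``deviceId`` and ``timezone`` headers are stored on the user document.

    :param loginAsEmail: whether the supplied login is an email address.
    :returns: dict with the filtered ``user``, ``authToken``
        (``token``/``expires``/``scope``) and ``message``.
    :raises RestException: password login disabled; Basic header missing or
        malformed (401); ``timezone`` header is not an integer (400).
    :raises AccessException: login form does not match ``loginAsEmail``,
        authentication failed, or the model reported an ``exception``.
    """
    from girderformindlogger.utility.mail_utils import validateEmailAddress

    if not Setting().get(SettingKey.ENABLE_PASSWORD_LOGIN):
        raise RestException('Password login is disabled on this instance.')

    user, token = self.getCurrentUser(returnToken=True)
    deviceId = cherrypy.request.headers.get('deviceId', '')
    # Untrusted header: a non-integer value is a client error, not a 500.
    try:
        timezone = int(cherrypy.request.headers.get('timezone', 0))
    except (TypeError, ValueError):
        raise RestException('Invalid timezone header', 400)

    # Only create and send a new cookie if the caller is not already
    # presenting a valid one.
    if not user:
        authHeader = cherrypy.request.headers.get('Authorization')
        if not authHeader:
            authHeader = cherrypy.request.headers.get('Girder-Authorization')
        if not authHeader or not authHeader[0:6] == 'Basic ':
            raise RestException('Use HTTP Basic Authentication', 401)

        try:
            credentials = base64.b64decode(authHeader[6:]).decode('utf8')
            if ':' not in credentials:
                raise TypeError
        except Exception:
            raise RestException('Invalid HTTP Authorization header', 401)

        # Passwords may contain ':' — split on the first one only.
        login, password = credentials.split(':', 1)
        isEmail = validateEmailAddress(login)
        if not loginAsEmail and isEmail:
            raise AccessException(
                "Please log in with a username, not an email address.")
        if loginAsEmail and not isEmail:
            raise AccessException("Please enter valid email address")

        otpToken = cherrypy.request.headers.get('Girder-OTP')
        try:
            # NOTE(review): loginAsEmail is hard-coded to True here regardless
            # of the validated `loginAsEmail` argument — confirm whether
            # authenticate() should receive the caller's value instead.
            user = self._model.authenticate(
                login, password, otpToken, loginAsEmail=True)
        except Exception:
            # One message for every failure so the response does not reveal
            # whether the account exists. `except Exception` instead of a
            # bare `except` so SystemExit/KeyboardInterrupt still propagate.
            raise AccessException(
                "Incorrect password for {} if that user exists".format(login))

        # authenticate() may signal failure by returning a dict carrying an
        # 'exception' key instead of raising.
        # NOTE(review): this message bypasses the uniform one above — confirm
        # it cannot disclose account existence.
        if user.get('exception', None):
            raise AccessException(user['exception'])

        if deviceId:
            user['deviceId'] = deviceId
            user['timezone'] = timezone
            self._model.save(user)

        setCurrentUser(user)
        token = self.sendAuthTokenCookie(user)

    return {
        'user': self._model.filter(user, user),
        'authToken': {
            'token': token['_id'],
            'expires': token['expires'],
            'scope': token['scope']
        },
        'message': 'Login succeeded.'
    }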