Exemplo n.º 1
0
    def createApiKey(self, user, name, scope=None, days=None, active=True):
        """
        Create a new API key for a user.

        :param user: The user who owns the API key.
        :type user: dict
        :param name: A human readable name for the API key
        :param days: The lifespan of the session in days. If not passed, uses
            the database setting for cookie lifetime. Note that this is a
            maximum duration; clients may request tokens with a shorter lifetime
            than this value.
        :type days: float or int
        :param scope: Scope or list of scopes this API key grants. By default,
            will grant tokens provided full access on behalf of the user.
        :type scope: str, list of str, or set of str
        :param active: Whether this key is active.
        :returns: The API key document that was created.
        """
        apiKey = {
            'created': datetime.datetime.utcnow(),
            'lastUse': None,
            'tokenDuration': days,
            'name': name,
            'scope': scope,
            'userId': user['_id'],
            'key': genToken(40),
            'active': active
        }

        return self.setUserAccess(apiKey,
                                  user,
                                  level=AccessType.ADMIN,
                                  save=True)
Exemplo n.º 2
0
    def createToken(self, user=None, days=None, scope=None, apiKey=None):
        """
        Creates a new token. You can create an anonymous token
        (such as for CSRF mitigation) by passing "None" for the user argument.

        :param user: The user to create the session for.
        :type user: dict
        :param days: The lifespan of the session in days. If not passed, uses
            the database setting for cookie lifetime.
        :type days: float or int
        :param scope: Scope or list of scopes this token applies to. By default,
            will create a user authentication token.
        :type scope: str or list of str
        :param apiKey: If this token is being created via an API key, pass it
           so that we can record the provenance for cleanup and auditing.
        :type apiKey: dict
        :returns: The token document that was created.
        """
        from .setting import Setting

        now = datetime.datetime.utcnow()
        days = days or Setting().get(SettingKey.COOKIE_LIFETIME)

        if scope is None:
            scope = (TokenScope.USER_AUTH, )
        elif isinstance(scope, six.string_types):
            scope = (scope, )

        token = {
            '_id': genToken(),
            'created': now,
            'expires': now + datetime.timedelta(days=float(days)),
            'scope': scope
        }

        if user is None:
            # Since these tokens don't correspond to a user, we want to be
            # able to load them by their value without passing a user or
            # force=True, so we set it to public access. This is OK since tokens
            # are not exposed externally for listing, and the _id is the secure
            # token value.
            self.setPublic(token, True, save=False)
        else:
            token['userId'] = user['_id']
            self.setUserAccess(token,
                               user=user,
                               level=AccessType.ADMIN,
                               save=False)

        if apiKey is not None:
            token['apiKeyId'] = apiKey['_id']

        return self.save(token)