def user_get():
    """
    Look up a user by username, email address or Twitter id.

    Reads ``name`` from the submitted form and returns an ``api_result``
    describing the matching user, or an error result when ``name`` is
    missing (``no_name_provided``) or nothing matches (``not_found``).
    """
    lookup = request.form.get('name')
    if not lookup:
        return api_result('error', error='no_name_provided')

    match = getuser(lookup)
    if not match:
        return api_result('error', error='not_found')

    # Only the public identity fields are exposed to the caller.
    return api_result(
        'ok',
        type='user',
        userid=match.userid,
        name=match.username,
        title=match.fullname,
    )
def user_get():
    """
    Look up a user by username, email address or Twitter id.

    Reads ``name`` from the submitted form and returns an ``api_result``
    describing the matching user, or an error result when ``name`` is
    missing (``no_name_provided``) or nothing matches (``not_found``).
    """
    lookup = request.form.get('name')
    if not lookup:
        return api_result('error', error='no_name_provided')

    match = getuser(lookup)
    if not match:
        return api_result('error', error='not_found')

    # Only the public identity fields are exposed to the caller.
    return api_result(
        'ok',
        type='user',
        userid=match.userid,
        name=match.username,
        title=match.fullname,
    )
 def validate_username(self, field):
     """
     WTForms validator: resolve ``field.data`` to a user via ``getuser``.

     Raises ``wtf.ValidationError`` when no user matches; otherwise the
     match is stored on ``self.user`` for the view to use.
     """
     match = getuser(field.data)
     if match is not None:
         self.user = match
         return
     raise wtf.ValidationError("Could not find a user with that id")
 def validate_password(self, field):
     """
     WTForms validator: check ``field.data`` against the password of the
     user named in ``self.username.data``.

     Raises ``wtf.ValidationError`` with a single message for both an
     unknown user and a wrong password; on success stores the user on
     ``self.user``.
     """
     account = getuser(self.username.data)
     # NOTE(review): password_is() is skipped for an unknown user, so the
     # two failure cases share a message but may differ in response time.
     credentials_ok = account is not None and account.password_is(field.data)
     if not credentials_ok:
         raise wtf.ValidationError("Incorrect password")
     self.user = account
 def validate_username(self, field):
     """
     WTForms validator: require ``field.data`` to name an existing user.

     Raises ``wtf.ValidationError`` when ``getuser`` finds nothing. The
     looked-up user is not retained.
     """
     if getuser(field.data) is None:
         raise wtf.ValidationError("User does not exist")
 def validate_username(self, field):
     """
     WTForms validator: require ``field.data`` to name an existing user.

     Raises ``wtf.ValidationError`` when ``getuser`` finds nothing;
     otherwise the user is kept on ``self.user`` for the view.
     """
     match = getuser(field.data)
     if match is not None:
         self.user = match
         return
     raise wtf.ValidationError("User does not exist")
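def oauth_token():
    """
    OAuth2 server -- token endpoint.

    Issues an access token for one of three grant types read from the
    submitted form: ``client_credentials``, ``authorization_code`` and
    ``password``. ``refresh_token`` is deliberately unsupported because
    tokens here are permanent unless revoked.

    Expects ``g.client`` to be set by ``@requires_client_login``. Returns
    an ``oauth_token_success`` response on success, or an
    ``oauth_token_error`` response for the first check that fails.
    """
    # Always required parameters
    grant_type = request.form.get('grant_type')
    client = g.client  # Provided by @requires_client_login
    # A missing or blank scope parses to [''], which the grant handlers
    # treat as "no scope given".
    scope = request.form.get('scope', u'').split(u' ')
    # Only meaningful when grant_type == 'authorization_code'
    code = request.form.get('code')
    redirect_uri = request.form.get('redirect_uri')
    # Only meaningful when grant_type == 'password'
    username = request.form.get('username')
    password = request.form.get('password')

    # Validations 1: Required parameters
    if not grant_type:
        return oauth_token_error('invalid_request', "Missing grant_type")
    # grant_type == 'refresh_token' is not supported. All tokens are permanent unless revoked
    if grant_type not in ('authorization_code', 'client_credentials', 'password'):
        return oauth_token_error('unsupported_grant_type')

    # Each grant type has its own validation chain; dispatch to it.
    if grant_type == 'client_credentials':
        return _oauth_token_client_credentials(client, scope)
    elif grant_type == 'authorization_code':
        return _oauth_token_authorization_code(client, scope, code, redirect_uri)
    else:
        return _oauth_token_password(client, scope, username, password)


def _oauth_token_client_credentials(client, scope):
    """Issue a user-less token to ``client`` once ``verifyscope`` accepts ``scope``."""
    # Validations 2: client scope. Client data only; no user is involved.
    try:
        verifyscope(scope, client)
    except ScopeException as scopeex:
        return oauth_token_error('invalid_scope', unicode(scopeex))

    token = oauth_make_token(user=None, client=client, scope=scope)
    return oauth_token_success(token)


def _oauth_token_authorization_code(client, scope, code, redirect_uri):
    """
    Exchange a one-time authorization code for a token.

    The code must belong to ``client``, be under a minute old, carry the
    same ``redirect_uri`` it was issued with, and ``scope`` must be a
    non-blank subset of what the code authorised. The code is deleted and
    the deletion committed whether it is consumed or found expired, so it
    cannot be presented a second time.
    """
    # Validations 3: auth code
    authcode = AuthCode.query.filter_by(code=code, client=client).first()
    if not authcode:
        return oauth_token_error('invalid_grant', "Unknown auth code")
    # XXX: Time limit: 1 minute. Expired codes are purged as soon as seen.
    if authcode.created_at < (datetime.utcnow() - timedelta(minutes=1)):
        db.session.delete(authcode)
        db.session.commit()
        return oauth_token_error('invalid_grant', "Expired auth code")
    # Validations 3.1: scope in authcode
    if not scope or scope[0] == '':
        return oauth_token_error('invalid_scope', "Scope is blank")
    if not set(scope).issubset(set(authcode.scope)):
        return oauth_token_error('invalid_scope', "Scope expanded")
    # The token is issued for the requested (validated) scope rather than
    # the full authcode scope: the subset check above lets a client narrow
    # what it asked for, and widening it back would defeat that.
    if redirect_uri != authcode.redirect_uri:
        return oauth_token_error('invalid_client', "redirect_uri does not match")

    # Read the user before the authcode row is deleted and committed.
    user = authcode.user
    token = oauth_make_token(user=user, client=client, scope=scope)
    # Consume the code and commit immediately so it cannot be exchanged
    # again; the expiry branch above already commits its delete.
    db.session.delete(authcode)
    db.session.commit()
    return oauth_token_success(token, userinfo=get_userinfo(user=user, client=client, scope=scope))


def _oauth_token_password(client, scope, username, password):
    """
    Resource-owner password grant, available only to trusted clients.

    Verifies the user's credentials and then ``verifyscope`` before
    issuing a token bound to that user.
    """
    # Validations 4.1: password grant_type is only for trusted clients
    if not client.trusted:
        # Refuse to untrusted clients
        return oauth_token_error('unauthorized_client', "Client is not trusted for password grant_type")
    # Validations 4.2: Are username and password provided and correct?
    if not username or not password:
        return oauth_token_error('invalid_request', "Username or password not provided")
    user = getuser(username)
    # One message for "no such user" and "wrong password" so the endpoint
    # does not confirm which usernames exist. Response timing may still
    # differ because password_is() is skipped for an unknown user.
    # XXX: RFC 6749 section 5.2 lists invalid_grant for bad resource-owner
    # credentials; invalid_client is kept so existing clients keep working.
    if not user or not user.password_is(password):
        return oauth_token_error('invalid_client', "Invalid username or password")
    # Validations 4.3: verify scope
    try:
        verifyscope(scope, client)
    except ScopeException as scopeex:
        return oauth_token_error('invalid_scope', unicode(scopeex))
    # All good. Grant access
    token = oauth_make_token(user=user, client=client, scope=scope)
    return oauth_token_success(token, userinfo=get_userinfo(user=user, client=client, scope=scope))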
 def validate_username(self, field):
     """
     WTForms validator: resolve ``field.data`` to a user via ``getuser``.

     Raises ``wtf.ValidationError`` when no user matches; otherwise the
     match is stored on ``self.user`` for the view to use.
     """
     match = getuser(field.data)
     if match is not None:
         self.user = match
         return
     raise wtf.ValidationError("Could not find a user with that id")
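 def validate_password(self, field):
     """
     WTForms validator: check ``field.data`` against the password of the
     user named in ``self.username.data``.

     Raises ``wtf.ValidationError`` with a single message for both an
     unknown user and a wrong password, so the form does not reveal which
     usernames exist; on success stores the user on ``self.user``.
     """
     user = getuser(self.username.data)
     # Call form of raise: ``raise Cls, "msg"`` is Python 2 only and is a
     # SyntaxError on Python 3.
     if user is None or not user.password_is(field.data):
         raise wtf.ValidationError("Incorrect password")
     self.user = user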
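def oauth_token():
    """
    OAuth2 server -- token endpoint.

    Issues an access token for one of three grant types read from the
    submitted form: ``client_credentials``, ``authorization_code`` and
    ``password``. ``refresh_token`` is deliberately unsupported because
    tokens here are permanent unless revoked.

    Expects ``g.client`` to be set by ``@requires_client_login``. Returns
    an ``oauth_token_success`` response on success, or an
    ``oauth_token_error`` response for the first check that fails.
    """
    # Always required parameters
    grant_type = request.form.get('grant_type')
    client = g.client  # Provided by @requires_client_login
    # A missing or blank scope parses to [''], which the grant handlers
    # treat as "no scope given".
    scope = request.form.get('scope', u'').split(u' ')
    # Only meaningful when grant_type == 'authorization_code'
    code = request.form.get('code')
    redirect_uri = request.form.get('redirect_uri')
    # Only meaningful when grant_type == 'password'
    username = request.form.get('username')
    password = request.form.get('password')

    # Validations 1: Required parameters
    if not grant_type:
        return oauth_token_error('invalid_request', "Missing grant_type")
    # grant_type == 'refresh_token' is not supported. All tokens are permanent unless revoked
    if grant_type not in ('authorization_code', 'client_credentials', 'password'):
        return oauth_token_error('unsupported_grant_type')

    # Each grant type has its own validation chain; dispatch to it.
    if grant_type == 'client_credentials':
        return _oauth_token_client_credentials(client, scope)
    elif grant_type == 'authorization_code':
        return _oauth_token_authorization_code(client, scope, code, redirect_uri)
    else:
        return _oauth_token_password(client, scope, username, password)


def _oauth_token_client_credentials(client, scope):
    """Issue a user-less token to ``client`` once ``verifyscope`` accepts ``scope``."""
    # Validations 2: client scope. Client data only; no user is involved.
    try:
        verifyscope(scope, client)
    except ScopeException as scopeex:
        return oauth_token_error('invalid_scope', unicode(scopeex))

    token = oauth_make_token(user=None, client=client, scope=scope)
    return oauth_token_success(token)


def _oauth_token_authorization_code(client, scope, code, redirect_uri):
    """
    Exchange a one-time authorization code for a token.

    The code must belong to ``client``, be under a minute old, carry the
    same ``redirect_uri`` it was issued with, and ``scope`` must be a
    non-blank subset of what the code authorised. The code is deleted and
    the deletion committed whether it is consumed or found expired, so it
    cannot be presented a second time.
    """
    # Validations 3: auth code
    authcode = AuthCode.query.filter_by(code=code, client=client).first()
    if not authcode:
        return oauth_token_error('invalid_grant', "Unknown auth code")
    # XXX: Time limit: 1 minute. Expired codes are purged as soon as seen.
    if authcode.created_at < (datetime.utcnow() - timedelta(minutes=1)):
        db.session.delete(authcode)
        db.session.commit()
        return oauth_token_error('invalid_grant', "Expired auth code")
    # Validations 3.1: scope in authcode
    if not scope or scope[0] == '':
        return oauth_token_error('invalid_scope', "Scope is blank")
    if not set(scope).issubset(set(authcode.scope)):
        return oauth_token_error('invalid_scope', "Scope expanded")
    # The token is issued for the requested (validated) scope rather than
    # the full authcode scope: the subset check above lets a client narrow
    # what it asked for, and widening it back would defeat that.
    if redirect_uri != authcode.redirect_uri:
        return oauth_token_error('invalid_client', "redirect_uri does not match")

    # Read the user before the authcode row is deleted and committed.
    user = authcode.user
    token = oauth_make_token(user=user, client=client, scope=scope)
    # Consume the code and commit immediately so it cannot be exchanged
    # again; the expiry branch above already commits its delete.
    db.session.delete(authcode)
    db.session.commit()
    return oauth_token_success(token, userinfo=get_userinfo(user=user, client=client, scope=scope))


def _oauth_token_password(client, scope, username, password):
    """
    Resource-owner password grant, available only to trusted clients.

    Verifies the user's credentials and then ``verifyscope`` before
    issuing a token bound to that user.
    """
    # Validations 4.1: password grant_type is only for trusted clients
    if not client.trusted:
        # Refuse to untrusted clients
        return oauth_token_error('unauthorized_client', "Client is not trusted for password grant_type")
    # Validations 4.2: Are username and password provided and correct?
    if not username or not password:
        return oauth_token_error('invalid_request', "Username or password not provided")
    user = getuser(username)
    # One message for "no such user" and "wrong password" so the endpoint
    # does not confirm which usernames exist. Response timing may still
    # differ because password_is() is skipped for an unknown user.
    # XXX: RFC 6749 section 5.2 lists invalid_grant for bad resource-owner
    # credentials; invalid_client is kept so existing clients keep working.
    if not user or not user.password_is(password):
        return oauth_token_error('invalid_client', "Invalid username or password")
    # Validations 4.3: verify scope
    try:
        verifyscope(scope, client)
    except ScopeException as scopeex:
        return oauth_token_error('invalid_scope', unicode(scopeex))
    # All good. Grant access
    token = oauth_make_token(user=user, client=client, scope=scope)
    return oauth_token_success(token, userinfo=get_userinfo(user=user, client=client, scope=scope))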