def test_bcrypt_gen_password_hash():
    """Round-trip a password through bcrypt hashing and verification.

    Covers the plain call and the call with an extra salt argument; in
    both cases the original password must verify and a different one
    must be rejected. The extra salt used at hash time is passed again
    at check time.
    """
    secret = "youwillneverguessthis"
    wrong_guess = "notthepassword"
    extra_salt = "3><7R45417"

    # Plain hash: right password verifies, wrong one does not.
    digest = auth_lib.bcrypt_gen_password_hash(secret)
    assert auth_lib.bcrypt_check_password(secret, digest)
    assert not auth_lib.bcrypt_check_password(wrong_guess, digest)

    # Same checks when an extra salt is mixed in on both sides.
    digest = auth_lib.bcrypt_gen_password_hash(secret, extra_salt)
    assert auth_lib.bcrypt_check_password(secret, digest, extra_salt)
    assert not auth_lib.bcrypt_check_password(wrong_guess, digest, extra_salt)
def test_bcrypt_gen_password_hash():
    """Check bcrypt_gen_password_hash/bcrypt_check_password agree.

    Two scenarios: a bare hash, and a hash produced with an extra salt
    that is supplied again when verifying. Each scenario accepts the
    real password and rejects another string.
    """
    password = 'youwillneverguessthis'
    other = 'notthepassword'

    def check_pair(*salt_args):
        # Hash with the given salt arguments and verify both outcomes.
        stored = auth_lib.bcrypt_gen_password_hash(password, *salt_args)
        assert auth_lib.bcrypt_check_password(password, stored, *salt_args)
        assert not auth_lib.bcrypt_check_password(other, stored, *salt_args)

    # Normal password hash generation, and check on that hash
    check_pair()

    # Same thing, extra salt.
    check_pair('3><7R45417')
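def edit_account(request):
    """Let the logged-in user change the comment-notification flag and password.

    GET renders the form. On POST there are two paths: when neither
    password field is filled, only the notification checkbox is validated
    and saved; otherwise the whole form must validate and the old password
    must match the stored bcrypt hash before a new hash is stored.

    Args:
        request: the current request; ``request.user`` is the account being
            edited and ``request.form`` holds the submitted data.

    Returns:
        A redirect to the user's home page after a successful save, else the
        rendered edit-account template carrying any field errors.
    """
    user = request.user
    form = forms.EditAccountForm(
        request.form,
        wants_comment_notification=user.get("wants_comment_notification"))

    if request.method == "POST":
        form_validated = form.validate()
        new_password = form.new_password.data
        old_password = form.old_password.data

        if not new_password and not old_password:
            # No password change requested: only the checkbox has to pass.
            if form.wants_comment_notification.validate(form):
                user.wants_comment_notification = form.wants_comment_notification.data
                user.save()
                messages.add_message(request, messages.SUCCESS, _("Account settings saved"))
                return redirect(request, "mediagoblin.user_pages.user_home", user=user.username)

        elif form_validated:
            # One or both password fields were filled in. Previously the new
            # password was hashed unconditionally here, so a request carrying
            # only a correct old password would have stored the hash of an
            # empty string. Whether EditAccountForm itself rejects a blank
            # new_password is not visible from this function, so guard it.
            if not new_password:
                form.new_password.errors.append(_("New password cannot be empty"))
            elif auth_lib.bcrypt_check_password(old_password, user.pw_hash):
                # Whole form valid and the old password matches: rotate the hash.
                user.pw_hash = auth_lib.bcrypt_gen_password_hash(new_password)
                user.wants_comment_notification = form.wants_comment_notification.data
                user.save()
                messages.add_message(request, messages.SUCCESS, _("Account settings saved"))
                return redirect(request, "mediagoblin.user_pages.user_home", user=user.username)
            else:
                form.old_password.errors.append(_("Wrong password"))

    return render_to_response(request, "mediagoblin/edit/edit_account.html", {"user": user, "form": form})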
def register(request):
    """The registration view.

    Note that usernames will always be lowercased. Email domains are lowercased while
    the first part remains case-sensitive.

    Flow: refuse when the instance disallows registration; on a valid POST,
    reject a username or email that is already taken, otherwise create the
    user with a bcrypt password hash and a random verification key, log the
    new account in and send the verification email. Anything else renders
    the form.
    """
    # Registration can be switched off per instance; bounce those visitors home.
    if not mg_globals.app_config["allow_registration"]:
        messages.add_message(
            request,
            messages.WARNING,
            _('Sorry, registration is disabled on this instance.'))
        return redirect(request, "index")

    register_form = auth_forms.RegistrationForm(request.form)

    if request.method == 'POST' and register_form.validate():
        wanted_username = register_form.data['username']
        wanted_email = register_form.data['email']

        # Uniqueness is checked with count queries before the insert; only a
        # database-level unique constraint (not visible here) makes that hold
        # under concurrent registrations.
        name_taken = User.query.filter_by(username=wanted_username).count()
        email_taken = User.query.filter_by(email=wanted_email).count()

        if name_taken:
            register_form.username.errors.append(
                _(u'Sorry, a user with that name already exists.'))
        if email_taken:
            register_form.email.errors.append(
                _(u'Sorry, a user with that email address already exists.'))

        if not (name_taken or email_taken):
            new_user = User()
            new_user.username = wanted_username
            new_user.email = wanted_email
            # Only the bcrypt hash is persisted, never the plaintext.
            new_user.pw_hash = auth_lib.bcrypt_gen_password_hash(
                register_form.password.data)
            # uuid4 comes from the OS random source, so the key is unguessable.
            new_user.verification_key = unicode(uuid.uuid4())
            new_user.save()

            # The new account is logged in immediately, with the email still
            # unverified at this point.
            request.session['user_id'] = unicode(new_user.id)
            request.session.save()

            email_debug_message(request)
            send_verification_email(new_user, request)

            # Their home page shows the "please verify your email" message.
            return redirect(
                request, 'mediagoblin.user_pages.user_home',
                user=new_user.username)

    return render_to_response(
        request,
        'mediagoblin/auth/register.html',
        {'register_form': register_form})
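def edit_account(request):
    """Edit the logged-in user's account settings.

    Handles the comment-notification flag, the licence preference and an
    optional password change. On POST each part is validated separately so
    all field errors are reported together; the user is saved only when the
    form validated and no extra errors were appended.

    Args:
        request: the current request; ``request.user`` is the account being
            edited and ``request.form`` holds the submitted data.

    Returns:
        A redirect to the user's home page after a successful save, else the
        rendered edit-account template carrying any field errors.
    """
    user = request.user
    form = forms.EditAccountForm(
        request.form,
        wants_comment_notification=user.wants_comment_notification,
        license_preference=user.license_preference,
    )

    if request.method == "POST":
        form_validated = form.validate()
        new_password = form.new_password.data
        old_password = form.old_password.data

        if form_validated and form.wants_comment_notification.validate(form):
            user.wants_comment_notification = form.wants_comment_notification.data

        # The previous condition, `form_validated and new_password or old_password`,
        # parses as `(form_validated and new_password) or old_password`: an old
        # password alone entered this branch even when the form was invalid,
        # and with only the old password filled in the hash of an empty new
        # password was written to user.pw_hash. Parenthesise, and refuse an
        # empty new password explicitly (whether the form already rejects a
        # blank new_password is not visible here).
        if form_validated and (new_password or old_password):
            if not new_password:
                form.new_password.errors.append(_("New password cannot be empty"))
            elif auth_lib.bcrypt_check_password(old_password, user.pw_hash):
                # The form validates and the old password matches: rotate the hash.
                # Mutating request.user only here, once the form is valid, avoids
                # dirtying the object on a request that will not be saved.
                user.pw_hash = auth_lib.bcrypt_gen_password_hash(new_password)
            else:
                form.old_password.errors.append(_("Wrong password"))

        if form_validated and form.license_preference.validate(form):
            user.license_preference = form.license_preference.data

        # Errors appended above (wrong/empty password) block the save.
        if form_validated and not form.errors:
            user.save()
            messages.add_message(request, messages.SUCCESS, _("Account settings saved"))
            return redirect(request, "mediagoblin.user_pages.user_home", user=user.username)

    return render_to_response(request, "mediagoblin/edit/edit_account.html", {"user": user, "form": form})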
def register(request):
    """
    Your classic registration view!

    On a valid POST the username is looked up exactly as submitted (no
    case folding), a new User is created with a bcrypt hash of the
    password, and the browser is redirected to register_success. Any
    other request renders the registration template.
    """
    register_form = auth_forms.RegistrationForm(request.POST)

    if request.method == "POST" and register_form.validate():
        wanted_name = request.POST["username"]

        # Exact-match lookup: differently-cased spellings are distinct here.
        if request.db.User.find({"username": wanted_name}).count():
            register_form.username.errors.append(u"Sorry, a user with that name already exists.")
        else:
            new_user = request.db.User()
            new_user["username"] = wanted_name
            new_user["email"] = request.POST["email"]
            # Only the bcrypt hash of the password is stored.
            new_user["pw_hash"] = auth_lib.bcrypt_gen_password_hash(request.POST["password"])
            new_user.save(validate=True)

            # TODO: Send email authentication request
            return exc.HTTPFound(location=request.urlgen("mediagoblin.auth.register_success"))

    template = request.template_env.get_template("mediagoblin/auth/register.html")
    return Response(template.render({"request": request, "register_form": register_form}))
def adduser(args):
    """Create an active, email-verified user from the command line.

    Values not supplied as arguments are requested via prompt_if_not_set.
    The username is lowercased for both the duplicate check and the stored
    record; only the bcrypt hash of the password is persisted.
    """
    #TODO: Lets trust admins this do not validate Emails :)
    commands_util.setup_app(args)

    # NOTE(review): this line is garbled in the listing (secret-redaction
    # "******" runs have replaced part of the original text); upstream
    # presumably prompts for username, password and email separately.
    # Restore from the project source before running.
    args.username = commands_util.prompt_if_not_set(args.username, "Username:"******"Password:"******"Email:")

    db = mg_globals.database
    # Case-insensitive duplicate check via .lower(); the stored value below is
    # lowercased the same way.
    users_with_username = \
        db.User.find({
            'username': args.username.lower(),
        }).count()

    if users_with_username:
        print u'Sorry, a user with that name already exists.'

    else:
        # Create the user
        entry = db.User()
        entry.username = unicode(args.username.lower())
        entry.email = unicode(args.email)
        # Only the hash is stored. A password given as a CLI argument still
        # lands in shell history and process listings; the prompt path avoids that.
        entry.pw_hash = auth_lib.bcrypt_gen_password_hash(args.password)
        # Admin-created accounts skip the email verification step.
        entry.status = u'active'
        entry.email_verified = True
        entry.save(validate=True)

        print "User created (and email marked as verified)"
def register(request):
    """
    Your classic registration view!

    The username is lowercased for both the duplicate lookup and the
    stored record, so differently-cased spellings map to one account.
    On success a verification email is sent and the browser is redirected
    to register_success; otherwise the form is rendered again.
    """
    register_form = auth_forms.RegistrationForm(request.POST)

    if request.method == 'POST' and register_form.validate():
        wanted_name = request.POST['username'].lower()

        # Count query before insert; a unique index (not visible here) is what
        # would make this safe against two simultaneous registrations.
        name_taken = request.db.User.find({
            'username': wanted_name
        }).count()

        if name_taken:
            register_form.username.errors.append(
                u'Sorry, a user with that name already exists.')
        else:
            new_user = request.db.User()
            new_user['username'] = wanted_name
            new_user['email'] = request.POST['email']
            # Only the bcrypt hash of the password is stored.
            new_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
                request.POST['password'])
            new_user.save(validate=True)

            send_verification_email(new_user, request)

            return redirect(request, "mediagoblin.auth.register_success")

    return render_to_response(request, 'mediagoblin/auth/register.html',
                              {'register_form': register_form})
def changepw(args):
    """Replace an existing user's password hash from the command line.

    Args:
        args: parsed CLI namespace; reads ``args.username`` (matched after
            ``.lower()``) and ``args.password`` (only its bcrypt hash is stored).

    Side effects: initialises the app, saves the user document and prints the
    outcome. A password passed as a CLI argument lands in shell history and
    process listings; a prompt would avoid that (not changed here).
    """
    commands_util.setup_app(args)
    db = mg_globals.database

    lookup_name = unicode(args.username.lower())
    target = db.User.one({'username': lookup_name})
    if not target:
        print("The user doesn't exist")
        return

    target['pw_hash'] = auth_lib.bcrypt_gen_password_hash(args.password)
    target.save()
    print('Password successfully changed')
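def verify_forgot_password(request):
    """
    Check the forgot-password verification and possibly let the user
    change their password because of it.

    The request must carry a ``userid`` and a ``token`` (extracted by
    ``_process_for_token``). Every failure — malformed id, unknown user,
    wrong or expired token, unverified or inactive account — renders a 404
    rather than a more specific error, so the response does not reveal
    which part failed. On a valid POST the password is re-hashed and the
    one-time token is cleared.
    """
    # get form data variables, and specifically check for presence of token
    formdata = _process_for_token(request)
    if not formdata['has_userid_and_token']:
        return render_404(request)

    formdata_vars = formdata['vars']
    formdata_token = formdata_vars['token']
    formdata_userid = formdata_vars['userid']

    # A syntactically invalid ObjectId is treated like an unknown user.
    try:
        user = request.db.User.find_one(
            {'_id': ObjectId(unicode(formdata_userid))})
    except InvalidId:
        return render_404(request)

    # Compare the secret token in constant time so response timing does not
    # leak how many leading characters of a guess were right. compare_digest
    # exists from Python 2.7.7 / 3.3; older interpreters fall back to ==.
    import hmac
    compare_tokens = getattr(hmac, 'compare_digest', None)
    if compare_tokens is None:
        def compare_tokens(a, b):
            return a == b

    # Both sides are coerced to unicode: compare_digest requires equal types,
    # and the original == compared them as text.
    # NOTE(review): now() is naive local time; assumes fp_token_expire was
    # stored the same way — confirm where the token is issued.
    token_ok = (
        user and user.fp_verification_key and
        compare_tokens(unicode(user.fp_verification_key), unicode(formdata_token)) and
        datetime.datetime.now() < user.fp_token_expire and
        user.email_verified and user.status == 'active')
    if not token_ok:
        # valid-looking id but no such user, bad or expired token, or an
        # account that is not verified/active
        return render_404(request)

    cp_form = auth_forms.ChangePassForm(formdata_vars)

    if request.method == 'POST' and cp_form.validate():
        user.pw_hash = auth_lib.bcrypt_gen_password_hash(
            request.form['password'])
        # The token is single use: clear it together with its expiry.
        user.fp_verification_key = None
        user.fp_token_expire = None
        user.save()

        messages.add_message(
            request,
            messages.INFO,
            _("You can now log in using your new password."))
        return redirect(request, 'mediagoblin.auth.login')

    return render_to_response(
        request,
        'mediagoblin/auth/change_fp.html',
        {'cp_form': cp_form})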
def fixture_add_user(username=u"chris", password="******", active_user=True):
    """Create and persist a test user, returning a detached copy.

    Args:
        username: login name; the email becomes ``<username>@example.com``.
        password: plaintext to bcrypt-hash into ``pw_hash``; ``None`` leaves
            ``pw_hash`` unset.
        active_user: when true, mark the email verified and status "active".

    Returns:
        The user re-read from the database and expunged from the session.
    """
    record = mg_globals.database.User()
    record.username = username
    record.email = username + u"@example.com"
    if password is not None:
        record.pw_hash = bcrypt_gen_password_hash(password)
    if active_user:
        record.email_verified = True
        record.status = u"active"
    record.save()

    # Re-read the row as stored, then detach it so the test body cannot
    # flush further changes through the fixture's session by accident.
    stored = mg_globals.database.User.find_one({"username": username})
    Session.expunge(stored)
    return stored
def fixture_add_user(username=u'chris', password='******',
                     active_user=True):
    """Persist a test user and hand back a session-detached copy.

    ``password=None`` skips setting ``pw_hash``; ``active_user`` marks the
    email verified and the status "active". The email is always
    ``<username>@example.com``.
    """
    record = mg_globals.database.User()
    record.username = username
    record.email = username + u'@example.com'
    if password is not None:
        record.pw_hash = bcrypt_gen_password_hash(password)
    if active_user:
        record.email_verified = True
        record.status = u'active'
    record.save()

    # Reload the stored row ...
    stored = mg_globals.database.User.find_one({'username': username})

    # ... and detach it from the session (local import keeps the SQL layer
    # out of the module's import-time dependencies).
    from mediagoblin.db.sql.base import Session
    Session.expunge(stored)

    return stored
def register(request):
    """
    Your classic registration view!

    On a valid POST the submitted username is looked up exactly as given
    (no case folding); if unused, a User is created with a bcrypt hash of
    the password and the browser is sent to register_success. Otherwise
    the registration template is rendered with any field errors.
    """
    register_form = auth_forms.RegistrationForm(request.POST)

    if request.method == 'POST' and register_form.validate():
        posted = request.POST

        # Exact, case-sensitive match against the stored username.
        name_taken = request.db.User.find(
            {'username': posted['username']}).count()

        if name_taken:
            register_form.username.errors.append(
                u'Sorry, a user with that name already exists.')
        else:
            new_user = request.db.User()
            new_user['username'] = posted['username']
            new_user['email'] = posted['email']
            # Only the bcrypt hash of the password is stored.
            new_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(
                posted['password'])
            new_user.save(validate=True)

            # TODO: Send email authentication request
            return exc.HTTPFound(
                location=request.urlgen("mediagoblin.auth.register_success"))

    template = request.template_env.get_template(
        'mediagoblin/auth/register.html')
    return Response(
        template.render({
            'request': request,
            'register_form': register_form
        }))
def fixture_add_user(username=u'chris', password=u'toast',
                     active_user=True):
    """Create or refresh a test user and return a session-detached copy.

    An existing row with the same username is reused and overwritten so the
    fixture is idempotent across tests. ``password=None`` leaves ``pw_hash``
    untouched; ``active_user`` marks the email verified and status "active".
    """
    existing = User.query.filter_by(username=username).first()
    record = User() if existing is None else existing
    record.username = username
    record.email = username + u'@example.com'
    if password is not None:
        record.pw_hash = bcrypt_gen_password_hash(password)
    if active_user:
        record.email_verified = True
        record.status = u'active'
    record.save()

    # Re-read the stored row and detach it so the test body cannot flush
    # changes through this session by accident.
    stored = User.query.filter_by(username=username).first()
    Session.expunge(stored)
    return stored
def adduser(args):
    """Create an active, email-verified user from the command line.

    Args:
        args: parsed CLI namespace; reads ``args.username`` (lowercased for
            both the lookup and the stored record), ``args.email`` (stored as
            given, not validated — see TODO) and ``args.password`` (only its
            bcrypt hash is stored).

    Prints the outcome; refuses a username that already exists.
    """
    #TODO: Lets trust admins this do not validate Emails :)
    commands_util.setup_app(args)
    db = mg_globals.database

    wanted_name = args.username.lower()
    if db.User.find({'username': wanted_name}).count():
        print(u'Sorry, a user with that name already exists.')
        return

    new_user = db.User()
    new_user['username'] = unicode(wanted_name)
    new_user['email'] = unicode(args.email)
    new_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash(args.password)
    # Admin-created accounts skip the email verification step.
    new_user['status'] = u'active'
    new_user['email_verified'] = True
    new_user.save(validate=True)

    print("User created (and email marked as verified)")
def register(request):
    """
    Your classic registration view!

    Usernames are lowercased before the lookup and the insert; the email's
    domain part is lowercased too while the local part keeps its case. On a
    valid POST with no clashes the user is created with a bcrypt password
    hash and a random verification key, logged in, and sent a verification
    email. Otherwise the form is rendered again.
    """
    # Registration can be switched off per instance.
    if not mg_globals.app_config["allow_registration"]:
        messages.add_message(
            request,
            messages.WARNING,
            _('Sorry, registration is disabled on this instance.'))
        return redirect(request, "index")

    register_form = auth_forms.RegistrationForm(request.form)

    if request.method == 'POST' and register_form.validate():
        username = unicode(request.form['username'].lower())
        # Normalise the email: local part as given, domain lowercased. Relies
        # on form validation having ensured an '@' is present; the unpacking
        # would raise ValueError otherwise.
        local_part, domain = unicode(request.form['email']).split("@", 1)
        email = local_part + "@" + domain.lower()

        # Count queries, not a unique constraint: safety under concurrent
        # registrations depends on the schema, which is not visible here.
        name_taken = request.db.User.find(
            {'username': username}).count()
        email_taken = request.db.User.find(
            {'email': email}).count()

        if name_taken:
            register_form.username.errors.append(
                _(u'Sorry, a user with that name already exists.'))
        if email_taken:
            register_form.email.errors.append(
                _(u'Sorry, a user with that email address already exists.'))

        if not (name_taken or email_taken):
            new_user = request.db.User()
            new_user.username = username
            new_user.email = email
            # Only the bcrypt hash is persisted, never the plaintext.
            new_user.pw_hash = auth_lib.bcrypt_gen_password_hash(
                request.form['password'])
            # uuid4 comes from the OS random source, so the key is unguessable.
            new_user.verification_key = unicode(uuid.uuid4())
            new_user.save(validate=True)

            # Logged in right away; the email is not verified yet.
            request.session['user_id'] = unicode(new_user._id)
            request.session.save()

            email_debug_message(request)
            send_verification_email(new_user, request)

            # Their home page shows the "please verify your email" message.
            return redirect(
                request, 'mediagoblin.user_pages.user_home',
                user=new_user.username)

    return render_to_response(
        request,
        'mediagoblin/auth/register.html',
        {'register_form': register_form})
def test_authentication_views(test_app):
    """
    Test logging in and logging out

    Creates one user, then walks the login form through: blank submission,
    missing username, missing password, unknown user, wrong password,
    success (redirect to '/' and user_id placed in the session), logout
    (session cleared), and login with a 'next' target.

    Each step inspects the template context captured in
    util.TEMPLATE_TEST_CONTEXT, so the context is cleared before every post.

    NOTE(review): the password literals posted below appear redacted as
    '******' in this listing; the user is created with 'toast'.
    """
    # Make a new user
    test_user = mg_globals.database.User()
    test_user['username'] = u'chris'
    test_user['email'] = u'*****@*****.**'
    # Store only the bcrypt hash, the same way the real registration path does.
    test_user['pw_hash'] = auth_lib.bcrypt_gen_password_hash('toast')
    test_user.save()

    # Get login
    # ---------
    test_app.get('/auth/login/')
    assert util.TEMPLATE_TEST_CONTEXT.has_key(
        'mediagoblin/auth/login.html')

    # Failed login - blank form
    # -------------------------
    util.clear_test_template_context()
    response = test_app.post('/auth/login/')
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
    form = context['login_form']
    assert form.username.errors == [u'This field is required.']
    assert form.password.errors == [u'This field is required.']

    # Failed login - blank user
    # -------------------------
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'password': u'toast'})
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
    form = context['login_form']
    assert form.username.errors == [u'This field is required.']

    # Failed login - blank password
    # -----------------------------
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'username': u'chris'})
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
    form = context['login_form']
    assert form.password.errors == [u'This field is required.']

    # Failed login - bad user
    # -----------------------
    # Unknown user and wrong password both surface as the same generic
    # 'login_failed' flag, so the form does not reveal which one was wrong.
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'username': u'steve',
            'password': '******'})
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
    assert context['login_failed']

    # Failed login - bad password
    # ---------------------------
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'username': u'chris',
            'password': '******'})
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/auth/login.html']
    assert context['login_failed']

    # Successful login
    # ----------------
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'username': u'chris',
            'password': '******'})

    # User should be redirected
    response.follow()
    assert_equal(
        urlparse.urlsplit(response.location)[2],
        '/')
    assert util.TEMPLATE_TEST_CONTEXT.has_key(
        'mediagoblin/root.html')

    # Make sure user is in the session
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/root.html']
    session = context['request'].session
    assert session['user_id'] == unicode(test_user['_id'])

    # Successful logout
    # -----------------
    util.clear_test_template_context()
    response = test_app.get('/auth/logout/')

    # Should be redirected to index page
    response.follow()
    assert_equal(
        urlparse.urlsplit(response.location)[2],
        '/')
    assert util.TEMPLATE_TEST_CONTEXT.has_key(
        'mediagoblin/root.html')

    # Make sure the user is not in the session
    context = util.TEMPLATE_TEST_CONTEXT['mediagoblin/root.html']
    session = context['request'].session
    assert session.has_key('user_id') == False

    # User is redirected to custom URL if POST['next'] is set
    # -------------------------------------------------------
    # Only the path component of the redirect is asserted here; whether the
    # view restricts 'next' to local paths is not exercised by this test.
    util.clear_test_template_context()
    response = test_app.post(
        '/auth/login/', {
            'username': u'chris',
            'password': '******',
            'next' : '/u/chris/'})
    assert_equal(
        urlparse.urlsplit(response.location)[2],
        '/u/chris/')