def login_facebook():
"""Attempt to login a user with FB credentials encoded in the POST body.
Expects the following form data:
fb_access_token: Facebook user access token. This is used to verify
that the user did authenticate with Facebook and is authenticated
to our app. The user's FB ID is also obtained from this token.
Responds with the session cookie via the `set-cookie` header on success.
Send the associated cookie for all subsequent API requests that accept
user authentication.
"""
req = flask.request
fb_access_token = req.form.get('fb_access_token')
# We perform a check to confirm the fb_access_token is indeed the person
# identified by fbid, and that it was our app that generated the token.
token_info = facebook.get_access_token_info(fb_access_token)
if not token_info['is_valid'] or not token_info.get('user_id'):
raise api_util.ApiForbiddenError(
'The given FB credentials are invalid.')
fbid = str(token_info['user_id'])
user = m.User.objects(fbid=fbid).first()
if not user:
raise api_util.ApiForbiddenError('No user with fbid %s exists. '
'Create an account at uwflow.com.' %
fbid)
view_helpers.login_as_user(user)
return api_util.jsonify({'message': 'Logged in user %s' % user.name})
def login_facebook():
"""Attempt to login a user with FB credentials encoded in the POST body.
Expects the following form data:
fb_access_token: Facebook user access token. This is used to verify
that the user did authenticate with Facebook and is authenticated
to our app. The user's FB ID is also obtained from this token.
Responds with the session cookie via the `set-cookie` header on success.
Send the associated cookie for all subsequent API requests that accept
user authentication.
Also returns the CSRF token, which must be sent as the value of the
"X-CSRF-Token" header for all non-GET requests.
"""
# Prevent a CSRF attack from replacing a logged-in user's account with the
# attacker's.
current_user = view_helpers.get_current_user()
if current_user:
return api_util.jsonify({'message': 'A user is already logged in.'})
rmclogger.log_event(
rmclogger.LOG_CATEGORY_API,
rmclogger.LOG_EVENT_SIGNUP,
{
'type': rmclogger.LOGIN_TYPE_STRING_FACEBOOK,
},
)
req = flask.request
fb_access_token = req.form.get('fb_access_token')
# We perform a check to confirm the fb_access_token is indeed the person
# identified by fbid, and that it was our app that generated the token.
token_info = facebook.get_access_token_info(fb_access_token)
if not token_info['is_valid'] or not token_info.get('user_id'):
raise api_util.ApiForbiddenError(
'The given FB credentials are invalid.')
fbid = str(token_info['user_id'])
user = m.User.objects(fbid=fbid).first()
if not user:
raise api_util.ApiForbiddenError('No user with fbid %s exists. '
'Create an account at uwflow.com.' %
fbid)
view_helpers.login_as_user(user)
# TODO(sandy): We don't need to do this anymore, just use the endpoint
csrf_token = view_helpers.generate_csrf_token()
return api_util.jsonify({
'message': 'Logged in user %s' % user.name,
'csrf_token': csrf_token,
})
def _get_user_require_auth(user_id=None):
"""Return the requested user only if authenticated and authorized.
Defaults to the current user if no user_id given.
Guaranteed to return a user object.
"""
current_user = view_helpers.get_current_user()
if not current_user:
raise api_util.ApiBadRequestError('Must authenticate as a user.')
if not user_id:
return current_user
try:
user_id_bson = bson.ObjectId(user_id)
except bson.errors.InvalidId:
raise api_util.ApiBadRequestError(
'User ID %s is not a valid BSON ObjectId.' % user_id)
# Does the the current user have permission to get info about this user?
if (user_id_bson == current_user.id
or user_id_bson in current_user.friend_ids):
user = m.User.objects.with_id(user_id_bson)
if user:
return user
raise api_util.ApiForbiddenError(
'Not authorized to get info about this user.')