def login_for_apps():
"""Login for API access only"""
if request.method == "GET":
session['unsigned_access_token'] = random_token()
session['logged_in'] = False
return jsonify({
"token":
session['unsigned_access_token'],
"signature":
server_key.sign_message(session['unsigned_access_token'])
})
elif request.method == "POST":
# Client posts it's login name and a signed token.
data = request.get_json()
# Verify signed token against stored public key for that name.
pubkey = APIKey(db.get_pub_key(data['login'])['pubkey'])
try:
pubkey.verify_message(session['unsigned_access_token'],
data['signature'])
except Exception, e:
session['logged_in'] = False
del session['unsigned_access_token']
return make_response(jsonify({'error': 'Bad token signature.'}),
401)
# Token has valid signature, grant login:
session['user_id'] = data['login']
session['logged_in'] = True
# Mark this session as safe to bypass csrf protection, due to the ECDSA authentication:
session['bypass_csrf'] = True
return jsonify({'success': 'Logged in'})
def authenticate():
token_to_sign = random_token()
cmd = Command.new(ws, action='authenticate', token=token_to_sign)
response = cmd.send()
context['cluster'] = cluster = response['cluster']
client_pubkey = db.get_pub_key(cluster)
client_apikey = APIKey(client_pubkey['pubkey'])
# Verify the client correctly signed the token:
try:
client_apikey.verify_message(token_to_sign, response.get('signature'))
except:
response.respond(message='Bad Signature of token for authentication', done=True)
log.error('client provided bad signature for auth token')
raise
response.respond(authenticated=True, done=True)
# Client will ask us to authenticate too:
command = receive_data(ws)
assert command.get('action') == 'authenticate'
data = {'signature' :context['apikey'].sign_message(command['token'])}
response = command.respond(**data)
if response.get('authenticated') != True:
raise UnauthenticatedError("Our peer could not validate our signed auth token")
def login_for_apps():
"""Login for API access only"""
if request.method == "GET":
session["unsigned_access_token"] = random_token()
session["logged_in"] = False
return jsonify(
{
"token": session["unsigned_access_token"],
"signature": server_key.sign_message(session["unsigned_access_token"]),
}
)
elif request.method == "POST":
# Client posts it's login name and a signed token.
data = request.get_json()
# Verify signed token against stored public key for that name.
pubkey = APIKey(db.get_pub_key(data["login"])["pubkey"])
try:
pubkey.verify_message(session["unsigned_access_token"], data["signature"])
except Exception, e:
session["logged_in"] = False
del session["unsigned_access_token"]
return make_response(jsonify({"error": "Bad token signature."}), 401)
# Token has valid signature, grant login:
session["user_id"] = data["login"]
session["logged_in"] = True
# Mark this session as safe to bypass csrf protection, due to the ECDSA authentication:
session["bypass_csrf"] = True
return jsonify({"success": "Logged in"})
def authenticate():
token_to_sign = random_token()
cmd = Command.new(ws, action='authenticate', token=token_to_sign)
response = cmd.send()
context['cluster'] = cluster = response['cluster']
client_pubkey = db.get_pub_key(cluster)
client_apikey = APIKey(client_pubkey['pubkey'])
# Verify the client correctly signed the token:
try:
client_apikey.verify_message(token_to_sign,
response.get('signature'))
except:
response.respond(
message='Bad Signature of token for authentication', done=True)
log.error('client provided bad signature for auth token')
raise
response.respond(authenticated=True, done=True)
# Client will ask us to authenticate too:
command = receive_data(ws)
assert command.get('action') == 'authenticate'
data = {'signature': context['apikey'].sign_message(command['token'])}
response = command.respond(**data)
if response.get('authenticated') != True:
raise UnauthenticatedError(
"Our peer could not validate our signed auth token")
