def process_response(self, request, response):
    """Post-process a response: honour logout flags and refresh stale tokens.

    Middleware hook.  Two things can happen here:

    * If the view marked the response with a truthy ``_logout`` attribute,
      that response is discarded and replaced by whatever ``auth.logout``
      builds, passing along the optional ``redirect`` query parameter.
    * Otherwise, if the request carries a ``user`` whose ``_credentials``
      report a stale security token, a fresh token is attached to the
      response via ``auth.attach_credentials``.

    Args:
        request: the request being processed; it may have no ``user``
            attribute at all, or ``user`` may be ``None``.
        response: the response produced by the view.

    Returns:
        The (possibly credential-refreshed) original response, or the
        logout response built by ``auth.logout``.
    """
    if getattr(response, '_logout', False):
        target = request.GET.get('redirect', None)
        # NOTE(review): ``target`` is taken verbatim from the query string.
        # Unless auth.logout restricts it to a local path, the logout URL
        # doubles as an open redirector -- confirm in auth.logout.
        return auth.logout(redirect=target)

    if not hasattr(request, 'user'):
        return response

    # ``request.user`` may be None; getattr with a default copes with that.
    cred = getattr(request.user, '_credentials', None)
    if cred and cred.security_token_is_stale:
        auth.attach_credentials(response, request.user)
    return response
def test_attach_credentials(self):
    """A credentialed response carries a security-token cookie for the user.

    Attaches a fresh User to a trivial response and checks that the cookie
    named by ``auth._CHIRP_SECURITY_TOKEN_COOKIE`` is present and that its
    value parses back to credentials for the same email address.
    """
    email = '*****@*****.**'
    user = User(email=email)

    response = http.HttpResponse('test')
    auth.attach_credentials(response, user)

    cookie_name = auth._CHIRP_SECURITY_TOKEN_COOKIE
    # The cookie has to exist before its value can be inspected.
    self.assertTrue(cookie_name in response.cookies)
    parsed = auth._parse_security_token(response.cookies[cookie_name].value)
    self.assertEqual(email, parsed.email)
    # NOTE(review): this only proves the token round-trips; it does not
    # check that a tampered token is rejected, nor that the cookie is set
    # HttpOnly/Secure -- both are worth separate test cases.
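def reset_password(request):
    """Allow a user to reset their password.

    The user authenticates by presenting a security token.  Users will
    arrive at this page by clicking on the URL in the email they are
    sent by the /auth/forgot_password page.

    GET: the token is read from the query string, checked with
    ``auth.parse_password_reset_token`` and echoed into a hidden form
    field.  POST: the token is re-validated from the submitted form, the
    matching user's password is replaced, ``last_login`` is stamped and
    the user is logged in by attaching credentials to the response.

    Args:
        request: the incoming HTTP request; ``request.user`` is expected
            to be falsy for anonymous visitors.

    Returns:
        An ``HttpResponse`` rendering ``auth/reset_password.html``, or an
        ``HttpResponseForbidden`` when the visitor is already logged in
        or the token is missing, invalid, or names an unknown user.
    """
    # A logged-in user should change their password through the normal
    # flow, not via a reset link (which might not even be theirs).
    if request.user:
        return http.HttpResponseForbidden('Logged-in users prohibited.')

    tmpl = loader.get_template('auth/reset_password.html')
    ctx_vars = {
        'Title': 'Reset Password',
    }

    if request.method == 'GET':
        token = request.GET.get('token')
        if token is None:
            return http.HttpResponseForbidden('Missing token')
        # Validate up front so a bad link fails before the form is shown.
        email = auth.parse_password_reset_token(token)
        if email is None:
            return http.HttpResponseForbidden('Invalid token')
        ctx_vars['form'] = auth_forms.ResetPasswordForm(
            initial={'token': token})
    else:
        form = auth_forms.ResetPasswordForm(request.POST)
        if not form.is_valid():
            ctx_vars['form'] = form
        else:
            # The token is the only thing authenticating this request, so
            # it is re-checked here rather than trusted from the GET step.
            token = form.cleaned_data['token']
            email = auth.parse_password_reset_token(token) if token else None
            # Reject an empty token as well as an unparseable one: the old
            # ``token and parse(...)`` / ``is None`` pair let an empty
            # token through to the user lookup.
            if not email:
                return http.HttpResponseForbidden('Invalid token')
            user = User.get_by_email(email)
            if user is None:
                return http.HttpResponseForbidden('No user for token')
            # NOTE(review): nothing here invalidates the token after use;
            # unless parse_password_reset_token enforces expiry or
            # single-use, the same link can reset the password again --
            # confirm in auth.
            user.set_password(form.cleaned_data['new_password'])
            # We are also logging the user in automatically, so record
            # the time.
            user.last_login = datetime.datetime.now()
            AutoRetry(user).save()
            # Attach the user to the request so that our page will
            # display the chrome shown to logged-in users.
            request.user = user

    ctx = RequestContext(request, ctx_vars)
    response = http.HttpResponse(tmpl.render(ctx))
    # Only the successful POST path sets request.user, so this is where
    # the freshly reset user receives their session credentials.
    if request.user:
        auth.attach_credentials(response, request.user)
    return response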
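def _local_redirect_target(target, default='/'):
    """Return *target* if it is a path on this site, otherwise *default*.

    The login page's ``redirect`` value comes from the query string or a
    hidden form field, i.e. from whoever crafted the link, so it must not
    be able to send the browser to another host (open redirect).  Only a
    path beginning with a single ``/`` is accepted; ``//host``,
    ``/\\host`` and ``scheme://host`` forms, and anything containing
    control characters, fall back to *default*.  Same-site absolute URLs
    are rejected as well -- extend this with a host allow-list if they are
    ever needed.

    Args:
        target: the candidate redirect value, possibly empty or None.
        default: the value returned when *target* is not acceptable.

    Returns:
        *target* unchanged when it is a local path, else *default*.
    """
    if not target or not target.startswith('/'):
        return default
    # Browsers treat both of these as protocol-relative (off-site) URLs.
    if target.startswith(('//', '/\\')):
        return default
    # CR/LF and friends have no business in a Location header.
    if any(ord(ch) < 0x20 or ch == '\x7f' for ch in target):
        return default
    return target


def hello(request):
    """Implements our login page.

    GET renders the login form (pre-filling the hidden ``redirect``
    field) or, if the visitor is already signed in, redirects at once.
    POST validates the form, attaches the user's credentials to a
    redirect response and records ``last_login`` on the User.

    The ``redirect`` target is user-controlled in both branches and is
    therefore restricted to a local path by ``_local_redirect_target``.

    Args:
        request: the incoming HTTP request.

    Returns:
        An ``HttpResponseRedirect`` on a successful login or for an
        already-signed-in visitor, otherwise an ``HttpResponse`` with the
        rendered ``auth/hello.html`` template.
    """
    redirect = '/'
    tmpl = loader.get_template('auth/hello.html')
    if request.method == 'GET':
        # Never forward an off-site target: a crafted login link could
        # otherwise bounce a freshly authenticated user to an attacker's
        # page.
        redirect = _local_redirect_target(request.GET.get('redirect', '/'))
        # Already signed in?  Then redirect immediately.
        if request.user:
            return http.HttpResponseRedirect(redirect)
        form = auth_forms.LoginForm(initial={
            'redirect': redirect,
        })
    else:
        form = auth_forms.LoginForm(request.POST)
        if form.is_valid():
            # The hidden field is just as attacker-controlled as the query
            # string, so it is re-checked on the way out.
            redirect = _local_redirect_target(form.cleaned_data['redirect'])
            response = http.HttpResponseRedirect(redirect)
            auth.attach_credentials(response, form.user)
            # Update the last login time in the User record.
            form.user.last_login = datetime.datetime.now()
            AutoRetry(form.user).save()
            return response
    ctx = RequestContext(request, {'form': form})
    return http.HttpResponse(tmpl.render(ctx))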