def auth_login(auth, **kwargs): """If GET request, show login page. If POST, attempt to log user in if login form passsed; else send forgot password email. """ campaign = request.args.get('campaign') next_url = request.args.get('next') if campaign: next_url = campaigns.campaign_url_for(campaign) if auth.logged_in: if not request.args.get('logout'): if next_url: return redirect(next_url) return redirect(web_url_for('dashboard')) # redirect user to CAS for logout, return here w/o authentication return auth_logout(redirect_url=request.url) if kwargs.get('first', False): status.push_status_message('You may now log in', 'info') status_message = request.args.get('status', '') if status_message == 'expired': status.push_status_message('The private link you used is expired.') if next_url: status.push_status_message(language.MUST_LOGIN) # set login_url to form action, upon successful authentication specifically w/o logout=True, # allows for next to be followed or a redirect to the dashboard. redirect_url = web_url_for('auth_login', next=next_url, _absolute=True) data = {} if campaign and campaign in campaigns.CAMPAIGNS: data['campaign'] = campaign data['login_url'] = cas.get_login_url(redirect_url, auto=True) return data, http.OK
def dropbox_oauth_finish(auth, **kwargs): """View called when the Oauth flow is completed. Adds a new DropboxUserSettings record to the user and saves the user's access token and account info. """ if not auth.logged_in: raise HTTPError(http.FORBIDDEN) user = auth.user node = Node.load(session.data.get('dropbox_auth_nid')) result = finish_auth(node) # If result is a redirect response, follow the redirect if isinstance(result, BaseResponse): return result # Make sure user has dropbox enabled user.add_addon('dropbox') user.save() user_settings = user.get_addon('dropbox') user_settings.owner = user user_settings.access_token = result.access_token user_settings.dropbox_id = result.dropbox_id client = get_client_from_user_settings(user_settings) user_settings.dropbox_info = client.account_info() user_settings.save() if node: del session.data['dropbox_auth_nid'] # Automatically use newly-created auth if node.has_addon('dropbox'): node_addon = node.get_addon('dropbox') node_addon.set_user_auth(user_settings) node_addon.save() return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons'))
def user_account_password(auth, **kwargs): user = auth.user old_password = request.form.get('old_password', None) new_password = request.form.get('new_password', None) confirm_password = request.form.get('confirm_password', None) # It has been more than 1 hour since last invalid attempt to change password. Reset the counter for invalid attempts. if throttle_period_expired(user.change_password_last_attempt, settings.TIME_RESET_CHANGE_PASSWORD_ATTEMPTS): user.reset_old_password_invalid_attempts() # There have been more than 3 failed attempts and throttle hasn't expired. if user.old_password_invalid_attempts >= settings.INCORRECT_PASSWORD_ATTEMPTS_ALLOWED and not throttle_period_expired(user.change_password_last_attempt, settings.CHANGE_PASSWORD_THROTTLE): push_status_message( message='Too many failed attempts. Please wait a while before attempting to change your password.', kind='warning', trust=False ) return redirect(web_url_for('user_account')) try: user.change_password(old_password, new_password, confirm_password) except ChangePasswordError as error: for m in error.messages: push_status_message(m, kind='warning', trust=False) else: # We have to logout the user first so all CAS sessions are invalid user.save() osf_logout() return redirect(cas.get_logout_url(cas.get_login_url( web_url_for('user_account', _absolute=True) + '?password_reset=True', username=user.username, verification_key=user.verification_key, ))) user.save() return redirect(web_url_for('user_account'))
def user_account_password(auth, **kwargs): user = auth.user old_password = request.form.get('old_password', None) new_password = request.form.get('new_password', None) confirm_password = request.form.get('confirm_password', None) # It has been more than 1 hour since last invalid attempt to change password. Reset the counter for invalid attempts. if throttle_period_expired(user.change_password_last_attempt, settings.TIME_RESET_CHANGE_PASSWORD_ATTEMPTS): user.reset_old_password_invalid_attempts() # There have been more than 3 failed attempts and throttle hasn't expired. if user.old_password_invalid_attempts >= settings.INCORRECT_PASSWORD_ATTEMPTS_ALLOWED and not throttle_period_expired(user.change_password_last_attempt, settings.CHANGE_PASSWORD_THROTTLE): push_status_message( message='Too many failed attempts. Please wait a while before attempting to change your password.', kind='warning', trust=False ) return redirect(web_url_for('user_account')) try: user.change_password(old_password, new_password, confirm_password) if user.verification_key_v2: user.verification_key_v2['expires'] = timezone.now() user.save() except ChangePasswordError as error: for m in error.messages: push_status_message(m, kind='warning', trust=False) else: push_status_message('Password updated successfully.', kind='success', trust=False) user.save() return redirect(web_url_for('user_account'))
def googledrive_oauth_start(auth, **kwargs): """View function that does OAuth Authorization and returns access token""" # Run through the OAuth flow and retrieve credentials # Store the node ID on the session in order to get the correct redirect URL # upon finishing the flow user = auth.user nid = kwargs.get('nid') or kwargs.get('pid') node = models.Node.load(nid) if nid else None node_addon = user.get_addon('googledrive') # Fail if node provided and user not contributor if node and not node.is_contributor(user): raise HTTPError(http.FORBIDDEN) # Handle if user has already authorized google drive if node_addon and node_addon.has_auth: return redirect(web_url_for('user_addons')) client = GoogleAuthClient() authorization_url, state = client.start() session.data['googledrive_auth_state'] = state if nid: session.data['googledrive_auth_nid'] = nid return redirect(authorization_url)
def auth_login(auth, **kwargs): """If GET request, show login page. If POST, attempt to log user in if login form passsed; else send forgot password email. """ next_url = request.args.get('next') if auth.logged_in: if not request.args.get('logout'): if next_url: return redirect(next_url) return redirect(web_url_for('dashboard')) # redirect user to CAS for logout, return here w/o authentication return auth_logout(redirect_url=request.url) if kwargs.get('first', False): status.push_status_message('You may now log in', 'info') status_message = request.args.get('status', '') if status_message == 'expired': status.push_status_message('The private link you used is expired.') code = http.OK if next_url: status.push_status_message(language.MUST_LOGIN) # Don't raise error if user is being logged out if not request.args.get('logout'): code = http.UNAUTHORIZED # set login_url to form action, upon successful authentication specifically w/o logout=True, # allows for next to be followed or a redirect to the dashboard. redirect_url = web_url_for('auth_login', next=next_url, _absolute=True) login_url = cas.get_login_url(redirect_url, auto=True) return {'login_url': login_url}, code
def auth_register_post(): if not settings.ALLOW_REGISTRATION: status.push_status_message(language.REGISTRATION_UNAVAILABLE) return redirect('/') form = RegistrationForm(request.form, prefix='register') # Process form if form.validate(): try: user = framework.auth.register_unconfirmed( form.username.data, form.password.data, form.fullname.data) framework.auth.signals.user_registered.send(user) except (ValidationValueError, DuplicateEmailError): status.push_status_message( language.ALREADY_REGISTERED.format(email=form.username.data)) return auth_login() if user: if settings.CONFIRM_REGISTRATIONS_BY_EMAIL: send_confirm_email(user, email=user.username) message = language.REGISTRATION_SUCCESS.format(email=user.username) status.push_status_message(message, 'success') return auth_login() else: return redirect('/login/first/') else: forms.push_errors_to_status(form.errors) return auth_login()
def verify_two_factor(user_id, two_factor_code): """Verifies user two factor authentication for specified user :param user_id: ID for user attempting login :param two_factor_code: two factor code for authentication :return: Response object """ user = User.load(user_id) two_factor_auth = user.get_addon('twofactor') if two_factor_auth and not two_factor_auth.verify_code(two_factor_code): # Raise error if incorrect code is submitted raise TwoFactorValidationError('Two-Factor auth does not match.') # Update session field verifying two factor and delete key used for auth session.data.update(session.data['two_factor_auth']) del session.data['two_factor_auth'] next_url = session.data.get('next_url', False) if next_url: response = redirect(next_url) else: # NOTE: avoid circular import /hrybacki from website.util import web_url_for response = redirect(web_url_for('dashboard')) return response
def make_response_from_ticket(ticket, service_url): """ Given a CAS ticket and service URL, attempt to validate the user and return a proper redirect response. :param str ticket: CAS service ticket :param str service_url: Service URL from which the authentication request originates :return: redirect response """ service_furl = furl.furl(service_url) if 'ticket' in service_furl.args: service_furl.args.pop('ticket') client = get_client() cas_resp = client.service_validate(ticket, service_furl.url) if cas_resp.authenticated: user, external_credential, action = get_user_from_cas_resp(cas_resp) # user found and authenticated if user and action == 'authenticate': # if we successfully authenticate and a verification key is present, invalidate it if user.verification_key: user.verification_key = None user.save() # if user is authenticated by external IDP, ask CAS to authenticate user for a second time # this extra step will guarantee that 2FA are enforced # current CAS session created by external login must be cleared first before authentication if external_credential: user.verification_key = generate_verification_key() user.save() return redirect(get_logout_url(get_login_url( service_url, username=user.username, verification_key=user.verification_key ))) # if user is authenticated by CAS return authenticate( user, cas_resp.attributes['accessToken'], redirect(service_furl.url) ) # first time login from external identity provider if not user and external_credential and action == 'external_first_login': from website.util import web_url_for # orcid attributes can be marked private and not shared, default to orcid otherwise fullname = '{} {}'.format(cas_resp.attributes.get('given-names', ''), cas_resp.attributes.get('family-name', '')).strip() if not fullname: fullname = external_credential['id'] user = { 'external_id_provider': external_credential['provider'], 'external_id': external_credential['id'], 'fullname': fullname, 'access_token': cas_resp.attributes['accessToken'], } return external_first_login_authenticate( user, redirect(web_url_for('external_login_email_get')) ) # Unauthorized: ticket could not be validated, or user does not exist. return redirect(service_furl.url)
def auth_login(auth, **kwargs): """If GET request, show login page. If POST, attempt to log user in if login form passsed; else send forgot password email. """ campaign = request.args.get('campaign') next_url = request.args.get('next') must_login_warning = True if campaign: next_url = campaigns.campaign_url_for(campaign) if not next_url: next_url = request.args.get('redirect_url') must_login_warning = False if next_url: # Only allow redirects which are relative root or full domain, disallows external redirects. if not (next_url[0] == '/' or next_url.startswith(settings.DOMAIN) or next_url.startswith(settings.CAS_SERVER_URL) or next_url.startswith(settings.MFR_SERVER_URL)): raise HTTPError(http.InvalidURL) if auth.logged_in: if not request.args.get('logout'): if next_url: return redirect(next_url) return redirect('/') # redirect user to CAS for logout, return here w/o authentication return auth_logout(redirect_url=request.url) if kwargs.get('first', False): status.push_status_message('You may now log in', kind='info', trust=False) status_message = request.args.get('status', '') if status_message == 'expired': status.push_status_message('The private link you used is expired.', trust=False) status.push_status_message('The private link you used is expired. Please <a href="/settings/account/">' 'resend email.</a>', trust=False) if next_url and must_login_warning: status.push_status_message(language.MUST_LOGIN, trust=False) # set login_url to form action, upon successful authentication specifically w/o logout=True, # allows for next to be followed or a redirect to the dashboard. redirect_url = web_url_for('auth_login', next=next_url, _absolute=True) data = {} if campaign and campaign in campaigns.CAMPAIGNS: if (campaign == 'institution' and settings.ENABLE_INSTITUTIONS) or campaign != 'institution': data['campaign'] = campaign data['login_url'] = cas.get_login_url(redirect_url, auto=True) data['institution_redirect'] = cas.get_institution_target(redirect_url) data['redirect_url'] = next_url data['sign_up'] = request.args.get('sign_up', False) data['existing_user'] = request.args.get('existing_user', None) return data, http.OK
def confirm_email_get(token, auth=None, **kwargs): """View for email confirmation links. Authenticates and redirects to user settings page if confirmation is successful, otherwise shows an "Expired Link" error. methods: GET """ user = User.load(kwargs['uid']) is_merge = 'confirm_merge' in request.args is_initial_confirmation = not user.date_confirmed if user is None: raise HTTPError(http.NOT_FOUND) if auth and auth.user and (auth.user._id == user._id or auth.user._id == user.merged_by._id): if not is_merge: # determine if the user registered through a campaign campaign = campaigns.campaign_for_user(user) if campaign: return redirect( campaigns.campaign_url_for(campaign) ) status.push_status_message(language.WELCOME_MESSAGE, 'default', jumbotron=True) # Go to dashboard return redirect(web_url_for('dashboard')) status.push_status_message(language.MERGE_COMPLETE, 'success') return redirect(web_url_for('user_account')) try: user.confirm_email(token, merge=is_merge) except exceptions.EmailConfirmTokenError as e: raise HTTPError(http.BAD_REQUEST, data={ 'message_short': e.message_short, 'message_long': e.message_long }) if is_initial_confirmation: user.date_last_login = datetime.datetime.utcnow() user.save() # Send out our welcome message mails.send_mail( to_addr=user.username, mail=mails.WELCOME, mimetype='html', user=user ) # Redirect to CAS and authenticate the user with a verification key. user.verification_key = security.random_string(20) user.save() return redirect(cas.get_login_url( request.url, auto=True, username=user.username, verification_key=user.verification_key ))
def claim_user_registered(auth, node, **kwargs): """View that prompts user to enter their password in order to claim contributorship on a project. A user must be logged in. """ current_user = auth.user sign_out_url = web_url_for('auth_login', logout=True, next=request.url) if not current_user: return redirect(sign_out_url) # Logged in user should not be a contributor the project if node.is_contributor(current_user): logout_url = web_url_for('auth_logout', redirect_url=request.url) data = { 'message_short': 'Already a contributor', 'message_long': ('The logged-in user is already a contributor to this ' 'project. Would you like to <a href="{}">log out</a>?').format(logout_url) } raise HTTPError(http.BAD_REQUEST, data=data) uid, pid, token = kwargs['uid'], kwargs['pid'], kwargs['token'] unreg_user = User.load(uid) if not verify_claim_token(unreg_user, token, pid=node._primary_key): raise HTTPError(http.BAD_REQUEST) # Store the unreg_user data on the session in case the user registers # a new account session.data['unreg_user'] = { 'uid': uid, 'pid': pid, 'token': token } form = PasswordForm(request.form) if request.method == 'POST': if form.validate(): if current_user.check_password(form.password.data): node.replace_contributor(old=unreg_user, new=current_user) node.save() status.push_status_message( 'You are now a contributor to this project.', kind='success', trust=False ) return redirect(node.url) else: status.push_status_message(language.LOGIN_FAILED, kind='warning', trust=False) else: forms.push_errors_to_status(form.errors) if is_json_request(): form_ret = forms.utils.jsonify(form) user_ret = profile_utils.serialize_user(current_user, full=False) else: form_ret = form user_ret = current_user return { 'form': form_ret, 'user': user_ret, 'signOutUrl': sign_out_url }
def claim_user_form(auth, **kwargs): """ View for rendering the set password page for a claimed user. Must have ``token`` as a querystring argument. Renders the set password form, validates it, and sets the user's password. HTTP Method: GET, POST """ uid, pid = kwargs['uid'], kwargs['pid'] token = request.form.get('token') or request.args.get('token') user = User.load(uid) # If unregistered user is not in database, or url bears an invalid token raise HTTP 400 error if not user or not verify_claim_token(user, token, pid): error_data = { 'message_short': 'Invalid url.', 'message_long': 'Claim user does not exists, the token in the URL is invalid or has expired.' } raise HTTPError(http.BAD_REQUEST, data=error_data) # If user is logged in, redirect to 're-enter password' page if auth.logged_in: return redirect(web_url_for('claim_user_registered', uid=uid, pid=pid, token=token)) unclaimed_record = user.unclaimed_records[pid] user.fullname = unclaimed_record['name'] user.update_guessed_names() # The email can be the original referrer email if no claimer email has been specified. claimer_email = unclaimed_record.get('claimer_email') or unclaimed_record.get('email') form = SetEmailAndPasswordForm(request.form, token=token) if request.method == 'POST': if form.validate(): username, password = claimer_email, form.password.data user.register(username=username, password=password) # Clear unclaimed records user.unclaimed_records = {} user.verification_key = generate_verification_key() user.save() # Authenticate user and redirect to project page status.push_status_message(language.CLAIMED_CONTRIBUTOR, kind='success', trust=True) # Redirect to CAS and authenticate the user with a verification key. return redirect(cas.get_login_url( web_url_for('view_project', pid=pid, _absolute=True), username=user.username, verification_key=user.verification_key )) else: forms.push_errors_to_status(form.errors) return { 'firstname': user.given_name, 'email': claimer_email if claimer_email else '', 'fullname': user.fullname, 'form': forms.utils.jsonify(form) if is_json_request() else form, }
def box_oauth_finish(auth, **kwargs): """View called when the Oauth flow is completed. Adds a new BoxUserSettings record to the user and saves the user's access token and account info. """ user = auth.user node = Node.load(session.data.pop('box_auth_nid', None)) # Handle request cancellations from Box's API if request.args.get('error'): flash('Box authorization request cancelled.') if node: return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons')) result = finish_auth() # If result is a redirect response, follow the redirect if isinstance(result, BaseResponse): return result client = BoxClient(CredentialsV2( result['access_token'], result['refresh_token'], settings.BOX_KEY, settings.BOX_SECRET, )) about = client.get_user_info() oauth_settings = BoxOAuthSettings.load(about['id']) if not oauth_settings: oauth_settings = BoxOAuthSettings(user_id=about['id'], username=about['name']) oauth_settings.save() oauth_settings.refresh_token = result['refresh_token'] oauth_settings.access_token = result['access_token'] oauth_settings.expires_at = datetime.utcfromtimestamp(time.time() + 3600) # Make sure user has box enabled user.add_addon('box') user.save() user_settings = user.get_addon('box') user_settings.oauth_settings = oauth_settings user_settings.save() flash('Successfully authorized Box', 'success') if node: # Automatically use newly-created auth if node.has_addon('box'): node_addon = node.get_addon('box') node_addon.set_user_auth(user_settings) node_addon.save() return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons'))
def claim_user_form(auth, **kwargs): """View for rendering the set password page for a claimed user. Must have ``token`` as a querystring argument. Renders the set password form, validates it, and sets the user's password. """ uid, pid = kwargs['uid'], kwargs['pid'] token = request.form.get('token') or request.args.get('token') # If user is logged in, redirect to 're-enter password' page if auth.logged_in: return redirect(web_url_for('claim_user_registered', uid=uid, pid=pid, token=token)) user = User.load(uid) # The unregistered user # user ID is invalid. Unregistered user is not in database if not user: raise HTTPError(http.BAD_REQUEST) # If claim token not valid, redirect to registration page if not verify_claim_token(user, token, pid): return redirect(web_url_for('auth_login')) unclaimed_record = user.unclaimed_records[pid] user.fullname = unclaimed_record['name'] user.update_guessed_names() # The email can be the original referrer email if no claimer email has been specified. claimer_email = unclaimed_record.get('claimer_email') or unclaimed_record.get('email') form = SetEmailAndPasswordForm(request.form, token=token) if request.method == 'POST': if form.validate(): username, password = claimer_email, form.password.data user.register(username=username, password=password) # Clear unclaimed records user.unclaimed_records = {} user.verification_key = security.random_string(20) user.save() # Authenticate user and redirect to project page node = Node.load(pid) status.push_status_message(language.CLAIMED_CONTRIBUTOR.format(node=node), kind='success', trust=True) # Redirect to CAS and authenticate the user with a verification key. return redirect(cas.get_login_url( web_url_for('user_profile', _absolute=True), auto=True, username=user.username, verification_key=user.verification_key )) else: forms.push_errors_to_status(form.errors) return { 'firstname': user.given_name, 'email': claimer_email if claimer_email else '', 'fullname': user.fullname, 'form': forms.utils.jsonify(form) if is_json_request() else form, }
def claim_user_registered(auth, node, **kwargs): """ View that prompts user to enter their password in order to claim being a contributor on a project. A user must be logged in. """ current_user = auth.user sign_out_url = web_url_for("auth_register", logout=True, next=request.url) if not current_user: return redirect(sign_out_url) # Logged in user should not be a contributor the project if node.is_contributor(current_user): logout_url = web_url_for("auth_logout", redirect_url=request.url) data = { "message_short": "Already a contributor", "message_long": ( "The logged-in user is already a contributor to this " 'project. Would you like to <a href="{}">log out</a>?' ).format(logout_url), } raise HTTPError(http.BAD_REQUEST, data=data) uid, pid, token = kwargs["uid"], kwargs["pid"], kwargs["token"] unreg_user = User.load(uid) if not verify_claim_token(unreg_user, token, pid=node._primary_key): error_data = { "message_short": "Invalid url.", "message_long": "The token in the URL is invalid or has expired.", } raise HTTPError(http.BAD_REQUEST, data=error_data) # Store the unreg_user data on the session in case the user registers # a new account session.data["unreg_user"] = {"uid": uid, "pid": pid, "token": token} form = PasswordForm(request.form) if request.method == "POST": if form.validate(): if current_user.check_password(form.password.data): node.replace_contributor(old=unreg_user, new=current_user) node.save() status.push_status_message("You are now a contributor to this project.", kind="success", trust=False) return redirect(node.url) else: status.push_status_message(language.LOGIN_FAILED, kind="warning", trust=False) else: forms.push_errors_to_status(form.errors) if is_json_request(): form_ret = forms.utils.jsonify(form) user_ret = profile_utils.serialize_user(current_user, full=False) else: form_ret = form user_ret = current_user return {"form": form_ret, "user": user_ret, "signOutUrl": sign_out_url}
def resolve_guid(guid, suffix=None): """Resolve GUID to corresponding URL and return result of appropriate view function. This effectively yields a redirect without changing the displayed URL of the page. :param guid: GUID value (not the object) :param suffix: String to append to GUID route :return: Werkzeug response """ # Get prefix; handles API routes prefix = request.path.split(guid)[0].rstrip('/') # Look up GUID guid_object = Guid.load(guid) if guid_object: # verify that the object is a GuidStoredObject descendant. If a model # was once a descendant but that relationship has changed, it's # possible to have referents that are instances of classes that don't # have a redirect_mode attribute or otherwise don't behave as # expected. if not isinstance(guid_object.referent, GuidStoredObject): sentry.log_message( 'Guid `{}` resolved to non-guid object'.format(guid) ) raise HTTPError(http.NOT_FOUND) referent = guid_object.referent if referent is None: logger.error('Referent of GUID {0} not found'.format(guid)) raise HTTPError(http.NOT_FOUND) mode = referent.redirect_mode if mode is None: raise HTTPError(http.NOT_FOUND) url = referent.deep_url if mode == 'proxy' else referent.url url = _build_guid_url(url, prefix, suffix) # Always redirect API URLs; URL should identify endpoint being called if prefix or mode == 'redirect': if request.query_string: url += '?' + request.query_string return redirect(url) return proxy_url(url) # GUID not found; try lower-cased and redirect if exists guid_object_lower = Guid.load(guid.lower()) if guid_object_lower: return redirect( _build_guid_url( guid.lower(), prefix, suffix ) ) # GUID not found raise HTTPError(http.NOT_FOUND)
def googledrive_oauth_finish(auth, **kwargs): """View called when the Oauth flow is completed. Adds a new GoogleDriveUserSettings record to the user and saves the user's access token and account info. """ user = auth.user node = Node.load(session.data.pop('googledrive_auth_nid', None)) # Handle request cancellations from Google's API if request.args.get('error'): flash('Google Drive authorization request cancelled.') if node: return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons')) user.add_addon('googledrive') user.save() code = request.args.get('code') user_settings = user.get_addon('googledrive') state = session.data.pop('googledrive_auth_state') if state != request.args.get('state'): raise HTTPError(http.BAD_REQUEST) if code is None: raise HTTPError(http.BAD_REQUEST) auth_client = GoogleAuthClient() token = auth_client.finish(code) info = auth_client.userinfo(token['access_token']) # Attempt to attach an existing oauth settings model oauth_settings = GoogleDriveOAuthSettings.load(info['sub']) # Create a new oauth settings model if not oauth_settings: oauth_settings = GoogleDriveOAuthSettings() oauth_settings.user_id = info['sub'] oauth_settings.save() user_settings.oauth_settings = oauth_settings user_settings.username = info['name'] user_settings.access_token = token['access_token'] user_settings.refresh_token = token['refresh_token'] user_settings.expires_at = datetime.utcfromtimestamp(token['expires_at']) user_settings.save() flash('Successfully authorized Google Drive', 'success') if node: if node.has_addon('googledrive'): node_addon = node.get_addon('googledrive') node_addon.set_user_auth(user_settings) node_addon.save() return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons'))
def auth_logout(auth, redirect_url=None, next_url=None): """ Log out, delete current session and remove OSF cookie. If next url is valid and auth is logged in, redirect to CAS logout endpoint with the current request url as service. If next url is valid and auth is logged out, redirect directly to the next url. Otherwise, redirect to CAS logout or login endpoint with redirect url as service. The CAS logout endpoint which clears sessions and cookies for CAS and Shibboleth. HTTP Method: GET Note 1: OSF tells CAS where it wants to be redirected back after successful logout. However, CAS logout flow may not respect this url if user is authenticated through remote identity provider. Note 2: The name of the query parameter is `next`, `next_url` is used to avoid python reserved word. :param auth: the authentication context :param redirect_url: url to DIRECTLY redirect after CAS logout, default is `OSF/goodbye` :param next_url: url to redirect after OSF logout, which is after CAS logout :return: the response """ # For `?next=`: # takes priority # the url must be a valid OSF next url, # the full request url is set to CAS service url, # does not support `reauth` # For `?redirect_url=`: # the url must be valid CAS service url # the redirect url is set to CAS service url. # support `reauth` # logout/?next=<an OSF verified next url> next_url = next_url or request.args.get('next', None) if next_url and validate_next_url(next_url): cas_logout_endpoint = cas.get_logout_url(request.url) if auth.logged_in: resp = redirect(cas_logout_endpoint) else: resp = redirect(next_url) # logout/ or logout/?redirect_url=<a CAS verified redirect url> else: redirect_url = redirect_url or request.args.get('redirect_url') or web_url_for('goodbye', _absolute=True) # set redirection to CAS log out (or log in if `reauth` is present) if 'reauth' in request.args: cas_endpoint = cas.get_login_url(redirect_url) else: cas_endpoint = cas.get_logout_url(redirect_url) resp = redirect(cas_endpoint) # perform OSF logout osf_logout() # set response to delete OSF cookie resp.delete_cookie(settings.COOKIE_NAME, domain=settings.OSF_COOKIE_DOMAIN) return resp
def goback(n=1): next_url = request.args.get('next') or request.form.get('next_url') if next_url: return redirect(next_url) if session._get_current_object() is None: return redirect('/') try: for _ in range(n): url = session.data['history'].pop() except IndexError: url = '/dashboard/' return redirect(url)
def retraction_handler(action, registration, registered_from): status.push_status_message( { "approve": "Your retraction approval has been accepted.", "reject": "Your disapproval has been accepted and the retraction has been cancelled.", }[action], kind="success", trust=False, ) if action == "approve": return redirect(registered_from.web_url_for("view_project")) elif action == "reject": return redirect(registration.web_url_for("view_project"))
def claim_user_form(auth, **kwargs): """View for rendering the set password page for a claimed user. Must have ``token`` as a querystring argument. Renders the set password form, validates it, and sets the user's password. """ uid, pid = kwargs['uid'], kwargs['pid'] token = request.form.get('token') or request.args.get('token') # If user is logged in, redirect to 're-enter password' page if auth.logged_in: return redirect(web_url_for('claim_user_registered', uid=uid, pid=pid, token=token)) user = User.load(uid) # The unregistered user # user ID is invalid. Unregistered user is not in database if not user: raise HTTPError(http.BAD_REQUEST) # If claim token not valid, redirect to registration page if not verify_claim_token(user, token, pid): return redirect('/account/') unclaimed_record = user.unclaimed_records[pid] user.fullname = unclaimed_record['name'] user.update_guessed_names() email = unclaimed_record['email'] form = SetEmailAndPasswordForm(request.form, token=token) if request.method == 'POST': if form.validate(): username, password = email, form.password.data user.register(username=username, password=password) # Clear unclaimed records user.unclaimed_records = {} user.save() # Authenticate user and redirect to project page response = redirect('/settings/') node = Node.load(pid) status.push_status_message(language.CLAIMED_CONTRIBUTOR.format(node=node), 'success') return authenticate(user, response) else: forms.push_errors_to_status(form.errors) return { 'firstname': user.given_name, 'email': email if email else '', 'fullname': user.fullname, 'form': forms.utils.jsonify(form) if is_json_request() else form, }
def figshare_oauth_callback(auth, **kwargs): user = auth.user nid = kwargs.get('nid') or kwargs.get('pid') node = models.Node.load(nid) if nid else None # Fail if node provided and user not contributor if node and not node.is_contributor(user): raise HTTPError(http.FORBIDDEN) if user is None: raise HTTPError(http.NOT_FOUND) if kwargs.get('nid') and not node: raise HTTPError(http.NOT_FOUND) figshare_user = user.get_addon('figshare') verifier = request.args.get('oauth_verifier') access_token, access_token_secret = oauth_get_token( figshare_user.oauth_request_token, figshare_user.oauth_request_token_secret, verifier ) # Handle request cancellations from FigShare's API if not access_token or not access_token_secret: push_status_message('figshare authorization request cancelled.') if node: return redirect(node.web_url_for('node_setting')) return redirect(web_url_for('user_addons')) figshare_user.oauth_request_token = None figshare_user.oauth_request_token_secret = None figshare_user.oauth_access_token = access_token figshare_user.oauth_access_token_secret = access_token_secret figshare_user.save() if node: figshare_node = node.get_addon('figshare') figshare_node.user_settings = figshare_user figshare_node.save() if node: return redirect(os.path.join(node.url, 'settings')) return redirect(web_url_for('user_addons'))
def project_wiki_id_page(auth, wid, **kwargs): node = kwargs['node'] or kwargs['project'] wiki_page = node.get_wiki_page(id=wid) if wiki_page: return redirect(node.web_url_for('project_wiki_view', wname=wiki_page.page_name, _guid=True)) else: raise WIKI_PAGE_NOT_FOUND_ERROR
def auth_logout(redirect_url=None): """ Log out, delete current session and remove OSF cookie. Redirect to CAS logout which clears sessions and cookies for CAS and Shibboleth (if any). Final landing page may vary. HTTP Method: GET :param redirect_url: url to redirect user after CAS logout, default is 'goodbye' :return: """ # OSF tells CAS where it wants to be redirected back after successful logout. # However, CAS logout flow may not respect this url if user is authenticated through remote identity provider. redirect_url = redirect_url or request.args.get('redirect_url') or web_url_for('goodbye', _absolute=True) # OSF log out, remove current OSF session osf_logout() # set redirection to CAS log out (or log in if `reauth` is present) if 'reauth' in request.args: cas_endpoint = cas.get_login_url(redirect_url) else: cas_endpoint = cas.get_logout_url(redirect_url) resp = redirect(cas_endpoint) # delete OSF cookie resp.delete_cookie(settings.COOKIE_NAME, domain=settings.OSF_COOKIE_DOMAIN) return resp
def confirm_email_get(**kwargs): """View for email confirmation links. Authenticates and redirects to user settings page if confirmation is successful, otherwise shows an "Expired Link" error. methods: GET """ user = User.load(kwargs['uid']) token = kwargs['token'] if user: if user.confirm_email(token): # Confirm and register the user user.date_last_login = datetime.datetime.utcnow() user.save() # Go to settings page status.push_status_message(language.WELCOME_MESSAGE, 'success') response = redirect('/settings/') return framework.auth.authenticate(user, response=response) # Return data for the error template return { 'code': http.BAD_REQUEST, 'message_short': 'Link Expired', 'message_long': language.LINK_EXPIRED }, http.BAD_REQUEST
def auth_email_logout(token, user): """ When a user is adding an email or merging an account, add the email to the user and log them out. """ redirect_url = cas.get_logout_url(service_url=cas.get_login_url(service_url=web_url_for('index', _absolute=True))) try: unconfirmed_email = user.get_unconfirmed_email_for_token(token) except InvalidTokenError: raise HTTPError(http.BAD_REQUEST, data={ 'message_short': 'Bad token', 'message_long': 'The provided token is invalid.' }) except ExpiredTokenError: status.push_status_message('The private link you used is expired.') raise HTTPError(http.BAD_REQUEST, data={ 'message_short': 'Expired link', 'message_long': 'The private link you used is expired.' }) try: user_merge = User.find_one(Q('emails', 'eq', unconfirmed_email)) except NoResultsFound: user_merge = False if user_merge: remove_sessions_for_user(user_merge) user.email_verifications[token]['confirmed'] = True user.save() remove_sessions_for_user(user) resp = redirect(redirect_url) resp.delete_cookie(settings.COOKIE_NAME, domain=settings.OSF_COOKIE_DOMAIN) return resp
def auth_logout(): """Log out and delete cookie. """ logout() rv = redirect('/goodbye/') rv.delete_cookie(website.settings.COOKIE_NAME) return rv
def reset_password(auth, **kwargs): if auth.logged_in: return auth_logout(redirect_url=request.url) verification_key = kwargs['verification_key'] form = ResetPasswordForm(request.form) user_obj = get_user(verification_key=verification_key) if not user_obj: error_data = {'message_short': 'Invalid url.', 'message_long': 'The verification key in the URL is invalid or ' 'has expired.'} raise HTTPError(400, data=error_data) if request.method == 'POST' and form.validate(): # new random verification key, allows CAS to authenticate the user w/o password one time only. user_obj.verification_key = security.random_string(20) user_obj.set_password(form.password.data) user_obj.save() status.push_status_message('Password reset', 'success') # Redirect to CAS and authenticate the user with a verification key. return redirect(cas.get_login_url( web_url_for('user_account', _absolute=True), auto=True, username=user_obj.username, verification_key=user_obj.verification_key )) forms.push_errors_to_status(form.errors) return { 'verification_key': verification_key, }
def prepare_private_key(): """ `before_request` handler that checks the Referer header to see if the user is requesting from a view-only link. If so, re-append the view-only key. NOTE: In order to ensure the execution order of the before_request callbacks, this is attached in website.app.init_app rather than using @app.before_request. """ # Done if not GET request if request.method != "GET": return # Done if private_key in args if request.args.get("view_only", ""): return # Grab query key from previous request for not logged-in users if request.referrer: referrer_parsed = urlparse.urlparse(request.referrer) scheme = referrer_parsed.scheme key = urlparse.parse_qs(urlparse.urlparse(request.referrer).query).get("view_only") if key: key = key[0] else: scheme = None key = None # Update URL and redirect if key and not session.is_authenticated: new_url = add_key_to_url(request.url, scheme, key) return redirect(new_url, code=http.TEMPORARY_REDIRECT)
def claim_user_registered(auth, node, **kwargs): """ View that prompts user to enter their password in order to claim being a contributor on a project. A user must be logged in. """ current_user = auth.user sign_out_url = web_url_for('auth_login', logout=True, next=request.url) if not current_user: return redirect(sign_out_url) # Logged in user should not be a contributor the project if node.is_contributor(current_user): logout_url = web_url_for('auth_logout', redirect_url=request.url) data = { 'message_short': 'Already a contributor', 'message_long': ('The logged-in user is already a contributor to this ' 'project. Would you like to <a href="{}">log out</a>?').format(logout_url) } raise HTTPError(http.BAD_REQUEST, data=data) uid, pid, token = kwargs['uid'], kwargs['pid'], kwargs['token'] unreg_user = User.load(uid) if not verify_claim_token(unreg_user, token, pid=node._primary_key): error_data = { 'message_short': 'Invalid url.', 'message_long': 'The token in the URL is invalid or has expired.' } raise HTTPError(http.BAD_REQUEST, data=error_data) # Store the unreg_user data on the session in case the user registers # a new account session.data['unreg_user'] = { 'uid': uid, 'pid': pid, 'token': token } form = PasswordForm(request.form) if request.method == 'POST': if form.validate(): if current_user.check_password(form.password.data): node.replace_contributor(old=unreg_user, new=current_user) node.save() status.push_status_message( 'You are now a contributor to this project.', kind='success', trust=False ) return redirect(node.url) else: status.push_status_message(language.LOGIN_FAILED, kind='warning', trust=False) else: forms.push_errors_to_status(form.errors) if is_json_request(): form_ret = forms.utils.jsonify(form) user_ret = profile_utils.serialize_user(current_user, full=False) else: form_ret = form user_ret = current_user return { 'form': form_ret, 'user': user_ret, 'signOutUrl': sign_out_url }
def confirm_email_get(token, auth=None, **kwargs): """ View for email confirmation links. Authenticates and redirects to user settings page if confirmation is successful, otherwise shows an "Expired Link" error. HTTP Method: GET """ user = User.load(kwargs['uid']) is_merge = 'confirm_merge' in request.args is_initial_confirmation = not user.date_confirmed log_out = request.args.get('logout', None) if user is None: raise HTTPError(http.NOT_FOUND) # if the user is merging or adding an email (they already are an osf user) if log_out: return auth_email_logout(token, user) if auth and auth.user and (auth.user._id == user._id or auth.user._id == user.merged_by._id): if not is_merge: # determine if the user registered through a campaign campaign = campaigns.campaign_for_user(user) if campaign: return redirect(campaigns.campaign_url_for(campaign)) # go to home page with push notification if len(auth.user.emails) == 1 and len( auth.user.email_verifications) == 0: status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True) if token in auth.user.email_verifications: status.push_status_message( language.CONFIRM_ALTERNATE_EMAIL_ERROR, kind='danger', trust=True) return redirect(web_url_for('index')) status.push_status_message(language.MERGE_COMPLETE, kind='success', trust=False) return redirect(web_url_for('user_account')) try: user.confirm_email(token, merge=is_merge) except exceptions.EmailConfirmTokenError as e: raise HTTPError(http.BAD_REQUEST, data={ 'message_short': e.message_short, 'message_long': e.message_long }) if is_initial_confirmation: user.date_last_login = datetime.datetime.utcnow() user.save() # send out our welcome message mails.send_mail(to_addr=user.username, mail=mails.WELCOME, mimetype='html', user=user) # new random verification key, allows CAS to authenticate the user w/o password one-time only. user.verification_key = generate_verification_key() user.save() # redirect to CAS and authenticate the user with a verification key. return redirect( cas.get_login_url(request.url, username=user.username, verification_key=user.verification_key))
def project_statistics_redirect(auth, node, **kwargs): return redirect(node.web_url_for("project_statistics", _guid=True))
def node_registration_retraction_redirect(auth, node, **kwargs): return redirect(node.web_url_for('node_registration_retraction_get', _guid=True))
def claim_user_form(auth, **kwargs): """ View for rendering the set password page for a claimed user. Must have ``token`` as a querystring argument. Renders the set password form, validates it, and sets the user's password. HTTP Method: GET, POST """ uid, pid = kwargs['uid'], kwargs['pid'] token = request.form.get('token') or request.args.get('token') user = OSFUser.load(uid) # If unregistered user is not in database, or url bears an invalid token raise HTTP 400 error if not user or not verify_claim_token(user, token, pid): error_data = { 'message_short': 'Invalid url.', 'message_long': 'Claim user does not exists, the token in the URL is invalid or has expired.' } raise HTTPError(http_status.HTTP_400_BAD_REQUEST, data=error_data) # If user is logged in, redirect to 're-enter password' page if auth.logged_in: return redirect( web_url_for('claim_user_registered', uid=uid, pid=pid, token=token)) unclaimed_record = user.unclaimed_records[pid] user.fullname = unclaimed_record['name'] user.update_guessed_names() # The email can be the original referrer email if no claimer email has been specified. claimer_email = unclaimed_record.get( 'claimer_email') or unclaimed_record.get('email') # If there is a registered user with this email, redirect to 're-enter password' page try: user_from_email = OSFUser.objects.get( emails__address=claimer_email.lower().strip( )) if claimer_email else None except OSFUser.DoesNotExist: user_from_email = None if user_from_email and user_from_email.is_registered: return redirect( web_url_for('claim_user_registered', uid=uid, pid=pid, token=token)) form = SetEmailAndPasswordForm(request.form, token=token) if request.method == 'POST': if not form.validate(): forms.push_errors_to_status(form.errors) elif settings.RECAPTCHA_SITE_KEY and not validate_recaptcha( request.form.get('g-recaptcha-response'), remote_ip=request.remote_addr): status.push_status_message('Invalid captcha supplied.', kind='error') else: username, password = claimer_email, form.password.data if not username: raise HTTPError( http_status.HTTP_400_BAD_REQUEST, data=dict( message_long= 'No email associated with this account. Please claim this ' 'account on the project to which you were invited.')) user.register( username=username, password=password, accepted_terms_of_service=form.accepted_terms_of_service.data) # Clear unclaimed records user.unclaimed_records = {} user.verification_key = generate_verification_key() user.save() # Authenticate user and redirect to project page status.push_status_message(language.CLAIMED_CONTRIBUTOR, kind='success', trust=True) # Redirect to CAS and authenticate the user with a verification key. provider = PreprintProvider.load(pid) redirect_url = None if provider: redirect_url = web_url_for('auth_login', next=provider.landing_url, _absolute=True) else: # Add related claimed tags to user _add_related_claimed_tag_to_user(pid, user) redirect_url = web_url_for('resolve_guid', guid=pid, _absolute=True) return redirect( cas.get_login_url(redirect_url, username=user.username, verification_key=user.verification_key)) return { 'firstname': user.given_name, 'email': claimer_email if claimer_email else '', 'fullname': user.fullname, 'form': forms.utils.jsonify(form) if is_json_request() else form, 'osf_contact_email': settings.OSF_CONTACT_EMAIL, }
def project_wiki_edit(wname, **kwargs): node = kwargs['node'] or kwargs['project'] return redirect(node.web_url_for('project_wiki_view', wname=wname, _guid=True) + '?edit&view&menu')
def redirect_to_meetings(**kwargs): return redirect('/meetings/')
def redirect_about(**kwargs): return redirect('https://osf.io/4znzp/wiki/home/')
def redirect_help(**kwargs): return redirect('/faq/')
def resolve_guid(guid, suffix=None): """Load GUID by primary key, look up the corresponding view function in the routing table, and return the return value of the view function without changing the URL. :param str guid: GUID primary key :param str suffix: Remainder of URL after the GUID :return: Return value of proxied view function """ try: # Look up guid_object = Guid.load(guid) except KeyError as e: if e.message == 'osfstorageguidfile': # Used when an old detached OsfStorageGuidFile object is accessed raise HTTPError(http.NOT_FOUND) else: raise e if guid_object: # verify that the object implements a GuidStoredObject-like interface. If a model # was once GuidStoredObject-like but that relationship has changed, it's # possible to have referents that are instances of classes that don't # have a deep_url attribute or otherwise don't behave as # expected. if not hasattr(guid_object.referent, 'deep_url'): sentry.log_message('Guid resolved to an object with no deep_url', dict(guid=guid)) raise HTTPError(http.NOT_FOUND) referent = guid_object.referent if referent is None: logger.error('Referent of GUID {0} not found'.format(guid)) raise HTTPError(http.NOT_FOUND) if not referent.deep_url: raise HTTPError(http.NOT_FOUND) # Handle file `/download` shortcut with supported types. if suffix and suffix.rstrip('/').lower() == 'download': file_referent = None if isinstance(referent, PreprintService) and referent.primary_file: if not referent.is_published: # TODO: Ideally, permissions wouldn't be checked here. # This is necessary to prevent a logical inconsistency with # the routing scheme - if a preprint is not published, only # admins should be able to know it exists. auth = Auth.from_kwargs(request.args.to_dict(), {}) if not referent.node.has_permission( auth.user, permissions.ADMIN): raise HTTPError(http.NOT_FOUND) file_referent = referent.primary_file elif isinstance(referent, BaseFileNode) and referent.is_file: file_referent = referent if file_referent: # Extend `request.args` adding `action=download`. request.args = request.args.copy() request.args.update({'action': 'download'}) # Do not include the `download` suffix in the url rebuild. url = _build_guid_url(urllib.unquote(file_referent.deep_url)) return proxy_url(url) if suffix and suffix.rstrip('/').lower() == 'addtimestamp': file_referent = None if isinstance(referent, PreprintService) and referent.primary_file: if not referent.is_published: # TODO: Ideally, permissions wouldn't be checked here. # This is necessary to prevent a logical inconsistency with # the routing scheme - if a preprint is not published, only # admins should be able to know it exists. auth = Auth.from_kwargs(request.args.to_dict(), {}) if not referent.node.has_permission( auth.user, permissions.ADMIN): raise HTTPError(http.NOT_FOUND) file_referent = referent.primary_file elif isinstance(referent, BaseFileNode) and referent.is_file: file_referent = referent if file_referent: # Extend `request.args` adding `action=addtimestamp`. request.args = request.args.copy() request.args.update({'action': 'addtimestamp'}) # Do not include the `addtimestamp` suffix in the url rebuild. # Do not include the `addtimestamp` suffix in the url rebuild. url = _build_guid_url(urllib.unquote(file_referent.deep_url)) return proxy_url(url) elif suffix and suffix.rstrip('/').split( '/')[-1].lower() == 'addtimestamp': # Extend `request.args` adding `action=addtimestamp`. request.args = request.args.copy() request.args.update({'action': 'addtimestamp'}) # Do not include the `addtimestamp` suffix in the url rebuild. # Do not include the `addtimestamp` suffix in the url rebuild. url = _build_guid_url(urllib.unquote(referent.deep_url), suffix.split('/')[0]) return proxy_url(url) if isinstance(referent, PreprintService): if referent.provider.domain_redirect_enabled: # This route should always be intercepted by nginx for the branded domain, # w/ the exception of `<guid>/download` handled above. return redirect(referent.absolute_url, http.MOVED_PERMANENTLY) if PROXY_EMBER_APPS: resp = requests.get(EXTERNAL_EMBER_APPS['preprints']['server'], stream=True, timeout=EXTERNAL_EMBER_SERVER_TIMEOUT) return Response(stream_with_context(resp.iter_content()), resp.status_code) return send_from_directory(preprints_dir, 'index.html') if isinstance(referent, BaseFileNode ) and referent.is_file and referent.node.is_quickfiles: if referent.is_deleted: raise HTTPError(http.GONE) if PROXY_EMBER_APPS: resp = requests.get( EXTERNAL_EMBER_APPS['ember_osf_web']['server'], stream=True, timeout=EXTERNAL_EMBER_SERVER_TIMEOUT) return Response(stream_with_context(resp.iter_content()), resp.status_code) return send_from_directory(ember_osf_web_dir, 'index.html') url = _build_guid_url(urllib.unquote(referent.deep_url), suffix) return proxy_url(url) # GUID not found; try lower-cased and redirect if exists guid_object_lower = Guid.load(guid.lower()) if guid_object_lower: return redirect(_build_guid_url(guid.lower(), suffix)) # GUID not found raise HTTPError(http.NOT_FOUND)
def reproducibility(): return redirect('/ezcuj/wiki')
def project_wiki_compare(wname, wver, **kwargs): node = kwargs['node'] or kwargs['project'] return redirect(node.web_url_for('project_wiki_view', wname=wname, _guid=True) + '?view&compare={0}&menu'.format(wver))
def forgot_password_get(auth, *args, **kwargs): """Return forgot password page upon. """ if auth.logged_in: return redirect(web_url_for('dashboard')) return {}
def make_response_from_ticket(ticket, service_url): """ Given a CAS ticket and service URL, attempt to validate the user and return a proper redirect response. :param str ticket: CAS service ticket :param str service_url: Service URL from which the authentication request originates :return: redirect response """ service_furl = furl.furl(service_url) # `service_url` is guaranteed to be removed of `ticket` parameter, which has been pulled off in # `framework.sessions.before_request()`. if 'ticket' in service_furl.args: service_furl.args.pop('ticket') client = get_client() cas_resp = client.service_validate(ticket, service_furl.url) if cas_resp.authenticated: user, external_credential, action = get_user_from_cas_resp(cas_resp) # user found and authenticated if user and action == 'authenticate': # if we successfully authenticate and a verification key is present, invalidate it if user.verification_key: user.verification_key = None user.save() # if user is authenticated by external IDP, ask CAS to authenticate user for a second time # this extra step will guarantee that 2FA are enforced # current CAS session created by external login must be cleared first before authentication if external_credential: user.verification_key = generate_verification_key() user.save() return redirect( get_logout_url( get_login_url(service_url, username=user.username, verification_key=user.verification_key))) # if user is authenticated by CAS # TODO [CAS-27]: Remove Access Token From Service Validation return authenticate(user, cas_resp.attributes.get('accessToken', ''), redirect(service_furl.url)) # first time login from external identity provider if not user and external_credential and action == 'external_first_login': from website.util import web_url_for # orcid attributes can be marked private and not shared, default to orcid otherwise fullname = u'{} {}'.format( cas_resp.attributes.get('given-names', ''), cas_resp.attributes.get('family-name', '')).strip() if not fullname: fullname = external_credential['id'] # TODO [CAS-27]: Remove Access Token From Service Validation user = { 'external_id_provider': external_credential['provider'], 'external_id': external_credential['id'], 'fullname': fullname, 'access_token': cas_resp.attributes.get('accessToken', ''), 'service_url': service_furl.url, } return external_first_login_authenticate( user, redirect(web_url_for('external_login_email_get'))) # Unauthorized: ticket could not be validated, or user does not exist. return redirect(service_furl.url)
def auth_login(auth, **kwargs): """ This view serves as the entry point for OSF login and campaign login. HTTP Method: GET GET '/login/' without any query parameter: redirect to CAS login page with dashboard as target service GET '/login/?logout=true log user out and redirect to CAS login page with redirect_url or next_url as target service GET '/login/?campaign=instituion: if user is logged in, redirect to 'dashboard' show institution login GET '/login/?campaign=prereg: if user is logged in, redirect to prereg home page else show sign up page and notify user to sign in, set next to prereg home page GET '/login/?next=next_url: if user is logged in, redirect to next_url else redirect to CAS login page with next_url as target service """ campaign = request.args.get('campaign') next_url = request.args.get('next') log_out = request.args.get('logout') must_login_warning = True if not campaign and not next_url and not log_out: if auth.logged_in: return redirect(web_url_for('dashboard')) return redirect( cas.get_login_url(web_url_for('dashboard', _absolute=True))) if campaign: must_login_warning = False next_url = campaigns.campaign_url_for(campaign) if not next_url: next_url = request.args.get('redirect_url') must_login_warning = False if not validate_next_url(next_url): raise HTTPError(http.BAD_REQUEST) if auth.logged_in: if not log_out: if next_url: return redirect(next_url) return redirect('dashboard') # redirect user to CAS for logout, return here w/o authentication return auth_logout(redirect_url=request.url) status_message = request.args.get('status', '') if status_message == 'expired': status.push_status_message('The private link you used is expired.', trust=False) status.push_status_message( 'The private link you used is expired. Please <a href="/settings/account/">' 'resend email.</a>', trust=False) if next_url and must_login_warning: status.push_status_message(language.MUST_LOGIN, trust=False) # set login_url to form action, upon successful authentication specifically w/o logout=True, # allows for next to be followed or a redirect to the dashboard. redirect_url = web_url_for('auth_login', next=next_url, _absolute=True) data = {} if campaign and campaign in campaigns.CAMPAIGNS: if (campaign == 'institution' and settings.ENABLE_INSTITUTIONS) or campaign != 'institution': data['campaign'] = campaign data['login_url'] = cas.get_login_url(redirect_url) data['institution_redirect'] = cas.get_institution_target(redirect_url) data['redirect_url'] = next_url data['sign_up'] = request.args.get('sign_up', False) data['existing_user'] = request.args.get('existing_user', None) return data, http.OK
def make_response_from_ticket(ticket, service_url): """ Given a CAS ticket and service URL, attempt to validate the user and return a proper redirect response. :param str ticket: CAS service ticket :param str service_url: Service URL from which the authentication request originates :return: redirect response """ service_furl = furl.furl(service_url) # `service_url` is guaranteed to be removed of `ticket` parameter, which has been pulled off in # `framework.sessions.before_request()`. if 'ticket' in service_furl.args: service_furl.args.pop('ticket') client = get_client() cas_resp = client.service_validate(ticket, service_furl.url) if cas_resp.authenticated: user, external_credential, action = get_user_from_cas_resp(cas_resp) user_updates = {} # serialize updates to user to be applied async # user found and authenticated if user and action == 'authenticate': print_cas_log( f'CAS response - authenticating user: user=[{user._id}], ' f'external=[{external_credential}], action=[{action}]', LogLevel.INFO, ) # If users check the TOS consent checkbox via CAS, CAS sets the attribute `termsOfServiceChecked` to `true` # and then release it to OSF among other authentication attributes. When OSF receives it, it trusts CAS and # updates the user object if this is THE FINAL STEP of the login flow. DON'T update TOS consent status when # `external_credential == true` (i.e. w/ `action == 'authenticate'` or `action == 'external_first_login'`) # since neither is the final step of a login flow. tos_checked_via_cas = cas_resp.attributes.get( 'termsOfServiceChecked', 'false') == 'true' if tos_checked_via_cas: user_updates['accepted_terms_of_service'] = timezone.now() print_cas_log( f'CAS TOS consent checked: {user.guids.first()._id}, {user.username}', LogLevel.INFO) # if we successfully authenticate and a verification key is present, invalidate it if user.verification_key: user_updates['verification_key'] = None # if user is authenticated by external IDP, ask CAS to authenticate user for a second time # this extra step will guarantee that 2FA are enforced # current CAS session created by external login must be cleared first before authentication if external_credential: user.verification_key = generate_verification_key() user.save() print_cas_log( f'CAS response - redirect existing external IdP login to verification key login: user=[{user._id}]', LogLevel.INFO) return redirect( get_logout_url( get_login_url(service_url, username=user.username, verification_key=user.verification_key))) # if user is authenticated by CAS # TODO [CAS-27]: Remove Access Token From Service Validation print_cas_log( f'CAS response - finalizing authentication: user=[{user._id}]', LogLevel.INFO) return authenticate(user, cas_resp.attributes.get('accessToken', ''), redirect(service_furl.url), user_updates) # first time login from external identity provider if not user and external_credential and action == 'external_first_login': print_cas_log( f'CAS response - first login from external IdP: ' f'external=[{external_credential}], action=[{action}]', LogLevel.INFO, ) from website.util import web_url_for # orcid attributes can be marked private and not shared, default to orcid otherwise fullname = u'{} {}'.format( cas_resp.attributes.get('given-names', ''), cas_resp.attributes.get('family-name', '')).strip() # TODO [CAS-27]: Remove Access Token From Service Validation user = { 'external_id_provider': external_credential['provider'], 'external_id': external_credential['id'], 'fullname': fullname, 'access_token': cas_resp.attributes.get('accessToken', ''), 'service_url': service_furl.url, } print_cas_log( f'CAS response - creating anonymous session: external=[{external_credential}]', LogLevel.INFO) return external_first_login_authenticate( user, redirect(web_url_for('external_login_email_get'))) # Unauthorized: ticket could not be validated, or user does not exist. print_cas_log( 'Ticket validation failed or user does not exist. Redirect back to service URL (logged out).', LogLevel.ERROR) return redirect(service_furl.url)
def project_wiki_home(**kwargs): node = kwargs['node'] or kwargs['project'] return redirect(node.web_url_for('project_wiki_view', wname='home', _guid=True))
def goodbye(): # Redirect to dashboard if logged in if _get_current_user(): return redirect(util.web_url_for('dashboard')) status.push_status_message(language.LOGOUT, 'info') return {}
def confirm_email_get(token, auth=None, **kwargs): """View for email confirmation links. Authenticates and redirects to user settings page if confirmation is successful, otherwise shows an "Expired Link" error. methods: GET """ user = User.load(kwargs['uid']) is_merge = 'confirm_merge' in request.args is_initial_confirmation = not user.date_confirmed if user is None: raise HTTPError(http.NOT_FOUND) if auth and auth.user and (auth.user._id == user._id or auth.user._id == user.merged_by._id): if not is_merge: # determine if the user registered through a campaign campaign = campaigns.campaign_for_user(user) if campaign: return redirect( campaigns.campaign_url_for(campaign) ) if len(auth.user.emails) == 1 and len(auth.user.email_verifications) == 0: status.push_status_message(language.WELCOME_MESSAGE, 'default', jumbotron=True) if token in auth.user.email_verifications: status.push_status_message(language.CONFIRM_ALTERNATE_EMAIL_ERROR, 'danger') # Go to home page return redirect(web_url_for('index')) status.push_status_message(language.MERGE_COMPLETE, 'success') return redirect(web_url_for('user_account')) try: user.confirm_email(token, merge=is_merge) except exceptions.EmailConfirmTokenError as e: raise HTTPError(http.BAD_REQUEST, data={ 'message_short': e.message_short, 'message_long': e.message_long }) if is_initial_confirmation: user.date_last_login = datetime.datetime.utcnow() user.save() # Send out our welcome message mails.send_mail( to_addr=user.username, mail=mails.WELCOME, mimetype='html', user=user ) # Redirect to CAS and authenticate the user with a verification key. user.verification_key = security.random_string(20) user.save() return redirect(cas.get_login_url( request.url, auto=True, username=user.username, verification_key=user.verification_key ))
def auth_registerbeta(): return redirect('/account')
def redirect_to_cos_news(**kwargs): # Redirect to COS News page return redirect('https://cos.io/news/')
def redirect_to_home(): return redirect('/')
def external_login_confirm_email_get(auth, uid, token): """ View for email confirmation links when user first login through external identity provider. HTTP Method: GET When users click the confirm link, they are expected not to be logged in. If not, they will be logged out first and redirected back to this view. After OSF verifies the link and performs all actions, they will be automatically logged in through CAS and redirected back to this view again being authenticated. :param auth: the auth context :param uid: the user's primary key :param token: the verification token """ user = OSFUser.load(uid) if not user: raise HTTPError(http.BAD_REQUEST) destination = request.args.get('destination') if not destination: raise HTTPError(http.BAD_REQUEST) # if user is already logged in if auth and auth.user: # if it is a wrong user if auth.user._id != user._id: return auth_logout(redirect_url=request.url) # if it is the expected user new = request.args.get('new', None) if destination in campaigns.get_campaigns(): # external domain takes priority campaign_url = campaigns.external_campaign_url_for(destination) if not campaign_url: campaign_url = campaigns.campaign_url_for(destination) return redirect(campaign_url) if new: status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True, id='welcome_message') return redirect(web_url_for('dashboard')) # token is invalid if token not in user.email_verifications: raise HTTPError(http.BAD_REQUEST) verification = user.email_verifications[token] email = verification['email'] provider = verification['external_identity'].keys()[0] provider_id = verification['external_identity'][provider].keys()[0] # wrong provider if provider not in user.external_identity: raise HTTPError(http.BAD_REQUEST) external_status = user.external_identity[provider][provider_id] try: ensure_external_identity_uniqueness(provider, provider_id, user) except ValidationError as e: raise HTTPError(http.FORBIDDEN, e.message) if not user.is_registered: user.register(email) if not user.emails.filter(address=email.lower()): user.emails.create(address=email.lower()) user.date_last_logged_in = timezone.now() user.external_identity[provider][provider_id] = 'VERIFIED' user.social[provider.lower()] = provider_id del user.email_verifications[token] user.verification_key = generate_verification_key() user.save() service_url = request.url if external_status == 'CREATE': mails.send_mail( to_addr=user.username, mail=mails.WELCOME, mimetype='html', user=user, domain=settings.DOMAIN, osf_support_email=settings.OSF_SUPPORT_EMAIL, storage_flag_is_active=storage_i18n_flag_active(), ) service_url += '&{}'.format(urllib.urlencode({'new': 'true'})) elif external_status == 'LINK': mails.send_mail( user=user, to_addr=user.username, mail=mails.EXTERNAL_LOGIN_LINK_SUCCESS, external_id_provider=provider, can_change_preferences=False, ) # redirect to CAS and authenticate the user with the verification key return redirect( cas.get_login_url(service_url, username=user.username, verification_key=user.verification_key))
def redirect_getting_started(**kwargs): return redirect('https://openscience.zendesk.com/hc/en-us')
def auth_register(auth): """ View for OSF register. Land on the register page, redirect or go to `auth_logout` depending on `data` returned by `login_and_register_handler`. `/register` only takes a valid campaign, a valid next, the logout flag or no query parameter `login_and_register_handler()` handles the following cases: if campaign and logged in, go to campaign landing page (or valid next_url if presents) if campaign and logged out, go to campaign register page (with next_url if presents) if next_url and logged in, go to next url if next_url and logged out, go to cas login page with current request url as service parameter if next_url and logout flag, log user out first and then go to the next_url if none, go to `/dashboard` which is decorated by `@must_be_logged_in` :param auth: the auth context :return: land, redirect or `auth_logout` :raise: http.BAD_REQUEST """ context = {} # a target campaign in `auth.campaigns` campaign = request.args.get('campaign') # the service url for CAS login or redirect url for OSF next_url = request.args.get('next') # TODO: no longer used for `claim_user_registered`, see [#PLAT-1151] logout = request.args.get('logout') # logout must have next_url if logout and not next_url: raise HTTPError(http.BAD_REQUEST) data = login_and_register_handler(auth, login=False, campaign=campaign, next_url=next_url, logout=logout) # land on register page if data['status_code'] == http.OK: if data['must_login_warning']: status.push_status_message(language.MUST_LOGIN, trust=False) destination = cas.get_login_url(data['next_url']) # "Already have and account?" link context['non_institution_login_url'] = destination # "Sign In" button in navigation bar, overwrite the default value set in routes.py context['login_url'] = destination # "Login through your institution" link context['institution_login_url'] = cas.get_login_url( data['next_url'], campaign='institution') context['preprint_campaigns'] = { k._id + '-preprints': { 'id': k._id, 'name': k.name, 'logo_path': k.get_asset_url('square_color_no_transparent') } for k in PreprintProvider.objects.all() if k._id != 'osf' } context['campaign'] = data['campaign'] return context, http.OK # redirect to url elif data['status_code'] == http.FOUND: return redirect(data['next_url']) # go to other views elif data['status_code'] == 'auth_logout': return auth_logout(redirect_url=data['next_url']) raise HTTPError(http.BAD_REQUEST)
def redirect_howosfworks(**kwargs): return redirect('/getting-started/')
def preprint_redirect(**kwargs): return redirect('/preprints/')
def redirect_faq(**kwargs): return redirect('http://help.osf.io/m/faqs/')
def dashboard(auth): return redirect('/')
def external_login_confirm_email_get(auth, uid, token): """ View for email confirmation links when user first login through external identity provider. HTTP Method: GET When users click the confirm link, they are expected not to be logged in. If not, they will be logged out first and redirected back to this view. After OSF verifies the link and performs all actions, they will be automatically logged in through CAS and redirected back to this view again being authenticated. :param auth: the auth context :param uid: the user's primary key :param token: the verification token """ user = User.load(uid) if not user: raise HTTPError(http.BAD_REQUEST) # if user is already logged in if auth and auth.user: # if it is the expected user if auth.user._id == user._id: new = request.args.get('new', None) if new: status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True) return redirect(web_url_for('index')) # if it is a wrong user return auth_logout(redirect_url=request.url) # token is invalid if token not in user.email_verifications: raise HTTPError(http.BAD_REQUEST) verification = user.email_verifications[token] email = verification['email'] provider = verification['external_identity'].keys()[0] provider_id = verification['external_identity'][provider].keys()[0] # wrong provider if provider not in user.external_identity: raise HTTPError(http.BAD_REQUEST) external_status = user.external_identity[provider][provider_id] try: ensure_external_identity_uniqueness(provider, provider_id, user) except ValidationError as e: raise HTTPError(http.FORBIDDEN, e.message) if not user.is_registered: user.set_password(uuid.uuid4(), notify=False) user.register(email) if email.lower() not in user.emails: user.emails.append(email.lower()) user.date_last_logged_in = datetime.datetime.utcnow() user.external_identity[provider][provider_id] = 'VERIFIED' user.social[provider.lower()] = provider_id del user.email_verifications[token] user.verification_key = generate_verification_key() user.save() service_url = request.url if external_status == 'CREATE': mails.send_mail(to_addr=user.username, mail=mails.WELCOME, mimetype='html', user=user) service_url = service_url + '?new=true' elif external_status == 'LINK': mails.send_mail( user=user, to_addr=user.username, mail=mails.EXTERNAL_LOGIN_LINK_SUCCESS, external_id_provider=provider, ) # redirect to CAS and authenticate the user with the verification key return redirect( cas.get_login_url(service_url, username=user.username, verification_key=user.verification_key))