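def login(username, password):
    """Authenticate *username*/*password* and open a web.py session for the user.

    On success a fresh token is generated, stored in the session and pushed
    onto the user's ``tokens`` list; expired tokens are pruned at the same
    time. Returns ``{'r': 'ok', 'data': {userid, name, username, priv_lev}}``
    with each value passed through ``serializers.SerializeObject``.

    Raises StandardError when the session is unavailable, the user is unknown,
    the password does not match, or any step of the session/DB update fails.
    """
    try:
        session = web.ctx.session
    except Exception as e:
        raise StandardError(e)

    # NOTE(review): "User Not Found" vs "Password do not match" lets a caller
    # tell valid usernames from invalid ones, and the password check is skipped
    # for unknown users so the timing differs as well. One generic message for
    # both cases would close that; the messages are kept because callers may
    # match on them.
    try:
        the_user = Users.objects.get(username=username)
    except Exception as e:
        raise StandardError("User Not Found")
    if not auth.is_password_match(password, the_user['hashed_pwd'], the_user['salt']):
        raise StandardError("Password do not match")

    try:
        # Random per-login token; authenticate() later compares the session's
        # copy against the tokens stored on the user record.
        created_token = auth.create_token(the_user['userid'])
        session.token = created_token
        session.userid = the_user['userid']
        session.authenticated = True
        session.priv_lev = the_user['priv_lev']

        # Atomic push of the new token onto the user's token list
        # (MongoEngine update operators; see the MongoEngine querying guide).
        Users.objects(username=the_user['username']).update_one(
            push__tokens=created_token
        )

        # Prune expired tokens from the current user in one atomic update.
        # The original appended to an undefined `token_exp` (a NameError that
        # surfaced as a generic StandardError); the list is now local and used.
        token_exp = [
            token for token in the_user['tokens']
            if auth.is_token_expired(token, token_lifetime)
        ]
        if token_exp:
            Users.objects(username=the_user['username']).update_one(
                pull_all__tokens=token_exp
            )

        # Re-read the user so the returned data reflects the updates above.
        user_obj = Users.objects.get(username=the_user['username'])
        ret_obj = {}
        for field in ('userid', 'name', 'username', 'priv_lev'):
            ret_obj[field] = serializers.SerializeObject(user_obj[field])

        return dict(r='ok', data=ret_obj)

    except Exception as e:
        raise StandardError(e)

    # Unreachable: the try block above always returns or raises. Kept as a
    # last-resort guard, as in the original.
    raise StandardError("Not Allowed")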
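def authenticate():
    """Validate the current session against the tokens stored on the user.

    Looks up the user and the session's token data, rejects an expired token,
    and accepts the session only when its token is still present in the
    user's ``tokens`` list. Returns ``{'r': 'ok', 'data': exclude_fields(user)}``.

    Raises StandardError("Token Expired") for an expired session token,
    StandardError("Unable to authenticate user with session") when the
    user/session lookup (or field serialization) fails, and
    StandardError("Not Allowed") when the session token matches none of
    the user's tokens.
    """
    try:
        the_user = getUserFromToken()
        session_data = getTokenData()
        session_token = session_data['token']
        expired = auth.is_token_expired(session_token, token_lifetime)
        user_tokens = list(the_user['tokens'])
    except Exception as e:
        raise StandardError("Unable to authenticate user with session")

    # Raised outside the blanket handler: the original raised this inside the
    # same try, so callers only ever saw the generic message.
    if expired:
        raise StandardError("Token Expired")

    # NOTE(review): `==` on tokens is not constant-time; hmac.compare_digest
    # would be preferable if the tokens are known to be ASCII str/bytes.
    for token in user_tokens:
        if token == session_token:
            # Session token is still valid: return the user's public fields.
            try:
                public_data = exclude_fields(the_user)
            except Exception as e:
                raise StandardError("Unable to authenticate user with session")
            return dict(r='ok', data=public_data)

    # Session token not among the user's tokens: possible cookie theft or
    # session hijacking (http://en.wikipedia.org/wiki/Session_hijacking).
    # EXCEPTION #8, Login hacking attempt
    raise StandardError("Not Allowed")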