def logout(app, request):
if request.method == "POST":
# Delete our session, the user is logging out and we no longer want it
request.session.delete()
# We'll want to redirect the user with a 303 once we've completed the
# log in process.
resp = redirect_next(
request,
default=url_for(request, "warehouse.views.index"),
)
# Delete the username cookie, the user is logging out and we no longer
# want to store the username that they used when they were logged in.
resp.delete_cookie("username")
# Return our prepared response to the now logged out user
return resp
# This is a simple GET request, so we just want to render the template
return render_response(
app,
request,
"accounts/logout.html",
next=request.values.get("next"),
)
def login(app, request):
form = LoginForm(
request.form,
authenticator=app.db.accounts.user_authenticate,
translations=app.translations,
)
if request.method == "POST" and form.validate():
# Get the user's ID, this is what we will use as the identifier anytime
# we need to securely reference the user within the database.
user_id = app.db.accounts.get_user_id(form.username.data)
if request.session.get("user.id") != user_id:
# To avoid reusing another user's session data, clear the session
# data if the existing session corresponds to a different
# authenticated user.
request.session.clear()
# Cycle the session key to prevent session fixation attacks from
# crossing an authentication boundary
request.session.cycle()
# Cycle the CSRF token to prevent a CSRF via session fixation attack
# from crossing an authentication boundary
csrf_cycle(request.session)
# Log the user in by storing their user id in their session
request.session["user.id"] = user_id
# We'll want to redirect the user with a 303 once we've completed the
# log in process.
resp = redirect_next(
request,
default=url_for(request, "warehouse.views.index"),
)
# Store the user's name in a cookie so that the client side can use
# it for display purposes. This value **MUST** not be used for any
# sort of access control.
resp.set_cookie("username", form.username.data)
# Return our prepared response to the user
return resp
# Either this is a GET request or it is a POST request with a failing form
# validation. Either way we want to simply render our template with the
# form available.
return render_response(
app,
request,
"accounts/login.html",
form=form,
next=request.values.get("next"),
)
def login(app, request):
form = LoginForm(
request.form,
authenticator=app.db.accounts.user_authenticate,
translations=app.translations,
)
if request.method == "POST" and form.validate():
# Get the user's ID, this is what we will use as the identifier anytime
# we need to securely reference the user within the database.
user_id = app.db.accounts.get_user_id(form.username.data)
if request.session.get("user.id") != user_id:
# To avoid reusing another user's session data, clear the session
# data if the existing session corresponds to a different
# authenticated user.
request.session.clear()
# Cycle the session key to prevent session fixation attacks from
# crossing an authentication boundary
request.session.cycle()
# Cycle the CSRF token to prevent a CSRF via session fixation attack
# from crossing an authentication boundary
csrf_cycle(request.session)
# Log the user in by storing their user id in their session
request.session["user.id"] = user_id
# We'll want to redirect the user with a 303 once we've completed the
# log in process.
resp = redirect_next(
request,
default=url_for(request, "warehouse.views.index"),
)
# Store the user's name in a cookie so that the client side can use
# it for display purposes. This value **MUST** not be used for any
# sort of access control.
resp.set_cookie("username", form.username.data)
# Return our prepared response to the user
return resp
# Either this is a GET request or it is a POST request with a failing form
# validation. Either way we want to simply render our template with the
# form available.
return render_response(
app, request, "accounts/login.html",
form=form,
next=request.values.get("next"),
)
def logout(app, request):
if request.method == "POST":
# Delete our session, the user is logging out and we no longer want it
request.session.delete()
# We'll want to redirect the user with a 303 once we've completed the
# log in process.
resp = redirect_next(
request,
default=url_for(request, "warehouse.views.index"),
)
# Delete the username cookie, the user is logging out and we no longer
# want to store the username that they used when they were logged in.
resp.delete_cookie("username")
# Return our prepared response to the now logged out user
return resp
# This is a simple GET request, so we just want to render the template
return render_response(
app, request, "accounts/logout.html",
next=request.values.get("next"),
)
def test_redirect_next(values, host, kwargs, expected):
request = pretend.stub(values=values, host=host)
response = redirect_next(request, **kwargs)
assert response.headers["Location"] == expected["location"]
assert response.status_code == expected["code"]
def test_redirect_next(values, host, kwargs, expected):
request = pretend.stub(values=values, host=host)
response = redirect_next(request, **kwargs)
assert response.headers["Location"] == expected["location"]
assert response.status_code == expected["code"]
