def sign_in():
    """Render and process the email/password sign-in form.

    A visitor who is already authenticated is sent to the account chooser.
    On a valid POST the password is checked through ``_get_and_verify_user``;
    a verified user is then routed to the second factor that matches their
    ``auth_type`` (``sign_in_email`` or ``sign_in_sms``).  Every failure --
    unknown address, wrong password, inactive account, unrecognised auth
    type -- falls through to one deliberately vague flash message so the
    response does not reveal whether the address is registered.
    """
    if current_user and current_user.is_authenticated:
        return redirect(url_for('main.choose_account'))

    form = LoginForm()
    if form.validate_on_submit():
        candidate = user_api_client.get_user_by_email_or_none(form.email_address.data)
        verified = _get_and_verify_user(candidate, form.password.data)

        if verified:
            if verified.state == 'pending':
                # Account exists but its address has never been verified.
                return redirect(url_for('main.resend_email_verification'))

            pending_invite = session.get('invited_user')
            if pending_invite:
                # An invite stashed by accept_invite must belong to the person
                # who just proved the password; anyone else loses it and gets 403.
                if verified.email_address.lower() != pending_invite['email_address'].lower():
                    flash("You can't accept an invite for another person.")
                    session.pop('invited_user', None)
                    abort(403)
                # NOTE(review): the invite is consumed here, before is_active is
                # checked and before the second factor completes -- confirm intended.
                invite_api_client.accept_invite(pending_invite['service'], pending_invite['id'])

            # Read by the second-factor views; set even when the account is inactive.
            session['user_details'] = {
                'id': verified.id,
                'email': verified.email_address,
            }
            if verified.is_active:
                second_factor = {
                    'email_auth': lambda: sign_in_email(verified.id, verified.email_address),
                    'sms_auth': lambda: sign_in_sms(verified.id, verified.mobile_number),
                }.get(verified.auth_type)
                if second_factor is not None:
                    return second_factor()

        # One vague message for every failure mode (unknown user, locked,
        # inactive, bad password) so the form cannot be used to enumerate accounts.
        reset_link = url_for('.forgot_password')
        flash(Markup(
            (
                "The email address or password you entered is incorrect."
                " <a href={password_reset}>Forgot your password</a>?"
            ).format(password_reset=reset_link)
        ))

    other_device = current_user.logged_in_elsewhere()
    return render_template(
        'views/signin.html',
        form=form,
        again=bool(request.args.get('next')),
        other_device=other_device,
    )
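def sign_in():
    """Render and process the email/password sign-in form (SMS second factor).

    Already-authenticated visitors are redirected to the service chooser.  On a
    valid POST the password is checked with ``_get_and_verify_user``; an active,
    verified user then receives an SMS verify code and is sent to ``two_factor``.
    Unknown address, wrong password and inactive account all fall through to one
    deliberately vague flash message so the form does not reveal whether an
    address is registered.

    Fix: the invite-ownership check now compares addresses case-insensitively,
    matching the ``.lower()`` comparison the newer invite views in this module
    use.  The previous exact comparison rejected (403) a legitimate invitee whose
    stored address differed from the invite only in letter case.
    """
    if current_user and current_user.is_authenticated:
        return redirect(url_for('main.choose_service'))

    form = LoginForm()
    if form.validate_on_submit():
        user = user_api_client.get_user_by_email_or_none(form.email_address.data)
        user = _get_and_verify_user(user, form.password.data)

        if user and user.state == 'pending':
            flash("You haven't verified your email or mobile number yet.")
            return redirect(url_for('main.sign_in'))

        if user and session.get('invited_user'):
            invited_user = session.get('invited_user')
            # Case-insensitive on both sides, as in the invite views of this module.
            if user.email_address.lower() != invited_user['email_address'].lower():
                flash("You can't accept an invite for another person.")
                session.pop('invited_user', None)
                abort(403)
            else:
                invite_api_client.accept_invite(invited_user['service'], invited_user['id'])

        if user:
            # Remember-me login: a remembered (non-fresh) session for this same
            # user is upgraded to a fresh one without a second factor.
            # NOTE(review): the is_authenticated redirect at the top of the view
            # looks like it also fires for remembered sessions, which would make
            # this branch unreachable -- confirm against the login-manager setup.
            if not login_fresh() and \
                    not current_user.is_anonymous and \
                    current_user.id == user.id and \
                    user.is_active:
                confirm_login()
                services = service_api_client.get_services({'user_id': str(user.id)}).get('data', [])
                if len(services) == 1:
                    return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
                return redirect(url_for('main.choose_service'))

            # Read by the two_factor view; stored even when the account is inactive.
            session['user_details'] = {"email": user.email_address, "id": user.id}
            if user.is_active:
                user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
                # NOTE(review): `next` is forwarded verbatim; whether two_factor
                # validates it before redirecting is not visible from here.
                if request.args.get('next'):
                    return redirect(url_for('.two_factor', next=request.args.get('next')))
                return redirect(url_for('.two_factor'))

        # Vague error message for login in case of user not known, locked,
        # inactive or password not verified.
        flash(Markup((
            "The email address or password you entered is incorrect."
            " <a href={password_reset}>Forgot your password</a>?"
        ).format(password_reset=url_for('.forgot_password'))))

    return render_template('views/signin.html', form=form)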
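def sign_in():
    """Render and process the email/password sign-in form (SMS second factor).

    Already-authenticated visitors are redirected to the service chooser.  A
    user whose account is still ``pending`` is sent to re-request the email
    verification.  On a valid POST the password is checked with
    ``_get_and_verify_user``; an active user then receives an SMS verify code
    and is sent to ``two_factor``.  Unknown address, wrong password and
    inactive account all fall through to one deliberately vague flash message
    so the form does not reveal whether an address is registered.

    Fix: the invite-ownership check now compares addresses case-insensitively,
    matching the ``.lower()`` comparison the newer invite views in this module
    use.  The previous exact comparison rejected (403) a legitimate invitee whose
    stored address differed from the invite only in letter case.
    """
    if current_user and current_user.is_authenticated:
        return redirect(url_for('main.choose_service'))

    form = LoginForm()
    if form.validate_on_submit():
        user = user_api_client.get_user_by_email_or_none(form.email_address.data)
        user = _get_and_verify_user(user, form.password.data)

        if user and user.state == 'pending':
            return redirect(url_for('main.resend_email_verification'))

        if user and session.get('invited_user'):
            invited_user = session.get('invited_user')
            # Case-insensitive on both sides, as in the invite views of this module.
            if user.email_address.lower() != invited_user['email_address'].lower():
                flash("You can't accept an invite for another person.")
                session.pop('invited_user', None)
                abort(403)
            else:
                invite_api_client.accept_invite(invited_user['service'], invited_user['id'])

        if user:
            # Remember-me login: a remembered (non-fresh) session for this same
            # user is upgraded to a fresh one without a second factor.
            # NOTE(review): the is_authenticated redirect at the top of the view
            # looks like it also fires for remembered sessions, which would make
            # this branch unreachable -- confirm against the login-manager setup.
            if not login_fresh() and \
                    not current_user.is_anonymous and \
                    current_user.id == user.id and \
                    user.is_active:
                confirm_login()
                services = service_api_client.get_services({'user_id': str(user.id)}).get('data', [])
                if len(services) == 1:
                    return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
                return redirect(url_for('main.choose_service'))

            # Read by the two_factor view; stored even when the account is inactive.
            session['user_details'] = {"email": user.email_address, "id": user.id}
            if user.is_active:
                user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
                # NOTE(review): `next` is forwarded verbatim; whether two_factor
                # validates it before redirecting is not visible from here.
                if request.args.get('next'):
                    return redirect(url_for('.two_factor', next=request.args.get('next')))
                return redirect(url_for('.two_factor'))

        # Vague error message for login in case of user not known, locked,
        # inactive or password not verified.
        flash(Markup((
            "The email address or password you entered is incorrect."
            " <a href={password_reset}>Forgot your password</a>?"
        ).format(password_reset=url_for('.forgot_password'))))

    return render_template('views/signin.html', form=form)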
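def accept_invite(token):
    """Handle a click on a service-invitation link.

    ``token`` is the signed token from the invitation email; the API resolves it
    to the invited-user record.  A visitor signed in as a *different* address is
    told to sign out (403).  Cancelled invites render an explanation page and
    already-accepted ones go straight to the service dashboard.  Otherwise the
    invite is stashed in the session and, if an account already exists for the
    invited address, the invite is accepted and that account is added to the
    service; an unknown address is sent to registration.

    Fixes: the signed-in-as-someone-else check compares addresses
    case-insensitively (as the newer invite views in this module do), and the
    flashed message is built with ``Markup.format`` so the interpolated email
    address is HTML-escaped instead of being marked safe verbatim.
    """
    invited_user = invite_api_client.check_token(token)

    if not current_user.is_anonymous and \
            current_user.email_address.lower() != invited_user.email_address.lower():
        # Markup.format escapes its arguments; Markup(str.format(...)) would
        # have marked the caller's address safe without escaping it.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href={}>Sign out</a> and click the link again to accept this invite.
        """).format(current_user.email_address, url_for("main.sign_out", _external=True))
        flash(message=message)
        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template(
            'views/cancelled-invitation.html',
            from_user=from_user.name,
            service_name=service['name'],
        )

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept in the session so sign_in / register_from_invite can finish the flow.
    session['invited_user'] = invited_user.serialize()
    existing_user = user_api_client.get_user_by_email_or_none(invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if not existing_user:
        return redirect(url_for('main.register_from_invite'))

    # NOTE(review): possession of the emailed token is the only proof required
    # here -- the invite is accepted and the existing account is added to the
    # service without the visitor having signed in.  Confirm that is intended.
    invite_api_client.accept_invite(invited_user.service, invited_user.id)
    if existing_user not in service_users:  # relies on User equality -- verify
        user_api_client.add_user_to_service(
            invited_user.service, existing_user.id, invited_user.permissions)
    return redirect(url_for('main.service_dashboard', service_id=invited_user.service))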
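def accept_org_invite(token):
    """Handle a click on an organisation-invitation link.

    ``token`` is the signed token from the invitation email; the API resolves it
    to the invited-org-user record.  A visitor signed in as a *different*
    address (compared case-insensitively) is told to sign out (403).  Cancelled
    invites render an explanation page and already-accepted ones go straight to
    the organisation dashboard.  Otherwise the invite is stashed in the session
    and, if an account already exists for the invited address, the invite is
    accepted and that account is added to the organisation; an unknown address
    is sent to registration.

    Fix: the flashed message is built with ``Markup.format`` so the interpolated
    email address is HTML-escaped instead of being marked safe verbatim.
    """
    invited_org_user = org_invite_api_client.check_token(token)

    if not current_user.is_anonymous and \
            current_user.email_address.lower() != invited_org_user.email_address.lower():
        # Markup.format escapes its arguments; Markup(str.format(...)) would
        # have marked the caller's address safe without escaping it.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href={}>Sign out</a> and click the link again to accept this invite.
        """).format(current_user.email_address, url_for("main.sign_out", _external=True))
        flash(message=message)
        abort(403)

    if invited_org_user.status == 'cancelled':
        invited_by = user_api_client.get_user(invited_org_user.invited_by)
        organisation = organisations_client.get_organisation(invited_org_user.organisation)
        return render_template(
            'views/cancelled-invitation.html',
            from_user=invited_by.name,
            organisation_name=organisation['name'],
        )

    if invited_org_user.status == 'accepted':
        session.pop('invited_org_user', None)
        return redirect(url_for('main.organisation_dashboard', org_id=invited_org_user.organisation))

    # Kept in the session so the registration flow can finish the invite.
    session['invited_org_user'] = invited_org_user.serialize()
    existing_user = user_api_client.get_user_by_email_or_none(invited_org_user.email_address)
    organisation_users = user_api_client.get_users_for_organisation(invited_org_user.organisation)

    if not existing_user:
        return redirect(url_for('main.register_from_org_invite'))

    # NOTE(review): possession of the emailed token is the only proof required
    # here -- the existing account is added to the organisation without the
    # visitor having signed in.  Confirm that is intended.
    org_invite_api_client.accept_invite(invited_org_user.organisation, invited_org_user.id)
    if existing_user not in organisation_users:  # relies on User equality -- verify
        user_api_client.add_user_to_organisation(invited_org_user.organisation, existing_user.id)
    return redirect(url_for('main.organisation_dashboard', org_id=invited_org_user.organisation))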
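def accept_invite(token):
    """Handle a click on a service-invitation link.

    ``token`` is the signed token from the invitation email; the API resolves it
    to the invited-user record.  A visitor signed in as a *different* address is
    told to sign out (403).  Cancelled invites render an explanation page and
    already-accepted ones go straight to the service dashboard.  Otherwise the
    invite is stashed in the session and, if an account already exists for the
    invited address, the invite is accepted and that account is added to the
    service; an unknown address is sent to registration.

    Fixes: the signed-in-as-someone-else check compares addresses
    case-insensitively (as the newer invite views in this module do), and the
    flashed message is built with ``Markup.format`` so the interpolated email
    address is HTML-escaped instead of being marked safe verbatim.
    """
    invited_user = invite_api_client.check_token(token)

    if not current_user.is_anonymous and \
            current_user.email_address.lower() != invited_user.email_address.lower():
        # Markup.format escapes its arguments; Markup(str.format(...)) would
        # have marked the caller's address safe without escaping it.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href={}>Sign out</a> and click the link again to accept this invite.
        """).format(current_user.email_address, url_for("main.sign_out", _external=True))
        flash(message=message)
        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template(
            'views/cancelled-invitation.html',
            from_user=from_user.name,
            service_name=service['name'],
        )

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept in the session so sign_in / register_from_invite can finish the flow.
    session['invited_user'] = invited_user.serialize()
    existing_user = user_api_client.get_user_by_email_or_none(invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if not existing_user:
        return redirect(url_for('main.register_from_invite'))

    # NOTE(review): possession of the emailed token is the only proof required
    # here -- the invite is accepted and the existing account is added to the
    # service without the visitor having signed in.  Confirm that is intended.
    invite_api_client.accept_invite(invited_user.service, invited_user.id)
    if existing_user not in service_users:  # relies on User equality -- verify
        user_api_client.add_user_to_service(
            invited_user.service, existing_user.id, invited_user.permissions)
    return redirect(url_for('main.service_dashboard', service_id=invited_user.service))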
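def accept_invite(token):
    """Handle a click on a service-invitation link.

    ``token`` is the signed token from the invitation email; the API resolves it
    to the invited-user record.  An HTTP 400 from the API that carries an
    ``invitation`` message is flashed and the visitor sent to sign in; any other
    API error propagates.  A visitor signed in as a *different* address
    (compared case-insensitively) is told to sign out (403).  Cancelled invites
    render an explanation page and already-accepted ones go straight to the
    dashboard.  Otherwise the invite is stashed in the session and, if an
    account already exists for the invited address, the invite is accepted, the
    account's ``auth_type`` may be switched to the one the invite asks for, and
    the account is added to the service; an unknown address is sent to
    registration.

    Fix: the flashed message is built with ``Markup.format`` so the interpolated
    email address is HTML-escaped instead of being marked safe verbatim.
    """
    try:
        invited_user = invite_api_client.check_token(token)
    except HTTPError as e:
        if e.status_code == 400 and 'invitation' in e.message:
            flash(e.message['invitation'])
            return redirect(url_for('main.sign_in'))
        else:
            raise e

    if not current_user.is_anonymous and \
            current_user.email_address.lower() != invited_user.email_address.lower():
        # Markup.format escapes its arguments; Markup(str.format(...)) would
        # have marked the caller's address safe without escaping it.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href={}>Sign out</a> and click the link again to accept this invite.
        """).format(current_user.email_address, url_for("main.sign_out", _external=True))
        flash(message=message)
        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template(
            'views/cancelled-invitation.html',
            from_user=from_user.name,
            service_name=service['name'],
        )

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept in the session so sign_in / register_from_invite can finish the flow.
    session['invited_user'] = invited_user.serialize()
    existing_user = user_api_client.get_user_by_email_or_none(invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if not existing_user:
        return redirect(url_for('main.register_from_invite'))

    # NOTE(review): possession of the emailed token is the only proof required
    # here -- the invite is accepted and the existing account is added to the
    # service without the visitor having signed in.  Confirm that is intended.
    invite_api_client.accept_invite(invited_user.service, invited_user.id)
    if existing_user in service_users:  # relies on User equality -- verify
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    service = service_api_client.get_service(invited_user.service)['data']
    # Only services with the email_auth permission may change a user's auth
    # type.  An sms_auth invite is honoured only when the user has a mobile
    # number; an email_auth invite is always applied.
    # NOTE(review): this lets the inviter move an existing account from SMS to
    # email second factor without the account holder's involvement -- confirm
    # that downgrade is acceptable.
    if 'email_auth' in service['permissions'] and (
        (existing_user.mobile_number and invited_user.auth_type == 'sms_auth') or
        invited_user.auth_type == 'email_auth'
    ):
        user_api_client.update_user_attribute(existing_user.id, auth_type=invited_user.auth_type)
    user_api_client.add_user_to_service(
        invited_user.service, existing_user.id, invited_user.permissions)
    return redirect(url_for('main.service_dashboard', service_id=invited_user.service))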
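def accept_invite(token):
    """Handle a click on a service-invitation link.

    ``token`` is the signed token from the invitation email.  It is first
    checked locally against ``SECRET_KEY`` / ``DANGEROUS_SALT`` with the
    configured ``INVITATION_EXPIRY_SECONDS``; an expired signature renders a
    400 page.  The API then resolves the token to the invited-user record.  A
    visitor signed in as a *different* address (compared case-insensitively) is
    told to sign out (403).  Cancelled invites render an explanation page and
    already-accepted ones go straight to the dashboard.  Otherwise the invite
    is stashed in the session and, if an account already exists for the invited
    address, the invite is accepted, the account's ``auth_type`` may be switched
    to the one the invite asks for, and the account is added to the service; an
    unknown address is sent to registration.

    Fix: the flashed message is built with ``Markup.format`` so the interpolated
    email address is HTML-escaped instead of being marked safe verbatim.
    """
    try:
        # Result discarded: this call is only used for its expiry check.
        # NOTE(review): only SignatureExpired is handled; a tampered token
        # raises the BadSignature base class, which is not caught here and
        # will surface from this call unless an error handler covers it.
        check_token(
            token,
            current_app.config['SECRET_KEY'],
            current_app.config['DANGEROUS_SALT'],
            current_app.config['INVITATION_EXPIRY_SECONDS'],
        )
    except SignatureExpired:
        errors = [
            'Your invitation to GOV.UK Notify has expired. '
            'Please ask the person that invited you to send you another one'
        ]
        return render_template("error/400.html", message=errors), 400

    invited_user = invite_api_client.check_token(token)

    if not current_user.is_anonymous and \
            current_user.email_address.lower() != invited_user.email_address.lower():
        # Markup.format escapes its arguments; Markup(str.format(...)) would
        # have marked the caller's address safe without escaping it.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href={}>Sign out</a> and click the link again to accept this invite.
        """).format(current_user.email_address, url_for("main.sign_out", _external=True))
        flash(message=message)
        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template(
            'views/cancelled-invitation.html',
            from_user=from_user.name,
            service_name=service['name'],
        )

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept in the session so sign_in / register_from_invite can finish the flow.
    session['invited_user'] = invited_user.serialize()
    existing_user = user_api_client.get_user_by_email_or_none(invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if not existing_user:
        return redirect(url_for('main.register_from_invite'))

    # NOTE(review): possession of the emailed token is the only proof required
    # here -- the invite is accepted and the existing account is added to the
    # service without the visitor having signed in.  Confirm that is intended.
    invite_api_client.accept_invite(invited_user.service, invited_user.id)
    if existing_user in service_users:  # relies on User equality -- verify
        return redirect(url_for('main.service_dashboard', service_id=invited_user.service))

    service = service_api_client.get_service(invited_user.service)['data']
    # Only services with the email_auth permission may change a user's auth
    # type.  An sms_auth invite is honoured only when the user has a mobile
    # number; an email_auth invite is always applied.
    # NOTE(review): this lets the inviter move an existing account from SMS to
    # email second factor without the account holder's involvement -- confirm
    # that downgrade is acceptable.
    if 'email_auth' in service['permissions'] and (
        (existing_user.mobile_number and invited_user.auth_type == 'sms_auth') or
        invited_user.auth_type == 'email_auth'
    ):
        user_api_client.update_user_attribute(existing_user.id, auth_type=invited_user.auth_type)
    user_api_client.add_user_to_service(
        invited_user.service, existing_user.id, invited_user.permissions)
    return redirect(url_for('main.service_dashboard', service_id=invited_user.service))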