示例#1
0
 def post(self):
     '''Returns a JWT for the user that owns the provided credentials.'''
     id_token = request.json.get('id_token')
     username = request.json.get('username')
     password = request.json.get('password')
     user = None
     # process OIDC credentials
     if id_token:
         payload = get_unverified_jwt_payload(id_token)
         email = payload['email']
         user = User.get_by_email(email)
         if not user:
             # register the user
             user = User(
                 username=email.split('@')[0],
                 email=email,
                 avatar=payload['picture'],
                 signature='',
                 name=payload['name'],
                 password=token_urlsafe(20),
                 question=0,
                 answer=token_urlsafe(10),
             )
             db.session.add(user)
             db.session.commit()
     # process username and password credentials
     elif username and password:
         user = User.get_by_username(username)
         if user and not user.check_password(password):
             user = None
     # handle authentication
     if user and user.is_enabled:
         data = {'user': user.serialize_self()}
         # build other claims
         claims = {}
         path = os.path.join(current_app.config['UPLOAD_FOLDER'],
                             md5(str(user.id).encode()).hexdigest())
         if not os.path.exists(path):
             os.makedirs(path)
         claims['upload_folder'] = path
         # create a JWT
         token = encode_jwt(user.id, claims=claims)
         # send the JWT as a Bearer token when the feature is enabled
         if Config.get_value('BEARER_AUTH_ENABLE'):
             data['access_token'] = token
             # remove any existing access token cookie
             return data, 200, {
                 'Set-Cookie':
                 'access_token=; Expires=Thu, 01-Jan-1970 00:00:00 GMT'
             }
         # default to cookie authentication
         # return a CSRF token when using cookie authentication
         csrf_obj = CsrfToken(user.id)
         csrf_obj.sign(current_app.config['SECRET_KEY'])
         data['csrf_token'] = csrf_obj.serialize()
         # set the JWT as a HttpOnly cookie
         return data, 200, {'Set-Cookie': f"access_token={token}; HttpOnly"}
     abort(400, 'Invalid username or password.')
示例#2
0
文件: api.py 项目: asm121/pwnedhub
 def post(self):
     '''Returns a JWT for the user that owns the provided credentials.'''
     id_token = request.json.get('id_token')
     username = request.json.get('username')
     password = request.json.get('password')
     user = None
     if id_token:
         payload = get_unverified_jwt_payload(id_token)
         user = User.get_by_email(payload['email'])
     elif username and password:
         user = User.get_by_username(username)
         if user and not user.check_password(password):
             user = None
     if user and user.is_enabled:
         data = {'user': user.serialize()}
         # build other claims
         claims = {}
         path = os.path.join(current_app.config['UPLOAD_FOLDER'],
                             md5(str(user.id).encode()).hexdigest())
         if not os.path.exists(path):
             os.makedirs(path)
         claims['upload_folder'] = path
         # create a JWT
         token = encode_jwt(user.id, claims=claims)
         # send the JWT as a Bearer token when the feature is enabled
         if Config.get_value('BEARER_AUTH_ENABLE'):
             data['token'] = token
             # remove any existing access token cookie
             return data, 200, {
                 'Set-Cookie':
                 'access_token=; Expires=Thu, 01-Jan-1970 00:00:00 GMT'
             }
         # set the JWT as a HttpOnly cookie by default
         return data, 200, {
             'Set-Cookie': 'access_token=' + token + '; HttpOnly'
         }
     return {'message': 'Invalid username or password.'}
示例#3
0
 def config_cors(response):
     if Config.get_value('CORS_RESTRICT'):
         # apply the CORS whitelist from the config
         if not is_allowed_origin(response):
             response = remove_cors_headers(response)
     return response