def reset_password(token): if g.user is not None and g.user.is_authenticated: return redirect(url_for('admin.home')) s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) data = None try: data = s.loads(token) except: abort(404) if data.get('id'): id = data.get('id') else: id = 0 user = User.query.get_or_404(id) form = ResetForm() if form.validate_on_submit(): user.password = form.password.data.strip() db.session.add(user) db.session.commit() flash('Your password has now been reset.') return redirect(url_for('main.login')) return render_template('reset.html', title='Reset Password', form=form, user=user, token=token)
def post(self): args = self.prase.parse_args() username = args['username'] error = ApiError.check_param(username, str) if error is not None: return error password = args['password'] error = ApiError.check_param(password, str) if error is not None: return error user_collection = self.db['user'] result = user_collection.find( { 'username': username } ) if result is not None: return ApiError.user_exist_error token = JSONWebSignatureSerializer('secret-key') token = token.dumps({'username': username, 'time':time.time()}) user_collection.insert({ { 'username': username, 'password': password, 'token': token } }) data = {'token':token} return ApiSuccess.success(data)
def get_by_authorization(self_class, token, svc_account): if token: token = token.replace('Basic ', '', 1) s = JSONWebSignatureSerializer(flask.current_app.config['SECRET_KEY']) data = s.loads(token) return User.get(data['id'], svc_account) return None
def parse_token(token: str) -> str: s = JSONWebSignatureSerializer(current_app.secret_key, salt="auth") try: return s.loads(token) except BadSignature: return None
def check_authorization(*args, **kwargs): instance = args[0] # self argument request_args = instance.auth_parser.parse_args() token = request_args.get('api_token') # parse token JWT = JWS(os.environ.get('SECRET_KEY')) try: token_data = JWT.loads(token) except BadSignature: return jsonify({ 'status': 'auth error', 'message': 'invalid token' }) # check validation if datetime.datetime.now().timestamp() < token_data.get('expires'): # token valid and not expired # add current user id to instance as an attribute # this allows linking items to users with re-parsing the tokens instance.user_id = token_data.get('id') return f(*args, **kwargs) else: # token expired return jsonify({ 'status': 'auth error', 'message': 'token expired', 'help': 'get a new token generated from login endpoint' })
def post(self): args = self.parser.parse_args() code = args['code'] #参数校验 error = ApiError.check_param(code, str) if error is not None: return error encryptedData = args['encryptedData'] error = ApiError.check_param(encryptedData, str) if error is not None: return error iv = args['iv'] error = ApiError.check_param(iv, str) if error is not None: return error #解码wx openid appid = 'wxc4e842b5c56f443c' secret = '77b0864fffbd6b395fdaa4e28fb27c72' wx = Wx() data = wx.jscode2ses(code, appid, secret, encryptedData, iv) openId = data['openId'] if openId is None: return ApiError.wx_jscode2ses_error #生成用户token token = JSONWebSignatureSerializer('secret-key') token = token.dumps({'openId': openId, 'time': time.time()}) user_collection = self.db['user'] user_collection.update({'openId': openId}, {'$set': { 'token': token }}, True) data = {'token': token} return ApiSuccess.success(data)
def VerifyToken(token, secret): s = Serializer(secret) try: data = s.loads(token) except BadSignature as e: raise InvalidAuth('bad_token', e.message) return data
def decode_auth_token(token): try: s = JSONWebSignatureSerializer(app.secret_key) print token return s.loads(token) except: return None
def accept_link(token): s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) data = None try: data = s.loads(token) except: abort(404) if data.get('id'): id = data.get('id') else: id = 0 if data.get('friend_id'): friend_id = data.get('friend_id') else: friend_id = 0 user = User.query.get_or_404(friend_id) friend = User.query.get_or_404(id) if user.id == g.user.id: g.user.link(friend) db.session.add(user) db.session.commit() flash('You are now friends with ' + friend.first_name) else: flash('Invalid token') return redirect(url_for('admin.friends'))
def generate_token(): new_user = User.create_user() # 创建新用户 s = Serializer(new_user.key) # 建立序列 data = {'create_at': str(new_user.create_at)} # 加密数据集 token = str(new_user.id) + '.' + s.dumps(data).decode( 'ascii') # 生成令牌,在真正的token前加了一个用户id return token
def genernate(mail): #生成token应该保存到数据库内部以做比较 #根据时间生成token time_now = str(time.time()) s = JSONWebSignatureSerializer('Please-input-your-secret-key') return s.dumps({"id": mail+time_now}).decode('utf-8')
def decode_jwt_token( request: typing.Any, secret_key: str = jwt_settings.JWT_AUTH_SECRET_KEY, cache_name: str = 'default', token_key: str = '', ) -> typing.Any: """ 解密token中的用户数据 :param request: Request实例 :param secret_key: :param cache_name: cache名称 :param token_key: jwt token :return: """ token_key = token_key or get_header_token(request) serializer = JSONWebSignatureSerializer(secret_key) try: user_data = serializer.loads(token_key) except (BadSignature, Exception) as e: raise JwtNotRightError else: user_pk = getattr(jwt_settings, 'JWT_USER_PK', jwt_settings.JWT_USER_PK) user_id = user_data.get(user_pk, '') check_jwt_token(jwt_settings.JWT_REDIS_KEY.format(user_id=user_id), token_key, cache_name) request.user = user_data return user_data, None
def confirm(token): if g.user.is_confirmed(): return redirect(url_for('admin.home')) s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) data = None try: data = s.loads(token) except: abort(404) if data.get('id'): id = data.get('id') else: id = 0 user = User.query.get_or_404(id) if user.id == g.user.id: user.confirmed = True db.session.add(user) db.session.commit() flash('You have successfully confirmed your account!') else: flash('Invalid token') return render_template("admin/confirm.html", title='Confirm Account')
def test_token_generation(self): """ Verify token generation using known hashes and signature """ test_user = self.TEST_USER not_user = self.NOT_USER known_hashhash = ('5106273f7789f1e26b4a212789992f75c15433f402f3e94a' 'd18e7c80aee80faf') with self.app.app_context(): token = generate_token(test_user) # Verify hashhash against known value hashhash = get_hashhash(test_user) self.assertEqual(hashhash, known_hashhash) # Now that we verified our hashhash, independently verify # the data with a serializer from config (not trusting # get_signature here). serializer = Serializer(self.app.config['FLASK_SECRET']) self.assertEqual(serializer.loads(token)['hashhash'], hashhash) # Now go ahead and verify the reverse serializer = get_signature() data = serializer.loads(token) self.assertEqual(data['username'], test_user) self.assertEqual(data['hashhash'], hashhash) # Verify no user handling (don't really care what # exception gets raised). with self.assertRaises(Exception): token = generate_token(not_user)
def validate_token(user, token, operation, new_password=None): s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except (SignatureExpired, BadSignature): return False if operation != data.get('operation') or user.id != data.get('id'): return False if operation == Operation.CONFIRM: user.confirmed = True elif operation == Operation.CHANGE_EMAIL: new_email = data.get('new_email') if User.query.filter_by(email=new_email).first(): return False if new_email is None: return False user.email = new_email elif operation == Operation.RESET_PASSWORD: user.password_hash = user.set_password(new_password) else: return False db.session.commit() return True
def test_token_generation(self): """ Verify token generation using known hashes and signature """ test_user = self.TEST_USER not_user = self.NOT_USER known_hashhash = ('5106273f7789f1e26b4a212789992f75c15433f402f3e94a' 'd18e7c80aee80faf') self._setup_normal_extension() with self.app.app_context(): token = self.htpasswd.generate_token(test_user) # Verify hashhash against known value hashhash = self.htpasswd.get_hashhash(test_user) self.assertEqual(hashhash, known_hashhash) # Now that we verified our hashhash, independently verify # the data with a serializer from config (not trusting # get_signature here). serializer = Serializer(self.app.config['FLASK_SECRET']) self.assertEqual(serializer.loads(token)['hashhash'], hashhash) # Now go ahead and verify the reverse, trusting, and # verifying get_signature. serializer = self.htpasswd.get_signature() data = serializer.loads(token) self.assertTrue(data['username'], test_user) self.assertTrue(data['hashhash'], hashhash) # Verify no user handling (don't really care what # exception gets raised). with self.assertRaises(Exception): token = self.htpasswd.generate_token(not_user)
def confirm_login(): # Check for state and for 0 errors state = session.get('oauth2_state') if not state or request.values.get('error'): return redirect(url_for('index')) # Fetch token discord = make_session(state=state) discord_token = discord.fetch_token(TOKEN_URL, client_secret=OAUTH2_CLIENT_SECRET, authorization_response=request.url) if not discord_token: return redirect(url_for('index')) # Fetch the user user = get_user(discord_token) # Generate api_key from user_id serializer = JSONWebSignatureSerializer(app.config['SECRET_KEY']) api_key = str(serializer.dumps({'user_id': user['id']})) # Store api_key db.set('user:{}:api_key'.format(user['id']), api_key) # Store token db.set('user:{}:discord_token'.format(user['id']), json.dumps(discord_token)) # Store api_token in client session api_token = {'api_key': api_key, 'user_id': user['id']} session.permanent = True session['api_token'] = api_token return redirect(url_for('select_server'))
def generate_token(user): secret_key = get_secret_key() s = JSONWebSignatureSerializer(secret_key) expired_at = utcnow().replace(hours=+2).timestamp d = {'user': user, 'expired_at': expired_at} token = s.dumps(d).decode('utf-8') return token, d
def confirm_login(): # Check for state and for 0 errors state = session.get('oauth2_state') if not state or request.values.get('error'): return redirect(url_for('index')) # Fetch token discord = make_session(state=state) discord_token = discord.fetch_token( TOKEN_URL, client_secret=OAUTH2_CLIENT_SECRET, authorization_response=request.url) if not discord_token: return redirect(url_for('index')) # Fetch the user user = get_user(discord_token) # Generate api_key from user_id serializer = JSONWebSignatureSerializer(app.config['SECRET_KEY']) api_key = str(serializer.dumps({'user_id': user['id']})) # Store api_key db.set('user:{}:api_key'.format(user['id']), api_key) # Store token db.set('user:{}:discord_token'.format(user['id']), json.dumps(discord_token)) # Store api_token in client session api_token = { 'api_key': api_key, 'user_id': user['id'] } session.permanent = True session['api_token'] = api_token return redirect(url_for('select_server'))
def hmac(payload, private_key): '''Generate a decryptable signature on the server side that the client can analzye. Server generated HMAC signatures aren't timed. ''' payload = organize_payload(payload) t = Token(secret_key=private_key) return t.dumps(payload)
def get_user(cls, token): """Use this function to validate tokens sent by users.""" # Decode token, try to fetch and verify key, and if so return user # DEVELOPMENT ACCESS if current_app.config.get("DEBUG") == True: if token == current_app.config.get("DEV_CRON_API_KEY"): return user_model.User.query.filter_by( email=current_app.config.get("DEV_CRON_EMAIL")).first() s = Signer(current_app.config["SECRET_KEY"]) try: data = s.loads(token.strip()) # Remove whitespace except: return None if not data.get("id"): return None if not data.get("key"): return None apikey = ApiKey.query.get(data.get("id")) if apikey is not None: if apikey.verify_key(data.get("key")): return user_model.User.query.get(apikey.user_id) return None
def get_from_timeout_token(token): s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return {} return data
def verify_token(token): s = SigSerializer(SECRET_KEY) try: data = s.loads(token) except (BadSignature): return None return data
def validate(): """ Endpoint used by nginx auth_request. Uses Flask session or token in "Authorization" header. Gets a GET request without body for every request to the resource. Returns 2xx for access granted and 4xx for access denied. """ app.logger.debug('validate headers: %s' % request.headers) uri = request.headers.get('Original-Uri') if current_user.is_authenticated: app.logger.debug("query_auth OK for %s" % uri) return 'OK' auth_header = request.headers.get('Authorization') if auth_header: signer = JSONWebSignatureSerializer(os.environ['SECRET_KEY']) try: jwt_token = auth_header.replace('Bearer ', '', 1) token = signer.loads(jwt_token) app.logger.debug("validate token: %s" % repr(token)) audience = token['aud'] exp_time = token['exp'] curr_time = int(time.time()) if curr_time <= exp_time and audience == TOKEN_AUDIENCE: app.logger.debug("query_auth OK for %s" % uri) return 'OK' except: app.logger.debug("Unable to validate auth token: %s" % auth_header) app.logger.debug("query_auth FAIL for %s" % uri) abort(401)
def generate_key(user_id, name): """Generate a new key and return the plaintext token""" apikey = ApiKey() apikey.user_id = user_id apikey.name = name # Generate key # Want 40 char string which is urandom 20. # urandom is cryptographically secure. key = binascii.hexlify(os.urandom(20)) apikey.key = key db.session.add(apikey) db.session.commit() # Send an email about this action u = user_model.User.query.get(user_id) u.send_email( "[Alert] New API Key Issued", render_template( "email/new-api-key.html", name=name, ), force_send=True) # Generate token, which include the indexed id and key s = Signer(current_app.config["SECRET_KEY"]) return s.dumps({"id": apikey.id, "key": key})
def generate_api_key(self): s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) byte_str = s.dumps({ 'user': str(self.id), 'time': time(), }) self.apikey = byte_str.decode()
def register(): form = Register() if form.validate_on_submit(): # form.validate_email(form.email.data) # form.validate_username(form.username.data) # 根据表单数据 创建用户对象 u = User(username=form.username.data, password=form.password.data, emil=form.email.data) # 把用户信息保存到数据库 db.session.add(u) # 发送账户激活邮件 # 标识身份数据 s = Serializer(current_app.config['SECRET_KEY']) # 当前用户id为空,要手动提交 db.session.commit() token = s.dumps({'id': u.id}) send_mail('账户激活', u.emil, 'email/ectivate.html', username=u.username, token=token) flash('您已经注册成功,请点击邮件中链接进行激活!') return redirect(url_for('main.index')) return render_template('user/register.html', form=form)
def get_credential(a_token): s = JSONWebSignatureSerializer(server_secret_key) try: credential = s.loads(a_token) return credential except: return None
def generate_token(a_username,a_password): if valid_lpirc_session(a_username) is None: create_lpirc_session(a_username) else: # Session already created, nothing to do send previously generated token if recycle_db != 1: sess = Session.query.filter_by(username=a_username).first() token = sess.token return token else: # Recycle # Should be a penalty for multiple login attempts delete_lpirc_session(a_username) create_lpirc_session(a_username) sess = Session.query.filter_by(username=a_username).first() s = JSONWebSignatureSerializer(server_secret_key) dt = sess.timestamp dt_str = dt.strftime(datetime_format) print dt_str # Adding session created time for timeout validation token = s.dumps({ff_username: a_username, ff_password: a_password, ff_timestamp: dt_str}) # Update session database sess.token = token if (enable_powermeter == 1) and (a_username != powermeter_user): sess.powermeter_status = powermeter_status_stop # So that, it can be restarted later if a_username == powermeter_user: sess.mytimeout = sys.maxint db.session.commit() return token
def jwt_decode(self, string): """ JSON Web Token解码 Description 通过itsdangerous模块内部的JSONWebSignatureSerializer对数据进行序列化,通过序列化对象loads方法提取反序列化结果 注意 默认算法为HS512,目前仅支持HS512、HS384、HS256算法 Example: >>>Codec(key="hello").jwt_decode('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiREVBREYxU0hfQ0FUIiwibW9kdWxlIjoiY29kZWMifQ.2GYkiUswkUdNFuA74lW9NKWVwX8KDhLEWf_0L-rSmH0') {"alg": "HS256", "typ": "JWT"} {"name": "DEADF1SH_CAT", "module": "codec"} """ try: jwt = string if(self.secret_key == None): self.secret_key = "" if(self.alg == None): sign = JSONWebSignatureSerializer(self.secret_key) else: #自动识别加密算法 header = json.loads(base64.b64decode(jwt.split('.')[0])) self.alg = header['alg'] sign = JSONWebSignatureSerializer(self.secret_key, algorithm_name=self.alg) #将数据分块输出,顺序为header、payload result = json.dumps(sign.loads(jwt,return_header=True)[1]) + "\n" + json.dumps(sign.loads(jwt,return_header=True)[0]) return result except TypeError: raise TypeError("Secret_key can't be None!")
def verify_device_id(device_id): s = Serializer(SECRET_KEY) try: data = s.loads(device_id) except: return None return Device.objects.get(id=data['id'])
def verify_auth_token(token): s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return None return User.query.get(data['id'])
def jwt_encode(self, string): """ JSON Web Token编码 Description: 通过itsdangerous模块内部的JSONWebSignatureSerializer对数据进行序列化,通过序列化对象dumps方法输出编码后结果 注意 默认算法为HS512,目前仅支持HS512、HS384、HS256算法 Example: >>>Codec(key="hello").jwt_encode('{"name":"DEADF1SH_CAT","module":"codec"}') eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiREVBREYxU0hfQ0FUIiwibW9kdWxlIjoiY29kZWMifQ.2GYkiUswkUdNFuA74lW9NKWVwX8KDhLEWf_0L-rSmH0 """ try: jwt = dict(ast.literal_eval(string)) if(self.secret_key == None): self.secret_key = "" if(self.alg == None): sign = JSONWebSignatureSerializer(self.secret_key) else: sign = JSONWebSignatureSerializer(self.secret_key, algorithm_name=self.alg) result = sign.dumps(jwt, header_fields={"typ":"JWT"}) return result except TypeError: raise TypeError("Secret_key can't be None!")
class AuthTokenFactory: @staticmethod def withPrivateKeyFile(path_to_private_key): key = open(path_to_private_key, encoding="utf8").read() auth_factory = AuthTokenFactory(private_key=key) return auth_factory def __init__(self, private_key): self.private_key = private_key self.serializer = JSONWebSignatureSerializer(private_key) def generate(self, lifetime_in_seconds=DEFAULT_TOKEN_LIFETIME, **kwargs): # exp: Expiration time info = {'exp': time() + lifetime_in_seconds} if 'exp' in kwargs: raise Exception("'exp' is a reserved key value.") info.update(**kwargs) token = self.serializer.dumps(info) return token.decode() def validate(self, token): info = self.serializer.loads(token.encode()) if time() > info['exp']: raise SignatureExpired("Token has expired, get a new token.") return info
def verify_auth_token(token): s = Serializer(app.config['SECRET_KEY']) try: return s.loads(token) except BadSignature: return None
def verify_reset_token(token): s = Serializer(current_app.config['SECRET_KEY']) try: user_id = s.loads(token)['user_id'] except: return None return User.query.get(user_id)
def post(self): username = request.form.get('username') password = request.form.get('pwd') email = request.form.get('email') if not all([username, password, email]): return render_template('register.html', errmsg='数据不完整!') allow = request.form.get('allow') if allow != 'on': return render_template('register.html', **{'errmsg': '请同意协议!'}) reg = "[\w!#$%&'*+/=?^_`{|}~-]+(?:\.[\w!#$%&'*+/=?^_`{|}~-]+)*@(?:[\w](?:[\w-]*[\w])?\.)+[\w](?:[\w-]*[\w])?" if not re.match(reg, email): return render_template('register.html', **{'errmsg': '邮箱不合法!'}) if db.session.query(User).filter(User.username == username).first(): return render_template('register.html', **{'errmsg': '用户名已被注册!'}) if db.session.query(User).filter(User.email == email).first(): return render_template('register.html', **{'errmsg': '邮箱已被注册!'}) user = User(username=username, password=password, email=email) db.session.add(user) db.session.commit() serializer = Serializer(SECRET_KEY) data = {'id': user.id, 'time': time.time()} token = serializer.dumps(data).decode() send_register_mail(email, username, token) return redirect(url_for('user.login'))
def verify_shared_token(token): s = InfinitSerializer(current_app.config['SECRET_KEY'])#Cargamos el objeto Serializer try: post_id = s.loads(token)['post_id']#Comprobamos que el token es correcto y no ha expirado except: return None return Post.query.get(post_id)
def verify_auth_token(token): s = JSONWebSignatureSerializer(app.config['SECRET_KEY']) try: data = s.loads(token) except BadSignature: return None user = User.query.get(data['id']) return user
def unsign(self, value): if value is None: return value s = JSONWebSignatureSerializer(self.secret_key, algorithm_name='HS256') try: return s.loads(value) except BadSignature: return {}
def verify_group_token(token): s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return None group = Group.query.get(data['id']) return group
def unsign(self, value): if value is None: return value s = JSONWebSignatureSerializer(self.secret_key) try: return s.loads(value) except BadSignature: return {}
def verify_tn_proxy_token(token): s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except BadSignature: return None client_id = data['client_id'] return client_id
def verify_auth_token(token): s = Serializer(app.config['SECRET_KEY']) try: data = s.loads(token) except SignatureExpired: return None # valid token, but expired except BadSignature: return None # invalid token return User.query.get(data['id'])
def confirm_reset_token(self, token): s = JSONWebSignatureSerializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return False if data.get('reset') != self.id: return False return True
def get_event_page_no(token): """convert token into the pagenumber arg: token: token return: return the page number to convert it. """ page_no = PageSerializer(config.SECRET_KEY) return page_no.loads(token)
def verify_auth_token(self, token): s = Serializer(SECRET_KEY) try: data = s.loads(token) except SignatureExpired: return None # valid token, but expired except BadSignature: return None # invalid token return [data['username'], data['password']]
def generate_token(self): JWT = JWS(os.environ.get('SECRET_KEY')) return JWT.dumps({ "id": self.id, "username": self.username, # 2 hrs expiration "expires": (datetime.datetime.now() + datetime.timedelta(seconds=2*60*60)).timestamp() }).decode('utf-8')
def verify_auth_token(token): """verify the user with token""" s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return None # get id return User.query.get_or_404(data['id'])
def verify_auth_token(token): s = Serializer(app.config['SECRET_KEY']) print 'token:' + token try: data = s.loads(token) except: return None print 'data:{}'.format(data) user = User.get_one(email=data) return user
def af_reset_send(cls_, email, returnurl): user = cls_.find_first({'email': email}) if not user: raise ApiValidationError(ValidationError('Unknown email')) serializer = JSONWebSignatureSerializer(current_app.config['API_KEY']) resettoken = serializer.dumps({"id": user.id, "signature": user.signature}).decode('utf-8') content = 'Click here to reset your password: %s' % (returnurl + resettoken) mailer.send(user.email, user.name, 'Password reset link', content) return {'success': True}
def af_reset_recieve(cls_, token, password): serializer = JSONWebSignatureSerializer(current_app.config['API_KEY']) try: payload = serializer.loads(token) user = cls_.get(payload['id']) if user is None or payload['signature'] != user.signature or user.status != const.STATUS_ACTIVE: raise ApiValidationError(ValidationError('User reset not allowed')) user.update(password=password, signature=random_string()) return user.jsonify(acl=const.ACL_OWNER) except (itsdangerous.SignatureExpired, itsdangerous.BadSignature): raise ApiValidationError(ValidationError('Token is broken'))
def confirm(self,token): s = Serializer(current_app.config['SECRET_KEY']) try: data = s.loads(token) except: return false if data.get('confirm') != self.id: return false self.confirmed = True db.session.add(self) return True
def test_invalid_token(f_session, f_user): secret_key = get_secret_key() s = JSONWebSignatureSerializer(secret_key) expired_at = arrow.utcnow().replace(hours=-2).timestamp d = { 'user': {'id': f_user.id, 'email': f_user.email, 'name': f_user.name}, 'expired_at': expired_at } token = s.dumps(d).decode('utf-8') with raises(InvalidTokenError): t = validate_token('dadfa.asdf') with raises(ExpiredTokenError): t = validate_token(token)