示例#1
0
def login():
    """ Login page """
    user_manager = UserManager()
    session_token = request.cookies.get('session_token')

    # redirect_page = request.args.get('redirect', request.headers.get('Referer', '/'))
    redirect_page = request.args.get('redirect')
    if not redirect_page:
        redirect_page = request.headers.get('Referer', '/')
    if re.search('(^https?://[^/]+)?/login[^?#]?', redirect_page):
        # Prevent redirect loop
        redirect_page = '/'

    if session_token:
        user, session = user_manager.authenticate_user_session(session_token)
        if user:
            return redirect(redirect_page, 302)

    if request.form:
        username = request.form.get('username')
        password = request.form.get('password')
        remember = request.form.get('remember')
        expires = datetime.datetime.utcnow() + datetime.timedelta(days=365) \
            if remember else None

        session = user_manager.create_user_session(username=username, password=password,
                                                   expires_at=expires)

        if session:
            redirect_target = redirect(redirect_page, 302)
            response = make_response(redirect_target)
            response.set_cookie('session_token', session.session_token, expires=expires)
            return response

    return render_template('login.html', utils=HttpUtils)
示例#2
0
def register():
    """ Registration page """
    user_manager = UserManager()
    redirect_page = request.args.get('redirect', '/')
    session_token = request.cookies.get('session_token')

    if session_token:
        user, session = user_manager.authenticate_user_session(session_token)
        if user:
            return redirect(redirect_page, 302)

    if request.form:
        username = request.form.get('username')
        password = request.form.get('password')
        confirm_password = request.form.get('confirm_password')
        remember = request.form.get('remember')

        if password == confirm_password:
            user_manager.create_user(username=username, password=password)
            session = user_manager.create_user_session(
                username=username,
                password=password,
                expires_at=datetime.datetime.utcnow() +
                datetime.timedelta(days=1) if not remember else None)

            if session:
                redirect_target = redirect(redirect_page, 302)
                response = make_response(redirect_target)
                response.set_cookie('session_token', session.session_token)
                return response

    if user_manager.get_user_count() > 0:
        return redirect('/login?redirect=' + redirect_page, 302)

    return render_template('register.html', utils=HttpUtils)
示例#3
0
def _authenticate_session():
    user_manager = UserManager()
    user_session_token = None
    user = None

    if 'X-Session-Token' in request.headers:
        user_session_token = request.headers['X-Session-Token']
    elif 'session_token' in request.args:
        user_session_token = request.args.get('session_token')
    elif 'session_token' in request.cookies:
        user_session_token = request.cookies.get('session_token')

    if user_session_token:
        user, session = user_manager.authenticate_user_session(
            user_session_token)

    return user is not None
示例#4
0
def register():
    """ Registration page """
    user_manager = UserManager()
    redirect_page = request.args.get('redirect')
    if not redirect_page:
        redirect_page = request.headers.get('Referer', '/')
    if re.search('(^https?://[^/]+)?/register[^?#]?', redirect_page):
        # Prevent redirect loop
        redirect_page = '/'

    session_token = request.cookies.get('session_token')

    if session_token:
        user, session = user_manager.authenticate_user_session(session_token)
        if user:
            return redirect(redirect_page, 302)  # lgtm [py/url-redirection]

    if user_manager.get_user_count() > 0:
        return redirect('/login?redirect=' + redirect_page,
                        302)  # lgtm [py/url-redirection]

    if request.form:
        username = request.form.get('username')
        password = request.form.get('password')
        confirm_password = request.form.get('confirm_password')
        remember = request.form.get('remember')

        if password == confirm_password:
            user_manager.create_user(username=username, password=password)
            session = user_manager.create_user_session(
                username=username,
                password=password,
                expires_at=datetime.datetime.utcnow() +
                datetime.timedelta(days=1) if not remember else None)

            if session:
                redirect_target = redirect(redirect_page,
                                           302)  # lgtm [py/url-redirection]
                response = make_response(redirect_target)
                response.set_cookie('session_token', session.session_token)
                return response
        else:
            abort(400, 'Password mismatch')

    return render_template('index.html', utils=HttpUtils)
示例#5
0
def logout():
    """ Logout page """
    user_manager = UserManager()
    redirect_page = request.args.get('redirect',
                                     request.headers.get('Referer', '/login'))
    session_token = request.cookies.get('session_token')

    if not session_token:
        return abort(417, 'Not logged in')

    user, session = user_manager.authenticate_user_session(session_token)
    if not user:
        return abort(403, 'Invalid session token')

    redirect_target = redirect(redirect_page, 302)
    response = make_response(redirect_target)
    response.set_cookie('session_token', '', expires=0)
    return response
示例#6
0
def _authenticate_csrf_token():
    user_manager = UserManager()
    user_session_token = None

    if 'X-Session-Token' in request.headers:
        user_session_token = request.headers['X-Session-Token']
    elif 'session_token' in request.args:
        user_session_token = request.args.get('session_token')
    elif 'session_token' in request.cookies:
        user_session_token = request.cookies.get('session_token')

    if user_session_token:
        user, session = user_manager.authenticate_user_session(
            user_session_token)
    else:
        return False

    if user is None:
        return False

    return session.csrf_token is None or request.form.get(
        'csrf_token') == session.csrf_token
示例#7
0
class UserPlugin(Plugin):
    """
    Plugin to programmatically create and manage users and user sessions
    """

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.user_manager = UserManager()

    @action
    def create_user(self, username, password, executing_user=None, executing_user_password=None, session_token=None,
                    **kwargs):
        """
        Create a user. This action needs to be executed by an already existing user, who needs to authenticate with
            their own credentials, unless this is the first user created on the system.

        :return: dict.

        Format::

            {
                "user_id": int,
                "username": str,
                "created_at": str (in ISO format)
            }

        """

        if self.user_manager.get_user_count() > 0 and not executing_user and not session_token:
            return None, "You need to authenticate in order to create another user"

        if not self.user_manager.authenticate_user(executing_user, executing_user_password):
            user, session = self.user_manager.authenticate_user_session(session_token)
            if not user:
                return None, "Invalid credentials and/or session_token"

        try:
            user = self.user_manager.create_user(username, password, **kwargs)
        except (NameError, ValueError) as e:
            return None, str(e)

        return {
            'user_id': user.user_id,
            'username': user.username,
            'created_at': user.created_at.isoformat(),
        }

    @action
    def authenticate_user(self, username, password):
        """
        Authenticate a user
        :return: True if the provided username and password are correct, False otherwise
        """

        return True if self.user_manager.authenticate_user(username, password) else False

    @action
    def update_password(self, username, old_password, new_password):
        """
        Update the password of a user
        :return: True if the password was successfully updated, false otherwise
        """

        return self.user_manager.update_password(username, old_password, new_password)

    @action
    def delete_user(self, username, executing_user=None, executing_user_password=None, session_token=None):
        """
        Delete a user
        """

        if not self.user_manager.authenticate_user(executing_user, executing_user_password):
            user, session = self.user_manager.authenticate_user_session(session_token)
            if not user:
                return None, "Invalid credentials and/or session_token"

        try:
            return self.user_manager.delete_user(username)
        except NameError:
            return None, "No such user: {}".format(username)

    @action
    def create_session(self, username, password, expires_at=None):
        """
        Create a user session
        :return: dict::

            {
                "session_token": str,
                "user_id": int,
                "created_at": str (in ISO format),
                "expires_at": str (in ISO format),
            }

        """

        session = self.user_manager.create_user_session(username=username,
                                                        password=password,
                                                        expires_at=expires_at)

        if not session:
            return None, "Invalid credentials"

        return {
            'session_token': session.session_token,
            'user_id': session.user_id,
            'created_at': session.created_at.isoformat(),
            'expires_at': session.expires_at.isoformat() if session.expires_at else None,
        }

    @action
    def authenticate_session(self, session_token):
        """
        Authenticate a session by token and return the associated user
        :return: dict.

        Format::

            {
                "user_id": int,
                "username": str,
                "created_at": str (in ISO format)
            }

        """

        user, session = self.user_manager.authenticate_user_session(session_token=session_token)
        if not user:
            return None, 'Invalid session token'

        return {
            'user_id': user.user_id,
            'username': user.username,
            'created_at': user.created_at.isoformat(),
        }

    @action
    def delete_session(self, session_token):
        """
        Delete a user session
        """

        return self.user_manager.delete_user_session(session_token)

    @action
    def get_users(self) -> List[Dict[str, Any]]:
        """
        Get the list of registered users.
        :return:

            .. code-block:: json

                [
                    {
                        "user_id": 1,
                        "username": "******",
                        "created_at": "2020-11-26T22:41:40.550574"
                    },
                    {
                        "user_id": 2,
                        "username": "******",
                        "created_at": "2020-11-28T21:10:23.224813"
                    }
                ]

        """
        return [
            {
                'user_id': user.user_id,
                'username': user.username,
                'created_at': user.created_at.isoformat(),
            }
            for user in self.user_manager.get_users().all()
        ]

    @action
    def get_user_by_session(self, session_token: str) -> dict:
        """
        Get the user record associated to a session token.

        :param session_token: Session token.
        :return:

            .. code-block:: json

                [
                    {
                        "user_id": 1,
                        "username": "******",
                        "created_at": "2020-11-26T22:41:40.550574"
                    }
                ]

        """
        user = self.user_manager.get_user_by_session(session_token)
        assert user, 'No user associated with the specified session token'

        return {
            'user_id': user.user_id,
            'username': user.username,
            'created_at': user.created_at.isoformat(),
        }
示例#8
0
class UserPlugin(Plugin):
    """
    Plugin to programmatically create and manage users and user sessions
    """
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.user_manager = UserManager()

    @action
    def create_user(self,
                    username,
                    password,
                    executing_user=None,
                    executing_user_password=None,
                    session_token=None,
                    **kwargs):
        """
        Create a user. This action needs to be executed by an already existing user, who needs to authenticate with
            their own credentials, unless this is the first user created on the system.

        :return: dict.

        Format::

            {
                "user_id": int,
                "username": str,
                "created_at": str (in ISO format)
            }

        """

        if self.user_manager.get_user_count(
        ) > 0 and not executing_user and not session_token:
            return None, "You need to authenticate in order to create another user"

        if not self.user_manager.authenticate_user(executing_user,
                                                   executing_user_password):
            user, session = self.user_manager.authenticate_user_session(
                session_token)
            if not user:
                return None, "Invalid credentials and/or session_token"

        try:
            user = self.user_manager.create_user(username, password, **kwargs)
        except (NameError, ValueError) as e:
            return None, str(e)

        return {
            'user_id': user.user_id,
            'username': user.username,
            'created_at': user.created_at.isoformat(),
        }

    @action
    def authenticate_user(self, username, password):
        """
        Authenticate a user
        :return: True if the provided username and password are correct, False otherwise
        """

        return self.user_manager.authenticate_user(username, password)

    @action
    def update_password(self, username, old_password, new_password):
        """
        Update the password of a user
        :return: True if the password was successfully updated, false otherwise
        """

        return self.user_manager.update_password(username, old_password,
                                                 new_password)

    @action
    def delete_user(self,
                    username,
                    executing_user=None,
                    executing_user_password=None,
                    session_token=None):
        """
        Delete a user
        """

        if not self.user_manager.authenticate_user(executing_user,
                                                   executing_user_password):
            user, session = self.user_manager.authenticate_user_session(
                session_token)
            if not user:
                return None, "Invalid credentials and/or session_token"

        try:
            return self.user_manager.delete_user(username)
        except NameError:
            return None, "No such user: {}".format(username)

    @action
    def create_session(self, username, password, expires_at=None):
        """
        Create a user session
        :return: dict::

            {
                "session_token": str,
                "user_id": int,
                "created_at": str (in ISO format),
                "expires_at": str (in ISO format),
            }

        """

        session = self.user_manager.create_user_session(username=username,
                                                        password=password,
                                                        expires_at=expires_at)

        if not session:
            return None, "Invalid credentials"

        return {
            'session_token':
            session.session_token,
            'user_id':
            session.user_id,
            'created_at':
            session.created_at.isoformat(),
            'expires_at':
            session.expires_at.isoformat() if session.expires_at else None,
        }

    @action
    def authenticate_session(self, session_token):
        """
        Authenticate a session by token and return the associated user
        :return: dict.

        Format::

            {
                "user_id": int,
                "username": str,
                "created_at": str (in ISO format)
            }

        """

        user, session = self.user_manager.authenticate_user_session(
            session_token=session_token)
        if not user:
            return None, 'Invalid session token'

        return {
            'user_id': user.user_id,
            'username': user.username,
            'created_at': user.created_at.isoformat(),
        }

    @action
    def delete_session(self, session_token):
        """
        Delete a user session
        """

        return self.user_manager.delete_user_session(session_token)