def get_user(request):
"""Lookup a user session"""
profile = {}
sess_id = request.cookies.get("session_id")
if sess_id is not None:
s = sessionsmanager.get_session(sess_id=sess_id)
if s is None:
raise HTTP_401("invalid session")
u = usersmanager.search_user(login=s["login"])
if u is None:
raise HTTP_401("unknown user")
(login, details) = list(u.items())[0]
profile["login"] = login
profile["role"] = details["role"]
return profile
auth = request.get_header(name="Authorization", default=None)
if auth is None:
raise HTTP_401("authorization header not detected")
auth_result, u = sessionsmanager.do_basic_auth(auth=auth)
if not auth_result:
raise HTTP_401("authentification failed")
(login, details) = list(u.items())[0]
profile["login"] = login
profile["role"] = details["role"]
return profile
def before(self):
if self.request.method == 'OPTIONS':
return
user = None
token = self._parse_auth_header()
if token:
try:
payload = jwt_auth.decode_token(token, self.audience)
user_id = payload.get('id')
user = rpc_call('get_vk_user', user_id)
if not user:
raise HTTP_403("Access denied")
except jwt_auth.DecodeError as e:
self.logger.warning(e)
raise HTTP_401("Unable to parse authentication token")
except jwt_auth.ExpiredSignatureError:
if 'guest' not in self.audience:
raise HTTP_401("Expired token")
except jwt_auth.InvalidAudienceError:
raise HTTP_403("Incorrect claims")
except Exception as e:
self.logger.exception(e)
raise HTTP_500("Unable to parse authentication token")
elif 'guest' not in self.audience:
raise HTTP_403("Access denied")
self.user = user or {}
def post(self):
""" POST /user/get """
username = api.UserSession(self.request)
if not username: raise HTTP_401("I can't let you do that")
try:
data = api.UserGet(username)
except:
l.log_exception('api_ws.UserGet')
if 'error' in data.keys(): raise HTTP_401(data['error'])
self.response.set_header('Access-Control-Allow-Origin', '*')
return data
def post(self):
"""create session"""
# checking query request
login = self.request.data.get("login")
if login is None:
raise HTTP_400("login is expected")
password = self.request.data.get("password")
if password is None:
raise HTTP_400("password is expected")
# check user access
auth_ret, u, sess_id = sessionsmanager.do_session_auth(login=login,
password=password)
if not auth_ret:
raise HTTP_401("authentification failed")
# set sessionid on cookie
self.response.set_cookie(key="session_id", value=sess_id,
expires='', path='/', domain="")
_rsp = {
"cmd": self.request.path,
"message": "Logged in",
"session_id": sess_id,
"expires": settings.cfg["session"]["max-expiry-age"],
"role": u[login]["role"],
"api_login": login,
"api_secret": u[login]['secrets']["basic"]
}
return _rsp
def wrapped(*args, **kwargs):
check_time(database)
database.logs("connect in " + args[0].request.path + " from " + args[0].request.ip)
if check_head_token(args[0].request) == False:
database.logs("try to connect from " + args[0].request.ip + " with bad token")
raise HTTP_401("bad token")
return f(*args, **kwargs)
def post(self):
""" POST /user/setnewpassword """
username = api.UserSession(self.request)
if not username: raise HTTP_401("I can't let you do that")
old_password = self.request.data.get('old_password')
new_password = self.request.data.get('new_password')
if not old_password or not new_password:
raise HTTP_400(
'Yo dawg, you need to provide a old_password and a new_password'
)
try:
data = api.UserSetNewPassword(username, old_password, new_password)
except:
l.log_exception('api_ws.UserSetNewPassword')
if 'error' in data.keys(): raise HTTP_401(data['error'])
self.response.set_header('Access-Control-Allow-Origin', '*')
return data
def post(self):
""" POST /user/logout """
username = api.UserSession(self.request)
if not username: raise HTTP_401("I can't let you do that")
sessionId = self.request.cookies.get('session_id')
try:
data = api.UserLogout(username, sessionId)
except:
l.log_exception('api_ws.UserLogout')
self.response.set_header('Access-Control-Allow-Origin', '*')
return data
def _get_user(request):
"""
Lookup a user session or return None if one doesn't exist
"""
sess_id = request.cookies.get("session_id")
if sess_id is None:
# new in v17, checking authorization header
authorization = request.get_header(name="Authorization", default=None)
if authorization is not None:
userP = Context.instance().apiBasicAuthorization(authorization=authorization)
if userP is None:
raise HTTP_401("Invalid credentials")
else:
return userP
else:
raise HTTP_401("Authorization header not detected")
# end of new
else:
if sess_id in Context.instance().getSessions():
return Context.instance().getSessions()[sess_id]
else:
raise HTTP_401("Invalid session")
def post(self):
username = self.request.data.get("username")
password = self.request.data.get("password")
if not username or not password:
raise HTTP_400("Username and password are required")
if username != "foo" or password != "foo":
raise HTTP_401("Username or password are incorrect")
# Set a session ID for lookup in a DB or memcache
self.response.set_cookie("session_id", "1234567890abcdefg")
return {"message": "Logged in"}
def post(self):
""" POST /user/setpassword """
username = self.request.data.get('username')
password = self.request.data.get('password')
if not username or not password:
raise HTTP_400(
'Yo dawg, you need to provide a username and password')
try:
data = api.UserSetPassword(username, password)
except:
l.log_exception('api_ws.UserSetPassword')
if 'error' in data.keys(): raise HTTP_401(data['error'])
self.response.set_header('Access-Control-Allow-Origin', '*')
self.response.set_cookie("session_id", api.UserSetSession(username))
return data
def post(self):
""" POST /user/login """
username = self.request.data.get('username')
password = self.request.data.get('password')
code2fa = self.request.data.get('code2fa') if c.cfg['2fa'] else None
if not username or not password:
raise HTTP_400(
'Yo dawg, you need to provide a username and password')
if c.cfg['2fa'] and not code2fa:
raise HTTP_400('Yo dawg, you need to provide a code2fa')
try:
data = api.UserLogin(username, password, code2fa)
except:
l.log_exception('api_ws.UserCheckPassword')
if 'error' in data.keys(): raise HTTP_401(data['error'])
self.response.set_header('Access-Control-Allow-Origin', '*')
self.response.set_cookie("session_id", api.UserSetSession(username))
return data
def post(self):
username = self.request.data.get("username")
password = self.request.data.get("password")
if not username or not password:
raise HTTP_400("Please specify username and password")
# See if a user exists with those params
user = db.query(User).filter(
User.username==username,
User.password==password).first()
if not user:
raise HTTP_401("Invalid username or password")
# Create a new session
sess = UserSession(
user_id=user.id)
db.add(sess)
self.response.set_cookie("session_id", sess.session_id)
return { "message":"Logged in", "session_id":sess.session_id }
def wrapped(*args, **kwargs):
if not is_logged_in(args[0].request):
raise HTTP_401("You must be logged in to do this.")
if not is_admin(args[0].request):
raise HTTP_403("You must be an admin to do this.")
return f(*args, **kwargs)
def wrapped(*args, **kwargs):
if not get_user(args[0].request):
raise HTTP_401("I can't let you do that")
return f(*args, **kwargs)
def wrapped(*args, **kwargs):
if get_user_role(args[0].request) not in roles:
raise HTTP_401("I can't let you do that")
return f(*args, **kwargs)
