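def render_login_local():
    """
    Render the login page with username/pass

    Handles the local (email/password) login form.  On GET, or on a POST
    that fails form validation, the form is rendered again.  On a valid
    POST the email is looked up in UserEntity and the submitted password
    is checked with utils.is_valid_auth against the stored hash; a match
    logs the user in through Flask-Login, notifies Flask-Principal of the
    new identity and redirects to the role landing page.  Every outcome
    (unknown email, wrong password, success) is recorded through LogEntity
    under the session's `uuid`.

    @see #index()
    @see #render_login_shib()
    """
    if current_user.is_authenticated():
        return redirect(get_role_landing_page())

    uuid = session['uuid']
    form = LoginForm(request.form)

    if request.method == 'POST' and form.validate():
        email = form.email.data.strip() if form.email.data else "*****@*****.**"
        password = form.password.data.strip() if form.password.data else ""
        # The submitted password is deliberately NOT logged (the previous
        # debug line wrote it in clear text).  Log output is far less
        # protected than the credential store and is routinely shipped to
        # aggregators, so a plaintext password there is a credential leak.
        app.logger.debug("Checking email: {}".format(email))
        user = UserEntity.query.filter_by(email=email).first()

        if user:
            app.logger.debug("Found user object: {}".format(user))
        else:
            # NOTE(review): flashing "No such email" confirms to the visitor
            # which addresses are registered; consider the same generic
            # "Incorrect username/password." message used below.
            utils.flash_error("No such email: {}".format(email))
            # Recorded as an error, consistent with the wrong-password path
            # (the original wrote this failure through LogEntity.login).
            LogEntity.login_error(uuid, "No such email: {}".format(email))
            return redirect(url_for('index'))

        password_hash = user.password_hash
        # @TODO: enforce the `local password` policy
        # NOTE(review): an empty stored hash makes this branch accept ANY
        # submitted password for the account -- an authentication bypass
        # unless such accounts are guaranteed never to exist, or are meant
        # to be Shibboleth-only and should be rejected here instead.
        # Behaviour kept as found; confirm against the password policy.
        # The slicing presumably treats the stored value as
        # `<16-char salt><separator><digest>` -- confirm against the code
        # that writes user.password_hash and utils.is_valid_auth.
        if '' == password_hash or \
                utils.is_valid_auth(app.config['SECRET_KEY'],
                                    password_hash[0:16],
                                    password,
                                    password_hash[17:]):
            app.logger.info('Log login event for: {}'.format(user))
            LogEntity.login(uuid, 'Successful login via email/password')
            login_user(user, remember=False, force=False)

            # Tell Flask-Principal that the identity has changed
            identity_changed.send(current_app._get_current_object(),
                                  identity=Identity(user.get_id()))
            return redirect(get_role_landing_page())
        else:
            app.logger.info('Incorrect pass for: {}'.format(user))
            LogEntity.login_error(uuid, 'Incorrect pass for: {}'.format(user))
            utils.flash_error("Incorrect username/password.")

    # When sending a GET request render the login form
    return render_template('index.html', form=form,
                           next_page=request.args.get('next'))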
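def shibb_return():
    """
    Complete a Shibboleth login after the IdP has sent the user back.

    The identity attributes released by the IdP are read from the request
    headers the Shibboleth SP populates: `Mail` (the address looked up
    against UserEntity.email) and `Glid` (Gatorlink ID, used only for the
    debug line).  A registered, active, non-expired user is logged in via
    Flask-Login, Flask-Principal is notified of the new identity and the
    user is redirected to the role landing page.  Any other case flashes
    an error, records the attempt through LogEntity under the session's
    `uuid` and redirects to the login page.

    Trust boundary: the `Mail` header is taken at face value.  This route
    must only be reachable through the SP / reverse proxy that sets these
    headers on every request, so that no header supplied by the client
    can reach this code.

    NOTE(review): this module defines `shibb_return` twice; in plain
    Python the later `def` rebinds the name, so keep the two in step or
    drop one.

    @see #shibb_redirect()
    """
    if current_user.is_authenticated():
        # next_page = request.args.get('next') or get_role_landing_page()
        return redirect(get_role_landing_page())

    # fresh login...
    uuid = session['uuid']
    # `Mail` is mandatory: without it there is nothing to look up, so the
    # subscript access is kept and a missing header still fails the request.
    email = request.headers['Mail']
    # `Glid` only feeds the debug line below; its absence must not turn an
    # otherwise valid login into a failed request, hence .get().
    glid = request.headers.get('Glid')  # Gatorlink ID
    app.logger.debug("Checking if email: {} is registered for glid: {}".format(
        email, glid))
    user = UserEntity.query.filter_by(email=email).first()

    if not user:
        utils.flash_error("No such user: {}".format(email))
        LogEntity.login_error(
            uuid,
            "Shibboleth user {} is not registered for this "
            "app".format(email))
        return redirect(url_for('index'))

    if not user.is_active():
        utils.flash_error("Inactive user: {}".format(email))
        LogEntity.login_error(uuid,
                              "Inactive user {} tried to login".format(email))
        return redirect(url_for('index'))

    if user.is_expired():
        utils.flash_error("User account for {} expired on {}".format(
            email, user.access_expires_at))
        LogEntity.login_error(uuid,
                              "Expired user {} tried to login".format(email))
        return redirect(url_for('index'))

    # Log it
    app.logger.info('Successful login via Shibboleth for: {}'.format(user))
    LogEntity.login(uuid, 'Successful login via Shibboleth')
    login_user(user, remember=False, force=False)

    # Tell Flask-Principal that the identity has changed
    identity_changed.send(current_app._get_current_object(),
                          identity=Identity(user.get_id()))
    next_page = get_role_landing_page()
    return redirect(next_page)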
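def shibb_return():
    """
    Complete a Shibboleth login after the IdP has sent the user back.

    The identity attributes released by the IdP are read from the request
    headers the Shibboleth SP populates: `Mail` (the address looked up
    against UserEntity.email) and `Glid` (Gatorlink ID, used only for the
    debug line).  A registered, active, non-expired user is logged in via
    Flask-Login, Flask-Principal is notified of the new identity and the
    user is redirected to the role landing page.  Any other case flashes
    an error, records the attempt through LogEntity under the session's
    `uuid` and redirects to the login page.

    Trust boundary: the `Mail` header is taken at face value.  This route
    must only be reachable through the SP / reverse proxy that sets these
    headers on every request, so that no header supplied by the client
    can reach this code.

    NOTE(review): this module defines `shibb_return` twice; in plain
    Python the later `def` rebinds the name, so keep the two in step or
    drop one.

    @see #shibb_redirect()
    """
    if current_user.is_authenticated():
        # next_page = request.args.get('next') or get_role_landing_page()
        return redirect(get_role_landing_page())

    # fresh login...
    uuid = session['uuid']
    # `Mail` is mandatory: without it there is nothing to look up, so the
    # subscript access is kept and a missing header still fails the request.
    email = request.headers['Mail']
    # `Glid` only feeds the debug line below; its absence must not turn an
    # otherwise valid login into a failed request, hence .get().
    glid = request.headers.get('Glid')  # Gatorlink ID
    app.logger.debug("Checking if email: {} is registered for glid: {}"
                     .format(email, glid))
    user = UserEntity.query.filter_by(email=email).first()

    if not user:
        utils.flash_error("No such user: {}".format(email))
        LogEntity.login_error(uuid,
                              "Shibboleth user {} is not registered for this "
                              "app".format(email))
        return redirect(url_for('index'))

    if not user.is_active():
        utils.flash_error("Inactive user: {}".format(email))
        LogEntity.login_error(uuid,
                              "Inactive user {} tried to login"
                              .format(email))
        return redirect(url_for('index'))

    if user.is_expired():
        utils.flash_error("User account for {} expired on {}"
                          .format(email, user.access_expires_at))
        LogEntity.login_error(uuid,
                              "Expired user {} tried to login"
                              .format(email))
        return redirect(url_for('index'))

    # Log it
    app.logger.info('Successful login via Shibboleth for: {}'.format(user))
    LogEntity.login(uuid, 'Successful login via Shibboleth')
    login_user(user, remember=False, force=False)

    # Tell Flask-Principal that the identity has changed
    identity_changed.send(current_app._get_current_object(),
                          identity=Identity(user.get_id()))
    next_page = get_role_landing_page()
    return redirect(next_page)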