def process_request(self, request):
    """Seed the per-session test-cookie secret and count cookie-less hits.

    Nothing happens unless ``self._is_enabled(request)``. Otherwise a
    ``test_cookie_secret`` is generated once per session with
    ``RandomPassword().get(ascii=True)`` and the session is saved right away,
    and a request arriving without the ``satctoken`` cookie is recorded as an
    auth attempt through ``UserAuthAttempt``.

    NOTE(review): this secret is the value the response phase later compares
    the cookie against, so ``RandomPassword`` is assumed to draw from a CSPRNG
    — confirm in its implementation.
    """
    if not self._is_enabled(request):
        return

    session = request.session
    if not session.get('test_cookie_secret'):
        secret = RandomPassword().get(ascii=True)
        session['test_cookie_secret'] = str(secret)
        session.save()

    if not request.COOKIES.get('satctoken'):
        # Every cookie-less request counts towards the attempt budget.
        UserAuthAttempt.clean()
        UserAuthAttempt.store(request)
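def login_confirmation(request, template_name='secureauth/confirmation.html',
                       authentication_form=ConfirmAuthenticationForm,
                       extra_context=None, current_app=None
                       ):  # pylint: disable=R0913
    """Second login step: confirm a pending login with an extra factor.

    The payload read through ``get_data(request)`` carries ``user_pk``,
    ``redirect_to`` and optionally ``extra_context`` (presumably the signed
    blob ``login`` places in ``?data=``; confirm ``get_data`` verifies it).

    Responses:
      * 400 when ``CHECK_ATTEMPT`` is set and ``UserAuthAttempt.is_banned``
        holds, or when the confirmed user is not the one in the payload.
      * redirect to the payload's ``redirect_to`` (``'/'`` when absent) when
        the user is already authenticated or confirmation succeeds.
      * otherwise the rendered confirmation form; a failed POST is stored as
        an auth attempt when ``CHECK_ATTEMPT`` is exactly ``True``.
    """
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = get_data(request)
    if extra_context is None and data.get('extra_context'):
        extra_context = data.get('extra_context')

    # Same fallback for both redirects, so a payload lacking redirect_to can
    # never produce HttpResponseRedirect(None).
    redirect_to = data.get('redirect_to', '/')

    if hasattr(request, 'user') and request.user.is_authenticated():
        return HttpResponseRedirect(redirect_to)
    elif request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()
            # Only the user the payload was issued for may complete it.
            if user and data.get('user_pk') == user.pk:
                _complete_confirmed_login(request, user, form)
                return HttpResponseRedirect(redirect_to)
            else:
                return HttpResponseBadRequest()
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        'form': form,
        'site': current_site,
        'site_name': current_site.name,
        'data': request.GET.get('data'),
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(
            request, template_name, context, current_app=current_app)
    else:
        return TemplateResponse(request, template_name, context)


def _complete_confirmed_login(request, user, form):
    """Log ``user`` in and run the post-login bookkeeping.

    Clears the test cookie, logs location/auth type when ``UserAuthLogging``
    is enabled, sends the notification, drops the attempt record and stores
    the client IP in the session.
    """
    auth_login(request, user)
    if request.session.test_cookie_worked():
        request.session.delete_test_cookie()
    if UserAuthLogging.is_enabled(request):
        UserAuthActivity.check_location(request)
        UserAuthActivity.log_auth(
            request, form.cleaned_data.get('auth_type'))
    UserAuthNotification.notify(request)
    UserAuthAttempt.remove(request)
    request.session['ip'] = get_ip(request)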
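def login_confirmation(request, template_name='secureauth/confirmation.html',
                       authentication_form=ConfirmAuthenticationForm,
                       extra_context=None, current_app=None):  # pylint: disable=R0913
    """Second login step: confirm a pending login with an extra factor.

    ``get_data(request)`` supplies the payload with ``user_pk``,
    ``redirect_to`` and optionally ``extra_context`` (presumably the signed
    blob ``login`` places in ``?data=``; confirm ``get_data`` verifies it).

    Returns 400 for a banned client (``CHECK_ATTEMPT`` set and
    ``UserAuthAttempt.is_banned``) or when the confirmed user differs from the
    payload's ``user_pk``; redirects to the payload's ``redirect_to``
    (``'/'`` when absent) for an already-authenticated user or a successful
    confirmation; otherwise renders the form. An invalid POST is stored as an
    auth attempt when ``CHECK_ATTEMPT`` is exactly ``True``.
    """
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = get_data(request)
    if extra_context is None and data.get('extra_context'):
        extra_context = data.get('extra_context')

    # One fallback for both redirects: a payload without redirect_to used to
    # reach HttpResponseRedirect(None) on the success path.
    redirect_to = data.get('redirect_to', '/')

    if hasattr(request, 'user') and request.user.is_authenticated():
        return HttpResponseRedirect(redirect_to)

    if request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()
            if not (user and data.get('user_pk') == user.pk):
                # Confirmed as somebody other than the payload's user.
                return HttpResponseBadRequest()
            auth_login(request, user)
            if request.session.test_cookie_worked():
                request.session.delete_test_cookie()
            if UserAuthLogging.is_enabled(request):
                UserAuthActivity.check_location(request)
                UserAuthActivity.log_auth(
                    request, form.cleaned_data.get('auth_type'))
            UserAuthNotification.notify(request)
            UserAuthAttempt.remove(request)
            request.session['ip'] = get_ip(request)
            return HttpResponseRedirect(redirect_to)
        if CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        'form': form,
        'site': current_site,
        'site_name': current_site.name,
        'data': request.GET.get('data'),
    }
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context,
                            current_app=current_app)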
def __init__(self, request, *args, **kwargs):
    """Build the login form, adding a captcha once the client failed too often.

    ``test_cookie_enabled`` (keyword only, default ``True``) is consumed here
    and never reaches the parent constructor; when it is exactly ``False`` the
    form's ``request`` attribute is reset to ``None`` afterwards (presumably so
    the parent form skips its test-cookie check — confirm against the parent).

    The captcha field is added only when ``CAPTCHA_ENABLED`` is exactly
    ``True`` and ``UserAuthAttempt.get_attempts(request)`` exceeds
    ``CAPTCHA_ATTEMPT``; the attempt lookup is skipped otherwise.
    """
    from secureauth.defaults import CAPTCHA_ATTEMPT, CAPTCHA_ENABLED

    cookie_check = kwargs.pop('test_cookie_enabled', True)
    super(BaseAuthForm, self).__init__(request, *args, **kwargs)

    needs_captcha = (
        CAPTCHA_ENABLED is True
        and UserAuthAttempt.get_attempts(request) > CAPTCHA_ATTEMPT
    )
    if needs_captcha:
        self.fields['captcha'] = CaptchaField()

    if cookie_check is False:
        self.request = None
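def login_confirmation(
    request,
    template_name="secureauth/confirmation.html",
    authentication_form=ConfirmAuthenticationForm,
    extra_context=None,
    current_app=None,
):
    """Second login step: confirm a pending login with an extra factor.

    ``_get_data(request)`` supplies the payload with ``user_pk``, ``redirect_to``
    and optionally ``extra_context`` (presumably the signed blob ``login`` places
    in ``?data=``; confirm ``_get_data`` verifies it).

    Returns 400 for a banned client (``CHECK_ATTEMPT`` set and
    ``UserAuthAttempt.is_banned``) or when the confirmed user differs from the
    payload's ``user_pk``; redirects to the payload's ``redirect_to`` (``"/"``
    when absent) for an already-authenticated user or a successful
    confirmation; otherwise renders the form. An invalid POST is stored as an
    auth attempt when ``CHECK_ATTEMPT`` is exactly ``True``.
    """
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = _get_data(request)
    if extra_context is None and data.get("extra_context"):
        extra_context = data.get("extra_context")

    # Same fallback for both redirects; previously the success path could
    # end up at HttpResponseRedirect(None) when the payload had no target.
    redirect_to = data.get("redirect_to", "/")

    if hasattr(request, "user") and request.user.is_authenticated():
        return HttpResponseRedirect(redirect_to)
    elif request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()
            # Only the user the payload was issued for may complete it.
            if user and data.get("user_pk") == user.pk:
                _finish_confirmed_login(request, user, form)
                return HttpResponseRedirect(redirect_to)
            else:
                return HttpResponseBadRequest()
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        "form": form,
        "site": current_site,
        "site_name": current_site.name,
        "data": request.GET.get("data"),
    }
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context, current_app=current_app)


def _finish_confirmed_login(request, user, form):
    """Log ``user`` in and run the post-login bookkeeping.

    Clears the test cookie, logs location and auth type when ``UserAuthLogging``
    is enabled, sends the notification, drops the attempt record and stores the
    client IP in the session.
    """
    auth_login(request, user)
    if request.session.test_cookie_worked():
        request.session.delete_test_cookie()
    if UserAuthLogging.is_enabled(request):
        UserAuthActivity.check_location(request)
        UserAuthActivity.log_auth(request, form.cleaned_data.get("auth_type"))
    UserAuthNotification.notify(request)
    UserAuthAttempt.remove(request)
    request.session["ip"] = get_ip(request)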
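def process_response(self, request, response):
    """Bind the session to the ``satctoken`` cookie; challenge or expire on mismatch.

    Only active when ``self._is_enabled(request)``:
      * banned client (``UserAuthAttempt.is_banned``) → 400.
      * no ``satctoken`` cookie → the response is replaced by the
        ``secureauth/test_cookie.html`` page, rendered with the session's
        ``test_cookie_secret`` AES-encrypted under the static
        ``TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY`` / ``_IV`` settings, the key
        and IV themselves, and the current URL to return to.
      * cookie present and a 200 response → the hex-decoded cookie must equal
        ``test_cookie_secret``: no secret in the session → ``self._clean``;
        a different value → body replaced by ``secureauth/session_expired.html``,
        ``self._clean`` and ``logout``. Other status codes pass through.

    NOTE(review): key and IV are handed to the template, so the AES step gives
    no confidentiality against the client (presumably the page decrypts in the
    browser to set the cookie); a fixed IV also maps equal secrets to equal
    ciphertexts. Treat it as an encoding, not protection.

    A cookie value that is not valid hex is treated as a mismatch instead of
    raising, so a client-chosen value cannot turn into a server error.
    """
    if not self._is_enabled(request):
        return response
    if UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    token = request.COOKIES.get('satctoken')
    if not token:
        iv = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_IV
        key = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY
        moo = AESModeOfOperation()
        # Mode selector 2 (appears to be CBC in this AES library — confirm);
        # the third element of the result is the sequence of cipher bytes.
        encrypted = moo.encrypt(
            request.session['test_cookie_secret'], 2,
            map(ord, key), moo.aes.keySize["SIZE_128"], map(ord, iv)
        )
        sec_uni = u''.join(map(unichr, encrypted[2]))
        return render(
            request, 'secureauth/test_cookie.html', {
                'test_cookie_enc_key': key,
                'test_cookie_enc_iv': iv,
                'test_cookie_enc_set': quote(sec_uni.encode("utf-8")),
                'test_cookie_next_url': request.get_full_path(),
            })

    if response.status_code != 200:
        return response

    from_session = request.session.get('test_cookie_secret')
    if from_session is None:
        self._clean(request, response)
        return response

    try:
        from_cookie = token.decode('hex')
    except (TypeError, ValueError):
        # Odd length or non-hex characters: the client sent garbage.
        from_cookie = None
    if from_cookie != from_session:
        response.content = render_template(
            'secureauth/session_expired.html')
        self._clean(request, response)
        logout(request)
    return response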
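def process_response(self, request, response):
    """Bind the session to the ``satctoken`` cookie; challenge or expire on mismatch.

    Only active when ``self._is_enabled(request)``. A banned client
    (``UserAuthAttempt.is_banned``) gets 400. Without a ``satctoken`` cookie
    the response is replaced by the test-cookie page (see
    ``_render_test_cookie_page``). With a cookie and a 200 response the
    hex-decoded cookie must equal the session's ``test_cookie_secret``: no
    secret → ``self._clean``; different value (or undecodable cookie) → body
    replaced by ``secureauth/session_expired.html``, ``self._clean`` and
    ``logout``. Other status codes pass through untouched.
    """
    if not self._is_enabled(request):
        return response
    if UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    token = request.COOKIES.get('satctoken')
    if not token:
        return _render_test_cookie_page(request)

    if response.status_code == 200:
        from_session = request.session.get('test_cookie_secret')
        if from_session is None:
            self._clean(request, response)
        elif not _cookie_matches(token, from_session):
            response.content = render_template(
                'secureauth/session_expired.html')
            self._clean(request, response)
            logout(request)
    return response


def _cookie_matches(token, secret):
    """Return True when the hex ``token`` decodes to ``secret``.

    A value that is not valid hex (odd length, non-hex characters) is a
    mismatch rather than an exception, so a client-chosen cookie cannot
    cause a server error.
    """
    try:
        return token.decode('hex') == secret
    except (TypeError, ValueError):
        return False


def _render_test_cookie_page(request):
    """Render ``secureauth/test_cookie.html`` carrying the encrypted secret.

    The session's ``test_cookie_secret`` is AES-encrypted under the static
    ``TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY`` / ``_IV`` settings; the key, IV,
    URL-quoted ciphertext and the current URL are passed to the template.

    NOTE(review): since key and IV go to the client too, this is an encoding
    rather than protection (presumably decrypted in the browser to set the
    cookie), and the fixed IV maps equal secrets to equal ciphertexts.
    """
    iv = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_IV
    key = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY
    moo = AESModeOfOperation()
    # Mode selector 2 (appears to be CBC in this AES library — confirm);
    # the third element of the result is the sequence of cipher bytes.
    encrypted = moo.encrypt(request.session['test_cookie_secret'], 2,
                            map(ord, key), moo.aes.keySize["SIZE_128"],
                            map(ord, iv))
    sec_uni = u''.join(map(unichr, encrypted[2]))
    return render(
        request, 'secureauth/test_cookie.html', {
            'test_cookie_enc_key': key,
            'test_cookie_enc_iv': iv,
            'test_cookie_enc_set': quote(sec_uni.encode("utf-8")),
            'test_cookie_next_url': request.get_full_path(),
        })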
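def login(request, template_name='secureauth/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=BaseAuthForm,
          current_app=None, extra_context=None, redirect_to=''
          ):  # pylint: disable=R0913
    """First login step: password check, then finish or hand off to confirmation.

    The target is read from ``request.GET`` then ``request.POST`` under
    ``redirect_field_name``, falling back to the ``redirect_to`` argument.
    A banned client (``CHECK_ATTEMPT`` set and ``UserAuthAttempt.is_banned``)
    gets 400 first. On a valid POST:
      * the target is normalised by ``_safe_redirect_target``;
      * ``UserAuthIPRange.is_blocked`` → ``secureauth/blocked_ip.html``;
      * ``SMS_FORCE`` or more than one available auth method → the login is
        not completed here: credentials, user pk, client IP, target and
        ``extra_context`` are signed with ``Sign()`` and the client is sent to
        ``auth_confirmation`` with the payload in ``?data=``;
      * otherwise the user is logged in, activity logged and the client
        redirected to the target.
    An invalid POST is stored as an auth attempt when ``CHECK_ATTEMPT`` is
    exactly ``True``; GET renders the form.

    NOTE(review): ``form.cleaned_data`` (the submitted credentials) is part of
    the payload placed in the confirmation URL's query string; confirm that
    ``Sign`` encrypts rather than only signs, otherwise the value is exposed
    to server logs, browser history and Referer headers.
    """
    args = [redirect_field_name, redirect_to]
    redirect_to = request.GET.get(*args) or request.POST.get(*args)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(
            request, data=request.POST, test_cookie_enabled=False)
        if form.is_valid():
            redirect_to = _safe_redirect_target(request, redirect_to)
            user = form.get_user()
            if UserAuthIPRange.is_blocked(request, user):
                return render(request, 'secureauth/blocked_ip.html')
            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    'credentials': form.cleaned_data,
                    'user_pk': user.pk,
                    'ip': get_ip(request),
                    'redirect_to': redirect_to,
                    'extra_context': extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect(
                    '%s?data=%s' % (reverse('auth_confirmation'), data))
            auth_login(request, user)
            if request.session.test_cookie_worked():
                request.session.delete_test_cookie()
            if UserAuthLogging.is_enabled(request):
                UserAuthActivity.check_location(request)
                UserAuthActivity.log_auth(request)
            UserAuthAttempt.remove(request)
            request.session['ip'] = get_ip(request)
            return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(
            request, template_name, context, current_app=current_app)
    else:
        return TemplateResponse(request, template_name, context)


def _safe_redirect_target(request, redirect_to):
    """Return a same-host redirect target, resolving the configured default.

    Anything ``is_safe_url`` rejects becomes ``settings.LOGIN_REDIRECT_URL``.
    A bare token (no ``'/'`` and no ``'.'``, whether client-supplied or
    configured) also collapses to the configured default, which is passed
    through ``reverse`` only when it is itself such a bare name — so a
    path-style ``LOGIN_REDIRECT_URL`` no longer raises ``NoReverseMatch`` for
    a client-chosen bare token.
    """
    if not is_safe_url(url=redirect_to, host=request.get_host()):
        redirect_to = settings.LOGIN_REDIRECT_URL
    if '/' not in redirect_to and '.' not in redirect_to:
        default = settings.LOGIN_REDIRECT_URL
        if '/' not in default and '.' not in default:
            default = reverse(default)
        redirect_to = default
    return redirect_to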
def save(self):
    """Hand the form's ``ip`` to ``UserAuthAttempt.remove``.

    ``UserAuthAttempt.remove`` takes a request, so a throw-away GET request is
    built with ``RequestFactory`` and its ``REMOTE_ADDR`` set to the cleaned
    ``ip`` value before the call.
    """
    client_ip = self.cleaned_data.get('ip')
    fake_request = RequestFactory().get('/')
    fake_request.META['REMOTE_ADDR'] = client_ip
    UserAuthAttempt.remove(fake_request)
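def login(
    request,
    template_name="secureauth/login.html",
    redirect_field_name=REDIRECT_FIELD_NAME,
    authentication_form=BaseAuthForm,
    current_app=None,
    extra_context=None,
    redirect_to="",
):
    """First login step: password check, then finish or hand off to confirmation.

    The target is read from ``request.REQUEST`` under ``redirect_field_name``
    (NOTE: ``request.REQUEST`` was deprecated in Django 1.7 and removed in
    1.9), falling back to the ``redirect_to`` argument. A banned client
    (``CHECK_ATTEMPT`` set and ``UserAuthAttempt.is_banned``) gets 400 first.
    On a valid POST:
      * an unsafe target becomes ``settings.LOGIN_REDIRECT_URL``; a bare token
        also collapses to that default, which is ``reverse``d only when it is a
        URL name;
      * ``UserAuthIPRange.is_blocked`` → ``secureauth/blocked_ip.html``;
      * ``SMS_FORCE`` or more than one available auth method → the login is
        not completed here: credentials, user pk, client IP, target and
        ``extra_context`` are signed with ``Sign()`` and the client is sent to
        ``auth_confirmation`` with the payload in ``?data=``;
      * otherwise the user is logged in, activity logged and the client
        redirected to the target.
    An invalid POST is stored as an auth attempt when ``CHECK_ATTEMPT`` is
    exactly ``True``; GET renders the form.

    NOTE(review): ``form.cleaned_data`` (the submitted credentials) is part of
    the payload placed in the confirmation URL's query string; confirm that
    ``Sign`` encrypts rather than only signs, otherwise the value is exposed
    to server logs, browser history and Referer headers.
    """
    redirect_to = request.REQUEST.get(redirect_field_name, redirect_to)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(request, data=request.POST, test_cookie_enabled=False)
        if form.is_valid():
            if not is_safe_url(url=redirect_to, host=request.get_host()):
                redirect_to = settings.LOGIN_REDIRECT_URL
            if "/" not in redirect_to and "." not in redirect_to:
                # A bare token (client-supplied or configured) collapses to the
                # configured default; reverse() it only when that default is
                # itself a URL name, so a path-style LOGIN_REDIRECT_URL cannot
                # raise NoReverseMatch on a client-chosen value.
                redirect_to = settings.LOGIN_REDIRECT_URL
                if "/" not in redirect_to and "." not in redirect_to:
                    redirect_to = reverse(redirect_to)
            user = form.get_user()
            if UserAuthIPRange.is_blocked(request, user):
                return render(request, "secureauth/blocked_ip.html")
            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    "credentials": form.cleaned_data,
                    "user_pk": user.pk,
                    "ip": get_ip(request),
                    "redirect_to": redirect_to,
                    "extra_context": extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect("%s?data=%s" % (reverse("auth_confirmation"), data))
            auth_login(request, user)
            if request.session.test_cookie_worked():
                request.session.delete_test_cookie()
            if UserAuthLogging.is_enabled(request):
                UserAuthActivity.check_location(request)
                UserAuthActivity.log_auth(request)
            UserAuthAttempt.remove(request)
            request.session["ip"] = get_ip(request)
            return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        "form": form,
        redirect_field_name: redirect_to,
        "site": current_site,
        "site_name": current_site.name,
    }
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context, current_app=current_app)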
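def login(request, template_name='secureauth/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=BaseAuthForm,
          current_app=None, extra_context=None,
          redirect_to=''):  # pylint: disable=R0913
    """First login step: password check, then finish or hand off to confirmation.

    The target is read from ``request.GET`` then ``request.POST`` under
    ``redirect_field_name``, falling back to the ``redirect_to`` argument.
    A banned client (``CHECK_ATTEMPT`` set and ``UserAuthAttempt.is_banned``)
    gets 400 first. On a valid POST:
      * an unsafe target becomes ``settings.LOGIN_REDIRECT_URL``; a bare token
        also collapses to that default, which is ``reverse``d only when it is
        a URL name;
      * ``UserAuthIPRange.is_blocked`` → ``secureauth/blocked_ip.html``;
      * ``SMS_FORCE`` or more than one available auth method → the login is
        not completed here: credentials, user pk, client IP, target and
        ``extra_context`` are signed with ``Sign()`` and the client is sent to
        ``auth_confirmation`` with the payload in ``?data=``;
      * otherwise ``_complete_login`` runs and the client is redirected.
    An invalid POST is stored as an auth attempt when ``CHECK_ATTEMPT`` is
    exactly ``True``; GET renders the form.

    NOTE(review): ``form.cleaned_data`` (the submitted credentials) is part of
    the payload placed in the confirmation URL's query string; confirm that
    ``Sign`` encrypts rather than only signs, otherwise the value is exposed
    to server logs, browser history and Referer headers.
    """
    args = [redirect_field_name, redirect_to]
    redirect_to = request.GET.get(*args) or request.POST.get(*args)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(request, data=request.POST,
                                   test_cookie_enabled=False)
        if form.is_valid():
            if not is_safe_url(url=redirect_to, host=request.get_host()):
                redirect_to = settings.LOGIN_REDIRECT_URL
            if '/' not in redirect_to and '.' not in redirect_to:
                # A bare token (client-supplied or configured) collapses to
                # the configured default; reverse() it only when that default
                # is itself a URL name, so a path-style LOGIN_REDIRECT_URL
                # cannot raise NoReverseMatch on a client-chosen value.
                redirect_to = settings.LOGIN_REDIRECT_URL
                if '/' not in redirect_to and '.' not in redirect_to:
                    redirect_to = reverse(redirect_to)
            user = form.get_user()
            if UserAuthIPRange.is_blocked(request, user):
                return render(request, 'secureauth/blocked_ip.html')
            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    'credentials': form.cleaned_data,
                    'user_pk': user.pk,
                    'ip': get_ip(request),
                    'redirect_to': redirect_to,
                    'extra_context': extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect(
                    '%s?data=%s' % (reverse('auth_confirmation'), data))
            _complete_login(request, user)
            return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()
    current_site = get_current_site(request)
    context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(request, template_name, context,
                                current_app=current_app)
    else:
        return TemplateResponse(request, template_name, context)


def _complete_login(request, user):
    """Log ``user`` in and run the post-login bookkeeping.

    Clears the test cookie, logs location and auth when ``UserAuthLogging`` is
    enabled, drops the attempt record and stores the client IP in the session.
    """
    auth_login(request, user)
    if request.session.test_cookie_worked():
        request.session.delete_test_cookie()
    if UserAuthLogging.is_enabled(request):
        UserAuthActivity.check_location(request)
        UserAuthActivity.log_auth(request)
    UserAuthAttempt.remove(request)
    request.session['ip'] = get_ip(request)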