示例#1
0
    def process_request(self, request):
        if self._is_enabled(request):
            if not request.session.get('test_cookie_secret'):
                request.session['test_cookie_secret'] = str(
                    RandomPassword().get(ascii=True))
                request.session.save()

            if not request.COOKIES.get('satctoken'):
                UserAuthAttempt.clean()
                UserAuthAttempt.store(request)
    def process_request(self, request):
        if self._is_enabled(request):
            if not request.session.get('test_cookie_secret'):
                request.session['test_cookie_secret'] = str(
                    RandomPassword().get(ascii=True))
                request.session.save()

            if not request.COOKIES.get('satctoken'):
                UserAuthAttempt.clean()
                UserAuthAttempt.store(request)
示例#3
0
def login_confirmation(request, template_name='secureauth/confirmation.html',
                       authentication_form=ConfirmAuthenticationForm,
                       extra_context=None, current_app=None
                       ):  # pylint: disable=R0913
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = get_data(request)
    if extra_context is None and data.get('extra_context'):
        extra_context = data.get('extra_context')

    if hasattr(request, 'user') and request.user.is_authenticated():
        return HttpResponseRedirect(data.get('redirect_to', '/'))
    elif request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()

            if user and data.get('user_pk') == user.pk:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(
                        request, form.cleaned_data.get('auth_type'))

                UserAuthNotification.notify(request)
                UserAuthAttempt.remove(request)
                request.session['ip'] = get_ip(request)

                return HttpResponseRedirect(data.get('redirect_to'))
            else:
                return HttpResponseBadRequest()
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {
        'form': form,
        'site': current_site,
        'site_name': current_site.name,
        'data': request.GET.get('data'),
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(
            request, template_name, context, current_app=current_app)
    else:
        return TemplateResponse(
            request, template_name, context)
def login_confirmation(request,
                       template_name='secureauth/confirmation.html',
                       authentication_form=ConfirmAuthenticationForm,
                       extra_context=None,
                       current_app=None):  # pylint: disable=R0913
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = get_data(request)
    if extra_context is None and data.get('extra_context'):
        extra_context = data.get('extra_context')

    if hasattr(request, 'user') and request.user.is_authenticated():
        return HttpResponseRedirect(data.get('redirect_to', '/'))
    elif request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()

            if user and data.get('user_pk') == user.pk:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(
                        request, form.cleaned_data.get('auth_type'))

                UserAuthNotification.notify(request)
                UserAuthAttempt.remove(request)
                request.session['ip'] = get_ip(request)

                return HttpResponseRedirect(data.get('redirect_to'))
            else:
                return HttpResponseBadRequest()
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {
        'form': form,
        'site': current_site,
        'site_name': current_site.name,
        'data': request.GET.get('data'),
    }
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request,
                            template_name,
                            context,
                            current_app=current_app)
    def __init__(self, request, *args, **kwargs):
        from secureauth.defaults import CAPTCHA_ATTEMPT, CAPTCHA_ENABLED

        test_cookie_enabled = kwargs.pop('test_cookie_enabled', True)

        super(BaseAuthForm, self).__init__(request, *args, **kwargs)

        if CAPTCHA_ENABLED is True:
            if UserAuthAttempt.get_attempts(request) > CAPTCHA_ATTEMPT:
                self.fields['captcha'] = CaptchaField()

        if test_cookie_enabled is False:
            self.request = None
示例#6
0
    def __init__(self, request, *args, **kwargs):
        from secureauth.defaults import CAPTCHA_ATTEMPT, CAPTCHA_ENABLED

        test_cookie_enabled = kwargs.pop('test_cookie_enabled', True)

        super(BaseAuthForm, self).__init__(request, *args, **kwargs)

        if CAPTCHA_ENABLED is True:
            if UserAuthAttempt.get_attempts(request) > CAPTCHA_ATTEMPT:
                self.fields['captcha'] = CaptchaField()

        if test_cookie_enabled is False:
            self.request = None
示例#7
0
def login_confirmation(
    request,
    template_name="secureauth/confirmation.html",
    authentication_form=ConfirmAuthenticationForm,
    extra_context=None,
    current_app=None,
):
    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    data = _get_data(request)
    if extra_context is None and data.get("extra_context"):
        extra_context = data.get("extra_context")

    if hasattr(request, "user") and request.user.is_authenticated():
        return HttpResponseRedirect(data.get("redirect_to", "/"))
    elif request.method == "POST":
        form = authentication_form(data, request.POST)
        if form.is_valid():
            user = form.get_user()

            if user and data.get("user_pk") == user.pk:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(request, form.cleaned_data.get("auth_type"))

                UserAuthNotification.notify(request)
                UserAuthAttempt.remove(request)
                request.session["ip"] = get_ip(request)

                return HttpResponseRedirect(data.get("redirect_to"))
            else:
                return HttpResponseBadRequest()
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(data)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {"form": form, "site": current_site, "site_name": current_site.name, "data": request.GET.get("data")}
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context, current_app=current_app)
    def process_response(self, request, response):
        if not self._is_enabled(request):
            return response

        if UserAuthAttempt.is_banned(request):
            return HttpResponseBadRequest()

        if not request.COOKIES.get('satctoken'):
            iv = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_IV
            key = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY

            moo = AESModeOfOperation()
            encrypted = moo.encrypt(
                request.session['test_cookie_secret'], 2,
                map(ord, key), moo.aes.keySize["SIZE_128"], map(ord, iv)
            )
            sec_uni = u''.join(map(unichr, encrypted[2]))

            return render(
                request, 'secureauth/test_cookie.html', {
                    'test_cookie_enc_key': key,
                    'test_cookie_enc_iv': iv,
                    'test_cookie_enc_set': quote(sec_uni.encode("utf-8")),
                    'test_cookie_next_url': request.get_full_path(),
                })
        elif response.status_code == 200:
            from_cookie = request.COOKIES.get('satctoken').decode('hex')
            from_session = request.session.get('test_cookie_secret')
            if from_session is None:
                self._clean(request, response)
            elif from_cookie != from_session:
                response.content = render_template(
                    'secureauth/session_expired.html')
                self._clean(request, response)
                logout(request)
                return response
        return response
示例#9
0
    def process_response(self, request, response):
        if not self._is_enabled(request):
            return response

        if UserAuthAttempt.is_banned(request):
            return HttpResponseBadRequest()

        if not request.COOKIES.get('satctoken'):
            iv = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_IV
            key = TEST_COOKIE_REFRESH_ENCRYPT_COOKIE_KEY

            moo = AESModeOfOperation()
            encrypted = moo.encrypt(request.session['test_cookie_secret'], 2,
                                    map(ord, key), moo.aes.keySize["SIZE_128"],
                                    map(ord, iv))
            sec_uni = u''.join(map(unichr, encrypted[2]))

            return render(
                request, 'secureauth/test_cookie.html', {
                    'test_cookie_enc_key': key,
                    'test_cookie_enc_iv': iv,
                    'test_cookie_enc_set': quote(sec_uni.encode("utf-8")),
                    'test_cookie_next_url': request.get_full_path(),
                })
        elif response.status_code == 200:
            from_cookie = request.COOKIES.get('satctoken').decode('hex')
            from_session = request.session.get('test_cookie_secret')
            if from_session is None:
                self._clean(request, response)
            elif from_cookie != from_session:
                response.content = render_template(
                    'secureauth/session_expired.html')
                self._clean(request, response)
                logout(request)
                return response
        return response
示例#10
0
def login(request, template_name='secureauth/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=BaseAuthForm,
          current_app=None, extra_context=None, redirect_to=''
          ):  # pylint: disable=R0913
    args = [redirect_field_name, redirect_to]
    redirect_to = request.GET.get(*args) or request.POST.get(*args)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(
            request, data=request.POST, test_cookie_enabled=False)
        if form.is_valid():
            if not is_safe_url(url=redirect_to, host=request.get_host()):
                redirect_to = settings.LOGIN_REDIRECT_URL
                if '/' not in redirect_to and '.' not in redirect_to:
                    redirect_to = reverse(settings.LOGIN_REDIRECT_URL)

            user = form.get_user()

            if UserAuthIPRange.is_blocked(request, user):
                return render(request, 'secureauth/blocked_ip.html')

            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    'credentials': form.cleaned_data,
                    'user_pk': user.pk,
                    'ip': get_ip(request),
                    'redirect_to': redirect_to,
                    'extra_context': extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect(
                    '%s?data=%s' % (reverse('auth_confirmation'), data))
            else:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(request)
                UserAuthAttempt.remove(request)
                request.session['ip'] = get_ip(request)
                return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(
            request, template_name, context, current_app=current_app)
    else:
        return TemplateResponse(
            request, template_name, context)
示例#11
0
 def save(self):
     request = RequestFactory().get('/')
     request.META['REMOTE_ADDR'] = self.cleaned_data.get('ip')
     UserAuthAttempt.remove(request)
示例#12
0
 def save(self):
     request = RequestFactory().get('/')
     request.META['REMOTE_ADDR'] = self.cleaned_data.get('ip')
     UserAuthAttempt.remove(request)
示例#13
0
def login(
    request,
    template_name="secureauth/login.html",
    redirect_field_name=REDIRECT_FIELD_NAME,
    authentication_form=BaseAuthForm,
    current_app=None,
    extra_context=None,
    redirect_to="",
):
    redirect_to = request.REQUEST.get(redirect_field_name, redirect_to)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(request, data=request.POST, test_cookie_enabled=False)
        if form.is_valid():
            if not is_safe_url(url=redirect_to, host=request.get_host()):
                redirect_to = settings.LOGIN_REDIRECT_URL
                if "/" not in redirect_to and "." not in redirect_to:
                    redirect_to = reverse(settings.LOGIN_REDIRECT_URL)

            user = form.get_user()

            if UserAuthIPRange.is_blocked(request, user):
                return render(request, "secureauth/blocked_ip.html")

            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    "credentials": form.cleaned_data,
                    "user_pk": user.pk,
                    "ip": get_ip(request),
                    "redirect_to": redirect_to,
                    "extra_context": extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect("%s?data=%s" % (reverse("auth_confirmation"), data))
            else:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(request)
                UserAuthAttempt.remove(request)
                request.session["ip"] = get_ip(request)
                return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {"form": form, redirect_field_name: redirect_to, "site": current_site, "site_name": current_site.name}
    if extra_context is not None:
        context.update(extra_context)
    return TemplateResponse(request, template_name, context, current_app=current_app)
示例#14
0
def login(request,
          template_name='secureauth/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=BaseAuthForm,
          current_app=None,
          extra_context=None,
          redirect_to=''):  # pylint: disable=R0913
    args = [redirect_field_name, redirect_to]
    redirect_to = request.GET.get(*args) or request.POST.get(*args)

    if CHECK_ATTEMPT and UserAuthAttempt.is_banned(request):
        return HttpResponseBadRequest()

    if request.method == "POST":
        form = authentication_form(request,
                                   data=request.POST,
                                   test_cookie_enabled=False)
        if form.is_valid():
            if not is_safe_url(url=redirect_to, host=request.get_host()):
                redirect_to = settings.LOGIN_REDIRECT_URL
                if '/' not in redirect_to and '.' not in redirect_to:
                    redirect_to = reverse(settings.LOGIN_REDIRECT_URL)

            user = form.get_user()

            if UserAuthIPRange.is_blocked(request, user):
                return render(request, 'secureauth/blocked_ip.html')

            if SMS_FORCE or len(get_available_auth_methods(user)) > 1:
                data = {
                    'credentials': form.cleaned_data,
                    'user_pk': user.pk,
                    'ip': get_ip(request),
                    'redirect_to': redirect_to,
                    'extra_context': extra_context,
                }
                data = Sign().sign(data)
                return HttpResponseRedirect(
                    '%s?data=%s' % (reverse('auth_confirmation'), data))
            else:
                auth_login(request, user)

                if request.session.test_cookie_worked():
                    request.session.delete_test_cookie()

                if UserAuthLogging.is_enabled(request):
                    UserAuthActivity.check_location(request)
                    UserAuthActivity.log_auth(request)
                UserAuthAttempt.remove(request)
                request.session['ip'] = get_ip(request)
                return HttpResponseRedirect(redirect_to)
        elif CHECK_ATTEMPT is True:
            UserAuthAttempt.clean()
            UserAuthAttempt.store(request)
    else:
        form = authentication_form(request)

    request.session.set_test_cookie()

    current_site = get_current_site(request)

    context = {
        'form': form,
        redirect_field_name: redirect_to,
        'site': current_site,
        'site_name': current_site.name,
    }
    if extra_context is not None:
        context.update(extra_context)
    if django.VERSION < (1, 8):
        return TemplateResponse(request,
                                template_name,
                                context,
                                current_app=current_app)
    else:
        return TemplateResponse(request, template_name, context)