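def render_app_html(request, additional_json=None, include_user=True, status=200):
    """Render ``app.html`` with the bootstrap JSON spliced into the page.

    Args:
        request: Django request; ``request.user`` is serialized when
            ``include_user`` is true, and ``request.get_host()`` selects the
            dev-server rewrite at the end.
        additional_json: optional mapping merged over the default payload
            (its keys win on collision).
        include_user: whether to add the ``_get_json_for_initial_user`` output
            under the ``user`` key.
        status: HTTP status code for the response.

    Returns:
        ``HttpResponse`` carrying the rendered page as ``text/html``.

    Raises:
        AttributeError: if the template contains no ``static/app-<version>.js``
            reference, since the regex match below is not guarded.
    """
    html = loader.render_to_string('app.html')
    # Raw string: a bare '\.' inside a normal literal is an invalid escape sequence.
    ui_version = re.search(r'static/app-(.*)\.js', html).group(1)
    initial_json = {
        'meta': {
            'version': '{}-{}'.format(SEQR_VERSION, ui_version),
            # ``or False`` only normalises a falsy DEBUG (e.g. None) to False.
            'hijakEnabled': DEBUG or False,
            'googleLoginEnabled': google_auth_enabled(),
        }
    }
    if include_user:
        initial_json['user'] = _get_json_for_initial_user(request.user)
    if additional_json:
        initial_json.update(additional_json)
    # The payload is spliced into what is presumably an inline <script>
    # assignment, and parts of it (user fields) are user-controlled. Escape the
    # characters that could close the element or open a tag (e.g. a value
    # containing "</script>"); the replacements are valid JSON/JS string
    # escapes, so the parsed value is unchanged (same approach as Django's
    # json_script).
    serialized = json.dumps(initial_json, default=DjangoJSONEncoder().default)
    serialized = (serialized.replace('<', '\\u003c')
                  .replace('>', '\\u003e')
                  .replace('&', '\\u0026'))
    html = html.replace("window.initialJSON=null", "window.initialJSON=" + serialized)
    if request.get_host() == 'localhost:3000':
        # Local dev server: point the bundle at the unversioned app.js and drop
        # the built stylesheet link.
        html = re.sub(r'static/app(-.*)js', 'app.js', html)
        html = re.sub(r'<link\s+href="/static/app.*css"[^>]*>', '', html)
    return HttpResponse(html, content_type="text/html", status=status)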
def login_view(request):
    """Authenticate a user by email and password and open a session.

    The JSON body must carry ``email`` and ``password``. Lookup failures and
    wrong passwords both answer 401 ``Invalid credentials`` so the response
    does not reveal which one happened. When Google auth is enabled,
    data managers and superusers are refused here and must use Google login
    (that refusal uses a distinct message, which does disclose that the
    account is privileged).

    Args:
        request: Django request whose body is a JSON object.

    Returns:
        A ``create_json_response`` with ``{'success': True}`` on success, or an
        ``{'error': ...}`` body with status 400 (missing field) or 401.

    Raises:
        json.JSONDecodeError / AttributeError: if the body is not a JSON object
            (not handled here).
    """
    payload = json.loads(request.body)

    def _reject(message, status):
        # Every failure path returns the same shape: body and reason agree.
        return create_json_response({'error': message}, status=status, reason=message)

    for field, missing_msg in (('email', 'Email is required'),
                               ('password', 'Password is required')):
        if not payload.get(field):
            return _reject(missing_msg, 400)

    # Django's iexact filtering will improperly match unicode characters, which
    # creates a security risk. Instead, query for the lower case match to allow
    # case-insensitive matching
    candidates = User.objects.annotate(email_lower=Lower('email')).filter(
        email_lower=payload['email'].lower())
    if candidates.count() != 1:
        return _reject('Invalid credentials', 401)
    user = candidates.first()

    if google_auth_enabled() and (user_is_data_manager(user) or user.is_superuser):
        logger.warning(
            "Privileged user {} is trying to login without Google authentication."
            .format(user))
        return _reject('Privileged user must login with Google authentication.', 401)

    authenticated = authenticate(username=user.username, password=payload['password'])
    if not authenticated:
        return _reject('Invalid credentials', 401)

    login(request, authenticated)
    logger.info('Logged in {}'.format(authenticated.email), extra={'user': authenticated})
    return create_json_response({'success': True})
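def forgot_password(request):
    """Email a password-reset link to the single account matching ``email``.

    Args:
        request: Django request whose JSON body carries ``email``.

    Returns:
        ``{'success': True}`` once the mail is sent; status 400 with a reason
        when the email is missing or does not match exactly one user.

    Raises:
        PermissionDenied: when Google auth is enabled (password auth is off).
        Whatever ``email_user`` raises on delivery failure (``fail_silently``
            is False).
    """
    if google_auth_enabled():
        raise PermissionDenied('Username/ password authentication is disabled')
    request_json = json.loads(request.body)
    if not request_json.get('email'):
        return create_json_response({}, status=400, reason='Email is required')
    # Same lookup as login_view: ``email__iexact`` can improperly match unicode
    # characters, so compare against the lower-cased column instead.
    users = User.objects.annotate(email_lower=Lower('email')).filter(
        email_lower=request_json['email'].lower())
    if users.count() != 1:
        # NOTE(review): this reason tells an unauthenticated caller whether an
        # account exists for the email (enumeration); a uniform response would
        # avoid that. Kept as-is since callers may rely on the message.
        return create_json_response({}, status=400, reason='No account found for this email')
    user = users.first()
    # The reset token is the URL-quoted stored password hash, which
    # set_password compares against ``user.password``; it stops being valid
    # once the password changes.
    # NOTE(review): a purpose-built, expiring reset token would keep hash
    # material out of the mail path — confirm this design is intended.
    email_content = """
    Hi there {full_name}--

    Please click this link to reset your seqr password:
    {base_url}login/set_password/{password_token}?reset=true
    """.format(
        full_name=user.get_full_name(),
        base_url=BASE_URL,
        password_token=quote(user.password, safe=''),
    )
    user.email_user('Reset your seqr password', email_content, fail_silently=False)
    return create_json_response({'success': True})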
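def login_view(request):
    """Authenticate a user by email and password and open a session.

    Unlike the earlier ``login_view`` in this file (a later ``def`` of the same
    name replaces the earlier one at import time — confirm which is intended),
    this variant refuses password login entirely when Google auth is enabled.

    Args:
        request: Django request whose body is a JSON object with ``email``
            and ``password``.

    Returns:
        ``{'success': True}`` on success; otherwise an ``{'error': ...}`` body
        with status 400 (missing field) or 401 (bad credentials). Unknown
        email and wrong password share the same message so neither is
        disclosed.

    Raises:
        PermissionDenied: when Google auth is enabled.
    """
    if google_auth_enabled():
        raise PermissionDenied('Username/ password authentication is disabled')
    request_json = json.loads(request.body)
    if not request_json.get('email'):
        error = 'Email is required'
        return create_json_response({'error': error}, status=400, reason=error)
    if not request_json.get('password'):
        error = 'Password is required'
        return create_json_response({'error': error}, status=400, reason=error)

    # Django's iexact filtering will improperly match unicode characters, which
    # creates a security risk. Instead, query for the lower case match to allow
    # case-insensitive matching
    users = User.objects.annotate(email_lower=Lower('email')).filter(
        email_lower=request_json['email'].lower())
    if users.count() != 1:
        error = 'Invalid credentials'
        return create_json_response({'error': error}, status=401, reason=error)
    user = users.first()

    u = authenticate(username=user.username, password=request_json['password'])
    if not u:
        error = 'Invalid credentials'
        return create_json_response({'error': error}, status=401, reason=error)

    login(request, u)
    # Attach the user via ``extra``: passing ``u`` positionally makes logging
    # treat it as a %-format argument for a message with no placeholders,
    # which produces a logging error instead of a record.
    logger.info('Logged in {}'.format(u.email), extra={'user': u})
    return create_json_response({'success': True})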
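def set_password(request, username):
    """Set a new password for ``username`` and log that user in.

    The caller must present ``userToken``, which is the URL-quoted stored
    password hash handed out by ``forgot_password``; it stops matching once
    the password changes.

    Args:
        request: Django request whose JSON body carries ``userToken`` and
            ``password`` (other fields are passed to ``_update_user_from_json``).
        username: username of the account to update.

    Returns:
        ``{'success': True}``, or status 400 when ``password`` is missing.

    Raises:
        PermissionDenied: when Google auth is enabled, or the token does not
            match the stored hash.
        User.DoesNotExist: for an unknown ``username`` (not handled here).
    """
    import hmac

    if google_auth_enabled():
        raise PermissionDenied('Username/ password authentication is disabled')
    user = User.objects.get(username=username)
    request_json = json.loads(request.body)
    user_token = unquote(request_json.get('userToken', ''))
    # Constant-time comparison so the check does not leak how much of the hash
    # a caller has right; encode both sides because compare_digest rejects
    # non-ASCII str and the token is caller-supplied.
    if not hmac.compare_digest(user_token.encode('utf-8'), user.password.encode('utf-8')):
        raise PermissionDenied('Not authorized to update password')
    if not request_json.get('password'):
        return create_json_response({}, status=400, reason='Password is required')
    user.set_password(request_json['password'])
    _update_user_from_json(user, request_json, updated_fields={'password'})
    # Attach the user via ``extra`` (as login_view does): passing ``user``
    # positionally makes logging treat it as a %-format argument for a message
    # with no placeholders, which produces a logging error instead of a record.
    logger.info('Set password for user {}'.format(user.email), extra={'user': user})
    # NOTE(review): authenticate() can return None (e.g. an inactive account)
    # and login() does not accept None — confirm that path is unreachable here.
    u = authenticate(username=username, password=request_json['password'])
    login(request, u)
    return create_json_response({'success': True})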