def generate_api_access_token(user, type='email'): """ Api access tokens have the following format: type.user_id.md5(user_id + fb_access_token + secret_key) """ user_id = user.user_id if type == 'email': access_token = user.email_access_token access_token_expiry = user.email_access_token_expiry secret = h.site_secret() elif type == 'facebook': access_token = user.fb_access_token access_token_expiry = user.fb_access_token_expiry secret = h.fb_secret() else: raise ApiSecurityException('Unknown access token type: %r' % type) print access_token, access_token_expiry, secret if access_token is None: raise UserNotLoggedInException() elif access_token_expiry <= int(time.time()): raise AccessTokenExpiredException(type) token = generate_security_token(user_id, access_token, secret) return '%s.%s.%s' % (type, user_id, token)
def verify_security_token(type, user, security_token): """ Verify that the security token is for the specified user and type """ access_token = None if type == 'facebook': access_token = user.fb_access_token secret = h.fb_secret() elif type == 'email': access_token = user.email_access_token secret = h.site_secret() else: raise ApiSecurityException('Unknown access token type: %r' % type) if access_token is None: raise UserNotLoggedInException() expected = generate_security_token(user.user_id, access_token, secret) return expected == security_token