Merge remote-tracking branch 'cweb/master'

6 files changed, 712 insertions, 0 deletions

diff --git a/mediagoblin/auth/__init__.py b/mediagoblin/auth/__init__.py
new file mode 100644
index 00000000..621845ba
--- /dev/null
+++ b/mediagoblin/auth/__init__.py
@@ -0,0 +1,15 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
diff --git a/mediagoblin/auth/forms.py b/mediagoblin/auth/forms.py
new file mode 100644
index 00000000..0a391d67
--- /dev/null
+++ b/mediagoblin/auth/forms.py
@@ -0,0 +1,66 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import wtforms
+
+from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
+from mediagoblin.auth.tools import normalize_user_or_email_field
+
+
+class RegistrationForm(wtforms.Form):
+    username = wtforms.TextField(
+        _('Username'),
+        [wtforms.validators.Required(),
+         normalize_user_or_email_field(allow_email=False)])
+    password = wtforms.PasswordField(
+        _('Password'),
+        [wtforms.validators.Required(),
+         wtforms.validators.Length(min=5, max=1024)])
+    email = wtforms.TextField(
+        _('Email address'),
+        [wtforms.validators.Required(),
+         normalize_user_or_email_field(allow_user=False)])
+
+
+class LoginForm(wtforms.Form):
+    username = wtforms.TextField(
+        _('Username or Email'),
+        [wtforms.validators.Required(),
+         normalize_user_or_email_field()])
+    password = wtforms.PasswordField(
+        _('Password'),
+        [wtforms.validators.Required(),
+         wtforms.validators.Length(min=5, max=1024)])
+
+
+class ForgotPassForm(wtforms.Form):
+    username = wtforms.TextField(
+        _('Username or email'),
+        [wtforms.validators.Required(),
+         normalize_user_or_email_field()])
+
+
+class ChangePassForm(wtforms.Form):
+    password = wtforms.PasswordField(
+        'Password',
+        [wtforms.validators.Required(),
+         wtforms.validators.Length(min=5, max=1024)])
+    userid = wtforms.HiddenField(
+        '',
+        [wtforms.validators.Required()])
+    token = wtforms.HiddenField(
+        '',
+        [wtforms.validators.Required()])
diff --git a/mediagoblin/auth/lib.py b/mediagoblin/auth/lib.py
new file mode 100644
index 00000000..bfc36b28
--- /dev/null
+++ b/mediagoblin/auth/lib.py
@@ -0,0 +1,120 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import random
+
+import bcrypt
+
+from mediagoblin.tools.mail import send_email
+from mediagoblin.tools.template import render_template
+from mediagoblin import mg_globals
+
+
+def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
+    """
+    Check to see if this password matches.
+
+    Args:
+    - raw_pass: user submitted password to check for authenticity.
+    - stored_hash: The hash of the raw password (and possibly extra
+      salt) to check against
+    - extra_salt: (optional) If this password is with stored with a
+      non-database extra salt (probably in the config file) for extra
+      security, factor this into the check.
+
+    Returns:
+      True or False depending on success.
+    """
+    if extra_salt:
+        raw_pass = u"%s:%s" % (extra_salt, raw_pass)
+
+    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
+
+    # Reduce risk of timing attacks by hashing again with a random
+    # number (thx to zooko on this advice, which I hopefully
+    # incorporated right.)
+    #
+    # See also:
+    rand_salt = bcrypt.gensalt(5)
+    randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
+    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
+
+    return randplus_stored_hash == randplus_hashed_pass
+
+
+def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
+    """
+    Generate a salt for this new password.
+
+    Args:
+    - raw_pass: user submitted password
+    - extra_salt: (optional) If this password is with stored with a
+      non-database extra salt
+    """
+    if extra_salt:
+        raw_pass = u"%s:%s" % (extra_salt, raw_pass)
+
+    return unicode(
+        bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
+
+
+def fake_login_attempt():
+    """
+    Pretend we're trying to login.
+
+    Nothing actually happens here, we're just trying to take up some
+    time, approximately the same amount of time as
+    bcrypt_check_password, so as to avoid figuring out what users are
+    on the system by intentionally faking logins a bunch of times.
+    """
+    rand_salt = bcrypt.gensalt(5)
+
+    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+
+    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
+
+    randplus_stored_hash == randplus_hashed_pass
+
+
+EMAIL_FP_VERIFICATION_TEMPLATE = (
+    u"http://{host}{uri}?"
+    u"userid={userid}&token={fp_verification_key}")
+
+
+def send_fp_verification_email(user, request):
+    """
+    Send the verification email to users to change their password.
+
+    Args:
+    - user: a user object
+    - request: the request
+    """
+    rendered_email = render_template(
+        request, 'mediagoblin/auth/fp_verification_email.txt',
+        {'username': user.username,
+         'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
+                host=request.host,
+                uri=request.urlgen('mediagoblin.auth.verify_forgot_password'),
+                userid=unicode(user.id),
+                fp_verification_key=user.fp_verification_key)})
+
+    # TODO: There is no error handling in place
+    send_email(
+        mg_globals.app_config['email_sender_address'],
+        [user.email],
+        'GNU MediaGoblin - Change forgotten password!',
+        rendered_email)
diff --git a/mediagoblin/auth/routing.py b/mediagoblin/auth/routing.py
new file mode 100644
index 00000000..2a6abb47
--- /dev/null
+++ b/mediagoblin/auth/routing.py
@@ -0,0 +1,33 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+auth_routes = [
+    ('mediagoblin.auth.register', '/register/',
+     'mediagoblin.auth.views:register'),
+    ('mediagoblin.auth.login', '/login/',
+     'mediagoblin.auth.views:login'),
+    ('mediagoblin.auth.logout', '/logout/',
+     'mediagoblin.auth.views:logout'),
+    ('mediagoblin.auth.verify_email', '/verify_email/',
+     'mediagoblin.auth.views:verify_email'),
+    ('mediagoblin.auth.resend_verification', '/resend_verification/',
+     'mediagoblin.auth.views:resend_activation'),
+    ('mediagoblin.auth.forgot_password', '/forgot_password/',
+     'mediagoblin.auth.views:forgot_password'),
+    ('mediagoblin.auth.verify_forgot_password',
+     '/forgot_password/verify/',
+     'mediagoblin.auth.views:verify_forgot_password')]
diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py
new file mode 100644
index 00000000..db6b6e37
--- /dev/null
+++ b/mediagoblin/auth/tools.py
@@ -0,0 +1,159 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import uuid
+import logging
+
+import wtforms
+from sqlalchemy import or_
+
+from mediagoblin import mg_globals
+from mediagoblin.auth import lib as auth_lib
+from mediagoblin.db.models import User
+from mediagoblin.tools.mail import (normalize_email, send_email,
+                                    email_debug_message)
+from mediagoblin.tools.template import render_template
+from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
+
+_log = logging.getLogger(__name__)
+
+
+def normalize_user_or_email_field(allow_email=True, allow_user=True):
+    """
+    Check if we were passed a field that matches a username and/or email
+    pattern.
+
+    This is useful for fields that can take either a username or email
+    address. Use the parameters if you want to only allow a username for
+    instance"""
+    message = _(u'Invalid User name or email address.')
+    nomail_msg = _(u"This field does not take email addresses.")
+    nouser_msg = _(u"This field requires an email address.")
+
+    def _normalize_field(form, field):
+        email = u'@' in field.data
+        if email:  # normalize email address casing
+            if not allow_email:
+                raise wtforms.ValidationError(nomail_msg)
+            wtforms.validators.Email()(form, field)
+            field.data = normalize_email(field.data)
+        else:  # lower case user names
+            if not allow_user:
+                raise wtforms.ValidationError(nouser_msg)
+            wtforms.validators.Length(min=3, max=30)(form, field)
+            wtforms.validators.Regexp(r'^\w+$')(form, field)
+            field.data = field.data.lower()
+        if field.data is None:  # should not happen, but be cautious anyway
+            raise wtforms.ValidationError(message)
+    return _normalize_field
+
+
+EMAIL_VERIFICATION_TEMPLATE = (
+    u"http://{host}{uri}?"
+    u"userid={userid}&token={verification_key}")
+
+
+def send_verification_email(user, request):
+    """
+    Send the verification email to users to activate their accounts.
+
+    Args:
+    - user: a user object
+    - request: the request
+    """
+    rendered_email = render_template(
+        request, 'mediagoblin/auth/verification_email.txt',
+        {'username': user.username,
+         'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
+                host=request.host,
+                uri=request.urlgen('mediagoblin.auth.verify_email'),
+                userid=unicode(user.id),
+                verification_key=user.verification_key)})
+
+    # TODO: There is no error handling in place
+    send_email(
+        mg_globals.app_config['email_sender_address'],
+        [user.email],
+        # TODO
+        # Due to the distributed nature of GNU MediaGoblin, we should
+        # find a way to send some additional information about the
+        # specific GNU MediaGoblin instance in the subject line. For
+        # example "GNU MediaGoblin @ Wandborg - [...]".
+        'GNU MediaGoblin - Verify your email!',
+        rendered_email)
+
+
+def basic_extra_validation(register_form, *args):
+    users_with_username = User.query.filter_by(
+        username=register_form.data['username']).count()
+    users_with_email = User.query.filter_by(
+        email=register_form.data['email']).count()
+
+    extra_validation_passes = True
+
+    if users_with_username:
+        register_form.username.errors.append(
+            _(u'Sorry, a user with that name already exists.'))
+        extra_validation_passes = False
+    if users_with_email:
+        register_form.email.errors.append(
+            _(u'Sorry, a user with that email address already exists.'))
+        extra_validation_passes = False
+
+    return extra_validation_passes
+
+
+def register_user(request, register_form):
+    """ Handle user registration """
+    extra_validation_passes = basic_extra_validation(register_form)
+
+    if extra_validation_passes:
+        # Create the user
+        user = User()
+        user.username = register_form.data['username']
+        user.email = register_form.data['email']
+        user.pw_hash = auth_lib.bcrypt_gen_password_hash(
+            register_form.password.data)
+        user.verification_key = unicode(uuid.uuid4())
+        user.save()
+
+        # log the user in
+        request.session['user_id'] = unicode(user.id)
+        request.session.save()
+
+        # send verification email
+        email_debug_message(request)
+        send_verification_email(user, request)
+
+        return user
+
+    return None
+
+
+def check_login_simple(username, password, username_might_be_email=False):
+    search = (User.username == username)
+    if username_might_be_email and ('@' in username):
+        search = or_(search, User.email == username)
+    user = User.query.filter(search).first()
+    if not user:
+        _log.info("User %r not found", username)
+        auth_lib.fake_login_attempt()
+        return None
+    if not auth_lib.bcrypt_check_password(password, user.pw_hash):
+        _log.warn("Wrong password for %r", username)
+        return None
+    _log.info("Logging %r in", username)
+    return user
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
new file mode 100644
index 00000000..bb7bda77
--- /dev/null
+++ b/mediagoblin/auth/views.py
@@ -0,0 +1,319 @@
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import uuid
+import datetime
+
+from mediagoblin import messages, mg_globals
+from mediagoblin.db.models import User
+from mediagoblin.tools.response import render_to_response, redirect, render_404
+from mediagoblin.tools.translate import pass_to_ugettext as _
+from mediagoblin.tools.mail import email_debug_message
+from mediagoblin.auth import lib as auth_lib
+from mediagoblin.auth import forms as auth_forms
+from mediagoblin.auth.lib import send_fp_verification_email
+from mediagoblin.auth.tools import (send_verification_email, register_user,
+                                    check_login_simple)
+
+
+def register(request):
+    """The registration view.
+
+    Note that usernames will always be lowercased. Email domains are lowercased while
+    the first part remains case-sensitive.
+    """
+    # Redirects to indexpage if registrations are disabled
+    if not mg_globals.app_config["allow_registration"]:
+        messages.add_message(
+            request,
+            messages.WARNING,
+            _('Sorry, registration is disabled on this instance.'))
+        return redirect(request, "index")
+
+    register_form = auth_forms.RegistrationForm(request.form)
+
+    if request.method == 'POST' and register_form.validate():
+        # TODO: Make sure the user doesn't exist already
+        user = register_user(request, register_form)
+
+        if user:
+            # redirect the user to their homepage... there will be a
+            # message waiting for them to verify their email
+            return redirect(
+                request, 'mediagoblin.user_pages.user_home',
+                user=user.username)
+
+    return render_to_response(
+        request,
+        'mediagoblin/auth/register.html',
+        {'register_form': register_form})
+
+
+def login(request):
+    """
+    MediaGoblin login view.
+
+    If you provide the POST with 'next', it'll redirect to that view.
+    """
+    login_form = auth_forms.LoginForm(request.form)
+
+    login_failed = False
+
+    if request.method == 'POST':
+
+        username = login_form.data['username']
+
+        if login_form.validate():
+            user = check_login_simple(username, login_form.password.data, True)
+
+            if user:
+                # set up login in session
+                request.session['user_id'] = unicode(user.id)
+                request.session.save()
+
+                if request.form.get('next'):
+                    return redirect(request, location=request.form['next'])
+                else:
+                    return redirect(request, "index")
+
+            login_failed = True
+
+    return render_to_response(
+        request,
+        'mediagoblin/auth/login.html',
+        {'login_form': login_form,
+         'next': request.GET.get('next') or request.form.get('next'),
+         'login_failed': login_failed,
+         'allow_registration': mg_globals.app_config["allow_registration"]})
+
+
+def logout(request):
+    # Maybe deleting the user_id parameter would be enough?
+    request.session.delete()
+
+    return redirect(request, "index")
+
+
+def verify_email(request):
+    """
+    Email verification view
+
+    validates GET parameters against database and unlocks the user account, if
+    you are lucky :)
+    """
+    # If we don't have userid and token parameters, we can't do anything; 404
+    if not 'userid' in request.GET or not 'token' in request.GET:
+        return render_404(request)
+
+    user = User.query.filter_by(id=request.args['userid']).first()
+
+    if user and user.verification_key == unicode(request.GET['token']):
+        user.status = u'active'
+        user.email_verified = True
+        user.verification_key = None
+
+        user.save()
+
+        messages.add_message(
+            request,
+            messages.SUCCESS,
+            _("Your email address has been verified. "
+              "You may now login, edit your profile, and submit images!"))
+    else:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _('The verification key or user id is incorrect'))
+
+    return redirect(
+        request, 'mediagoblin.user_pages.user_home',
+        user=user.username)
+
+
+def resend_activation(request):
+    """
+    The reactivation view
+
+    Resend the activation email.
+    """
+
+    if request.user is None:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _('You must be logged in so we know who to send the email to!'))
+
+        return redirect(request, 'mediagoblin.auth.login')
+
+    if request.user.email_verified:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _("You've already verified your email address!"))
+
+        return redirect(request, "mediagoblin.user_pages.user_home", user=request.user['username'])
+
+    request.user.verification_key = unicode(uuid.uuid4())
+    request.user.save()
+
+    email_debug_message(request)
+    send_verification_email(request.user, request)
+
+    messages.add_message(
+        request,
+        messages.INFO,
+        _('Resent your verification email.'))
+    return redirect(
+        request, 'mediagoblin.user_pages.user_home',
+        user=request.user.username)
+
+
+def forgot_password(request):
+    """
+    Forgot password view
+
+    Sends an email with an url to renew forgotten password.
+    Use GET querystring parameter 'username' to pre-populate the input field
+    """
+    fp_form = auth_forms.ForgotPassForm(request.form,
+                                        username=request.args.get('username'))
+
+    if not (request.method == 'POST' and fp_form.validate()):
+        # Either GET request, or invalid form submitted. Display the template
+        return render_to_response(request,
+            'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form})
+
+    # If we are here: method == POST and form is valid. username casing
+    # has been sanitized. Store if a user was found by email. We should
+    # not reveal if the operation was successful then as we don't want to
+    # leak if an email address exists in the system.
+    found_by_email = '@' in fp_form.username.data
+
+    if found_by_email:
+        user = User.query.filter_by(
+            email = fp_form.username.data).first()
+        # Don't reveal success in case the lookup happened by email address.
+        success_message=_("If that email address (case sensitive!) is "
+                          "registered an email has been sent with instructions "
+                          "on how to change your password.")
+
+    else: # found by username
+        user = User.query.filter_by(
+            username = fp_form.username.data).first()
+
+        if user is None:
+            messages.add_message(request,
+                                 messages.WARNING,
+                                 _("Couldn't find someone with that username."))
+            return redirect(request, 'mediagoblin.auth.forgot_password')
+
+        success_message=_("An email has been sent with instructions "
+                          "on how to change your password.")
+
+    if user and not(user.email_verified and user.status == 'active'):
+        # Don't send reminder because user is inactive or has no verified email
+        messages.add_message(request,
+            messages.WARNING,
+            _("Could not send password recovery email as your username is in"
+              "active or your account's email address has not been verified."))
+
+        return redirect(request, 'mediagoblin.user_pages.user_home',
+                        user=user.username)
+
+    # SUCCESS. Send reminder and return to login page
+    if user:
+        user.fp_verification_key = unicode(uuid.uuid4())
+        user.fp_token_expire = datetime.datetime.now() + \
+                               datetime.timedelta(days=10)
+        user.save()
+
+        email_debug_message(request)
+        send_fp_verification_email(user, request)
+
+    messages.add_message(request, messages.INFO, success_message)
+    return redirect(request, 'mediagoblin.auth.login')
+
+
+def verify_forgot_password(request):
+    """
+    Check the forgot-password verification and possibly let the user
+    change their password because of it.
+    """
+    # get form data variables, and specifically check for presence of token
+    formdata = _process_for_token(request)
+    if not formdata['has_userid_and_token']:
+        return render_404(request)
+
+    formdata_token = formdata['vars']['token']
+    formdata_userid = formdata['vars']['userid']
+    formdata_vars = formdata['vars']
+
+    # check if it's a valid user id
+    user = User.query.filter_by(id=formdata_userid).first()
+    if not user:
+        return render_404(request)
+
+    # check if we have a real user and correct token
+    if ((user and user.fp_verification_key and
+         user.fp_verification_key == unicode(formdata_token) and
+         datetime.datetime.now() < user.fp_token_expire
+         and user.email_verified and user.status == 'active')):
+
+        cp_form = auth_forms.ChangePassForm(formdata_vars)
+
+        if request.method == 'POST' and cp_form.validate():
+            user.pw_hash = auth_lib.bcrypt_gen_password_hash(
+                cp_form.password.data)
+            user.fp_verification_key = None
+            user.fp_token_expire = None
+            user.save()
+
+            messages.add_message(
+                request,
+                messages.INFO,
+                _("You can now log in using your new password."))
+            return redirect(request, 'mediagoblin.auth.login')
+        else:
+            return render_to_response(
+                request,
+                'mediagoblin/auth/change_fp.html',
+                {'cp_form': cp_form})
+
+    # in case there is a valid id but no user with that id in the db
+    # or the token expired
+    else:
+        return render_404(request)
+
+
+def _process_for_token(request):
+    """
+    Checks for tokens in formdata without prior knowledge of request method
+
+    For now, returns whether the userid and token formdata variables exist, and
+    the formdata variables in a hash. Perhaps an object is warranted?
+    """
+    # retrieve the formdata variables
+    if request.method == 'GET':
+        formdata_vars = request.GET
+    else:
+        formdata_vars = request.form
+
+    formdata = {
+        'vars': formdata_vars,
+        'has_userid_and_token':
+            'userid' in formdata_vars and 'token' in formdata_vars}
+
+    return formdata