diff options
Diffstat (limited to 'mediagoblin/auth')
-rw-r--r-- | mediagoblin/auth/tools.py | 21 | ||||
-rw-r--r-- | mediagoblin/auth/views.py | 17 |
2 files changed, 25 insertions, 13 deletions
diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 16611757..db6b6e37 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -15,7 +15,10 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import uuid +import logging + import wtforms +from sqlalchemy import or_ from mediagoblin import mg_globals from mediagoblin.auth import lib as auth_lib @@ -25,6 +28,8 @@ from mediagoblin.tools.mail import (normalize_email, send_email, from mediagoblin.tools.template import render_template from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ +_log = logging.getLogger(__name__) + def normalize_user_or_email_field(allow_email=True, allow_user=True): """ @@ -136,3 +141,19 @@ def register_user(request, register_form): return user return None + + +def check_login_simple(username, password, username_might_be_email=False): + search = (User.username == username) + if username_might_be_email and ('@' in username): + search = or_(search, User.email == username) + user = User.query.filter(search).first() + if not user: + _log.info("User %r not found", username) + auth_lib.fake_login_attempt() + return None + if not auth_lib.bcrypt_check_password(password, user.pw_hash): + _log.warn("Wrong password for %r", username) + return None + _log.info("Logging %r in", username) + return user diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 574adab5..bb7bda77 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -25,8 +25,8 @@ from mediagoblin.tools.mail import email_debug_message from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.lib import send_fp_verification_email -from mediagoblin.auth.tools import send_verification_email, register_user -from sqlalchemy import or_ +from mediagoblin.auth.tools import (send_verification_email, register_user, + check_login_simple) def register(request): @@ -77,14 +77,9 @@ def login(request): username = login_form.data['username'] if login_form.validate(): - user = User.query.filter( - or_( - User.username == username, - User.email == username, + user = check_login_simple(username, login_form.password.data, True) - )).first() - - if user and user.check_login(login_form.password.data): + if user: # set up login in session request.session['user_id'] = unicode(user.id) request.session.save() @@ -94,10 +89,6 @@ def login(request): else: return redirect(request, "index") - # Some failure during login occured if we are here! - # Prevent detecting who's on this system by testing login - # attempt timings - auth_lib.fake_login_attempt() login_failed = True return render_to_response( |