From 8ad734afc677f2d8314981be08d9282d5d599c67 Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Thu, 23 May 2013 14:33:56 -0700 Subject: changed User model pw_hash field to nullable and added migrations --- mediagoblin/db/migrations.py | 11 +++++++++++ mediagoblin/db/models.py | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/mediagoblin/db/migrations.py b/mediagoblin/db/migrations.py index 2c553396..1f92417e 100644 --- a/mediagoblin/db/migrations.py +++ b/mediagoblin/db/migrations.py @@ -287,3 +287,14 @@ def unique_collections_slug(db): constraint.create() db.commit() + + +@RegisterMigration(11, MIGRATIONS) +def pw_hash_nullable(db): + """Make pw_hash column nullable""" + metadata = MetaData(bind=db.bind) + user_table = inspect_table(metadata, "core__users") + + user_table.c.pw_hash.alter(nullable=True) + + db.commit() diff --git a/mediagoblin/db/models.py b/mediagoblin/db/models.py index 2b925983..323ed4d7 100644 --- a/mediagoblin/db/models.py +++ b/mediagoblin/db/models.py @@ -61,7 +61,7 @@ class User(Base, UserMixin): # point. email = Column(Unicode, nullable=False) created = Column(DateTime, nullable=False, default=datetime.datetime.now) - pw_hash = Column(Unicode, nullable=False) + pw_hash = Column(Unicode) email_verified = Column(Boolean, default=False) status = Column(Unicode, default=u"needs_email_verification", nullable=False) # Intented to be nullable=False, but migrations would not work for it -- cgit v1.2.3 From 61bfe64b23ab7c99653f0359e3344cf7c5d161f7 Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Thu, 23 May 2013 14:56:32 -0700 Subject: removed unused import --- mediagoblin/auth/forms.py | 1 - 1 file changed, 1 deletion(-) diff --git a/mediagoblin/auth/forms.py b/mediagoblin/auth/forms.py index 599b2576..0a391d67 100644 --- a/mediagoblin/auth/forms.py +++ b/mediagoblin/auth/forms.py @@ -16,7 +16,6 @@ import wtforms -from mediagoblin.tools.mail import normalize_email from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ from mediagoblin.auth.tools import normalize_user_or_email_field -- cgit v1.2.3 From 92783bc1fd41efa228639703127523469614e9aa Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Fri, 24 May 2013 12:26:45 -0700 Subject: moved send_verification_email to auth/tools --- mediagoblin/auth/lib.py | 35 ----------------------------------- mediagoblin/auth/tools.py | 39 ++++++++++++++++++++++++++++++++++++++- mediagoblin/auth/views.py | 6 +++--- 3 files changed, 41 insertions(+), 39 deletions(-) diff --git a/mediagoblin/auth/lib.py b/mediagoblin/auth/lib.py index 8829995a..bfc36b28 100644 --- a/mediagoblin/auth/lib.py +++ b/mediagoblin/auth/lib.py @@ -90,41 +90,6 @@ def fake_login_attempt(): randplus_stored_hash == randplus_hashed_pass -EMAIL_VERIFICATION_TEMPLATE = ( - u"http://{host}{uri}?" - u"userid={userid}&token={verification_key}") - - -def send_verification_email(user, request): - """ - Send the verification email to users to activate their accounts. - - Args: - - user: a user object - - request: the request - """ - rendered_email = render_template( - request, 'mediagoblin/auth/verification_email.txt', - {'username': user.username, - 'verification_url': EMAIL_VERIFICATION_TEMPLATE.format( - host=request.host, - uri=request.urlgen('mediagoblin.auth.verify_email'), - userid=unicode(user.id), - verification_key=user.verification_key)}) - - # TODO: There is no error handling in place - send_email( - mg_globals.app_config['email_sender_address'], - [user.email], - # TODO - # Due to the distributed nature of GNU MediaGoblin, we should - # find a way to send some additional information about the - # specific GNU MediaGoblin instance in the subject line. For - # example "GNU MediaGoblin @ Wandborg - [...]". - 'GNU MediaGoblin - Verify your email!', - rendered_email) - - EMAIL_FP_VERIFICATION_TEMPLATE = ( u"http://{host}{uri}?" u"userid={userid}&token={fp_verification_key}") diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 1b30a7d9..52095d8a 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -16,7 +16,9 @@ import wtforms -from mediagoblin.tools.mail import normalize_email +from mediagoblin import mg_globals +from mediagoblin.tools.mail import normalize_email, send_email +from mediagoblin.tools.template import render_template from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ @@ -48,3 +50,38 @@ def normalize_user_or_email_field(allow_email=True, allow_user=True): if field.data is None: # should not happen, but be cautious anyway raise wtforms.ValidationError(message) return _normalize_field + + +EMAIL_VERIFICATION_TEMPLATE = ( + u"http://{host}{uri}?" + u"userid={userid}&token={verification_key}") + + +def send_verification_email(user, request): + """ + Send the verification email to users to activate their accounts. + + Args: + - user: a user object + - request: the request + """ + rendered_email = render_template( + request, 'mediagoblin/auth/verification_email.txt', + {'username': user.username, + 'verification_url': EMAIL_VERIFICATION_TEMPLATE.format( + host=request.host, + uri=request.urlgen('mediagoblin.auth.verify_email'), + userid=unicode(user.id), + verification_key=user.verification_key)}) + + # TODO: There is no error handling in place + send_email( + mg_globals.app_config['email_sender_address'], + [user.email], + # TODO + # Due to the distributed nature of GNU MediaGoblin, we should + # find a way to send some additional information about the + # specific GNU MediaGoblin instance in the subject line. For + # example "GNU MediaGoblin @ Wandborg - [...]". + 'GNU MediaGoblin - Verify your email!', + rendered_email) diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index dc408911..94354933 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -23,8 +23,8 @@ from mediagoblin.tools.response import render_to_response, redirect, render_404 from mediagoblin.tools.translate import pass_to_ugettext as _ from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms -from mediagoblin.auth.lib import send_verification_email, \ - send_fp_verification_email +from mediagoblin.auth.lib import send_fp_verification_email +from mediagoblin.auth.tools import send_verification_email from sqlalchemy import or_ def email_debug_message(request): @@ -113,7 +113,7 @@ def login(request): login_failed = False if request.method == 'POST': - + username = login_form.data['username'] if login_form.validate(): -- cgit v1.2.3 From dd39fe6052ff41a2f64467e1019479c093bfe4da Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Fri, 24 May 2013 12:48:29 -0700 Subject: moved email_debug_message to gmg/tools/mail --- mediagoblin/auth/views.py | 13 +------------ mediagoblin/tools/mail.py | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 94354933..6a8e9a4c 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -21,24 +21,13 @@ from mediagoblin import messages, mg_globals from mediagoblin.db.models import User from mediagoblin.tools.response import render_to_response, redirect, render_404 from mediagoblin.tools.translate import pass_to_ugettext as _ +from mediagoblin.tools.mail import email_debug_message from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.lib import send_fp_verification_email from mediagoblin.auth.tools import send_verification_email from sqlalchemy import or_ -def email_debug_message(request): - """ - If the server is running in email debug mode (which is - the current default), give a debug message to the user - so that they have an idea where to find their email. - """ - if mg_globals.app_config['email_debug_mode']: - # DEBUG message, no need to translate - messages.add_message(request, messages.DEBUG, - u"This instance is running in email debug mode. " - u"The email will be on the console of the server process.") - def register(request): """The registration view. diff --git a/mediagoblin/tools/mail.py b/mediagoblin/tools/mail.py index 4fa02ce5..6886c859 100644 --- a/mediagoblin/tools/mail.py +++ b/mediagoblin/tools/mail.py @@ -16,7 +16,7 @@ import smtplib from email.MIMEText import MIMEText -from mediagoblin import mg_globals +from mediagoblin import mg_globals, messages from mediagoblin.tools import common ### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -135,3 +135,16 @@ def normalize_email(email): return None email = "@".join((em_user, em_dom.lower())) return email + + +def email_debug_message(request): + """ + If the server is running in email debug mode (which is + the current default), give a debug message to the user + so that they have an idea where to find their email. + """ + if mg_globals.app_config['email_debug_mode']: + # DEBUG message, no need to translate + messages.add_message(request, messages.DEBUG, + u"This instance is running in email debug mode. " + u"The email will be on the console of the server process.") -- cgit v1.2.3 From 310a44d57c121405a6279ad0eae2ed1f07f82b56 Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Fri, 24 May 2013 12:52:14 -0700 Subject: added a register_user function --- mediagoblin/auth/tools.py | 53 ++++++++++++++++++++++++++++++++++++++++++++++- mediagoblin/auth/views.py | 35 +++---------------------------- 2 files changed, 55 insertions(+), 33 deletions(-) diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 52095d8a..16611757 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -14,10 +14,14 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +import uuid import wtforms from mediagoblin import mg_globals -from mediagoblin.tools.mail import normalize_email, send_email +from mediagoblin.auth import lib as auth_lib +from mediagoblin.db.models import User +from mediagoblin.tools.mail import (normalize_email, send_email, + email_debug_message) from mediagoblin.tools.template import render_template from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ @@ -85,3 +89,50 @@ def send_verification_email(user, request): # example "GNU MediaGoblin @ Wandborg - [...]". 'GNU MediaGoblin - Verify your email!', rendered_email) + + +def basic_extra_validation(register_form, *args): + users_with_username = User.query.filter_by( + username=register_form.data['username']).count() + users_with_email = User.query.filter_by( + email=register_form.data['email']).count() + + extra_validation_passes = True + + if users_with_username: + register_form.username.errors.append( + _(u'Sorry, a user with that name already exists.')) + extra_validation_passes = False + if users_with_email: + register_form.email.errors.append( + _(u'Sorry, a user with that email address already exists.')) + extra_validation_passes = False + + return extra_validation_passes + + +def register_user(request, register_form): + """ Handle user registration """ + extra_validation_passes = basic_extra_validation(register_form) + + if extra_validation_passes: + # Create the user + user = User() + user.username = register_form.data['username'] + user.email = register_form.data['email'] + user.pw_hash = auth_lib.bcrypt_gen_password_hash( + register_form.password.data) + user.verification_key = unicode(uuid.uuid4()) + user.save() + + # log the user in + request.session['user_id'] = unicode(user.id) + request.session.save() + + # send verification email + email_debug_message(request) + send_verification_email(user, request) + + return user + + return None diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 6a8e9a4c..574adab5 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -25,7 +25,7 @@ from mediagoblin.tools.mail import email_debug_message from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.lib import send_fp_verification_email -from mediagoblin.auth.tools import send_verification_email +from mediagoblin.auth.tools import send_verification_email, register_user from sqlalchemy import or_ @@ -47,38 +47,9 @@ def register(request): if request.method == 'POST' and register_form.validate(): # TODO: Make sure the user doesn't exist already - users_with_username = User.query.filter_by(username=register_form.data['username']).count() - users_with_email = User.query.filter_by(email=register_form.data['email']).count() - - extra_validation_passes = True - - if users_with_username: - register_form.username.errors.append( - _(u'Sorry, a user with that name already exists.')) - extra_validation_passes = False - if users_with_email: - register_form.email.errors.append( - _(u'Sorry, a user with that email address already exists.')) - extra_validation_passes = False - - if extra_validation_passes: - # Create the user - user = User() - user.username = register_form.data['username'] - user.email = register_form.data['email'] - user.pw_hash = auth_lib.bcrypt_gen_password_hash( - register_form.password.data) - user.verification_key = unicode(uuid.uuid4()) - user.save() - - # log the user in - request.session['user_id'] = unicode(user.id) - request.session.save() - - # send verification email - email_debug_message(request) - send_verification_email(user, request) + user = register_user(request, register_form) + if user: # redirect the user to their homepage... there will be a # message waiting for them to verify their email return redirect( -- cgit v1.2.3 From 1d321f1c7158f3bd263d64ae703311e8d8e2a22a Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Sat, 25 May 2013 07:59:03 -0700 Subject: created a check_login_simple function --- mediagoblin/auth/tools.py | 21 +++++++++++++++++++++ mediagoblin/auth/views.py | 17 ++++------------- mediagoblin/db/mixin.py | 8 -------- mediagoblin/plugins/httpapiauth/__init__.py | 7 ++++--- mediagoblin/plugins/piwigo/views.py | 12 +++--------- 5 files changed, 32 insertions(+), 33 deletions(-) diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 16611757..db6b6e37 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -15,7 +15,10 @@ # along with this program. If not, see . import uuid +import logging + import wtforms +from sqlalchemy import or_ from mediagoblin import mg_globals from mediagoblin.auth import lib as auth_lib @@ -25,6 +28,8 @@ from mediagoblin.tools.mail import (normalize_email, send_email, from mediagoblin.tools.template import render_template from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ +_log = logging.getLogger(__name__) + def normalize_user_or_email_field(allow_email=True, allow_user=True): """ @@ -136,3 +141,19 @@ def register_user(request, register_form): return user return None + + +def check_login_simple(username, password, username_might_be_email=False): + search = (User.username == username) + if username_might_be_email and ('@' in username): + search = or_(search, User.email == username) + user = User.query.filter(search).first() + if not user: + _log.info("User %r not found", username) + auth_lib.fake_login_attempt() + return None + if not auth_lib.bcrypt_check_password(password, user.pw_hash): + _log.warn("Wrong password for %r", username) + return None + _log.info("Logging %r in", username) + return user diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 574adab5..bb7bda77 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -25,8 +25,8 @@ from mediagoblin.tools.mail import email_debug_message from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.lib import send_fp_verification_email -from mediagoblin.auth.tools import send_verification_email, register_user -from sqlalchemy import or_ +from mediagoblin.auth.tools import (send_verification_email, register_user, + check_login_simple) def register(request): @@ -77,14 +77,9 @@ def login(request): username = login_form.data['username'] if login_form.validate(): - user = User.query.filter( - or_( - User.username == username, - User.email == username, + user = check_login_simple(username, login_form.password.data, True) - )).first() - - if user and user.check_login(login_form.password.data): + if user: # set up login in session request.session['user_id'] = unicode(user.id) request.session.save() @@ -94,10 +89,6 @@ def login(request): else: return redirect(request, "index") - # Some failure during login occured if we are here! - # Prevent detecting who's on this system by testing login - # attempt timings - auth_lib.fake_login_attempt() login_failed = True return render_to_response( diff --git a/mediagoblin/db/mixin.py b/mediagoblin/db/mixin.py index e7f66fa1..9f566e36 100644 --- a/mediagoblin/db/mixin.py +++ b/mediagoblin/db/mixin.py @@ -34,7 +34,6 @@ import datetime from werkzeug.utils import cached_property from mediagoblin import mg_globals -from mediagoblin.auth import lib as auth_lib from mediagoblin.media_types import get_media_managers, FileTypeNotSupported from mediagoblin.tools import common, licenses from mediagoblin.tools.text import cleaned_markdown_conversion @@ -42,13 +41,6 @@ from mediagoblin.tools.url import slugify class UserMixin(object): - def check_login(self, password): - """ - See if a user can login with this password - """ - return auth_lib.bcrypt_check_password( - password, self.pw_hash) - @property def bio_html(self): return cleaned_markdown_conversion(self.bio) diff --git a/mediagoblin/plugins/httpapiauth/__init__.py b/mediagoblin/plugins/httpapiauth/__init__.py index 99b6a4b0..2b2d593c 100644 --- a/mediagoblin/plugins/httpapiauth/__init__.py +++ b/mediagoblin/plugins/httpapiauth/__init__.py @@ -18,6 +18,7 @@ import logging from werkzeug.exceptions import Unauthorized +from mediagoblin.auth.tools import check_login_simple from mediagoblin.plugins.api.tools import Auth _log = logging.getLogger(__name__) @@ -39,10 +40,10 @@ class HTTPAuth(Auth): if not request.authorization: return False - user = request.db.User.query.filter_by( - username=unicode(request.authorization['username'])).first() + user = check_login_simple(unicode(request.authorization['username']), + request.authorization['password']) - if user.check_login(request.authorization['password']): + if user: request.user = user return True else: diff --git a/mediagoblin/plugins/piwigo/views.py b/mediagoblin/plugins/piwigo/views.py index 78668ed4..ca723189 100644 --- a/mediagoblin/plugins/piwigo/views.py +++ b/mediagoblin/plugins/piwigo/views.py @@ -23,7 +23,7 @@ from werkzeug.exceptions import MethodNotAllowed, BadRequest, NotImplemented from werkzeug.wrappers import BaseResponse from mediagoblin.meddleware.csrf import csrf_exempt -from mediagoblin.auth.lib import fake_login_attempt +from mediagoblin.auth.tools import check_login_simple from mediagoblin.media_types import sniff_media from mediagoblin.submit.lib import check_file_field, prepare_queue_task, \ run_process_media, new_upload_entry @@ -43,15 +43,9 @@ _log = logging.getLogger(__name__) def pwg_login(request): username = request.form.get("username") password = request.form.get("password") - user = request.db.User.query.filter_by(username=username).first() + user = check_login_simple(username, password) if not user: - _log.info("User %r not found", username) - fake_login_attempt() return PwgError(999, 'Invalid username/password') - if not user.check_login(password): - _log.warn("Wrong password for %r", username) - return PwgError(999, 'Invalid username/password') - _log.info("Logging %r in", username) request.session["user_id"] = user.id request.session.save() return True @@ -126,7 +120,7 @@ def pwg_images_addSimple(request): dump = [] for f in form: dump.append("%s=%r" % (f.name, f.data)) - _log.info("addSimple: %r %s %r", request.form, " ".join(dump), + _log.info("addSimple: %r %s %r", request.form, " ".join(dump), request.files) if not check_file_field(request, 'image'): -- cgit v1.2.3