/
auth.py
81 lines (63 loc) · 2.39 KB
/
auth.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
import hashlib
import string
from random import SystemRandom
random = SystemRandom()
from mongoengine import Document, StringField
from trembling.session import SESSION_COOKIE_NAME
from trembling import Redirect
SALT_LENGTH = 23
SALT_CHARACTERS = string.ascii_letters + string.digits
AUTH_SESSION_KEY = "auth_user_id"
LOGIN_URL = "/account/login.html"
class User(Document):
username = StringField(unique=True, required=True)
password_hash = StringField()
def set_password(self, password):
salt = "".join([random.choice(SALT_CHARACTERS) for x in xrange(SALT_LENGTH)])
# FIXME: Is this secure enough?
hasher = hashlib.sha512()
hasher.update(salt)
hasher.update(password)
self.password_hash = "%s$%s" % (salt, hasher.hexdigest())
def check_password(self, password):
salt, hashed = self.password_hash.split("$")
hasher = hashlib.sha512()
hasher.update(salt)
hasher.update(password)
return hasher.hexdigest() == hashed
def login(request, username, password):
'''Given a request, username, and password, authenticate the user and add
the name to the session.
:return True if the user is successfully authenticated, False otherwise'''
# FIXME: Currently assumes no other user is logged in
user = User.objects(username=username)
if not user:
return False
else:
user = user[0]
if user.check_password(password):
request.session[AUTH_SESSION_KEY] = username
return True
return False
def logout(request):
'''Ensure that no user session data is attached to the request.'''
key = request.session[SESSION_COOKIE_NAME]
request.session = {SESSION_COOKIE_NAME: key}
def login_required(request, login_url=None):
'''if a user is not logged in, redirect to the login url.
Assumes that inbound has already been called on the request.'''
if not request.authenticated:
if login_url is None:
login_url = LOGIN_URL
raise Redirect(login_url)
else:
return True
def inbound(request):
'''Attach a User object to every request if the user id is logged in'''
request.user = None
request.authenticated = False
if 'auth_user_id' in request.session:
user = User.objects(username=request.session[AUTH_SESSION_KEY])
if user:
request.user = user[0]
request.authenticated = True