Merge remote-tracking branch 'upstream/master' into foursquare_auth

commit 7e228f1dfca01e44917655578644cf871d8d19ae 2 parents 531cd1f + d586e62
Miha Novak authored
5 piplmesh/account/backends.py
@@ -42,6 +42,8 @@ class FacebookBackend(MongoEngineBackend):
Facebook authentication.
"""
+ # TODO: List all profile data fields we (can) get
+
def authenticate(self, facebook_access_token, request):
# Retrieve user's profile information
# TODO: Handle error, what if request was denied?
@@ -50,6 +52,7 @@ def authenticate(self, facebook_access_token, request):
try:
user = self.user_class.objects.get(facebook_profile_data__id=facebook_profile_data.get('id'))
except self.user_class.DoesNotExist:
+ # TODO: Based on user preference, we might create a new user here, not just link with existing, if existing user is lazy user
# We reload to make sure user object is recent
user = request.user.reload()
# TODO: Is it OK to override Facebook link if it already exist with some other Facebook user?
@@ -128,6 +131,7 @@ def authenticate(self, twitter_access_token, request):
try:
user = self.user_class.objects.get(twitter_profile_data__id=twitter_profile_data.get('id'))
except self.user_class.DoesNotExist:
+ # TODO: Based on user preference, we might create a new user here, not just link with existing, if existing user is lazy user
# We reload to make sure user object is recent
user = request.user.reload()
# TODO: Is it OK to override Twitter link if it already exist with some other Twitter user?
@@ -171,6 +175,7 @@ def authenticate(self, google_access_token, request):
try:
user = self.user_class.objects.get(google_profile_data__id=google_profile_data.get('id'))
except self.user_class.DoesNotExist:
+ # TODO: Based on user preference, we might create a new user here, not just link with existing, if existing user is lazy user
# We reload to make sure user object is recent
user = request.user.reload()
# TODO: Is it OK to override Google link if it already exist with some other Google user?
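Review bot: The lookup just above each added TODO, `self.user_class.objects.get(facebook_profile_data__id=facebook_profile_data.get('id'))`, is executed with `None` whenever the provider response carries no `id` — the denied-request case the earlier TODO in the same method already anticipates — and if the ORM turns that into an equality against null, MongoDB also matches documents where the field is absent, so a failed profile fetch could resolve to an unrelated account instead of falling into the `DoesNotExist` branch. A guard before the query closes this: `profile_id = facebook_profile_data.get('id')`, `if not profile_id: return None`, then `...get(facebook_profile_data__id=profile_id)`. The Twitter (`twitter_profile_data__id`) and Google (`google_profile_data__id`) hunks in this file have the identical shape and need the same guard. Each `authenticate` body starts and ends outside its hunk, so where the profile dict is built is not visible here.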
17 piplmesh/account/views.py
@@ -44,8 +44,9 @@ class FacebookCallbackView(generic_views.RedirectView):
url = settings.FACEBOOK_LOGIN_REDIRECT
def get(self, request, *args, **kwargs):
+ # TODO: Add security measures to prevent attackers from sending a redirect to this url with a forged 'code' (you can use 'state' parameter to set a random nonce and store it into session)
+
if 'code' in request.GET:
- # TODO: Add security measures to prevent attackers from sending a redirect to this url with a forged 'code'
args = {
'client_id': settings.FACEBOOK_APP_ID,
'client_secret': settings.FACEBOOK_APP_SECRET,
@@ -65,8 +66,8 @@ def get(self, request, *args, **kwargs):
return super(FacebookCallbackView, self).get(request, *args, **kwargs)
else:
- # TODO: Message user that they have not been logged in because they cancelled the facebook app
- # TODO: Use information provided from facebook as to why the login was not successful
+ # TODO: Message user that they have not been logged in because they cancelled the Facebook app
+ # TODO: Use information provided by Facebook as to why the login was not successful
return super(FacebookCallbackView, self).get(request, *args, **kwargs)
class TwitterLoginView(generic_views.RedirectView):
@@ -77,7 +78,11 @@ class TwitterLoginView(generic_views.RedirectView):
permanent = False
def get_redirect_url(self, **kwargs):
- twitter_auth = tweepy.OAuthHandler(settings.TWITTER_CONSUMER_KEY, settings.TWITTER_CONSUMER_SECRET, self.request.build_absolute_uri(urlresolvers.reverse('twitter_callback')))
+ twitter_auth = tweepy.OAuthHandler(
+ settings.TWITTER_CONSUMER_KEY,
+ settings.TWITTER_CONSUMER_SECRET,
+ self.request.build_absolute_uri(urlresolvers.reverse('twitter_callback')),
+ )
redirect_url = twitter_auth.get_authorization_url(signin_with_twitter=True)
self.request.session['request_token'] = twitter_auth.request_token
return redirect_url
@@ -124,6 +129,8 @@ def get_redirect_url(self, **kwargs):
'scope': GOOGLE_SCOPE,
'redirect_uri': self.request.build_absolute_uri(urlresolvers.reverse('google_callback')),
'response_type': 'code',
+ 'access_type': 'online',
+ 'approval_prompt': 'auto',
}
return 'https://accounts.google.com/o/oauth2/auth?%s' % urllib.urlencode(args)
@@ -137,6 +144,8 @@ class GoogleCallbackView(generic_views.RedirectView):
url = settings.GOOGLE_LOGIN_REDIRECT
def get(self, request, *args, **kwargs):
+ # TODO: Add security measures to prevent attackers from sending a redirect to this url with a forged 'code' (you can use 'state' parameter to set a random nonce and store it into session)
+
if 'code' in request.GET:
args = {
'client_id': settings.GOOGLE_CLIENT_ID,
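Review bot: The authorization URL assembled in `GoogleLoginView.get_redirect_url` (the `args` dict that now gains `'access_type'` and `'approval_prompt'`) still sends no `state` value, so the forged-`code` gap that the two new TODOs describe in `FacebookCallbackView.get` and `GoogleCallbackView.get` is left open on the request side as well as on the callback side, and the commit only documents it. Generating the nonce in this hunk is the natural first half of that fix: `state = binascii.hexlify(os.urandom(16))`, `self.request.session['google_oauth_state'] = state`, and `'state': state,` alongside `'response_type': 'code'` (with `os` and `binascii` imported at the top of the file). The callback should then compare `request.GET.get('state')` against the stored session value before it exchanges `code`, taking the existing cancel branch on a mismatch or a missing value, and the Facebook login/callback pair needs the same treatment. The enclosing `get` and `get_redirect_url` methods begin and end outside these hunks.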
2  piplmesh/frontend/static/piplmesh/js/home.js
@@ -5,7 +5,7 @@ function User(data) {
}
function redrawUserList() {
- // TODO: Currently we just remove logged out users from the list, it would be better to fade them out
+ // TODO: Currently we just replace the whole list of users, it would be better to fade gone out, and fade new in
var keys = [];
$.each(onlineUsers, function (key, user) {
3  piplmesh/nodes/__init__.py
@@ -58,7 +58,8 @@ def get_node(request):
Returns ``None`` if no node could be determined.
"""
- # TODO: What if users moves from inside to outside, or outside to inside, inside existing session? How should we invalidate node?
+ # TODO: What if user moves from inside to outside, or outside to inside, inside existing session? How should we invalidate node?
+ # TODO: What if user moves between nodes, between outside locations?
node = None
try: