From 75fc93686d0763ced6a5769e99e570a4c8fd3273 Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Sat, 25 May 2013 07:59:03 -0700 Subject: [PATCH] created a check_login_simple function cherry-picked from rodney757, fixed few conflicts due to out of order cherry-picking. Thanks to rodney757 for making my idea even better. --- mediagoblin/auth/tools.py | 23 +++++++++++++++++++++ mediagoblin/auth/views.py | 17 ++++----------- mediagoblin/db/mixin.py | 8 ------- mediagoblin/plugins/httpapiauth/__init__.py | 7 ++++--- mediagoblin/plugins/piwigo/views.py | 12 +++-------- 5 files changed, 34 insertions(+), 33 deletions(-) diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index 52095d8a..bb7d2683 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -14,13 +14,20 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +import logging + import wtforms +from sqlalchemy import or_ from mediagoblin import mg_globals +from mediagoblin.auth import lib as auth_lib +from mediagoblin.db.models import User from mediagoblin.tools.mail import normalize_email, send_email from mediagoblin.tools.template import render_template from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ +_log = logging.getLogger(__name__) + def normalize_user_or_email_field(allow_email=True, allow_user=True): """ @@ -85,3 +92,19 @@ def send_verification_email(user, request): # example "GNU MediaGoblin @ Wandborg - [...]". 'GNU MediaGoblin - Verify your email!', rendered_email) + + +def check_login_simple(username, password, username_might_be_email=False): + search = (User.username == username) + if username_might_be_email and ('@' in username): + search = or_(search, User.email == username) + user = User.query.filter(search).first() + if not user: + _log.info("User %r not found", username) + auth_lib.fake_login_attempt() + return None + if not auth_lib.bcrypt_check_password(password, user.pw_hash): + _log.warn("Wrong password for %r", username) + return None + _log.info("Logging %r in", username) + return user diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 6a8e9a4c..2485e79e 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -25,8 +25,8 @@ from mediagoblin.tools.mail import email_debug_message from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.lib import send_fp_verification_email -from mediagoblin.auth.tools import send_verification_email -from sqlalchemy import or_ +from mediagoblin.auth.tools import (send_verification_email, + check_login_simple) def register(request): @@ -106,14 +106,9 @@ def login(request): username = login_form.data['username'] if login_form.validate(): - user = User.query.filter( - or_( - User.username == username, - User.email == username, + user = check_login_simple(username, login_form.password.data, True) - )).first() - - if user and user.check_login(login_form.password.data): + if user: # set up login in session request.session['user_id'] = unicode(user.id) request.session.save() @@ -123,10 +118,6 @@ def login(request): else: return redirect(request, "index") - # Some failure during login occured if we are here! - # Prevent detecting who's on this system by testing login - # attempt timings - auth_lib.fake_login_attempt() login_failed = True return render_to_response( diff --git a/mediagoblin/db/mixin.py b/mediagoblin/db/mixin.py index e7f66fa1..9f566e36 100644 --- a/mediagoblin/db/mixin.py +++ b/mediagoblin/db/mixin.py @@ -34,7 +34,6 @@ import datetime from werkzeug.utils import cached_property from mediagoblin import mg_globals -from mediagoblin.auth import lib as auth_lib from mediagoblin.media_types import get_media_managers, FileTypeNotSupported from mediagoblin.tools import common, licenses from mediagoblin.tools.text import cleaned_markdown_conversion @@ -42,13 +41,6 @@ from mediagoblin.tools.url import slugify class UserMixin(object): - def check_login(self, password): - """ - See if a user can login with this password - """ - return auth_lib.bcrypt_check_password( - password, self.pw_hash) - @property def bio_html(self): return cleaned_markdown_conversion(self.bio) diff --git a/mediagoblin/plugins/httpapiauth/__init__.py b/mediagoblin/plugins/httpapiauth/__init__.py index 99b6a4b0..2b2d593c 100644 --- a/mediagoblin/plugins/httpapiauth/__init__.py +++ b/mediagoblin/plugins/httpapiauth/__init__.py @@ -18,6 +18,7 @@ import logging from werkzeug.exceptions import Unauthorized +from mediagoblin.auth.tools import check_login_simple from mediagoblin.plugins.api.tools import Auth _log = logging.getLogger(__name__) @@ -39,10 +40,10 @@ class HTTPAuth(Auth): if not request.authorization: return False - user = request.db.User.query.filter_by( - username=unicode(request.authorization['username'])).first() + user = check_login_simple(unicode(request.authorization['username']), + request.authorization['password']) - if user.check_login(request.authorization['password']): + if user: request.user = user return True else: diff --git a/mediagoblin/plugins/piwigo/views.py b/mediagoblin/plugins/piwigo/views.py index 78668ed4..ca723189 100644 --- a/mediagoblin/plugins/piwigo/views.py +++ b/mediagoblin/plugins/piwigo/views.py @@ -23,7 +23,7 @@ from werkzeug.exceptions import MethodNotAllowed, BadRequest, NotImplemented from werkzeug.wrappers import BaseResponse from mediagoblin.meddleware.csrf import csrf_exempt -from mediagoblin.auth.lib import fake_login_attempt +from mediagoblin.auth.tools import check_login_simple from mediagoblin.media_types import sniff_media from mediagoblin.submit.lib import check_file_field, prepare_queue_task, \ run_process_media, new_upload_entry @@ -43,15 +43,9 @@ _log = logging.getLogger(__name__) def pwg_login(request): username = request.form.get("username") password = request.form.get("password") - user = request.db.User.query.filter_by(username=username).first() + user = check_login_simple(username, password) if not user: - _log.info("User %r not found", username) - fake_login_attempt() return PwgError(999, 'Invalid username/password') - if not user.check_login(password): - _log.warn("Wrong password for %r", username) - return PwgError(999, 'Invalid username/password') - _log.info("Logging %r in", username) request.session["user_id"] = user.id request.session.save() return True @@ -126,7 +120,7 @@ def pwg_images_addSimple(request): dump = [] for f in form: dump.append("%s=%r" % (f.name, f.data)) - _log.info("addSimple: %r %s %r", request.form, " ".join(dump), + _log.info("addSimple: %r %s %r", request.form, " ".join(dump), request.files) if not check_file_field(request, 'image'): -- 2.25.1