diff options
author | Sam | 2013-10-11 14:44:45 -0500 |
---|---|---|
committer | Sam | 2013-10-11 14:44:45 -0500 |
commit | 38ae30a5fb46753a361e1c7454871430d7097c3b (patch) | |
tree | 5f77ee8331a9c652b0fddf059d2dcdede6cb25f9 /wqflask/wqflask | |
parent | a55a1b941864a9574b8177349b8c9c750f379c72 (diff) | |
download | genenetwork2-38ae30a5fb46753a361e1c7454871430d7097c3b.tar.gz |
Small changes around logging in
Diffstat (limited to 'wqflask/wqflask')
-rw-r--r-- | wqflask/wqflask/templates/base.html | 6 | ||||
-rw-r--r-- | wqflask/wqflask/user_manager.py | 61 |
2 files changed, 54 insertions, 13 deletions
diff --git a/wqflask/wqflask/templates/base.html b/wqflask/wqflask/templates/base.html index 077e4705..8efba6a7 100644 --- a/wqflask/wqflask/templates/base.html +++ b/wqflask/wqflask/templates/base.html @@ -99,10 +99,10 @@ <a href="/links">Links</a> </li> <li class=""> - {% if "g.identity.name"=="anon" %} - <a id="login_out" class="modalize" href="/n/register">Sign in</a> + {% if g.user_session.logged_in %} + <a id="login_out" href="/n/logout">Sign out</a> {% else %} - <a id="login_out" href="/n/logout">Sign out</a> + <a id="login_in" href="/n/login">Sign in</a> {% endif %} </li> </ul> diff --git a/wqflask/wqflask/user_manager.py b/wqflask/wqflask/user_manager.py index 7c1761ba..a2dff7f2 100644 --- a/wqflask/wqflask/user_manager.py +++ b/wqflask/wqflask/user_manager.py @@ -23,7 +23,8 @@ from redis import StrictRedis Redis = StrictRedis() -from flask import Flask, g, render_template, url_for, request, make_response, redirect, flash +from flask import (Flask, g, render_template, url_for, request, make_response, + redirect, flash) from wqflask import app @@ -49,6 +50,37 @@ def timestamp(): + +class UserSession(object): + cookie_name = 'session_id' + + def __init__(self): + cookie = request.cookies.get(self.cookie_name) + if not cookie: + self.logged_in = False + return + else: + session_id, separator, session_id_signature = cookie.partition(':') + assert len(session_id) == 36, "Is session_id a uuid?" + assert separator == ":", "Expected a : here" + assert session_id_signature == actual_hmac_creation(session_id), "Uh-oh, someone tampering with the cookie?" + self.redis_key = "session_id:" + session_id + print("self.redis_key is:", self.redis_key) + self.session_id = session_id + self.record = Redis.hgetall(self.redis_key) + print("record is:", self.record) + self.logged_in = True + + + def delete_session(self): + # And more importantly delete the redis record + Redis.delete(self.cookie_name) + print("At end of delete_session") + +@app.before_request +def before_request(): + g.user_session = UserSession() + class UsersManager(object): def __init__(self): self.users = model.User.query.all() @@ -173,7 +205,6 @@ class RegisterUser(object): class Password(object): def __init__(self, unencrypted_password, salt, iterations, keylength, hashfunc): - print("in Password __init__ locals are:", locals()) hashfunc = getattr(hashlib, hashfunc) print("hashfunc is:", hashfunc) # On our computer it takes around 1.4 seconds in 2013 @@ -229,6 +260,7 @@ def login(): #session_id = "session_id:{}".format(login_rec.session_id) session_id_signature = actual_hmac_creation(login_rec.session_id) session_id_signed = login_rec.session_id + ":" + session_id_signature + print("session_id_signed:", session_id_signed) session = dict(login_time = time.time(), user_id = user.id, @@ -236,10 +268,12 @@ def login(): flash("Thank you for logging in.", "alert-success") - Redis.hmset("session_id:" + login_rec.session_id, session) + key = "session_id:" + login_rec.session_id + print("Key when signing:", key) + Redis.hmset(key, session) - response = make_response(redirect('/')) - response.set_cookie('session_id', session_id_signed) + response = make_response(redirect(url_for('index_page'))) + response.set_cookie(UserSession.cookie_name, session_id_signed) else: login_rec.successful = False flash("Invalid email-address or password. Please try again.", "alert-error") @@ -247,9 +281,16 @@ def login(): db_session.add(login_rec) db_session.commit() return response - - def logout(): - pass + +@app.route("/n/logout") +def logout(): + print("Logging out...") + UserSession().delete_session() + flash("You are now logged out. We hope you come back soon!") + response = make_response(redirect(url_for('index_page'))) + # Delete the cookie + response.set_cookie(UserSession.cookie_name, '', expires=0) + return response ################################# Sign and unsign ##################################### @@ -283,12 +324,12 @@ def verify_url_hmac(url): assert hm == hmac, "Unexpected url (stage 3)" -def actual_hmac_creation(url): +def actual_hmac_creation(stringy): """Helper function to create the actual hmac""" secret = app.config['SECRET_HMAC_CODE'] - hmaced = hmac.new(secret, url, hashlib.sha1) + hmaced = hmac.new(secret, stringy, hashlib.sha1) hm = hmaced.hexdigest() # "Conventional wisdom is that you don't lose much in terms of security if you throw away up to half of the output." # http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html |