From 880fd1324d61732cfc1371abb7f9a46b5a6092ac Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 4 Nov 2019 09:34:23 +0000
Subject: [PATCH] people: Simplify SSO process for Discourse
Signed-off-by: Michael Tremer
---
 src/web/people.py | 59 ++++++++++++-----------------------------------
 1 file changed, 15 insertions(+), 44 deletions(-)
diff --git a/src/web/people.py b/src/web/people.py
index 7f49cdfd..d7a8675d 100644
--- a/src/web/people.py
+++ b/src/web/people.py
@@ -298,47 +298,45 @@ class UserPasswdHandler(auth.CacheMixin, base.BaseHandler):
 class SSODiscourse(auth.CacheMixin, base.BaseHandler):
- def _get_discourse_params(self):
+ @base.ratelimit(minutes=24*60, requests=100)
+ @tornado.web.authenticated
+ def get(self):
 # Fetch Discourse's parameters
 sso = self.get_argument("sso")
 sig = self.get_argument("sig")
 # Decode payload
 try:
- return self.accounts.decode_discourse_payload(sso, sig)
+ params = self.accounts.decode_discourse_payload(sso, sig)
 # Raise bad request if the signature is invalid
 except ValueError:
 raise tornado.web.HTTPError(400)
- def _redirect_user_to_discourse(self, account, nonce, return_sso_url):
- """
- Redirects the user back to Discourse passing some
- attributes of the user account to Discourse
- """
+ # Redirect back if user is already logged in
 args = {
- "nonce" : nonce,
- "external_id" : account.uid,
+ "nonce" : params.get("nonce"),
+ "external_id" : self.current_user.uid,
 # Pass email address
- "email" : account.email,
+ "email" : self.current_user.email,
 "require_activation" : "false",
 # More details about the user
- "username" : account.uid,
- "name" : "%s" % account,
- "bio" : account.description or "",
+ "username" : self.current_user.uid,
+ "name" : "%s" % self.current_user,
+ "bio" : self.current_user.description or "",
 # Avatar
- "avatar_url" : account.avatar_url(),
+ "avatar_url" : self.current_user.avatar_url(),
 "avatar_force_update" : "true",
 # Send a welcome message
 "suppress_welcome_message" : "false",
 # Group memberships
- "admin" : "true" if account.is_admin() else "false",
- "moderator" : "true" if account.is_moderator() else "false",
+ "admin" : "true" if self.current_user.is_admin() else "false",
+ "moderator" : "true" if self.current_user.is_moderator() else "false",
 }
 # Format payload and sign it
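Review bot: `params.get("nonce")` in the new args dict (and `params.get("return_sso_url")` in the second hunk) silently substitutes `None` when the decoded payload lacks the key, so a malformed-but-validly-signed payload would most likely be answered with a signed response carrying the text `None` instead of a 400; the removed `**params` unpacking at least failed loudly. The decoded payload should be treated as untrusted structure and both required keys checked once, right after the `except ValueError` block: `if "nonce" not in params or "return_sso_url" not in params: raise tornado.web.HTTPError(400)`. That single check also covers the redirect line in the second hunk, which can then use plain indexing. `get` continues past the end of this hunk.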
@@ -351,34 +349,7 @@ class SSODiscourse(auth.CacheMixin, base.BaseHandler):
 })
 # Redirect user
- self.redirect("%s?%s" % (return_sso_url, qs))
-
- @base.ratelimit(minutes=24*60, requests=100)
- def get(self):
- params = self._get_discourse_params()
-
- # Redirect back if user is already logged in
- if self.current_user:
- return self._redirect_user_to_discourse(self.current_user, **params)
-
- # Otherwise the user needs to authenticate
- self.render("auth/login.html", next=None)
-
- @base.ratelimit(minutes=24*60, requests=100)
- def post(self):
- params = self._get_discourse_params()
-
- # Get credentials
- username = self.get_argument("username")
- password = self.get_argument("password")
-
- # Check credentials
- account = self.accounts.auth(username, password)
- if not account:
- raise tornado.web.HTTPError(401, "Unknown user or invalid password: %s" % username)
-
- # If the user has been authenticated, we will redirect to Discourse
- self._redirect_user_to_discourse(account, **params)
+ self.redirect("%s?%s" % (params.get("return_sso_url"), qs))
 class NewAccountsModule(ui_modules.UIModule):
-- 
2.47.3
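Review bot: The destination on the new `self.redirect(...)` line is taken straight from the request payload, so its safety rests entirely on the signature check that `decode_discourse_payload` is presumed to perform (the `except ValueError` in the first hunk suggests it does); nothing in this hunk constrains where the logged-in user is sent. A comment above the line, `# return_sso_url is trusted only because the payload signature verified above`, would make that dependency explicit, and if the handler has access to the configured Discourse base URL it is cheap to compare scheme and host before redirecting. Dropping `post` also means unauthenticated visitors are now bounced by `@tornado.web.authenticated` with the current URI as `next`; that round trip only works if the login handler forwards the query string (sso and sig) intact, otherwise the return visit fails at `get_argument("sso")`. `get` begins before this hunk, and `qs` is built outside it.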