src/web/auth.py

   1 #!/usr/bin/python
   2
   3 import logging
   4 import tornado.web
   5
   6 from . import base
   7
   8 class AuthenticationMixin(object):
   9         def login(self, username, password):
  10                 # Find account
  11                 account = self.backend.accounts.find_account(username)
  12                 if not account:
  13                         raise tornado.web.HTTPError(401, "Unknown user: %s" % username)
  14
  15                 # Check credentials
  16                 if not account.check_password(password):
  17                         raise tornado.web.HTTPError(401, "Invalid password for %s" % account)
  18
  19                 # User has logged in, create a session
  20                 session_id, session_expires = self.backend.accounts.create_session(
  21                         account, self.request.host)
  22
  23                 # Check if a new session was created
  24                 if not session_id:
  25                         raise tornado.web.HTTPError(500, "Could not create session")
  26
  27                 # Send session cookie to the client
  28                 self.set_cookie("session_id", session_id,
  29                         domain=self.request.host, expires=session_expires)
  30
  31         def logout(self):
  32                 session_id = self.get_cookie("session_id")
  33                 if not session_id:
  34                         return
  35
  36                 success = self.backend.accounts.destroy_session(session_id, self.request.host)
  37                 if success:
  38                         self.clear_cookie("session_id")
  39
  40
  41 class LoginHandler(AuthenticationMixin, base.BaseHandler):
  42         @base.blacklisted
  43         def get(self):
  44                 next = self.get_argument("next", None)
  45
  46                 self.render("auth/login.html", next=next)
  47
  48         @base.blacklisted
  49         def post(self):
  50                 username = self.get_argument("username")
  51                 password = self.get_argument("password")
  52
  53                 with self.db.transaction():
  54                         self.login(username, password)
  55
  56                 # Determine the page we should redirect to
  57                 next = self.get_argument("next", None)
  58
  59                 return self.redirect(next or "/")
  60
  61
  62 class LogoutHandler(AuthenticationMixin, base.BaseHandler):
  63         def get(self):
  64                 with self.db.transaction():
  65                         self.logout()
  66
  67                 # Get back to the start page
  68                 self.redirect("/")
  69
  70
  71 class RegisterHandler(base.BaseHandler):
  72         @base.blacklisted
  73         def get(self):
  74                 self.render("auth/register.html")
  75
  76         @base.blacklisted
  77         def post(self):
  78                 uid   = self.get_argument("uid")
  79                 email = self.get_argument("email")
  80
  81                 first_name = self.get_argument("first_name")
  82                 last_name  = self.get_argument("last_name")
  83
  84                 # Register account
  85                 with self.db.transaction():
  86                         self.backend.accounts.create(uid, email,
  87                                 first_name=first_name, last_name=last_name)
  88
  89                 self.render("auth/register-success.html")
  90
  91
  92 class CacheMixin(object):
  93         def prepare(self):
  94                 # Mark this as private when someone is logged in
  95                 if self.current_user:
  96                         self.add_header("Cache-Control", "private")
  97
  98                 self.add_header("Vary", "Cookie")