Login using single signon via jab web, cleanup old stuff.

2 files changed, 80 insertions, 140 deletions

diff --git a/fbin.py b/fbin.py
index 6826bb4..a4e97e8 100755
--- a/fbin.py
+++ b/fbin.py
@@ -77,17 +77,6 @@ class Application(object):
 
 		return user
 
-	def save_user_pass(self, user, password):
-		session = db.Session()
-		try:
-			user.password = password
-			session.add(user)
-			session.commit()
-			# Avoid having to fetch user again (used by changepass)
-			session.refresh(user)
-		finally:
-			session.close()
-
 	def get_file(self, hash, update_accessed = False):
 		session = db.Session()
 		try:
@@ -146,29 +135,6 @@ class Application(object):
 			user = None
 		return user
 
-	def validate_cookie_old(self, cookie):
-		if not cookie or not 'identifier' in cookie:
-			return None
-
-		identifier = cookie['identifier'].value
-
-		if 'username' in cookie:
-			user = self.get_user_by_name(cookie['username'].value)
-			if not user:
-				return None
-			digest = hashlib.sha1(user.username + user.password).hexdigest()
-		else:
-			user = self.get_user_by_id(cookie['uid'].value)
-			if not user:
-				return None
-			digest = hashlib.sha1(str(user.id) + user.password).hexdigest()
-
-		if digest != identifier:
-			raise InvalidCookieError(user.username)
-		if not user.active:
-			raise InactiveLoginError(user.username)
-		return user
-
 	def get_file_by_file_hash(self, file_hash):
 		session = db.Session()
 		try:
@@ -341,113 +307,89 @@ class Application(object):
 	def login(self, environ, start_response, path):
 		user = self.validate_cookie(environ)
 		form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ)
-		next = form.getvalue('next')
-		if environ['REQUEST_METHOD'] != 'POST' or not 'username' in form or not 'password' in form:
-			start_response('200 OK', [('Content-Type', 'text/html')])
-			return str(templates.login(searchList = {
-				'settings': settings,
-				'user': user,
-				'error': None,
-				'next': next,
-			}))
-
-		username = form.getvalue('username')
-		password = form.getvalue('password')
-		# XXX: password_hash and the password field from the local db should probably be removed later.
-		password_hash = hashlib.sha1(password).hexdigest()
-
-		error = None
-		try:
-			token = self.jab.generate_user_token(username, password, settings.jab_identifier, settings.jab_name)
-			# If the user exists locally, both username and password must match (for migrating existing users).
-			# Otherwise, one could create a new user in jab with the same username but different password.
-			user = self.get_user(username, password_hash)
-			# Create the user if it exists in jab but not locally.
+		if not user and not 'request_token' in form and not 'verified' in form:
+			from urlparse import urljoin
+			request_token = self.jab.generate_request_token(settings.jab_identifier, settings.jab_name,
+					urljoin('%s://%s' % (environ['wsgi.url_scheme'], environ['HTTP_HOST']), environ['PATH_INFO']))
+			if isinstance(request_token, unicode):
+				request_token = request_token.encode('utf-8')
+			start_response('302 Found', [('Location', urljoin(settings.jab_web_url, 'verify/' + request_token))])
+			return []
+		if 'request_token' in form and 'verified' in form:
+			if form.getvalue('verified') == '0':
+				start_response('200 OK', [('Content-Type', 'text/html')])
+				return str(templates.login(searchList = {
+					'settings': settings,
+					'user': None,
+					'error': 'Login was declined.',
+					'loggedin': False,
+					'next': form.getvalue('next'),
+				}))
+			request_token = form.getvalue('request_token')
+			try:
+				token = self.jab.request_user_token(request_token, settings.jab_identifier, settings.jab_name)
+				jab_user = self.jab.get_user_by_token(token, settings.jab_identifier, environ['REMOTE_ADDR'])
+			except jab.client.InvalidCredentialsError:
+				start_response('200 OK', [('Content-Type', 'text/html')])
+				return str(templates.login(searchList = {
+					'settings': settings,
+					'user': None,
+					'error': 'Failed to request login: invalid token or user.',
+					'loggedin': False,
+					'next': form.getvalue('next'),
+				}))
+			# FIXME: Don't use the username as key for jab users.
+			user = self.get_user_by_name(jab_user['username'])
 			if not user:
-				user = self.add_user(username, password_hash, True)
+				user = self.add_user(jab_user['username'], None, True)
 			self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id})
-		except jab.client.InvalidCredentialsError:
-			# Check wether the user exists in our local db, then add it via jab.
-			user = self.get_user(username, password_hash)
-			if user:
-				try:
-					self.jab.add_user(username, password, None, True)
-					token = self.jab.generate_user_token(username, password, settings.jab_identifier, settings.jab_name)
-					self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id})
-				except jab.client.InvalidCredentialsError:
-					error = 'Login failed'
-			else:
-				error = 'Login failed'
-
-		if error:
-			start_response('200 OK', [('Content-Type', 'text/html')])
+			c = Cookie.SimpleCookie()
+			c['token'] = token
+			start_response('200 OK', [
+				('Content-Type', 'text/html'),
+				('Set-Cookie', c['token'].OutputString())
+			])
 			return str(templates.login(searchList = {
 				'settings': settings,
 				'user': user,
-				'error': error,
-				'next': next,
+				'error': None,
+				'loggedin': True,
+				'next': form.getvalue('next'),
 			}))
 
-		rememberme = 'rememberme' in form
-		forever = 'forever' in form
+		if user:
+			rememberme = 'rememberme' in form
+			forever = 'forever' in form
+
+			cookie = Cookie.SimpleCookie(environ['HTTP_COOKIE'])
+			token = cookie['token'].value
+			c = Cookie.SimpleCookie()
+			c['token'] = token
+
+			dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30)
+			expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT')
+			if rememberme:
+				c['token']['expires'] = expires
+				if forever:
+					c['forever'] = 1
+					c['forever']['expires'] = expires
+
+			# FIXME: This field is lost when we redirect to jab.
+			next = form.getvalue('next')
+			headers = [
+				('Location', next if next else (settings.virtual_root + 'u')),
+				('Set-Cookie', c['token'].OutputString())]
+			if 'forever' in c:
+				headers.append(('Set-Cookie', c['forever'].OutputString()))
+			start_response('302 Found', headers)
+			return []
 
-		c = Cookie.SimpleCookie()
-		c['token'] = token
-
-		dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30)
-		expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT')
-		if rememberme:
-			c['token']['expires'] = expires
-			if forever:
-				c['forever'] = 1
-				c['forever']['expires'] = expires
-
-		headers = [
-			('Location', next if next else (settings.virtual_root + 'u')),
-			('Set-Cookie', c['token'].OutputString())]
-		if 'forever' in c:
-			headers.append(('Set-Cookie', c['forever'].OutputString()))
-		start_response('302 Found', headers)
+		start_response('404 Not Found', [])
 		return []
 
 	def register(self, environ, start_response, path):
 		start_response('302 Found', [('Location', settings.jab_web_url + 'register')])
 		return []
-		if not settings.allow_registration:
-			start_response('403 Forbidden', [('Content-Type', 'text/plain')])
-			return ['Registrations are disabled by the administrator.']
-
-		user = self.validate_cookie(environ)
-		form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ)
-		if environ['REQUEST_METHOD'] != 'POST' or not 'username' in form or not 'password' in form or not 'password2' in form:
-			start_response('200 OK', [('Content-Type', 'text/html')])
-			return str(templates.register(searchList = {
-				'settings': settings,
-				'user': user,
-				'error': None,
-			}))
-
-		username = form.getvalue('username')
-		password = form.getvalue('password')
-		password2 = form.getvalue('password2')
-		if password != password2:
-			start_response('200 OK', [('Content-Type', 'text/html')])
-			return str(templates.register(searchList = {
-				'settings': settings,
-				'user': user,
-				'error': 'Passwords doesn\'t match',
-			}))
-
-		user = self.add_user(username, hashlib.sha1(password).hexdigest(), settings.create_active_users)
-		if not user:
-			start_response('200 OK', [('Content-Type', 'text/html')])
-			return str(templates.register(searchList = {
-				'settings': settings,
-				'user': None,
-				'error': 'Username already taken.',
-			}))
-
-		return self.redirect(environ, start_response, 'l')
 
 	def logout(self, environ, start_response, path):
 		c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None)
@@ -459,17 +401,11 @@ class Application(object):
 
 		c = Cookie.SimpleCookie()
 		expires = datetime.datetime.utcfromtimestamp(0).strftime('%a, %d-%b-%y %H:%M:%S GMT')
-		c['uid'] = 0
-		c['uid']['expires'] = expires
-		c['identifier'] = ''
-		c['identifier']['expires'] = expires
 		c['forever'] = 0
 		c['forever']['expires'] = expires
 		c['token'] = 0
 		c['token']['expires'] = expires
 		start_response('302 Found', [
-			('Set-Cookie', c['uid'].OutputString()),
-			('Set-Cookie', c['identifier'].OutputString()),
 			('Set-Cookie', c['forever'].OutputString()),
 			('Set-Cookie', c['token'].OutputString()),
 			('Location', settings.virtual_root)])
diff --git a/templates/login.tmpl b/templates/login.tmpl
index af2f955..505a885 100644
--- a/templates/login.tmpl
+++ b/templates/login.tmpl
@@ -4,17 +4,21 @@
 #def content
 #set error = $error or ''
 		<div class="error">$error</div>
+#if $loggedin
+		<p>You are now logged in as $user.username.
+		To change your session settings, please use the form below.
+		Or <a href="${settings.virtual_root}u">return to the upload page</a>.
+		</p>
+#end if
+#if $user
 		<form method="post" action="${settings.virtual_root}l">
 #if next
 			<input type="hidden" name="next" value="$next" />
 #end if
-			<p>username</p>
-			<p><input type="text" id="username" name="username" /></p>
-			<p>password</p>
-			<p><input type="password" id="password" name="password" /></p>
-			<p><input type="checkbox" id="rememberme" name="rememberme" checked="checked" />
+			<p><input type="checkbox" id="rememberme" name="rememberme" />
 			<label for="rememberme"> remember me</label></p>
 			<p><input type="checkbox" id="forever" name="forever" /><label for="forever"> .. forever</label></p>
-			<p><input type="submit" value="Login" /></p>
+			<p><input type="submit" value="Update" /></p>
 		</form>
+#end if
 #end def