authorJon Bergli Heier <snakebite@jvnv.net>2014-02-10 21:29:02 +0100
committerJon Bergli Heier <snakebite@jvnv.net>2014-02-10 21:29:02 +0100
commitdf5f964245d3d32c3c5cc56eb292f9aedc74572c (patch)
tree53ecca06dc498016fcca951f8e799a82511536f6
parent56b9d3f4221fa8bf5679ba78731b92aacea50a4d (diff)
Use jab id instead of username as user key.
-rw-r--r--db.py9
-rwxr-xr-xfbin.py50
2 files changed, 24 insertions, 35 deletions
diff --git a/db.py b/db.py
index fc2db63..dd24204 100644
--- a/db.py
+++ b/db.py
@@ -15,15 +15,12 @@ class User(Base):
id = Column(Integer, primary_key = True)
username = Column(String, unique = True, index = True)
- password = Column(String)
- last_login = Column(DateTime)
- active = Column(Boolean, nullable = False)
+ jab_id = Column(String(12), unique = True, index = True)
files = relation('File', backref = 'user', order_by = 'File.date.desc()')
- def __init__(self, username, password, active):
+ def __init__(self, username, jab_id):
self.username = username
- self.password = password
- self.active = active
+ self.jab_id = jab_id
class File(Base):
__tablename__ = 'files'
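Review bot: The new `jab_id` column becomes the identity key for users but is declared without `nullable = False`, so rows can exist with a NULL jab_id, and most databases accept several NULLs under a unique index. Rows created before this change would have no jab_id at all, and nothing in the visible diff backfills them. I would declare it as `jab_id = Column(String(12), unique = True, index = True, nullable = False)` and ship a migration alongside it. The length of 12 presumably matches the format of the jab `_id` value; that is worth confirming against the jab service, because some backends silently truncate over-long strings.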
diff --git a/fbin.py b/fbin.py
index b4ccdae..7339a26 100755
--- a/fbin.py
+++ b/fbin.py
@@ -33,21 +33,26 @@ class FileUploadFieldStorage(cgi.FieldStorage):
return tempfile.NamedTemporaryFile(prefix = 'upload_', dir = settings.file_directory, delete = False)
class Application(object):
- def get_user(self, username, password):
+ def get_or_create_user(self, username, jab_id):
session = db.Session()
try:
- user = session.query(db.User).filter(db.and_(db.User.username == username, db.User.password == password)).one()
+ return session.query(db.User).filter(db.User.jab_id == jab_id).one()
except db.NoResultFound:
- return None
+ try:
+ user = db.User(username, jab_id)
+ session.add(user)
+ session.commit()
+ session.refresh(user)
+ return user
+ except db.IntegrityError:
+ return None
finally:
session.close()
- return user
-
- def get_user_by_name(self, username):
+ def get_user_by_jab_id(self, jab_id):
session = db.Session()
try:
- return session.query(db.User).filter(db.User.username == username).one()
+ return session.query(db.User).filter(db.User.jab_id == jab_id).one()
except db.NoResultFound:
return None
finally:
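Review bot: The `except db.IntegrityError` branch in get_or_create_user returns None for two different situations: a concurrent first login that inserted the same jab_id a moment earlier, and a username that already exists on another row, since `username` is still `unique = True` in db.py. The first case is a legitimate user and can be resolved by re-reading the row, for example `session.rollback()` followed by `return session.query(db.User).filter(db.User.jab_id == jab_id).first()`. The second case means a pre-existing row without a jab_id, or an account renamed upstream, ends in the 500 returned by the login handler in the later hunk at -338. Dropping the uniqueness on username, or refreshing the stored username on lookup, would avoid that lock-out. The body of get_user_by_jab_id continues past the end of this hunk.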
@@ -62,21 +67,6 @@ class Application(object):
finally:
session.close()
- def add_user(self, username, password, active):
- session = db.Session()
- try:
- user = db.User(username, password, active)
- session.add(user)
- session.commit()
- # Refresh so we can fetch the id.
- session.refresh(user)
- except db.IntegrityError:
- return None
- finally:
- session.close()
-
- return user
-
def get_file(self, hash, update_accessed = False):
session = db.Session()
try:
@@ -338,10 +328,10 @@ class Application(object):
'loggedin': False,
'next': form.getvalue('next'),
}))]
- # FIXME: Don't use the username as key for jab users.
- user = self.get_user_by_name(jab_user['username'])
+ user = self.get_or_create_user(jab_user['username'], jab_user['_id'])
if not user:
- user = self.add_user(jab_user['username'], None, True)
+ start_response('500 Internal Server Error', [])
+ return []
self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id})
c = Cookie.SimpleCookie()
c['token'] = token
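Review bot: The `if not user:` branch answers with a bare 500, an empty header list and an empty body, and writes nothing to a log, so an account-mapping failure cannot be told apart from any other server fault. I would record the jab `_id` and username through whatever logging the application already uses before the `start_response('500 Internal Server Error', [])` line. `jab_user['_id']` is also read without a check, so a response from jab that lacks the key would raise KeyError here; whether that is caught further up is not visible in this hunk, and the enclosing handler starts and ends outside it.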
@@ -538,11 +528,13 @@ class Application(object):
]
data['status'] = True
elif method == 'get_token':
- user = self.get_user(form['username'].value, hashlib.sha1(form['password'].value).hexdigest())
- if not user:
- return error('Invalid credentials')
try:
- token = self.jab.generate_user_token(form['username'].value, form['password'].value, settings.jab_identifier, '%s (API)' % settings.jab_name, {'user_id': user.id})
+ token = self.jab.generate_user_token(form['username'].value, form['password'].value, settings.jab_identifier, '%s (API)' % settings.jab_name)
+ jab_user = self.jab.get_user_by_token(token, settings.jab_identifier, environ['REMOTE_ADDR'])
+ user = self.get_or_create_user(jab_user['username'], jab_user['_id'])
+ if not user:
+ return error('Error fetching user data')
+ self.jab.set_token_data(token, settings.jab_identifier, {'user_id': user.id})
except:
return error('Invalid credentials')
data['token'] = token
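Review bot: The bare `except:` now wraps the user lookup and `set_token_data` as well as the credential check, so a KeyError on `jab_user['_id']`, a database error or a jab outage is reported to the API client as 'Invalid credentials'. That hides real faults and makes failed-login counts unreliable for monitoring. I would keep only the `generate_user_token` call inside the try, catch the specific exception jab raises for bad credentials, and run the lookup and `set_token_data` after it. Note also that when get_or_create_user returns None the token has already been issued and is left without `user_id` data; whether jab offers a way to revoke it is not visible here.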