canaille-globuzma/canaille/core/endpoints/auth.py

from flask import Blueprint
from flask import abort
from flask import current_app
from flask import flash
from flask import redirect
from flask import request
from flask import session
from flask import url_for

from canaille.app import build_hash
from canaille.app.flask import current_user
from canaille.app.flask import login_user
from canaille.app.flask import logout_user
from canaille.app.flask import smtp_needed
from canaille.app.i18n import gettext as _
from canaille.app.themes import render_template
from canaille.backends import BaseBackend

from ..mails import send_password_initialization_mail
from ..mails import send_password_reset_mail
from .forms import FirstLoginForm
from .forms import ForgottenPasswordForm
from .forms import LoginForm
from .forms import PasswordForm
from .forms import PasswordResetForm

bp = Blueprint("auth", __name__)


@bp.route("/login", methods=("GET", "POST"))
def login():
    if current_user():
        return redirect(
            url_for("core.account.profile_edition", edited_user=current_user())
        )

    form = LoginForm(request.form or None)
    form.render_field_macro_file = "partial/login_field.html"
    form["login"].render_kw["placeholder"] = BaseBackend.get().login_placeholder()

    if not request.form or form.form_control():
        return render_template("login.html", form=form)

    user = BaseBackend.get().get_user_from_login(form.login.data)
    if user and not user.has_password():
        return redirect(url_for("core.auth.firstlogin", user=user))

    if not form.validate():
        logout_user()
        flash(_("Login failed, please check your information"), "error")
        return render_template("login.html", form=form)

    session["attempt_login"] = form.login.data
    return redirect(url_for("core.auth.password"))


@bp.route("/password", methods=("GET", "POST"))
def password():
    if current_user():
        return redirect(
            url_for("core.account.profile_edition", edited_user=current_user())
        )

    if "attempt_login" not in session:
        flash(_("Cannot remember the login you attempted to sign in with"), "warning")
        return redirect(url_for("core.auth.login"))

    form = PasswordForm(request.form or None)
    form.render_field_macro_file = "partial/login_field.html"

    if not request.form or form.form_control():
        return render_template(
            "password.html", form=form, username=session["attempt_login"]
        )

    user = BaseBackend.get().get_user_from_login(session["attempt_login"])
    if user and not user.has_password():
        return redirect(url_for("core.auth.firstlogin", user=user))

    if not form.validate() or not user:
        logout_user()
        flash(_("Login failed, please check your information"), "error")
        return render_template(
            "password.html", form=form, username=session["attempt_login"]
        )

    success, message = BaseBackend.get().check_user_password(user, form.password.data)
    request_ip = request.remote_addr or "unknown IP"
    if not success:
        logout_user()
        current_app.logger.info(
            f'Failed login attempt for {session["attempt_login"]} from {request_ip}'
        )
        flash(message or _("Login failed, please check your information"), "error")
        return render_template(
            "password.html", form=form, username=session["attempt_login"]
        )

    current_app.logger.info(
        f'Succeed login attempt for {session["attempt_login"]} from {request_ip}'
    )
    del session["attempt_login"]
    login_user(user)
    flash(
        _("Connection successful. Welcome %(user)s", user=user.formatted_name),
        "success",
    )
    return redirect(session.pop("redirect-after-login", url_for("core.account.index")))


@bp.route("/logout")
def logout():
    user = current_user()

    if user:
        request_ip = request.remote_addr or "unknown IP"
        current_app.logger.info(f"Logout {user.identifier} from {request_ip}")

        flash(
            _(
                "You have been disconnected. See you next time %(user)s",
                user=user.formatted_name,
            ),
            "success",
        )
        logout_user()
    return redirect("/")


@bp.route("/firstlogin/<user:user>", methods=("GET", "POST"))
def firstlogin(user):
    if user.has_password():
        abort(404)

    form = FirstLoginForm(request.form or None)
    if not request.form:
        return render_template("firstlogin.html", form=form, user=user)

    form.validate()

    statuses = [send_password_initialization_mail(user, email) for email in user.emails]
    success = all(statuses)
    if success:
        flash(
            _(
                "A password initialization link has been sent at your email address. "
                "You should receive it within a few minutes."
            ),
            "success",
        )
    else:
        flash(_("Could not send the password initialization email"), "error")

    return render_template("firstlogin.html", form=form)


@bp.route("/reset", methods=["GET", "POST"])
@smtp_needed()
def forgotten():
    if not current_app.config["CANAILLE"]["ENABLE_PASSWORD_RECOVERY"]:
        abort(404)

    form = ForgottenPasswordForm(request.form)
    if not request.form:
        return render_template("forgotten-password.html", form=form)

    if not form.validate():
        flash(_("Could not send the password reset link."), "error")
        return render_template("forgotten-password.html", form=form)

    user = BaseBackend.get().get_user_from_login(form.login.data)
    success_message = _(
        "A password reset link has been sent at your email address. "
        "You should receive it within a few minutes."
    )
    if current_app.config["CANAILLE"]["HIDE_INVALID_LOGINS"] and (
        not user or not user.can_edit_self
    ):
        flash(success_message, "success")
        return render_template("forgotten-password.html", form=form)

    if not user.can_edit_self:
        flash(
            _(
                "The user '%(user)s' does not have permissions to update their password. "
                "We cannot send a password reset email.",
                user=user.formatted_name,
            ),
            "error",
        )
        return render_template("forgotten-password.html", form=form)

    statuses = [send_password_reset_mail(user, email) for email in user.emails]
    success = all(statuses)

    if success:
        flash(success_message, "success")
    else:
        flash(
            _("We encountered an issue while we sent the password recovery email."),
            "error",
        )

    return render_template("forgotten-password.html", form=form)


@bp.route("/reset/<user:user>/<hash>", methods=["GET", "POST"])
def reset(user, hash):
    if not current_app.config["CANAILLE"]["ENABLE_PASSWORD_RECOVERY"]:
        abort(404)

    form = PasswordResetForm(request.form)
    hashes = {
        build_hash(
            user.identifier,
            email,
            user.password if user.has_password() else "",
        )
        for email in user.emails
    }
    if not user or hash not in hashes:
        flash(
            _("The password reset link that brought you here was invalid."),
            "error",
        )
        return redirect(url_for("core.account.index"))

    if request.form and form.validate():
        BaseBackend.get().set_user_password(user, form.password.data)
        login_user(user)

        flash(_("Your password has been updated successfully"), "success")
        return redirect(
            session.pop(
                "redirect-after-login",
                url_for("core.account.profile_edition", edited_user=user),
            )
        )

    return render_template("reset-password.html", form=form, user=user, hash=hash)
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from flask import Blueprint`
			`from flask import abort`
			`from flask import current_app`
			`from flask import flash`
			`from flask import redirect`
			`from flask import request`
			`from flask import session`
			`from flask import url_for`

refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`from canaille.app import build_hash`
			`from canaille.app.flask import current_user`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`from canaille.app.flask import login_user`
			`from canaille.app.flask import logout_user`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`from canaille.app.flask import smtp_needed`
feat: flask-babel and pytz are now part of the front extras 2023-09-01 08:46:56 +00:00			`from canaille.app.i18n import gettext as _`
feat: split installation in different extras packages 2023-08-16 15:14:11 +00:00			`from canaille.app.themes import render_template`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`from canaille.backends import BaseBackend`

refactor: gather endpoints in a 'endpoints' directory 2023-12-25 23:23:47 +00:00			`from ..mails import send_password_initialization_mail`
			`from ..mails import send_password_reset_mail`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`from .forms import FirstLoginForm`
			`from .forms import ForgottenPasswordForm`
			`from .forms import LoginForm`
			`from .forms import PasswordForm`
			`from .forms import PasswordResetForm`

			`bp = Blueprint("auth", __name__)`


			`@bp.route("/login", methods=("GET", "POST"))`
			`def login():`
			`if current_user():`
			`return redirect(`
			`url_for("core.account.profile_edition", edited_user=current_user())`
			`)`

			`form = LoginForm(request.form or None)`
			`form.render_field_macro_file = "partial/login_field.html"`
			`form["login"].render_kw["placeholder"] = BaseBackend.get().login_placeholder()`

			`if not request.form or form.form_control():`
			`return render_template("login.html", form=form)`

refactor: move User.get_from_login method to Backend 2024-04-07 17:56:52 +00:00			`user = BaseBackend.get().get_user_from_login(form.login.data)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`if user and not user.has_password():`
			`return redirect(url_for("core.auth.firstlogin", user=user))`

			`if not form.validate():`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`logout_user()`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`flash(_("Login failed, please check your information"), "error")`
			`return render_template("login.html", form=form)`

			`session["attempt_login"] = form.login.data`
			`return redirect(url_for("core.auth.password"))`


			`@bp.route("/password", methods=("GET", "POST"))`
			`def password():`
feat: additional messages on password endpoint errors when attempt_login is not found on the session, add a warning to be displayed on the login page after redirection 2024-04-09 07:20:38 +00:00			`if current_user():`
			`return redirect(`
			`url_for("core.account.profile_edition", edited_user=current_user())`
			`)`

refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`if "attempt_login" not in session:`
feat: additional messages on password endpoint errors when attempt_login is not found on the session, add a warning to be displayed on the login page after redirection 2024-04-09 07:20:38 +00:00			`flash(_("Cannot remember the login you attempted to sign in with"), "warning")`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`return redirect(url_for("core.auth.login"))`

			`form = PasswordForm(request.form or None)`
			`form.render_field_macro_file = "partial/login_field.html"`

			`if not request.form or form.form_control():`
			`return render_template(`
			`"password.html", form=form, username=session["attempt_login"]`
			`)`

refactor: move User.get_from_login method to Backend 2024-04-07 17:56:52 +00:00			`user = BaseBackend.get().get_user_from_login(session["attempt_login"])`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`if user and not user.has_password():`
			`return redirect(url_for("core.auth.firstlogin", user=user))`

			`if not form.validate() or not user:`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`logout_user()`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`flash(_("Login failed, please check your information"), "error")`
			`return render_template(`
			`"password.html", form=form, username=session["attempt_login"]`
			`)`

refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`success, message = BaseBackend.get().check_user_password(user, form.password.data)`
feat: sign in/out events are logged in #177 2024-04-09 08:04:26 +00:00			`request_ip = request.remote_addr or "unknown IP"`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`if not success:`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`logout_user()`
feat: sign in/out events are logged in #177 2024-04-09 08:04:26 +00:00			`current_app.logger.info(`
			`f'Failed login attempt for {session["attempt_login"]} from {request_ip}'`
			`)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`flash(message or _("Login failed, please check your information"), "error")`
			`return render_template(`
			`"password.html", form=form, username=session["attempt_login"]`
			`)`

feat: sign in/out events are logged in #177 2024-04-09 08:04:26 +00:00			`current_app.logger.info(`
			`f'Succeed login attempt for {session["attempt_login"]} from {request_ip}'`
			`)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`del session["attempt_login"]`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`login_user(user)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`flash(`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`_("Connection successful. Welcome %(user)s", user=user.formatted_name),`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`"success",`
			`)`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`return redirect(session.pop("redirect-after-login", url_for("core.account.index")))`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00

			`@bp.route("/logout")`
			`def logout():`
			`user = current_user()`

			`if user:`
feat: sign in/out events are logged in #177 2024-04-09 08:04:26 +00:00			`request_ip = request.remote_addr or "unknown IP"`
			`current_app.logger.info(f"Logout {user.identifier} from {request_ip}")`

refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`flash(`
			`_(`
			`"You have been disconnected. See you next time %(user)s",`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`user=user.formatted_name,`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`),`
			`"success",`
			`)`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`logout_user()`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`return redirect("/")`


			`@bp.route("/firstlogin/<user:user>", methods=("GET", "POST"))`
			`def firstlogin(user):`
			`if user.has_password():`
			`abort(404)`

			`form = FirstLoginForm(request.form or None)`
			`if not request.form:`
			`return render_template("firstlogin.html", form=form, user=user)`

			`form.validate()`

fix: password and initalization emails were only sent to the preferred user email address 2023-11-28 16:59:50 +00:00			`statuses = [send_password_initialization_mail(user, email) for email in user.emails]`
			`success = all(statuses)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`if success:`
			`flash(`
			`_(`
			`"A password initialization link has been sent at your email address. "`
			`"You should receive it within a few minutes."`
			`),`
			`"success",`
			`)`
			`else:`
			`flash(_("Could not send the password initialization email"), "error")`

			`return render_template("firstlogin.html", form=form)`


			`@bp.route("/reset", methods=["GET", "POST"])`
			`@smtp_needed()`
			`def forgotten():`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`if not current_app.config["CANAILLE"]["ENABLE_PASSWORD_RECOVERY"]:`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`abort(404)`

			`form = ForgottenPasswordForm(request.form)`
			`if not request.form:`
			`return render_template("forgotten-password.html", form=form)`

			`if not form.validate():`
			`flash(_("Could not send the password reset link."), "error")`
			`return render_template("forgotten-password.html", form=form)`

refactor: move User.get_from_login method to Backend 2024-04-07 17:56:52 +00:00			`user = BaseBackend.get().get_user_from_login(form.login.data)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`success_message = _(`
			`"A password reset link has been sent at your email address. "`
			`"You should receive it within a few minutes."`
			`)`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`if current_app.config["CANAILLE"]["HIDE_INVALID_LOGINS"] and (`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`not user or not user.can_edit_self`
			`):`
			`flash(success_message, "success")`
			`return render_template("forgotten-password.html", form=form)`

			`if not user.can_edit_self:`
			`flash(`
			`_(`
			`"The user '%(user)s' does not have permissions to update their password. "`
			`"We cannot send a password reset email.",`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`user=user.formatted_name,`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`),`
			`"error",`
			`)`
			`return render_template("forgotten-password.html", form=form)`

fix: password and initalization emails were only sent to the preferred user email address 2023-11-28 16:59:50 +00:00			`statuses = [send_password_reset_mail(user, email) for email in user.emails]`
			`success = all(statuses)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00
			`if success:`
			`flash(success_message, "success")`
			`else:`
			`flash(`
			`_("We encountered an issue while we sent the password recovery email."),`
			`"error",`
			`)`

			`return render_template("forgotten-password.html", form=form)`


			`@bp.route("/reset/<user:user>/<hash>", methods=["GET", "POST"])`
			`def reset(user, hash):`
feat: use pydantic to validate the configuration 2023-12-18 17:06:03 +00:00			`if not current_app.config["CANAILLE"]["ENABLE_PASSWORD_RECOVERY"]:`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`abort(404)`

			`form = PasswordResetForm(request.form)`
			`hashes = {`
			`build_hash(`
			`user.identifier,`
			`email,`
fix: only the first password letter was used 2023-11-28 14:51:14 +00:00			`user.password if user.has_password() else "",`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00			`)`
			`for email in user.emails`
			`}`
			`if not user or hash not in hashes:`
			`flash(`
			`_("The password reset link that brought you here was invalid."),`
			`"error",`
			`)`
			`return redirect(url_for("core.account.index"))`

			`if request.form and form.validate():`
refactor: move User.check_password and User.set_password methods to Backend 2024-04-07 18:12:13 +00:00			`BaseBackend.get().set_user_password(user, form.password.data)`
refactor: User.login and User.logout methods moved to app.flask module 2023-08-23 12:56:56 +00:00			`login_user(user)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00
			`flash(_("Your password has been updated successfully"), "success")`
fix: redirection after password reset 2023-12-15 15:12:33 +00:00			`return redirect(`
			`session.pop(`
			`"redirect-after-login",`
			`url_for("core.account.profile_edition", edited_user=user),`
			`)`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`)`
refactor: extract auth.py from account.py 2023-08-14 14:15:41 +00:00
			`return render_template("reset-password.html", form=form, user=user, hash=hash)`