Refactor login provider

0d57810b · Mark · e48dc5d4 · 0d57810b
Verified Commit 0d57810b authored 5 years ago by Mark
--- a/login_provider/app.py
+++ b/login_provider/app.py
@@ -39,13 +39,10 @@ def login():
    elif login_form.validate_on_submit():
        challenge = login_form.challenge.data

+    # Now that we have the challenge id, we can request the challenge object from the hydra
+    # admin API
    try:
        login_request = HYDRA.login_request(challenge)
-        if login_request.skip:
-            # Skip, if true, let's us know that Hydra has successfully authenticated the user
-            # we should not show any UI and accept the request right away
-            app.logger.info("{0} is already logged in. Skip authentication".format(login_request.subject))
-            return redirect(login_request(challenge).accept(login_request.subject))
    except hydra_client.exceptions.NotFound:
        app.logger.error("Not Found. Login request not found. challenge={0}".format(challenge))
        abort(404)
@@ -53,6 +50,9 @@ def login():
        app.logger.error("Conflict. Login request has been used already. challenge={0}".format(challenge))
        abort(503)

+    # We need to decide here whether we want to accept or decline the login request.
+    # if a login form was submitted, we need to confirm that the userdata, the agent
+    # send us via POST is valid
    if login_form.validate_on_submit():
        try:
            user = User(login_form.username.data)
@@ -71,6 +71,16 @@ def login():
                error_description="Invalid username or password")
            app.logger.info("{0} failed to login".format(user.username))
        return redirect(redirect_to)
+
+    # Skip, if true, let's us know that Hydra has already successfully authenticated
+    # the user. we don't need to check anything and we can accept the request right away.
+    elif login_request.skip:
+        app.logger.info("{0} is already logged in. Skip authentication".format(login_request.subject))
+        return redirect(login_request(challenge).accept(login_request.subject))
+
+    # If Skip is not true and the user has not submitted any data via a form, we need
+    # to display a login form for the user to type in their username and password.
+    # as a reference we save the challenge id in a hidden field of the form.
    else:
        login_form.challenge.data = challenge
        return render_template('login.html', login_form=login_form)