from flask import abort, Flask, redirect, request, render_template
from os import urandom, environ
from hydra_client import HydraAdmin
import hydra_client
from db import User, BackendConnectionError
from forms import LoginForm
import logging
HYDRA_ADMIN_URL = environ['HYDRA_ADMIN_URL']
HYDRA = HydraAdmin(HYDRA_ADMIN_URL)
app = Flask(__name__)
app.config['SECRET_KEY'] = urandom(16)
app.debug = True if "FLASK_ENV" in environ and environ["FLASK_ENV"] == "development" else False
app.logger.setLevel(logging.INFO)
@app.route('/login', methods=['GET', 'POST'])
def login():
"""Provides login form and handles login attempt
Args:
login_form: contains login data submitted by a user (POST)
challenge: id that identifies the request from oauth client. passed by hydra
Returns:
Error page if no challenge id is present
or Login Form if user hasn't authenticated
or redirect to callback url provided by hydra if login was successful
"""
login_form = LoginForm()
redirect_to = None
# Retrieve the challenge id from the request. Depending on the method it is saved in the
# form (POST) or in a GET variable.
if request.method == 'GET':
challenge = request.args.get("login_challenge")
if not challenge:
return abort(400)
elif login_form.validate_on_submit():
challenge = login_form.challenge.data
# Now that we have the challenge id, we can request the challenge object from the hydra
# admin API
try:
login_request = HYDRA.login_request(challenge)
except hydra_client.exceptions.NotFound:
app.logger.error("Not Found. Login request not found. challenge={0}".format(challenge))
abort(404)
except hydra_client.exceptions.HTTPError:
app.logger.error("Conflict. Login request has been used already. challenge={0}".format(challenge))
abort(503)
# We need to decide here whether we want to accept or decline the login request.
# if a login form was submitted, we need to confirm that the userdata, the agent
# send us via POST is valid
if login_form.validate_on_submit():
try:
user = User(login_form.username.data)
except BackendConnectionError as error:
app.logger.error(
"Retrieving user object from GraphQL server failed {0}".format(error))
return redirect(login_request.reject(
"Login denied",
error_description="Login request was denied due to an internal server error"))
if user.authenticate(login_form.password.data):
redirect_to = login_request.accept(
user.username,
remember=login_form.remember.data,
# Remember session for 12h
remember_for=60*60*12)
app.logger.info("{0} logged in successfully".format(user.username))
else:
redirect_to = login_request.reject(
"Login denied",
error_description="Invalid username or password")
app.logger.info("{0} failed to login".format(user.username))
return redirect(redirect_to)
# Skip, if true, let's us know that Hydra has already successfully authenticated
# the user. we don't need to check anything and we can accept the request right away.
elif login_request.skip:
skip = request.args.get("skip")
logout = request.args.get("logout")
if skip:
app.logger.info("{0} is already logged in. Skip authentication".format(login_request.subject))
return redirect(login_request.accept(login_request.subject))
elif logout:
login_form.challenge.data = challenge
HYDRA.invalidate_login_sessions(login_request.subject);
return redirect(login_request.reject(
"Login cancelled",
error_description="Login was cancelled and user session was terminated"))
else:
return render_template('skip.html', challenge=challenge, logo=login_request.client.logo_uri, application_name=login_request.client.client_name, username=login_request.subject)
# If Skip is not true and the user has not submitted any data via a form, we need
# to display a login form for the user to type in their username and password.
# as a reference we save the challenge id in a hidden field of the form.
else:
login_form.challenge.data = challenge
return render_template('login.html', login_form=login_form, logo=login_request.client.logo_uri, application_name=login_request.client.client_name)
if __name__ == '__main__':
app.run()