2016-10-12 04:50:38 +02:00
|
|
|
|
|
|
|
from django.conf import settings
|
2017-04-07 08:21:29 +02:00
|
|
|
from django.core.exceptions import ValidationError
|
|
|
|
from django.core.validators import validate_email
|
2017-08-25 01:11:30 +02:00
|
|
|
from django.contrib.auth import authenticate, get_backends
|
2016-10-12 04:50:38 +02:00
|
|
|
from django.contrib.auth.views import login as django_login_page, \
|
|
|
|
logout_then_login as django_logout_then_login
|
2017-11-18 03:30:07 +01:00
|
|
|
from django.contrib.auth.views import password_reset as django_password_reset
|
2018-01-30 06:05:25 +01:00
|
|
|
from django.urls import reverse
|
2017-08-25 00:58:34 +02:00
|
|
|
from zerver.decorator import authenticated_json_post_view, require_post, \
|
2017-11-03 22:26:31 +01:00
|
|
|
process_client, do_login, log_view_func
|
2017-01-10 10:44:56 +01:00
|
|
|
from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, \
|
|
|
|
HttpResponseNotFound
|
2016-10-12 04:50:38 +02:00
|
|
|
from django.middleware.csrf import get_token
|
2017-03-16 14:10:39 +01:00
|
|
|
from django.shortcuts import redirect, render
|
2016-10-12 04:50:38 +02:00
|
|
|
from django.views.decorators.csrf import csrf_exempt
|
2017-05-04 01:13:40 +02:00
|
|
|
from django.views.decorators.http import require_GET
|
2016-10-12 04:50:38 +02:00
|
|
|
from django.utils.translation import ugettext as _
|
2018-03-12 12:25:50 +01:00
|
|
|
from django.utils.http import is_safe_url
|
2016-10-14 14:12:16 +02:00
|
|
|
from django.core import signing
|
2017-11-05 05:30:31 +01:00
|
|
|
import urllib
|
2017-03-03 19:01:52 +01:00
|
|
|
from typing import Any, Dict, List, Optional, Tuple, Text
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-07-08 04:38:13 +02:00
|
|
|
from confirmation.models import Confirmation, create_confirmation_link
|
2017-10-27 00:27:59 +02:00
|
|
|
from zerver.context_processors import zulip_default_context, get_realm_from_request
|
2016-12-20 10:41:46 +01:00
|
|
|
from zerver.forms import HomepageForm, OurAuthenticationForm, \
|
2017-11-18 03:30:07 +01:00
|
|
|
WRONG_SUBDOMAIN_ERROR, ZulipPasswordResetForm
|
2017-03-19 20:01:01 +01:00
|
|
|
from zerver.lib.mobile_auth_otp import is_valid_otp, otp_encrypt_api_key
|
2018-02-12 23:34:59 +01:00
|
|
|
from zerver.lib.push_notifications import push_notifications_enabled
|
2016-10-12 04:50:38 +02:00
|
|
|
from zerver.lib.request import REQ, has_request_variables, JsonableError
|
|
|
|
from zerver.lib.response import json_success, json_error
|
2017-10-19 07:21:57 +02:00
|
|
|
from zerver.lib.subdomains import get_subdomain, is_subdomain_root_or_alias
|
2017-04-07 08:21:29 +02:00
|
|
|
from zerver.lib.validator import validate_login_email
|
2017-08-15 00:13:58 +02:00
|
|
|
from zerver.models import PreregistrationUser, UserProfile, remote_user_to_email, Realm, \
|
|
|
|
get_realm
|
2017-06-15 07:15:57 +02:00
|
|
|
from zerver.signals import email_on_new_login
|
2017-04-27 23:34:44 +02:00
|
|
|
from zproject.backends import password_auth_enabled, dev_auth_enabled, \
|
2017-09-22 10:58:12 +02:00
|
|
|
github_auth_enabled, google_auth_enabled, ldap_auth_enabled, \
|
2018-02-06 23:36:56 +01:00
|
|
|
ZulipLDAPConfigurationError, ZulipLDAPAuthBackend, email_auth_enabled, \
|
|
|
|
remote_auth_enabled
|
2017-02-27 08:30:26 +01:00
|
|
|
from version import ZULIP_VERSION
|
2016-10-12 04:50:38 +02:00
|
|
|
|
|
|
|
import hashlib
|
|
|
|
import hmac
|
|
|
|
import jwt
|
|
|
|
import logging
|
|
|
|
import requests
|
|
|
|
import time
|
2016-10-14 14:12:16 +02:00
|
|
|
import ujson
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2018-03-12 12:25:50 +01:00
|
|
|
def get_safe_redirect_to(url: Text, redirect_host: Text) -> Text:
|
|
|
|
is_url_safe = is_safe_url(url=url, host=redirect_host)
|
|
|
|
if is_url_safe:
|
|
|
|
return urllib.parse.urljoin(redirect_host, url)
|
|
|
|
else:
|
|
|
|
return redirect_host
|
|
|
|
|
2017-12-20 21:02:04 +01:00
|
|
|
def create_preregistration_user(email: Text, request: HttpRequest, realm_creation: bool=False,
|
|
|
|
password_required: bool=True) -> HttpResponse:
|
2017-11-08 22:02:59 +01:00
|
|
|
realm = None
|
|
|
|
if not realm_creation:
|
|
|
|
realm = get_realm(get_subdomain(request))
|
2017-10-27 00:27:59 +02:00
|
|
|
return PreregistrationUser.objects.create(email=email,
|
|
|
|
realm_creation=realm_creation,
|
2017-11-08 22:02:59 +01:00
|
|
|
password_required=password_required,
|
|
|
|
realm=realm)
|
2017-10-27 00:27:59 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def maybe_send_to_registration(request: HttpRequest, email: Text, full_name: Text='',
|
|
|
|
password_required: bool=True) -> HttpResponse:
|
2017-09-27 03:34:58 +02:00
|
|
|
|
|
|
|
realm = get_realm_from_request(request)
|
|
|
|
from_multiuse_invite = False
|
|
|
|
multiuse_obj = None
|
|
|
|
streams_to_subscribe = None
|
|
|
|
multiuse_object_key = request.session.get("multiuse_object_key", None)
|
|
|
|
if multiuse_object_key is not None:
|
|
|
|
from_multiuse_invite = True
|
|
|
|
multiuse_obj = Confirmation.objects.get(confirmation_key=multiuse_object_key).content_object
|
|
|
|
realm = multiuse_obj.realm
|
|
|
|
streams_to_subscribe = multiuse_obj.streams.all()
|
|
|
|
|
|
|
|
form = HomepageForm({'email': email}, realm=realm, from_multiuse_invite=from_multiuse_invite)
|
2016-10-12 04:50:38 +02:00
|
|
|
request.verified_email = None
|
|
|
|
if form.is_valid():
|
|
|
|
# Construct a PreregistrationUser object and send the user over to
|
|
|
|
# the confirmation view.
|
|
|
|
prereg_user = None
|
|
|
|
if settings.ONLY_SSO:
|
|
|
|
try:
|
2017-11-28 00:28:46 +01:00
|
|
|
prereg_user = PreregistrationUser.objects.filter(
|
|
|
|
email__iexact=email, realm=realm).latest("invited_at")
|
2016-10-12 04:50:38 +02:00
|
|
|
except PreregistrationUser.DoesNotExist:
|
2017-08-04 08:09:25 +02:00
|
|
|
prereg_user = create_preregistration_user(email, request,
|
|
|
|
password_required=password_required)
|
2016-10-12 04:50:38 +02:00
|
|
|
else:
|
2017-08-04 08:09:25 +02:00
|
|
|
prereg_user = create_preregistration_user(email, request,
|
|
|
|
password_required=password_required)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-09-27 03:34:58 +02:00
|
|
|
if multiuse_object_key is not None:
|
|
|
|
del request.session["multiuse_object_key"]
|
|
|
|
request.session.modified = True
|
|
|
|
if streams_to_subscribe is not None:
|
2018-01-31 08:22:07 +01:00
|
|
|
prereg_user.streams.set(streams_to_subscribe)
|
2017-09-27 03:34:58 +02:00
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
return redirect("".join((
|
2017-07-08 04:38:13 +02:00
|
|
|
create_confirmation_link(prereg_user, request.get_host(), Confirmation.USER_REGISTRATION),
|
2016-10-12 04:50:38 +02:00
|
|
|
'?full_name=',
|
|
|
|
# urllib does not handle Unicode, so coerece to encoded byte string
|
|
|
|
# Explanation: http://stackoverflow.com/a/5605354/90777
|
|
|
|
urllib.parse.quote_plus(full_name.encode('utf8')))))
|
|
|
|
else:
|
|
|
|
url = reverse('register')
|
2017-03-16 14:10:39 +01:00
|
|
|
return render(request,
|
|
|
|
'zerver/accounts_home.html',
|
2017-09-27 03:34:58 +02:00
|
|
|
context={'form': form, 'current_url': lambda: url,
|
|
|
|
'from_multiuse_invite': from_multiuse_invite},
|
2017-03-16 14:10:39 +01:00
|
|
|
)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def redirect_to_subdomain_login_url() -> HttpResponseRedirect:
|
2016-10-12 04:50:38 +02:00
|
|
|
login_url = reverse('django.contrib.auth.views.login')
|
|
|
|
redirect_url = login_url + '?subdomain=1'
|
|
|
|
return HttpResponseRedirect(redirect_url)
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def redirect_to_config_error(error_type: str) -> HttpResponseRedirect:
|
2017-08-07 17:38:25 +02:00
|
|
|
return HttpResponseRedirect("/config-error/%s" % (error_type,))
|
|
|
|
|
2017-12-20 21:02:04 +01:00
|
|
|
def login_or_register_remote_user(request: HttpRequest, remote_username: Optional[Text],
|
|
|
|
user_profile: Optional[UserProfile], full_name: Text='',
|
|
|
|
invalid_subdomain: bool=False, mobile_flow_otp: Optional[str]=None,
|
2018-03-12 12:54:50 +01:00
|
|
|
is_signup: bool=False,
|
|
|
|
redirect_to: Text='') -> HttpResponse:
|
2017-05-05 19:19:02 +02:00
|
|
|
if user_profile is None or user_profile.is_mirror_dummy:
|
2017-05-05 19:50:33 +02:00
|
|
|
# Since execution has reached here, we have verified the user
|
|
|
|
# controls an email address (remote_username) but there's no
|
|
|
|
# associated Zulip user account.
|
|
|
|
if is_signup:
|
|
|
|
# If they're trying to sign up, send them over to the PreregistrationUser flow.
|
2017-08-04 08:09:25 +02:00
|
|
|
return maybe_send_to_registration(request, remote_user_to_email(remote_username),
|
|
|
|
full_name, password_required=False)
|
2017-05-05 19:50:33 +02:00
|
|
|
|
|
|
|
# Otherwise, we send them to a special page that asks if they
|
|
|
|
# want to register or provided the wrong email and want to go back.
|
|
|
|
try:
|
|
|
|
validate_email(remote_username)
|
|
|
|
invalid_email = False
|
|
|
|
except ValidationError:
|
|
|
|
# If email address is invalid, we can't send the user
|
|
|
|
# PreregistrationUser flow.
|
|
|
|
invalid_email = True
|
|
|
|
context = {'full_name': full_name,
|
|
|
|
'email': remote_username,
|
|
|
|
'invalid_email': invalid_email}
|
|
|
|
return render(request,
|
|
|
|
'zerver/confirm_continue_registration.html',
|
|
|
|
context=context)
|
2017-05-05 19:19:02 +02:00
|
|
|
|
auth: Try switching to register even if user exists on another realm.
For example, this means that if a user already has an account on one
realm and they try to make an account on another by hitting "Sign in
with Google" (rather than following the little "Register" link to a
"Sign up with Google" button instead), they'll get to make an account
instead of getting an error.
Until very recently, if the user existed on another realm, any attempt
to register with that email address had to fail in the end, so this
logic gave the user a useful error message early. We introduced it in
c23aaa178 "GitHub: Show error on login page for wrong subdomain"
back in 2016-10 for that purpose. No longer! We now support reusing
an email on multiple realms, so we let the user proceed instead.
This function's interface is kind of confusing, but I believe when its
callers use it properly, `invalid_subdomain` should only ever be true
when `user_profile` is None -- in which case the revised
`invalid_subdomain` condition in this commit can never actually fire,
and the `invalid_subdomain` parameter no longer has any effect. (At
least some unit tests call this function improperly in that respect.)
I've kept this commit to a minimal change, but it would be a good
followup to go through the call sites, verify that, eliminate the use
of `invalid_subdomain`, then remove it from the function entirely.
2017-11-28 06:26:41 +01:00
|
|
|
if invalid_subdomain:
|
|
|
|
# Show login page with an error message
|
|
|
|
return redirect_to_subdomain_login_url()
|
|
|
|
|
2017-05-05 19:19:02 +02:00
|
|
|
if mobile_flow_otp is not None:
|
2017-03-19 20:01:01 +01:00
|
|
|
# For the mobile Oauth flow, we send the API key and other
|
|
|
|
# necessary details in a redirect to a zulip:// URI scheme.
|
2017-05-05 19:19:02 +02:00
|
|
|
params = {
|
|
|
|
'otp_encrypted_api_key': otp_encrypt_api_key(user_profile, mobile_flow_otp),
|
|
|
|
'email': remote_username,
|
|
|
|
'realm': user_profile.realm.uri,
|
|
|
|
}
|
|
|
|
# We can't use HttpResponseRedirect, since it only allows HTTP(S) URLs
|
|
|
|
response = HttpResponse(status=302)
|
|
|
|
response['Location'] = 'zulip://login?' + urllib.parse.urlencode(params)
|
2017-06-16 06:50:48 +02:00
|
|
|
# Maybe sending 'user_logged_in' signal is the better approach:
|
|
|
|
# user_logged_in.send(sender=user_profile.__class__, request=request, user=user_profile)
|
|
|
|
# Not doing this only because over here we don't add the user information
|
|
|
|
# in the session. If the signal receiver assumes that we do then that
|
|
|
|
# would cause problems.
|
|
|
|
email_on_new_login(sender=user_profile.__class__, request=request, user=user_profile)
|
2017-08-25 00:58:34 +02:00
|
|
|
|
|
|
|
# Mark this request as having a logged-in user for our server logs.
|
|
|
|
process_client(request, user_profile)
|
|
|
|
request._email = user_profile.email
|
|
|
|
|
2017-05-05 19:19:02 +02:00
|
|
|
return response
|
2017-03-19 20:01:01 +01:00
|
|
|
|
2017-08-25 01:11:30 +02:00
|
|
|
do_login(request, user_profile)
|
2018-03-12 12:54:50 +01:00
|
|
|
|
|
|
|
redirect_to = get_safe_redirect_to(redirect_to, user_profile.realm.uri)
|
|
|
|
return HttpResponseRedirect(redirect_to)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-11-03 22:26:31 +01:00
|
|
|
@log_view_func
|
2018-02-06 23:29:57 +01:00
|
|
|
@has_request_variables
|
|
|
|
def remote_user_sso(request: HttpRequest,
|
|
|
|
mobile_flow_otp: Optional[str]=REQ(default=None)) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
try:
|
|
|
|
remote_user = request.META["REMOTE_USER"]
|
|
|
|
except KeyError:
|
2018-02-06 23:29:57 +01:00
|
|
|
# TODO: Arguably the JsonableError values here should be
|
|
|
|
# full-page HTML configuration errors instead.
|
2016-10-12 04:50:38 +02:00
|
|
|
raise JsonableError(_("No REMOTE_USER set."))
|
|
|
|
|
2017-04-07 08:21:29 +02:00
|
|
|
# Django invokes authenticate methods by matching arguments, and this
|
|
|
|
# authentication flow will not invoke LDAP authentication because of
|
|
|
|
# this condition of Django so no need to check if LDAP backend is
|
|
|
|
# enabled.
|
|
|
|
validate_login_email(remote_user_to_email(remote_user))
|
|
|
|
|
2018-02-06 23:29:57 +01:00
|
|
|
# Here we support the mobile flow for REMOTE_USER_BACKEND; we
|
|
|
|
# validate the data format and then pass it through to
|
|
|
|
# login_or_register_remote_user if appropriate.
|
|
|
|
if mobile_flow_otp is not None:
|
|
|
|
if not is_valid_otp(mobile_flow_otp):
|
|
|
|
raise JsonableError(_("Invalid OTP"))
|
|
|
|
|
2017-11-17 23:14:08 +01:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
realm = get_realm(subdomain)
|
|
|
|
# Since RemoteUserBackend will return None if Realm is None, we
|
|
|
|
# don't need to check whether `get_realm` returned None.
|
|
|
|
user_profile = authenticate(remote_user=remote_user, realm=realm)
|
2018-02-24 22:38:48 +01:00
|
|
|
|
|
|
|
redirect_to = request.GET.get('next', '')
|
|
|
|
|
2018-02-06 23:29:57 +01:00
|
|
|
return login_or_register_remote_user(request, remote_user, user_profile,
|
2018-02-24 22:38:48 +01:00
|
|
|
mobile_flow_otp=mobile_flow_otp,
|
|
|
|
redirect_to=redirect_to)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
|
|
|
@csrf_exempt
|
2017-11-03 22:26:31 +01:00
|
|
|
@log_view_func
|
2017-11-27 09:28:57 +01:00
|
|
|
def remote_user_jwt(request: HttpRequest) -> HttpResponse:
|
2016-10-24 11:12:45 +02:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
try:
|
|
|
|
auth_key = settings.JWT_AUTH_KEYS[subdomain]
|
|
|
|
except KeyError:
|
|
|
|
raise JsonableError(_("Auth key for this subdomain not found."))
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
try:
|
|
|
|
json_web_token = request.POST["json_web_token"]
|
2016-10-24 11:12:45 +02:00
|
|
|
options = {'verify_signature': True}
|
|
|
|
payload = jwt.decode(json_web_token, auth_key, options=options)
|
2016-10-12 04:50:38 +02:00
|
|
|
except KeyError:
|
|
|
|
raise JsonableError(_("No JSON web token passed in request"))
|
2016-10-24 11:12:45 +02:00
|
|
|
except jwt.InvalidTokenError:
|
2016-10-12 04:50:38 +02:00
|
|
|
raise JsonableError(_("Bad JSON web token"))
|
|
|
|
|
|
|
|
remote_user = payload.get("user", None)
|
|
|
|
if remote_user is None:
|
|
|
|
raise JsonableError(_("No user specified in JSON web token claims"))
|
2017-10-03 02:35:41 +02:00
|
|
|
email_domain = payload.get('realm', None)
|
|
|
|
if email_domain is None:
|
2018-03-08 02:05:50 +01:00
|
|
|
raise JsonableError(_("No organization specified in JSON web token claims"))
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-10-03 02:35:41 +02:00
|
|
|
email = "%s@%s" % (remote_user, email_domain)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-10-03 02:34:58 +02:00
|
|
|
realm = get_realm(subdomain)
|
|
|
|
if realm is None:
|
|
|
|
raise JsonableError(_("Wrong subdomain"))
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
try:
|
|
|
|
# We do all the authentication we need here (otherwise we'd have to
|
|
|
|
# duplicate work), but we need to call authenticate with some backend so
|
|
|
|
# that the request.backend attribute gets set.
|
2017-05-17 22:09:33 +02:00
|
|
|
return_data = {} # type: Dict[str, bool]
|
2016-10-12 04:50:38 +02:00
|
|
|
user_profile = authenticate(username=email,
|
2017-10-03 02:29:20 +02:00
|
|
|
realm=realm,
|
2016-10-12 04:50:38 +02:00
|
|
|
return_data=return_data,
|
|
|
|
use_dummy_backend=True)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
user_profile = None
|
|
|
|
|
|
|
|
return login_or_register_remote_user(request, email, user_profile, remote_user)
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def google_oauth2_csrf(request: HttpRequest, value: str) -> str:
|
2016-11-07 11:16:40 +01:00
|
|
|
# In Django 1.10, get_token returns a salted token which changes
|
2017-11-09 16:26:38 +01:00
|
|
|
# every time get_token is called.
|
2017-03-25 20:44:14 +01:00
|
|
|
from django.middleware.csrf import _unsalt_cipher_token
|
|
|
|
token = _unsalt_cipher_token(get_token(request))
|
2016-11-07 11:16:40 +01:00
|
|
|
return hmac.new(token.encode('utf-8'), value.encode("utf-8"), hashlib.sha256).hexdigest()
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def reverse_on_root(viewname: str, args: List[str]=None, kwargs: Dict[str, str]=None) -> str:
|
2017-10-27 03:17:12 +02:00
|
|
|
return settings.ROOT_DOMAIN_URI + reverse(viewname, args=args, kwargs=kwargs)
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def oauth_redirect_to_root(request: HttpRequest, url: Text, is_signup: bool=False) -> HttpResponse:
|
2017-10-27 03:17:12 +02:00
|
|
|
main_site_uri = settings.ROOT_DOMAIN_URI + url
|
2017-03-19 20:01:01 +01:00
|
|
|
params = {
|
|
|
|
'subdomain': get_subdomain(request),
|
|
|
|
'is_signup': '1' if is_signup else '0',
|
|
|
|
}
|
|
|
|
|
|
|
|
# mobile_flow_otp is a one-time pad provided by the app that we
|
|
|
|
# can use to encrypt the API key when passing back to the app.
|
|
|
|
mobile_flow_otp = request.GET.get('mobile_flow_otp')
|
|
|
|
if mobile_flow_otp is not None:
|
|
|
|
if not is_valid_otp(mobile_flow_otp):
|
|
|
|
raise JsonableError(_("Invalid OTP"))
|
|
|
|
params['mobile_flow_otp'] = mobile_flow_otp
|
|
|
|
|
2018-03-12 12:54:50 +01:00
|
|
|
next = request.GET.get('next')
|
|
|
|
if next:
|
|
|
|
params['next'] = next
|
|
|
|
|
2016-10-14 14:12:16 +02:00
|
|
|
return redirect(main_site_uri + '?' + urllib.parse.urlencode(params))
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def start_google_oauth2(request: HttpRequest) -> HttpResponse:
|
2017-10-27 03:19:09 +02:00
|
|
|
url = reverse('zerver.views.auth.send_oauth_request_to_google')
|
|
|
|
|
|
|
|
if not (settings.GOOGLE_OAUTH2_CLIENT_ID and settings.GOOGLE_OAUTH2_CLIENT_SECRET):
|
|
|
|
return redirect_to_config_error("google")
|
|
|
|
|
|
|
|
is_signup = bool(request.GET.get('is_signup'))
|
|
|
|
return oauth_redirect_to_root(request, url, is_signup=is_signup)
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def start_social_login(request: HttpRequest, backend: Text) -> HttpResponse:
|
2016-12-01 13:10:59 +01:00
|
|
|
backend_url = reverse('social:begin', args=[backend])
|
2017-11-05 03:14:28 +01:00
|
|
|
if (backend == "github") and not (settings.SOCIAL_AUTH_GITHUB_KEY and
|
|
|
|
settings.SOCIAL_AUTH_GITHUB_SECRET):
|
2017-08-07 17:38:25 +02:00
|
|
|
return redirect_to_config_error("github")
|
|
|
|
|
2017-10-27 03:19:09 +02:00
|
|
|
return oauth_redirect_to_root(request, backend_url)
|
2016-12-01 13:10:59 +01:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def start_social_signup(request: HttpRequest, backend: Text) -> HttpResponse:
|
2017-04-18 11:50:44 +02:00
|
|
|
backend_url = reverse('social:begin', args=[backend])
|
2017-10-27 03:19:09 +02:00
|
|
|
return oauth_redirect_to_root(request, backend_url, is_signup=True)
|
2017-04-18 11:50:44 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def send_oauth_request_to_google(request: HttpRequest) -> HttpResponse:
|
2016-10-14 14:12:16 +02:00
|
|
|
subdomain = request.GET.get('subdomain', '')
|
2017-08-04 09:19:32 +02:00
|
|
|
is_signup = request.GET.get('is_signup', '')
|
2018-03-12 12:54:50 +01:00
|
|
|
next = request.GET.get('next', '')
|
2017-03-19 20:01:01 +01:00
|
|
|
mobile_flow_otp = request.GET.get('mobile_flow_otp', '0')
|
|
|
|
|
2017-10-02 08:32:09 +02:00
|
|
|
if ((settings.ROOT_DOMAIN_LANDING_PAGE and subdomain == '') or
|
|
|
|
not Realm.objects.filter(string_id=subdomain).exists()):
|
|
|
|
return redirect_to_subdomain_login_url()
|
2016-10-14 14:12:16 +02:00
|
|
|
|
|
|
|
google_uri = 'https://accounts.google.com/o/oauth2/auth?'
|
2016-10-12 04:50:38 +02:00
|
|
|
cur_time = str(int(time.time()))
|
2018-03-12 12:54:50 +01:00
|
|
|
csrf_state = '%s:%s:%s:%s:%s' % (cur_time, subdomain, mobile_flow_otp, is_signup, next)
|
2017-04-27 23:46:25 +02:00
|
|
|
|
|
|
|
# Now compute the CSRF hash with the other parameters as an input
|
|
|
|
csrf_state += ":%s" % (google_oauth2_csrf(request, csrf_state),)
|
2016-10-14 14:12:16 +02:00
|
|
|
|
2017-04-27 23:48:50 +02:00
|
|
|
params = {
|
2016-10-12 04:50:38 +02:00
|
|
|
'response_type': 'code',
|
|
|
|
'client_id': settings.GOOGLE_OAUTH2_CLIENT_ID,
|
2017-10-27 03:17:12 +02:00
|
|
|
'redirect_uri': reverse_on_root('zerver.views.auth.finish_google_oauth2'),
|
2016-10-12 04:50:38 +02:00
|
|
|
'scope': 'profile email',
|
|
|
|
'state': csrf_state,
|
|
|
|
}
|
2017-04-27 23:48:50 +02:00
|
|
|
return redirect(google_uri + urllib.parse.urlencode(params))
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-11-03 22:26:31 +01:00
|
|
|
@log_view_func
|
2017-11-27 09:28:57 +01:00
|
|
|
def finish_google_oauth2(request: HttpRequest) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
error = request.GET.get('error')
|
|
|
|
if error == 'access_denied':
|
|
|
|
return redirect('/')
|
|
|
|
elif error is not None:
|
|
|
|
logging.warning('Error from google oauth2 login: %s' % (request.GET.get("error"),))
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
|
|
|
|
csrf_state = request.GET.get('state')
|
2018-03-12 12:54:50 +01:00
|
|
|
if csrf_state is None or len(csrf_state.split(':')) != 6:
|
2016-10-12 04:50:38 +02:00
|
|
|
logging.warning('Missing Google oauth2 CSRF state')
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
|
2017-04-27 23:46:25 +02:00
|
|
|
(csrf_data, hmac_value) = csrf_state.rsplit(':', 1)
|
|
|
|
if hmac_value != google_oauth2_csrf(request, csrf_data):
|
2016-10-12 04:50:38 +02:00
|
|
|
logging.warning('Google oauth2 CSRF error')
|
|
|
|
return HttpResponse(status=400)
|
2018-03-12 12:54:50 +01:00
|
|
|
cur_time, subdomain, mobile_flow_otp, is_signup, next = csrf_data.split(':')
|
2017-03-19 20:01:01 +01:00
|
|
|
if mobile_flow_otp == '0':
|
|
|
|
mobile_flow_otp = None
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-08-04 09:19:32 +02:00
|
|
|
is_signup = bool(is_signup == '1')
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
resp = requests.post(
|
|
|
|
'https://www.googleapis.com/oauth2/v3/token',
|
|
|
|
data={
|
|
|
|
'code': request.GET.get('code'),
|
|
|
|
'client_id': settings.GOOGLE_OAUTH2_CLIENT_ID,
|
|
|
|
'client_secret': settings.GOOGLE_OAUTH2_CLIENT_SECRET,
|
2017-10-27 03:17:12 +02:00
|
|
|
'redirect_uri': reverse_on_root('zerver.views.auth.finish_google_oauth2'),
|
2016-10-12 04:50:38 +02:00
|
|
|
'grant_type': 'authorization_code',
|
|
|
|
},
|
|
|
|
)
|
|
|
|
if resp.status_code == 400:
|
|
|
|
logging.warning('User error converting Google oauth2 login to token: %s' % (resp.text,))
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
elif resp.status_code != 200:
|
|
|
|
logging.error('Could not convert google oauth2 code to access_token: %s' % (resp.text,))
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
access_token = resp.json()['access_token']
|
|
|
|
|
|
|
|
resp = requests.get(
|
|
|
|
'https://www.googleapis.com/plus/v1/people/me',
|
|
|
|
params={'access_token': access_token}
|
|
|
|
)
|
|
|
|
if resp.status_code == 400:
|
|
|
|
logging.warning('Google login failed making info API call: %s' % (resp.text,))
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
elif resp.status_code != 200:
|
|
|
|
logging.error('Google login failed making API call: %s' % (resp.text,))
|
|
|
|
return HttpResponse(status=400)
|
|
|
|
body = resp.json()
|
|
|
|
|
|
|
|
try:
|
|
|
|
full_name = body['name']['formatted']
|
|
|
|
except KeyError:
|
2017-11-09 16:26:38 +01:00
|
|
|
# Only google+ users have a formatted name. I am ignoring i18n here.
|
2017-11-04 05:23:22 +01:00
|
|
|
full_name = '{} {}'.format(
|
2016-10-12 04:50:38 +02:00
|
|
|
body['name']['givenName'], body['name']['familyName']
|
|
|
|
)
|
|
|
|
for email in body['emails']:
|
|
|
|
if email['type'] == 'account':
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
logging.error('Google oauth2 account email not found: %s' % (body,))
|
|
|
|
return HttpResponse(status=400)
|
2016-10-14 14:12:16 +02:00
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
email_address = email['value']
|
2017-03-19 20:01:01 +01:00
|
|
|
|
2017-10-03 02:25:35 +02:00
|
|
|
try:
|
|
|
|
realm = Realm.objects.get(string_id=subdomain)
|
|
|
|
except Realm.DoesNotExist: # nocoverage
|
|
|
|
return redirect_to_subdomain_login_url()
|
|
|
|
|
|
|
|
if mobile_flow_otp is not None:
|
2016-10-14 14:12:16 +02:00
|
|
|
# When request was not initiated from subdomain.
|
2017-10-03 02:24:27 +02:00
|
|
|
user_profile, return_data = authenticate_remote_user(realm, email_address)
|
2016-10-14 14:12:16 +02:00
|
|
|
invalid_subdomain = bool(return_data.get('invalid_subdomain'))
|
|
|
|
return login_or_register_remote_user(request, email_address, user_profile,
|
2017-03-19 20:01:01 +01:00
|
|
|
full_name, invalid_subdomain,
|
2017-08-04 09:19:32 +02:00
|
|
|
mobile_flow_otp=mobile_flow_otp,
|
2018-03-12 12:54:50 +01:00
|
|
|
is_signup=is_signup,
|
|
|
|
redirect_to=next)
|
2016-10-14 14:12:16 +02:00
|
|
|
|
2017-08-04 09:19:32 +02:00
|
|
|
return redirect_and_log_into_subdomain(
|
2018-03-12 12:54:50 +01:00
|
|
|
realm, full_name, email_address, is_signup=is_signup, redirect_to=next)
|
2016-10-14 14:12:16 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def authenticate_remote_user(realm: Realm, email_address: str) -> Tuple[UserProfile, Dict[str, Any]]:
|
2017-05-17 22:09:33 +02:00
|
|
|
return_data = {} # type: Dict[str, bool]
|
2017-04-18 08:34:29 +02:00
|
|
|
if email_address is None:
|
|
|
|
# No need to authenticate if email address is None. We already
|
|
|
|
# know that user_profile would be None as well. In fact, if we
|
|
|
|
# call authenticate in this case, we might get an exception from
|
|
|
|
# ZulipDummyBackend which doesn't accept a None as a username.
|
|
|
|
logging.warning("Email address was None while trying to authenticate "
|
|
|
|
"remote user.")
|
|
|
|
return None, return_data
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
user_profile = authenticate(username=email_address,
|
2017-10-03 02:29:20 +02:00
|
|
|
realm=realm,
|
2016-10-12 04:50:38 +02:00
|
|
|
use_dummy_backend=True,
|
|
|
|
return_data=return_data)
|
2016-10-14 14:12:16 +02:00
|
|
|
return user_profile, return_data
|
|
|
|
|
2017-10-27 02:45:38 +02:00
|
|
|
_subdomain_token_salt = 'zerver.views.auth.log_into_subdomain'
|
|
|
|
|
2017-11-03 22:26:31 +01:00
|
|
|
@log_view_func
|
2017-11-27 09:28:57 +01:00
|
|
|
def log_into_subdomain(request: HttpRequest, token: Text) -> HttpResponse:
|
2016-10-14 14:12:16 +02:00
|
|
|
try:
|
2017-10-27 02:45:38 +02:00
|
|
|
data = signing.loads(token, salt=_subdomain_token_salt, max_age=15)
|
|
|
|
except signing.SignatureExpired as e:
|
|
|
|
logging.warning('Subdomain cookie: {}'.format(e))
|
2016-10-14 14:12:16 +02:00
|
|
|
return HttpResponse(status=400)
|
|
|
|
except signing.BadSignature:
|
2017-10-27 02:45:38 +02:00
|
|
|
logging.warning('Subdomain cookie: Bad signature.')
|
2016-10-14 14:12:16 +02:00
|
|
|
return HttpResponse(status=400)
|
|
|
|
|
2017-10-03 02:24:27 +02:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
if data['subdomain'] != subdomain:
|
2017-09-27 06:54:55 +02:00
|
|
|
logging.warning('Login attempt on invalid subdomain')
|
2016-10-14 14:12:16 +02:00
|
|
|
return HttpResponse(status=400)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2016-10-14 14:12:16 +02:00
|
|
|
email_address = data['email']
|
|
|
|
full_name = data['name']
|
2017-05-05 19:54:36 +02:00
|
|
|
is_signup = data['is_signup']
|
2018-03-12 12:54:50 +01:00
|
|
|
redirect_to = data['next']
|
2017-05-10 09:00:47 +02:00
|
|
|
if is_signup:
|
|
|
|
# If we are signing up, user_profile should be None. In case
|
|
|
|
# email_address already exists, user will get an error message.
|
|
|
|
user_profile = None
|
|
|
|
return_data = {} # type: Dict[str, Any]
|
|
|
|
else:
|
2017-10-03 02:24:27 +02:00
|
|
|
# We can be reasonably confident that this subdomain actually
|
|
|
|
# has a corresponding realm, since it was referenced in a
|
|
|
|
# signed cookie. But we probably should add some error
|
|
|
|
# handling for the case where the realm disappeared in the
|
|
|
|
# meantime.
|
|
|
|
realm = get_realm(subdomain)
|
|
|
|
user_profile, return_data = authenticate_remote_user(realm, email_address)
|
2016-10-12 04:50:38 +02:00
|
|
|
invalid_subdomain = bool(return_data.get('invalid_subdomain'))
|
2016-10-14 14:12:16 +02:00
|
|
|
return login_or_register_remote_user(request, email_address, user_profile,
|
2017-05-05 19:54:36 +02:00
|
|
|
full_name, invalid_subdomain=invalid_subdomain,
|
2018-03-12 12:54:50 +01:00
|
|
|
is_signup=is_signup, redirect_to=redirect_to)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-12-20 21:02:04 +01:00
|
|
|
def redirect_and_log_into_subdomain(realm: Realm, full_name: Text, email_address: Text,
|
2018-03-12 12:54:50 +01:00
|
|
|
is_signup: bool=False, redirect_to: Text='') -> HttpResponse:
|
2017-10-27 00:27:59 +02:00
|
|
|
data = {'name': full_name, 'email': email_address, 'subdomain': realm.subdomain,
|
2018-03-12 12:54:50 +01:00
|
|
|
'is_signup': is_signup, 'next': redirect_to}
|
2017-10-27 02:45:38 +02:00
|
|
|
token = signing.dumps(data, salt=_subdomain_token_salt)
|
|
|
|
subdomain_login_uri = (realm.uri
|
|
|
|
+ reverse('zerver.views.auth.log_into_subdomain', args=[token]))
|
|
|
|
return redirect(subdomain_login_uri)
|
2017-10-27 00:27:59 +02:00
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def get_dev_users(realm: Optional[Realm]=None, extra_users_count: int=10) -> List[UserProfile]:
|
2017-02-04 20:16:46 +01:00
|
|
|
# Development environments usually have only a few users, but
|
|
|
|
# it still makes sense to limit how many extra users we render to
|
|
|
|
# support performance testing with DevAuthBackend.
|
2017-08-15 00:13:58 +02:00
|
|
|
if realm is not None:
|
|
|
|
users_query = UserProfile.objects.select_related().filter(is_bot=False, is_active=True, realm=realm)
|
|
|
|
else:
|
|
|
|
users_query = UserProfile.objects.select_related().filter(is_bot=False, is_active=True)
|
|
|
|
|
2017-02-04 20:16:46 +01:00
|
|
|
shakespearian_users = users_query.exclude(email__startswith='extrauser').order_by('email')
|
|
|
|
extra_users = users_query.filter(email__startswith='extrauser').order_by('email')
|
|
|
|
# Limit the number of extra users we offer by default
|
|
|
|
extra_users = extra_users[0:extra_users_count]
|
|
|
|
users = list(shakespearian_users) + list(extra_users)
|
|
|
|
return users
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def redirect_to_misconfigured_ldap_notice(error_type: int) -> HttpResponse:
|
2017-09-22 10:58:12 +02:00
|
|
|
if error_type == ZulipLDAPAuthBackend.REALM_IS_NONE_ERROR:
|
|
|
|
url = reverse('ldap_error_realm_is_none')
|
|
|
|
else:
|
|
|
|
raise AssertionError("Invalid error type")
|
|
|
|
|
|
|
|
return HttpResponseRedirect(url)
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def show_deactivation_notice(request: HttpRequest) -> HttpResponse:
|
2017-10-27 00:27:59 +02:00
|
|
|
realm = get_realm_from_request(request)
|
|
|
|
if realm and realm.deactivated:
|
|
|
|
return render(request, "zerver/deactivated.html",
|
|
|
|
context={"deactivated_domain_name": realm.name})
|
|
|
|
|
|
|
|
return HttpResponseRedirect(reverse('zerver.views.auth.login_page'))
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def redirect_to_deactivation_notice() -> HttpResponse:
|
2017-10-27 00:27:59 +02:00
|
|
|
return HttpResponseRedirect(reverse('zerver.views.auth.show_deactivation_notice'))
|
|
|
|
|
2017-11-29 00:17:33 +01:00
|
|
|
def add_dev_login_context(realm: Realm, context: Dict[str, Any]) -> None:
|
|
|
|
users = get_dev_users(realm)
|
|
|
|
context['current_realm'] = realm
|
|
|
|
context['all_realms'] = Realm.objects.all()
|
|
|
|
|
|
|
|
context['direct_admins'] = [u for u in users if u.is_realm_admin]
|
|
|
|
context['direct_users'] = [u for u in users if not u.is_realm_admin]
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def login_page(request: HttpRequest, **kwargs: Any) -> HttpResponse:
|
2017-05-18 11:42:19 +02:00
|
|
|
if request.user.is_authenticated:
|
2017-10-06 01:19:11 +02:00
|
|
|
return HttpResponseRedirect(request.user.realm.uri)
|
2017-08-25 04:32:16 +02:00
|
|
|
if is_subdomain_root_or_alias(request) and settings.ROOT_DOMAIN_LANDING_PAGE:
|
2017-08-28 23:27:16 +02:00
|
|
|
redirect_url = reverse('zerver.views.registration.find_account')
|
2017-01-10 10:44:56 +01:00
|
|
|
return HttpResponseRedirect(redirect_url)
|
|
|
|
|
2017-08-24 09:58:44 +02:00
|
|
|
realm = get_realm_from_request(request)
|
|
|
|
if realm and realm.deactivated:
|
|
|
|
return redirect_to_deactivation_notice()
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
extra_context = kwargs.pop('extra_context', {})
|
|
|
|
if dev_auth_enabled():
|
2017-08-15 00:13:58 +02:00
|
|
|
if 'new_realm' in request.POST:
|
|
|
|
realm = get_realm(request.POST['new_realm'])
|
|
|
|
else:
|
|
|
|
realm = get_realm_from_request(request)
|
|
|
|
|
2017-11-29 00:17:33 +01:00
|
|
|
add_dev_login_context(realm, extra_context)
|
2017-10-23 20:33:56 +02:00
|
|
|
if realm and 'new_realm' in request.POST:
|
|
|
|
# If we're switching realms, redirect to that realm, but
|
|
|
|
# only if it actually exists.
|
2017-08-15 00:13:58 +02:00
|
|
|
return HttpResponseRedirect(realm.uri)
|
|
|
|
|
2018-02-23 09:02:13 +01:00
|
|
|
if 'username' in request.POST:
|
|
|
|
extra_context['email'] = request.POST['username']
|
|
|
|
|
2017-09-22 10:58:12 +02:00
|
|
|
try:
|
|
|
|
template_response = django_login_page(
|
|
|
|
request, authentication_form=OurAuthenticationForm,
|
|
|
|
extra_context=extra_context, **kwargs)
|
|
|
|
except ZulipLDAPConfigurationError as e:
|
|
|
|
assert len(e.args) > 1
|
|
|
|
return redirect_to_misconfigured_ldap_notice(e.args[1])
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
try:
|
|
|
|
template_response.context_data['email'] = request.GET['email']
|
|
|
|
except KeyError:
|
|
|
|
pass
|
|
|
|
|
2017-08-28 08:13:15 +02:00
|
|
|
try:
|
|
|
|
already_registered = request.GET['already_registered']
|
|
|
|
template_response.context_data['already_registered'] = already_registered
|
|
|
|
except KeyError:
|
|
|
|
pass
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
try:
|
|
|
|
template_response.context_data['subdomain'] = request.GET['subdomain']
|
|
|
|
template_response.context_data['wrong_subdomain_error'] = WRONG_SUBDOMAIN_ERROR
|
|
|
|
except KeyError:
|
|
|
|
pass
|
|
|
|
|
|
|
|
return template_response
|
|
|
|
|
2017-10-11 17:30:04 +02:00
|
|
|
@csrf_exempt
|
2017-11-27 09:28:57 +01:00
|
|
|
def dev_direct_login(request: HttpRequest, **kwargs: Any) -> HttpResponse:
|
2017-11-05 03:14:28 +01:00
|
|
|
# This function allows logging in without a password and should only be called
|
|
|
|
# in development environments. It may be called if the DevAuthBackend is included
|
|
|
|
# in settings.AUTHENTICATION_BACKENDS
|
2016-10-12 04:50:38 +02:00
|
|
|
if (not dev_auth_enabled()) or settings.PRODUCTION:
|
2017-11-05 03:14:28 +01:00
|
|
|
# This check is probably not required, since authenticate would fail without
|
|
|
|
# an enabled DevAuthBackend.
|
2018-02-21 06:31:53 +01:00
|
|
|
return HttpResponseRedirect(reverse('dev_not_supported'))
|
2016-10-12 04:50:38 +02:00
|
|
|
email = request.POST['direct_email']
|
2017-11-21 21:13:46 +01:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
realm = get_realm(subdomain)
|
2017-11-21 21:19:20 +01:00
|
|
|
user_profile = authenticate(dev_auth_username=email, realm=realm)
|
2016-10-12 04:50:38 +02:00
|
|
|
if user_profile is None:
|
2018-02-21 06:31:53 +01:00
|
|
|
return HttpResponseRedirect(reverse('dev_not_supported'))
|
2017-08-25 01:11:30 +02:00
|
|
|
do_login(request, user_profile)
|
2018-03-12 12:25:50 +01:00
|
|
|
|
|
|
|
next = request.GET.get('next', '')
|
|
|
|
redirect_to = get_safe_redirect_to(next, user_profile.realm.uri)
|
|
|
|
return HttpResponseRedirect(redirect_to)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
|
|
|
@csrf_exempt
|
|
|
|
@require_post
|
|
|
|
@has_request_variables
|
2017-11-27 09:28:57 +01:00
|
|
|
def api_dev_fetch_api_key(request: HttpRequest, username: str=REQ()) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
"""This function allows logging in without a password on the Zulip
|
|
|
|
mobile apps when connecting to a Zulip development environment. It
|
|
|
|
requires DevAuthBackend to be included in settings.AUTHENTICATION_BACKENDS.
|
|
|
|
"""
|
|
|
|
if not dev_auth_enabled() or settings.PRODUCTION:
|
|
|
|
return json_error(_("Dev environment not enabled."))
|
2017-04-07 08:21:29 +02:00
|
|
|
|
|
|
|
# Django invokes authenticate methods by matching arguments, and this
|
|
|
|
# authentication flow will not invoke LDAP authentication because of
|
|
|
|
# this condition of Django so no need to check if LDAP backend is
|
|
|
|
# enabled.
|
|
|
|
validate_login_email(username)
|
|
|
|
|
2017-11-21 21:13:46 +01:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
realm = get_realm(subdomain)
|
|
|
|
|
2017-05-17 22:09:33 +02:00
|
|
|
return_data = {} # type: Dict[str, bool]
|
2017-11-21 21:13:46 +01:00
|
|
|
user_profile = authenticate(dev_auth_username=username,
|
2017-11-21 21:19:20 +01:00
|
|
|
realm=realm,
|
2016-10-12 04:50:38 +02:00
|
|
|
return_data=return_data)
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("inactive_realm"):
|
2018-03-08 01:30:34 +01:00
|
|
|
return json_error(_("This organization has been deactivated."),
|
2016-10-12 04:50:38 +02:00
|
|
|
data={"reason": "realm deactivated"}, status=403)
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("inactive_user"):
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_error(_("Your account has been disabled."),
|
|
|
|
data={"reason": "user disable"}, status=403)
|
2017-05-22 01:34:21 +02:00
|
|
|
if user_profile is None:
|
|
|
|
return json_error(_("This user is not registered."),
|
|
|
|
data={"reason": "unregistered"}, status=403)
|
2017-08-25 01:11:30 +02:00
|
|
|
do_login(request, user_profile)
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_success({"api_key": user_profile.api_key, "email": user_profile.email})
|
|
|
|
|
|
|
|
@csrf_exempt
|
2018-04-05 21:16:56 +02:00
|
|
|
def api_dev_list_users(request: HttpRequest) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
if not dev_auth_enabled() or settings.PRODUCTION:
|
|
|
|
return json_error(_("Dev environment not enabled."))
|
2017-02-04 20:16:46 +01:00
|
|
|
users = get_dev_users()
|
2018-04-05 21:16:56 +02:00
|
|
|
return json_success(dict(direct_admins=[dict(email=u.email, realm_uri=u.realm.uri)
|
|
|
|
for u in users if u.is_realm_admin],
|
|
|
|
direct_users=[dict(email=u.email, realm_uri=u.realm.uri)
|
|
|
|
for u in users if not u.is_realm_admin]))
|
2016-10-12 04:50:38 +02:00
|
|
|
|
|
|
|
@csrf_exempt
|
|
|
|
@require_post
|
|
|
|
@has_request_variables
|
2017-11-27 09:28:57 +01:00
|
|
|
def api_fetch_api_key(request: HttpRequest, username: str=REQ(), password: str=REQ()) -> HttpResponse:
|
2017-05-17 22:09:33 +02:00
|
|
|
return_data = {} # type: Dict[str, bool]
|
2017-11-17 23:56:45 +01:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
realm = get_realm(subdomain)
|
2016-10-12 04:50:38 +02:00
|
|
|
if username == "google-oauth2-token":
|
2017-11-21 21:29:09 +01:00
|
|
|
# This code path is auth for the legacy Android app
|
2016-10-12 04:50:38 +02:00
|
|
|
user_profile = authenticate(google_oauth2_token=password,
|
2017-11-21 21:23:07 +01:00
|
|
|
realm=realm,
|
2016-10-12 04:50:38 +02:00
|
|
|
return_data=return_data)
|
|
|
|
else:
|
2017-04-07 08:21:29 +02:00
|
|
|
if not ldap_auth_enabled(realm=get_realm_from_request(request)):
|
|
|
|
# In case we don't authenticate against LDAP, check for a valid
|
|
|
|
# email. LDAP backend can authenticate against a non-email.
|
|
|
|
validate_login_email(username)
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
user_profile = authenticate(username=username,
|
|
|
|
password=password,
|
2017-11-17 23:56:45 +01:00
|
|
|
realm=realm,
|
2016-10-12 04:50:38 +02:00
|
|
|
return_data=return_data)
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("inactive_user"):
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_error(_("Your account has been disabled."),
|
|
|
|
data={"reason": "user disable"}, status=403)
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("inactive_realm"):
|
2018-03-08 01:30:34 +01:00
|
|
|
return json_error(_("This organization has been deactivated."),
|
2016-10-12 04:50:38 +02:00
|
|
|
data={"reason": "realm deactivated"}, status=403)
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("password_auth_disabled"):
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_error(_("Password auth is disabled in your team."),
|
|
|
|
data={"reason": "password auth disabled"}, status=403)
|
|
|
|
if user_profile is None:
|
2017-01-24 06:11:18 +01:00
|
|
|
if return_data.get("valid_attestation"):
|
2017-11-05 03:14:28 +01:00
|
|
|
# We can leak that the user is unregistered iff
|
|
|
|
# they present a valid authentication string for the user.
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_error(_("This user is not registered; do so from a browser."),
|
|
|
|
data={"reason": "unregistered"}, status=403)
|
|
|
|
return json_error(_("Your username or password is incorrect."),
|
|
|
|
data={"reason": "incorrect_creds"}, status=403)
|
2017-06-15 07:15:57 +02:00
|
|
|
|
|
|
|
# Maybe sending 'user_logged_in' signal is the better approach:
|
|
|
|
# user_logged_in.send(sender=user_profile.__class__, request=request, user=user_profile)
|
|
|
|
# Not doing this only because over here we don't add the user information
|
|
|
|
# in the session. If the signal receiver assumes that we do then that
|
|
|
|
# would cause problems.
|
|
|
|
email_on_new_login(sender=user_profile.__class__, request=request, user=user_profile)
|
2017-08-25 00:58:34 +02:00
|
|
|
|
|
|
|
# Mark this request as having a logged-in user for our server logs.
|
|
|
|
process_client(request, user_profile)
|
|
|
|
request._email = user_profile.email
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_success({"api_key": user_profile.api_key, "email": user_profile.email})
|
|
|
|
|
2017-11-27 09:28:57 +01:00
|
|
|
def get_auth_backends_data(request: HttpRequest) -> Dict[str, Any]:
|
2017-03-10 06:29:09 +01:00
|
|
|
"""Returns which authentication methods are enabled on the server"""
|
2017-10-02 08:32:09 +02:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
try:
|
|
|
|
realm = Realm.objects.get(string_id=subdomain)
|
|
|
|
except Realm.DoesNotExist:
|
|
|
|
# If not the root subdomain, this is an error
|
2017-10-20 02:56:49 +02:00
|
|
|
if subdomain != Realm.SUBDOMAIN_FOR_ROOT_DOMAIN:
|
2017-10-02 08:32:09 +02:00
|
|
|
raise JsonableError(_("Invalid subdomain"))
|
|
|
|
# With the root subdomain, it's an error or not depending
|
|
|
|
# whether ROOT_DOMAIN_LANDING_PAGE (which indicates whether
|
|
|
|
# there are some realms without subdomains on this server)
|
|
|
|
# is set.
|
|
|
|
if settings.ROOT_DOMAIN_LANDING_PAGE:
|
|
|
|
raise JsonableError(_("Subdomain required"))
|
|
|
|
else:
|
|
|
|
realm = None
|
2017-10-24 20:59:11 +02:00
|
|
|
return {
|
|
|
|
"password": password_auth_enabled(realm),
|
|
|
|
"dev": dev_auth_enabled(realm),
|
|
|
|
"email": email_auth_enabled(realm),
|
|
|
|
"github": github_auth_enabled(realm),
|
|
|
|
"google": google_auth_enabled(realm),
|
2018-02-06 23:36:56 +01:00
|
|
|
"remoteuser": remote_auth_enabled(realm),
|
2017-10-24 20:59:11 +02:00
|
|
|
"ldap": ldap_auth_enabled(realm),
|
|
|
|
}
|
2017-05-04 01:13:40 +02:00
|
|
|
|
|
|
|
@csrf_exempt
|
2017-11-27 09:28:57 +01:00
|
|
|
def api_get_auth_backends(request: HttpRequest) -> HttpResponse:
|
2017-05-04 01:13:56 +02:00
|
|
|
"""Deprecated route; this is to be replaced by api_get_server_settings"""
|
2017-05-04 01:13:40 +02:00
|
|
|
auth_backends = get_auth_backends_data(request)
|
|
|
|
auth_backends['zulip_version'] = ZULIP_VERSION
|
|
|
|
return json_success(auth_backends)
|
2016-10-12 04:50:38 +02:00
|
|
|
|
2017-05-04 01:13:56 +02:00
|
|
|
@require_GET
|
|
|
|
@csrf_exempt
|
2017-11-27 09:28:57 +01:00
|
|
|
def api_get_server_settings(request: HttpRequest) -> HttpResponse:
|
2017-05-04 01:13:56 +02:00
|
|
|
result = dict(
|
|
|
|
authentication_methods=get_auth_backends_data(request),
|
|
|
|
zulip_version=ZULIP_VERSION,
|
2018-02-12 23:34:59 +01:00
|
|
|
push_notifications_enabled=push_notifications_enabled(),
|
2017-05-04 01:13:56 +02:00
|
|
|
)
|
|
|
|
context = zulip_default_context(request)
|
|
|
|
# IMPORTANT NOTE:
|
|
|
|
# realm_name, realm_icon, etc. are not guaranteed to appear in the response.
|
|
|
|
# * If they do, that means the server URL has only one realm on it
|
|
|
|
# * If they don't, the server has multiple realms, and it's not clear which is
|
|
|
|
# the requested realm, so we can't send back these data.
|
2017-09-15 19:13:48 +02:00
|
|
|
for settings_item in [
|
|
|
|
"email_auth_enabled",
|
|
|
|
"require_email_format_usernames",
|
|
|
|
"realm_uri",
|
|
|
|
"realm_name",
|
|
|
|
"realm_icon",
|
|
|
|
"realm_description"]:
|
2017-05-04 01:13:56 +02:00
|
|
|
if context[settings_item] is not None:
|
|
|
|
result[settings_item] = context[settings_item]
|
|
|
|
return json_success(result)
|
|
|
|
|
2016-10-12 04:50:38 +02:00
|
|
|
@has_request_variables
|
2017-11-27 09:28:57 +01:00
|
|
|
def json_fetch_api_key(request: HttpRequest, user_profile: UserProfile,
|
|
|
|
password: str=REQ(default='')) -> HttpResponse:
|
2017-11-17 23:56:45 +01:00
|
|
|
subdomain = get_subdomain(request)
|
|
|
|
realm = get_realm(subdomain)
|
2016-10-12 04:50:38 +02:00
|
|
|
if password_auth_enabled(user_profile.realm):
|
|
|
|
if not authenticate(username=user_profile.email, password=password,
|
2017-11-17 23:56:45 +01:00
|
|
|
realm=realm):
|
2016-10-12 04:50:38 +02:00
|
|
|
return json_error(_("Your username or password is incorrect."))
|
|
|
|
return json_success({"api_key": user_profile.api_key})
|
|
|
|
|
|
|
|
@csrf_exempt
|
2017-11-27 09:28:57 +01:00
|
|
|
def api_fetch_google_client_id(request: HttpRequest) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
if not settings.GOOGLE_CLIENT_ID:
|
|
|
|
return json_error(_("GOOGLE_CLIENT_ID is not configured"), status=400)
|
|
|
|
return json_success({"google_client_id": settings.GOOGLE_CLIENT_ID})
|
|
|
|
|
|
|
|
@require_post
|
2017-11-27 09:28:57 +01:00
|
|
|
def logout_then_login(request: HttpRequest, **kwargs: Any) -> HttpResponse:
|
2016-10-12 04:50:38 +02:00
|
|
|
return django_logout_then_login(request, kwargs)
|
2017-11-18 03:30:07 +01:00
|
|
|
|
|
|
|
def password_reset(request: HttpRequest, **kwargs: Any) -> HttpResponse:
|
|
|
|
realm = get_realm(get_subdomain(request))
|
|
|
|
|
|
|
|
if realm is None:
|
|
|
|
# If trying to get to password reset on a subdomain that
|
|
|
|
# doesn't exist, just go to find_account.
|
|
|
|
redirect_url = reverse('zerver.views.registration.find_account')
|
|
|
|
return HttpResponseRedirect(redirect_url)
|
|
|
|
|
|
|
|
return django_password_reset(request,
|
|
|
|
template_name='zerver/reset.html',
|
|
|
|
password_reset_form=ZulipPasswordResetForm,
|
|
|
|
post_reset_redirect='/accounts/password/reset/done/')
|