zulip/humbug/backends.py

from django.contrib.auth.models import User
from django.conf import settings
from zephyr.lib.cache import cache_with_key

@cache_with_key(lambda user_id: 'tornado_user:%d' % (user_id,))
def get_tornado_user(user_id):
    try:
        return User.objects.select_related().get(id=user_id)
    except User.DoesNotExist:
        return None

class EmailAuthBackend(object):
    """
    Email Authentication Backend

    Allows a user to sign in using an email/password pair rather than
    a username/password pair.
    """

    def authenticate(self, username=None, password=None):
        """ Authenticate a user based on email address as the user name. """
        if username is None or password is None:
            # Return immediately.  Otherwise we will look for a SQL row with
            # NULL username.  While that's probably harmless, it's needless
            # exposure.
            return None

        try:
            user = User.objects.get(email__iexact=username)
            if user.check_password(password):
                return user
        except User.DoesNotExist:
            return None

    def get_user(self, user_id):
        """ Get a User object from the user_id. """
        if settings.RUNNING_INSIDE_TORNADO:
            # Get the User from a cache because we aren't accessing
            # any mutable fields from Tornado (just the id)
            return get_tornado_user(user_id)
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None
Remove unused imports (imported from commit eb576627ff72e57fee0e3a4c357f51ad74cd6c86) 2012-10-25 06:23:55 +02:00			`from django.contrib.auth.models import User`
tornado: Get User and UserProfile objects from a memcached. This commit has the effect of eliminating all of the non-UserActivity database queries from the Tornado process -- at least in the uncached case. This is safe to do, if a bit fragile, since our Tornado code only accesses these objects (as opposed to their IDs) in a few places that are all fine with old data, and I don't expect us to add any new ones soon: * UserActivity logging, which I plan to move out of Tornado entirely * Checking whether we're authenticated in our decorators (which could be simplified -- the actual security check is just whether the Django session object has a particular field) * Checking the user realm for whether we should sync to the client notices about their Zephyr mirror being up to date, which is quite static and I think we can move out of this code path. But implementation constraints around mapping the user_ids to user_profile_ids mean that it makes sense to get the actual objects for now. This code is not what I want to do long-term. I expect we'll be able to clean up the dual User/UserProfile nonsense once we integrate the upcoming Django 1.5 release, with its support for pluggable User models, and after that I change, I expect it'll be fairly easy to make the Tornado code only work with the user ID, not the actual objects. (imported from commit 82e25b62fd0e3af7c86040600c63a4deec7bec06) 2013-01-09 22:45:23 +01:00			`from django.conf import settings`
			`from zephyr.lib.cache import cache_with_key`

			`@cache_with_key(lambda user_id: 'tornado_user:%d' % (user_id,))`
			`def get_tornado_user(user_id):`
			`try:`
			`return User.objects.select_related().get(id=user_id)`
			`except User.DoesNotExist:`
			`return None`
Authenticate by email. Approach from http://www.micahcarrick.com/django-email-authentication.html. (imported from commit 796b8e08d8e1f9769cd3cf8ee61d3724ac3847b7) 2012-09-21 16:10:36 +02:00
			`class EmailAuthBackend(object):`
			`"""`
			`Email Authentication Backend`

			`Allows a user to sign in using an email/password pair rather than`
			`a username/password pair.`
			`"""`

			`def authenticate(self, username=None, password=None):`
			`""" Authenticate a user based on email address as the user name. """`
authenticate: Reject None for username or password, without a DB query (imported from commit dd76b174a806f9bf4a47f07f124321a025561183) 2012-10-29 19:17:03 +01:00			`if username is None or password is None:`
			`# Return immediately. Otherwise we will look for a SQL row with`
			`# NULL username. While that's probably harmless, it's needless`
			`# exposure.`
			`return None`

Authenticate by email. Approach from http://www.micahcarrick.com/django-email-authentication.html. (imported from commit 796b8e08d8e1f9769cd3cf8ee61d3724ac3847b7) 2012-09-21 16:10:36 +02:00			`try:`
Allow case-insensitive email addresses when doing authentication (imported from commit b52e39c7f706a2107b5d86e8e18293a46ed9e6ff) 2012-12-04 20:15:02 +01:00			`user = User.objects.get(email__iexact=username)`
Authenticate by email. Approach from http://www.micahcarrick.com/django-email-authentication.html. (imported from commit 796b8e08d8e1f9769cd3cf8ee61d3724ac3847b7) 2012-09-21 16:10:36 +02:00			`if user.check_password(password):`
			`return user`
			`except User.DoesNotExist:`
			`return None`

			`def get_user(self, user_id):`
			`""" Get a User object from the user_id. """`
tornado: Get User and UserProfile objects from a memcached. This commit has the effect of eliminating all of the non-UserActivity database queries from the Tornado process -- at least in the uncached case. This is safe to do, if a bit fragile, since our Tornado code only accesses these objects (as opposed to their IDs) in a few places that are all fine with old data, and I don't expect us to add any new ones soon: * UserActivity logging, which I plan to move out of Tornado entirely * Checking whether we're authenticated in our decorators (which could be simplified -- the actual security check is just whether the Django session object has a particular field) * Checking the user realm for whether we should sync to the client notices about their Zephyr mirror being up to date, which is quite static and I think we can move out of this code path. But implementation constraints around mapping the user_ids to user_profile_ids mean that it makes sense to get the actual objects for now. This code is not what I want to do long-term. I expect we'll be able to clean up the dual User/UserProfile nonsense once we integrate the upcoming Django 1.5 release, with its support for pluggable User models, and after that I change, I expect it'll be fairly easy to make the Tornado code only work with the user ID, not the actual objects. (imported from commit 82e25b62fd0e3af7c86040600c63a4deec7bec06) 2013-01-09 22:45:23 +01:00			`if settings.RUNNING_INSIDE_TORNADO:`
			`# Get the User from a cache because we aren't accessing`
			`# any mutable fields from Tornado (just the id)`
			`return get_tornado_user(user_id)`
Authenticate by email. Approach from http://www.micahcarrick.com/django-email-authentication.html. (imported from commit 796b8e08d8e1f9769cd3cf8ee61d3724ac3847b7) 2012-09-21 16:10:36 +02:00			`try:`
			`return User.objects.get(pk=user_id)`
			`except User.DoesNotExist:`
			`return None`