app/main/views/sign_in.py

from flask import (
    render_template,
    redirect,
    url_for,
    session,
    flash,
    request,
    abort
)

from flask.ext.login import (
    current_user,
    login_fresh,
    confirm_login
)

from app import (
    user_api_client,
    invite_api_client,
    service_api_client
)


from app.main import main
from app.main.forms import LoginForm


@main.route('/sign-in', methods=(['GET', 'POST']))
def sign_in():

    if current_user and current_user.is_authenticated():
        return redirect(url_for('main.choose_service'))

    form = LoginForm()
    if form.validate_on_submit():

        user = user_api_client.get_user_by_email_or_none(form.email_address.data)
        user = _get_and_verify_user(user, form.password.data)
        if user and user.state == 'pending':
            flash("You haven't verified your email or mobile number yet.")
            return redirect(url_for('main.sign_in'))

        if user and session.get('invited_user'):
            invited_user = session.get('invited_user')
            if user.email_address != invited_user['email_address']:
                flash("You can't accept an invite for another person.")
                session.pop('invited_user', None)
                abort(403)
            else:
                invite_api_client.accept_invite(invited_user['service'], invited_user['id'])
        if user:
            # Remember me login
            if not login_fresh() and \
               not current_user.is_anonymous() and \
               current_user.id == user.id and \
               user.is_active():
                confirm_login()
                services = service_api_client.get_services({'user_id': str(user.id)}).get('data', [])
                if (len(services) == 1):
                    return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
                else:
                    return redirect(url_for('main.choose_service'))

            session['user_details'] = {"email": user.email_address, "id": user.id}
            if user.is_active():
                user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
                if request.args.get('next'):
                    return redirect(url_for('.two_factor', next=request.args.get('next')))
                else:
                    return redirect(url_for('.two_factor'))
        # Vague error message for login in case of user not known, locked, inactive or password not verified
        flash('Username or password is incorrect')

    return render_template('views/signin.html', form=form)


def _get_and_verify_user(user, password):
    if not user:
        return None
    elif user.is_locked():
        return None
    elif not user_api_client.verify_password(user.id, password):
        return None
    else:
        return user
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`from flask import (`
First slice full sign in flow 2016-01-21 11:33:53 +00:00			`render_template,`
			`redirect,`
			`url_for,`
			`session,`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00			`flash,`
Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00			`request,`
			`abort`
First slice full sign in flow 2016-01-21 11:33:53 +00:00			`)`

Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`from flask.ext.login import (`
			`current_user,`
			`login_fresh,`
			`confirm_login`
			`)`
If user is logged in and visits / /sign-in or /register they will be redirected to choose service. 2016-01-22 17:24:14 +00:00
Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00			`from app import (`
			`user_api_client,`
			`invite_api_client,`
			`service_api_client`
			`)`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00

Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00			`from app.main import main`
109526520: Changed the code form fields to StringField When the codes were IntegerFields and the code started with zero, the zero was trimmed, resulting in a failed match. 2015-12-08 15:30:55 +00:00			`from app.main.forms import LoginForm`
108536490: Initial effort to implement log in Add endpoint for post to /sign-in Initialise role data 2015-11-27 09:47:29 +00:00

Sign in view, form and template refactored. 2016-01-05 14:30:06 +00:00			`@main.route('/sign-in', methods=(['GET', 'POST']))`
			`def sign_in():`
Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00
If user is logged in and visits / /sign-in or /register they will be redirected to choose service. 2016-01-22 17:24:14 +00:00			`if current_user and current_user.is_authenticated():`
			`return redirect(url_for('main.choose_service'))`
Remember me functionality added and tested. Merge extra. Fixed comment. 2016-02-23 15:45:19 +00:00
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00			`form = LoginForm()`
			`if form.validate_on_submit():`
Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00
Do not throw 404 if email address is not found on sign in. https://www.pivotaltracker.com/story/show/115947639 2016-03-21 11:48:16 +00:00			`user = user_api_client.get_user_by_email_or_none(form.email_address.data)`
Added fixes for forms to hide potential email philshing scams. 2016-01-28 16:36:36 +00:00			`user = _get_and_verify_user(user, form.password.data)`
If user is pending it means they have not verified email yet Added better checking on re use of consumed verification link. 2016-03-29 12:13:36 +01:00			`if user and user.state == 'pending':`
			`flash("You haven't verified your email or mobile number yet.")`
			`return redirect(url_for('main.sign_in'))`
Removed some un needed flash messages raised as bugs. In the process found a couple of edge cases of incorrect use of invitation links by other users which are now handled. 2016-03-30 16:16:34 +01:00
			`if user and session.get('invited_user'):`
			`invited_user = session.get('invited_user')`
			`if user.email_address != invited_user['email_address']:`
			`flash("You can't accept an invite for another person.")`
			`session.pop('invited_user', None)`
			`abort(403)`
			`else:`
			`invite_api_client.accept_invite(invited_user['service'], invited_user['id'])`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00			`if user:`
Remember me functionality added and tested. Merge extra. Fixed comment. 2016-02-23 15:45:19 +00:00			`# Remember me login`
			`if not login_fresh() and \`
			`not current_user.is_anonymous() and \`
			`current_user.id == user.id and \`
			`user.is_active():`
			`confirm_login()`
Merge with master. 2016-03-29 22:50:40 +01:00			`services = service_api_client.get_services({'user_id': str(user.id)}).get('data', [])`
Remember me functionality added and tested. Merge extra. Fixed comment. 2016-02-23 15:45:19 +00:00			`if (len(services) == 1):`
			`return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))`
			`else:`
			`return redirect(url_for('main.choose_service'))`

All tests passing and merged with master. 2016-01-27 16:30:33 +00:00			`session['user_details'] = {"email": user.email_address, "id": user.id}`
If user is pending it means they have not verified email yet Added better checking on re use of consumed verification link. 2016-03-29 12:13:36 +01:00			`if user.is_active():`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00			`if request.args.get('next'):`
			`return redirect(url_for('.two_factor', next=request.args.get('next')))`
			`else:`
			`return redirect(url_for('.two_factor'))`
Added fixes for forms to hide potential email philshing scams. 2016-01-28 16:36:36 +00:00			`# Vague error message for login in case of user not known, locked, inactive or password not verified`
			`flash('Username or password is incorrect')`
Sign in view, form and template refactored. 2016-01-05 14:30:06 +00:00
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00			`return render_template('views/signin.html', form=form)`
Incrementing of failed logins happens on api side 2016-01-26 12:32:08 +00:00

Added fixes for forms to hide potential email philshing scams. 2016-01-28 16:36:36 +00:00			`def _get_and_verify_user(user, password):`
Incrementing of failed logins happens on api side 2016-01-26 12:32:08 +00:00			`if not user:`
			`return None`
			`elif user.is_locked():`
			`return None`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`elif not user_api_client.verify_password(user.id, password):`
Incrementing of failed logins happens on api side 2016-01-26 12:32:08 +00:00			`return None`
			`else:`
			`return user`