Skip to content
This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Commit

Permalink
Add controller to handle verification
Browse files Browse the repository at this point in the history
  • Loading branch information
rohitpaulk committed Jul 13, 2017
1 parent 36a030d commit 86a1bbe
Show file tree
Hide file tree
Showing 3 changed files with 108 additions and 1 deletion.
6 changes: 6 additions & 0 deletions gratipay/security/user.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,12 @@ def from_id(cls, userid):
"""
return cls(Participant.from_id(userid))

@classmethod
def from_email(cls, email):
"""Find a participant based on id and return a User.
"""
return cls(Participant.from_email(email))

@classmethod
def from_username(cls, username):
"""Find a participant based on username and return a User.
Expand Down
55 changes: 54 additions & 1 deletion tests/py/test_www_email_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@

import json

from gratipay.security.authentication.email import create_signin_nonce, verify_nonce, NONCE_INVALID
from gratipay.testing import Harness
from gratipay.testing.email import QueuedEmailHarness

from gratipay.utils import encode_for_querystring

class TestSendLink(Harness):
def test_returns_json(self):
Expand Down Expand Up @@ -40,3 +41,55 @@ def test_sends_email(self):
assert self.get_last_email()['to'] == 'alice <[email protected]>'
assert 'Click the link below to sign in to Gratipay' in self.get_last_email()['body_text']
assert 'Click the button below to sign in to Gratipay' in self.get_last_email()['body_html']

class TestVerify(Harness):
def setUp(self):
self.make_participant('alice', email_address='[email protected]')
self.nonce = create_signin_nonce(self.db, '[email protected]')

def test_400_if_nonce_not_provided(self):
response = self.client.GxT('/auth/email/verify.html?email=abcd')
assert response.code == 400
assert response.body == '`nonce` parameter must be provided'

def test_400_if_email_not_provided(self):
response = self.client.GxT('/auth/email/verify.html?nonce=abcd')
assert response.code == 400
assert response.body == '`email` parameter must be provided'

def test_redirects_on_success(self):
link = self._get_link('[email protected]', self.nonce)
response = self.client.GET(link, raise_immediately=False)

assert response.code == 302
assert response.headers['Location'] == '/'
assert response.headers.cookie.get('session')

def test_logs_in_on_success(self):
link = self._get_link('[email protected]', self.nonce)
response = self.client.GET(link, raise_immediately=False)

assert response.headers.cookie.get('session')

def test_invalidates_nonce_on_success(self):
link = self._get_link('[email protected]', self.nonce)
self.client.GET(link, raise_immediately=False)

assert verify_nonce(self.db, '[email protected]', self.nonce) == NONCE_INVALID

def test_invalid_nonce(self):
response = self.client.GET(self._get_link('[email protected]', 'dummy_nonce'))

assert "Sorry, that's a bad link." in response.body

def test_expired_nonce(self):
self.db.run("UPDATE email_auth_nonces SET ctime = ctime - interval '1 day'")
response = self.client.GET(self._get_link('[email protected]', self.nonce))

assert "This link has expired. Please generate a new one." in response.body

def _get_link(self, email, nonce):
encoded_email = encode_for_querystring(email)

return '/auth/email/verify.html?nonce=%s&email=%s' % (nonce, encoded_email)

48 changes: 48 additions & 0 deletions www/auth/email/verify.html.spt
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
from aspen import Response

from gratipay.security.authentication.email import verify_nonce, invalidate_nonce
from gratipay.security.authentication.email import NONCE_VALID, NONCE_INVALID, NONCE_EXPIRED
from gratipay.utils import decode_from_querystring
from gratipay.security.user import User

[---]

if 'nonce' not in request.qs:
raise Response(400, '`nonce` parameter must be provided')

if 'email' not in request.qs:
raise Response(400, '`email` parameter must be provided')

email = decode_from_querystring(request.qs['email'])
nonce = request.qs['nonce']

result = verify_nonce(website.db, email, nonce)

if result == NONCE_VALID:
_user = User.from_email(email) # '_user' to avoid conflict with 'user' in template
_user.sign_in(response.headers.cookie) # TODO: What if user is already signed in?
invalidate_nonce(website.db, email, nonce)
website.redirect("/", response=response) # TODO: Why should response be passed?
else:
suppress_sidebar = True

[---] text/html via jinja2
{% extends "templates/base.html" %}
{% block content %}
{% if result == NONCE_EXPIRED %}
<h1>{{ _("Link expired") }}</h1>
<p>{{ _( "This link has expired. Please generate a new one.") }}</p>
{# TODO: Add form for email right here? #}
{% else %} {# NONCE_INVALID #}
<h1>{{ _("Bad Info") }}</h1>
<p>
{{ _( "Sorry, that's a bad link.") }}

<br/><br/>

{{ _("If you think this is a mistake, please contact {a}[email protected].{_a}"
, a=('<a href="mailto:[email protected]">'|safe)
, _a='</a>'|safe) }}
</p>
{% endif %}
{% endblock %}

0 comments on commit 86a1bbe

Please sign in to comment.