Removing dependency on crossDomain functionality for login

ca1ed05e · Tor-Einar Skog · 83500179 · ca1ed05e · ca1ed05e · ca1ed05e
Commit ca1ed05e authored 9 years ago by Tor-Einar Skog
--- a/VIPSWeb/settings.py
+++ b/VIPSWeb/settings.py
@@ -94,6 +94,7 @@ MIDDLEWARE_CLASSES = (
    'common.middleware.whodid.WhodidMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'maintenancemode.middleware.MaintenanceModeMiddleware',
+    'security.middleware.check_login_middleware.CheckLoginMiddleware'
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )

--- a/VIPSWeb/templates/base.html
+++ b/VIPSWeb/templates/base.html
@@ -141,23 +141,7 @@
 	<script src="{% static "js/3rdparty/jquery-1.11.1.min.js" %}"></script>
 	<!-- Include all compiled plugins (below), or include individual files as needed -->
 	<script src="{% static "js/3rdparty/bootstrap.min.js" %}"></script>
-	{% if request.session.vips_logic_user == None %}
-	<!-- Security stuff -->
-	<!-- If not logged in, attempt to do so -->
-	<script type="text/javascript" src="{% static "security/js/crossdomainstorage.js" %}"></script>
-	<script src="{% static "security/js/loginHandler.js" %}"></script>
-	<script type="text/javascript">
-	
-	$(document).ready(function() {
-		/**	
-		var remoteStorage = new CrossDomainStorage("http://{{settings.VIPSLOGIC_SERVER_NAME}}", "/xdomain/xdomainserver.jsp");
-		remoteStorage.requestCookie("rememberedUser", function(name, value){
-			loginUser(value);
-		});*/
-		loginUser("{{uuid}}");
-	});
-	</script>
-	{% endif %}
+
 	{% block extendJS %}{% endblock %}
 	{% block customJS %}{% endblock %}
 </body>

--- a/VIPSWeb/views.py
+++ b/VIPSWeb/views.py
@@ -38,7 +38,9 @@ def index(request):
            if int(chrome_version) < 40:
                user_is_stock_android = True
    
-    uuid = request.GET.get("returnUUID","")
+    user_uuid = request.GET.get("returnUUID",None)
+    if user_uuid == None:
+        user_uuid = request.session.get("user_uuid","")
    
    # Get front page categories. This is defined in local_settings.py
    #message_tags = MessageTag.get_message_tags(translation.get_language())
@@ -47,7 +49,7 @@ def index(request):
    advertisements = Advertisement.objects.exclude(pub_date__gt=datetime.date.today()).exclude(exp_date__lt=datetime.date.today()).order_by('-pub_date')[:1]
    # Last 10 messages
    context = {
-               'uuid': uuid,
+               'user_uuid': user_uuid,
              'advertisements': advertisements,
              'crop_categories': CropCategory.get_crop_categories(translation.get_language()),
              'user_is_stock_android':  user_is_stock_android,

--- a/security/middleware/__init__.py
+++ b/security/middleware/__init__.py
--- a/security/middleware/check_login_middleware.py
+++ b/security/middleware/check_login_middleware.py
+#
+# Copyright (c) 2015 NIBIO <http://www.nibio.no/>. 
+# 
+# This file is part of VIPSWeb.
+# VIPSWeb is free software: you can redistribute it and/or modify
+# it under the terms of the NIBIO Open Source License as published by 
+# NIBIO, either version 1 of the License, or (at your option) any
+# later version.
+# 
+# VIPSWeb is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# NIBIO Open Source License for more details.
+#
+# You should have received a copy of the NIBIO Open Source License
+# along with VIPSWeb.  If not, see <http://www.nibio.no/licenses/>.
+# 
+# @author: Tor-Einar Skog <tor-einar.skog@nibio.no>
+
+from security.models import VipsLogicUser
+from django.conf import settings
+from datetime import datetime, timedelta
+import json
+
+
+class CheckLoginMiddleware(object):
+    datetime_format = "%Y-%m-%d %H:%M:%S"
+    
+    def process_request(self, request):
+        # If UUID is provided, login with VIPSLogic
+        # VIPSLogicUser exists in session for 24 hours
+        # UUID exists for 30 days by default
+        return_uuid = request.GET.get("returnUUID",None)
+        if return_uuid != None:
+            found_user = VipsLogicUser.find_by_uuid(return_uuid)
+            if found_user != None:
+                request.session["vips_logic_user"] = found_user
+                request.session["user_uuid"] = return_uuid
+                request.session["last_modified"] = datetime.now().strftime(CheckLoginMiddleware.datetime_format)
+                request.session.set_expiry(2592000) # 30 days lasting
+            else:
+                    request.session["vips_logic_user"] = None
+                    request.session["user_uuid"] = None
+                    request.session["last_modified"] = None
+                    request.session.set_expiry(0)
+        else:
+            # If not, check if current login is valid
+            # 1. Is last_modified not present or more than 24 hours ago?
+            # If so: check with VIPSLogic if user_uuid is valid
+            last_modified = request.session.get("last_modified", None)
+            print last_modified
+            age_limit = timedelta(days = 1)
+            if  last_modified == None or datetime.strptime(last_modified, CheckLoginMiddleware.datetime_format) < datetime.now() - age_limit:
+                # 2. If not, check if UUID is present
+                # If UUID present, try to login to VIPSLogic with it
+                user_uuid = request.session.get("user_uuid", None)
+                if user_uuid != None:
+                    found_user = VipsLogicUser.find_by_uuid(user_uuid)
+                    if found_user != None:
+                        request.session["vips_logic_user"] = found_user
+                        request.session["user_uuid"] = user_uuid
+                        request.session["last_modified"] = datetime.now().strftime(CheckLoginMiddleware.datetime_format)
+                        request.session.set_expiry(2592000) # 30 days lasting
+                    else:
+                        request.session["vips_logic_user"] = None
+                        request.session["user_uuid"] = None
+                        request.session["last_modified"] = None
+                        request.session.set_expiry(0)
\ No newline at end of file
--- a/security/static/security/js/crossdomainstorage.js
+++ b/security/static/security/js/crossdomainstorage.js
 /*
 * Copyright 2010 Nicholas C. Zakas. All rights reserved.
 * BSD Licensed.
+ * @deprecated Doesn't work with IE/Edge. Using check_login_middleware instead
 */
 function CrossDomainStorage(origin, path){
    this.origin = origin;

--- a/security/static/security/js/loginHandler.js
+++ b/security/static/security/js/loginHandler.js
@@ -19,6 +19,9 @@

 var loginFailed = null;

+/**
+ * @deprecated. Doesn't work with IE/Edge. Using check_login_middleware instead
+ */
 var loginUser = function(userUuid){
 	$.getJSON( "/security/login/" + userUuid, 
 			function( json ) { 

--- a/security/views.py
+++ b/security/views.py
@@ -26,16 +26,18 @@ import requests
 # Create your views here.
 # VIPSLogic login handling
 # Direct login with a user UUID
+# Deprecated. See check_login_middleware for handling
 def login_user_uuid(request, user_uuid):
    found_user = VipsLogicUser.find_by_uuid(user_uuid)
    if found_user != None:
        request.session["vips_logic_user"] = found_user
        request.session["user_uuid"] = user_uuid
-        request.session.set_expiry(0)
+        request.session.set_expiry(2592000) # 30 days lasting
        return JsonResponse({"success":"true"})
    else:
        return JsonResponse({"success":"false"})

+# Deprecated
 def login_form(request):
    return render(request, "security/login_form.html")