From 1cb2ced51d5db4b881ffff1a17b484c92e899fe2 Mon Sep 17 00:00:00 2001 From: Kalinowski Date: Wed, 8 Jul 2020 11:07:28 +0200 Subject: [PATCH 1/7] DocStrings added to Handler --- .gitignore | 1 + handler.py | 57 +++++++++++++++++++++++++++++++++++------------------- 2 files changed, 38 insertions(+), 20 deletions(-) diff --git a/.gitignore b/.gitignore index 7d9efb2..b750f07 100644 --- a/.gitignore +++ b/.gitignore @@ -54,3 +54,4 @@ dev.env .envrc *.code-workspace /wrapper/create_template.sed +/package-lock.json diff --git a/handler.py b/handler.py index 5b147fb..e2c842e 100644 --- a/handler.py +++ b/handler.py @@ -5,6 +5,7 @@ from functions import slr from functions.db import connector + # https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html @@ -395,6 +396,10 @@ def update_review(event, context): def add_user_handler(event, context): + """POST Method: Adds a new user + "username", "name", "surname", "email", "password" mandatory in body + """ + from functions.db.connector import add_user from bson import json_util @@ -418,6 +423,9 @@ def add_user_handler(event, context): def get_user_by_username_handler(event, context): + """GET Method: Gets user information by username + accessible with /users/{username} + """ from functions.db.connector import get_user_by_username username = event.get('pathParameters').get('username') @@ -435,6 +443,8 @@ def get_user_by_username_handler(event, context): def get_all_users_handler(event, context): + """GET Method: Gets all user usernames + """ from functions.db.connector import get_users users = get_users() @@ -451,6 +461,9 @@ def get_all_users_handler(event, context): def update_user_handler(event, context): + """PATCH Method: Updates userinformation + "username", "name", "surname", "email", "password" mandatory in body + """ from functions.db.connector import update_user, get_user_by_username body = json.loads(event["body"]) 
@@ -475,6 +488,9 @@ def update_user_handler(event, context): def add_api_key_to_user_handler(event, context): + """POST Method: Adds API KEY to user + "db_name", "api_key" mandatory in body + """ from functions.db.connector import add_api_key_to_user, get_user_by_username from functions.authentication import get_username_from_jwt headers = event["headers"] @@ -499,6 +515,9 @@ def add_api_key_to_user_handler(event, context): def delete_user_handler(event, context): + """DELETE Method: Deletes User + accessible with /users/{username} + """ from functions.db.connector import delete_user, get_user_by_username username = event.get('pathParameters').get('username') @@ -517,6 +536,9 @@ def delete_user_handler(event, context): def login_handler(event, context): + """POST Method: Logs user in and returns JWT + "username", "password" mandatory in body + """ from functions.db.connector import get_user_by_username, check_if_password_is_correct, add_jwt_to_session from functions.authentication import get_jwt_for_user @@ -551,6 +573,8 @@ def login_handler(event, context): def logout_handler(event, context): + """DELETE Method: Logs out user + """ from functions.authentication import check_for_token, get_username_from_jwt from functions.db.connector import remove_jwt_from_session, get_user_by_username 
@@ -583,31 +607,24 @@ def logout_handler(event, context): def check_jwt_handler(event, context): + """POST Method: Checks if given JWT is valid""" from functions.authentication import check_for_token from functions.db.connector import check_if_jwt_is_in_session headers = event["headers"] token = headers.get('authorizationToken') - if check_for_token(token) and check_if_jwt_is_in_session(token): - response = { - "statusCode": 200, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": token - } - return response - else: - response = { - "statusCode": 401, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": "Authentication failed" - } - return response + if not check_for_token(token) and not check_if_jwt_is_in_session(token): + return make_response(status_code=401, body="Authentication failed") + + response = { + "statusCode": 200, + "headers": { + 'Access-Control-Allow-Origin': '*', + 'Access-Control-Allow-Credentials': True, + }, + "body": token + } + return response def update_score(event, context): From 78156da2267566d072ebc5f6a51b0ac8172d2d24 Mon Sep 17 00:00:00 2001 From: Kalinowski Date: Wed, 8 Jul 2020 11:47:57 +0200 Subject: [PATCH 2/7] Add Authentiction to all endpoints --- handler.py | 210 ++++++++++++++++++++++++++++------------------------- 1 file changed, 113 insertions(+), 97 deletions(-) diff --git a/handler.py b/handler.py index e2c842e..a9de752 100644 --- a/handler.py +++ b/handler.py @@ -4,6 +4,7 @@ from functions import slr from functions.db import connector +from functions import authentication # https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html 
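Review bot: The guard `if not check_for_token(token) and not check_if_jwt_is_in_session(token):` is the wrong negation of the condition it replaces: the old code returned 200 only when both checks passed, the new code returns 401 only when both fail, so a token that passes just one of them — for instance one that `logout_handler` has removed from the session but that `check_for_token` still accepts, whatever it verifies — is now reported valid. De Morgan gives `if not check_for_token(token) or not check_if_jwt_is_in_session(token):`. PATCH 2 pastes the same `and` form into the guard of every handler it touches (add_collaborator_to_review through update_score), and the `or` form only shows up as unchanged context in PATCH 5, i.e. it was corrected by a commit not included in this series; the fix belongs here, before the pattern is duplicated twenty times.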
@@ -55,6 +56,10 @@ def add_collaborator_to_review(event, body): Returns: updated review """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + review_id = event.get('pathParameters').get('review_id') review = connector.get_review_by_id(review_id) @@ -78,6 +83,10 @@ def get_reviews_for_user(event, context): Returns: list of reviews """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + username = event.get('pathParameters').get('username') user = connector.get_user_by_username(username) @@ -102,6 +111,10 @@ def dry_query(event, context): } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: body = json.loads(event["body"]) search = body.get('search') @@ -136,6 +149,10 @@ def new_query(event, context): "new_query_id": new_query_id } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: body = json.loads(event["body"]) @@ -168,6 +185,10 @@ def get_persisted_results(event, context): "query_id": } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: review_id = event.get('pathParameters').get('review_id') review = connector.get_review_by_id(review_id) 
@@ -204,6 +225,10 @@ def persist_pages_of_query(event, body): "success": True } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: body = json.loads(event["body"]) @@ -250,6 +275,10 @@ def persist_list_of_results(event, body): "success": True } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: body = json.loads(event["body"]) @@ -285,6 +314,10 @@ def delete_results_by_dois(event, body): "success": True } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + # try: body = json.loads(event["body"]) @@ -307,7 +340,10 @@ def add_review(event, context): """POST Method: create a new review "name" is mandatory in body """ - from functions.db.connector import add_review + + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) 
@@ -335,11 +371,13 @@ def get_review_by_id(event, context): accessible with review/{review_id} """ - from functions.db.connector import get_review_by_id + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') - review = get_review_by_id(review_id) + review = connector.get_review_by_id(review_id) response = { "statusCode": 200, @@ -356,11 +394,13 @@ def delete_review(event, context): """DELETE Method: delete a review by id accessible with review/{review_id} """ - from functions.db.connector import delete_review + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') - delete_review(review_id) + connector.delete_review(review_id) response = { "statusCode": 204, @@ -376,13 +416,11 @@ def update_review(event, context): """PUT Method: updates a review by its id accessible with review/{review_id}, "name" and "description" is mandatory in body """ - from functions.db.connector import update_review - review_id = event.get('pathParameters').get('review_id') body = json.loads(event["body"]) name = body.get('review').get('name') description = body.get('review').get('description') - updated_review = update_review(review_id, name, description) + updated_review = connector.update_review(review_id, name, description) response = { "statusCode": 200, 
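Review bot: update_review receives no token guard in this hunk — the local import is dropped and the call re-pointed at `connector.update_review`, but unlike every sibling in this commit there is no `token = event["headers"].get('authorizationToken')` check, so PUT review/{review_id} stays reachable without a token despite the commit title. Add the same three guard lines the other handlers get, written with `or` between the two negated checks rather than the `and` used elsewhere in this commit. Separately, get_review_by_id and delete_review now require a valid token but never relate the caller to the review: if reviews belong to users as get_reviews_for_user suggests, any logged-in user can read or delete any review_id they can guess, so the token's username should be compared with the review's owner/collaborators (fields not visible here) before acting. All three handlers continue past their hunks.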
@@ -399,9 +437,9 @@ def add_user_handler(event, context): """POST Method: Adds a new user "username", "name", "surname", "email", "password" mandatory in body """ - - from functions.db.connector import add_user - from bson import json_util + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) username = body.get('username') 
@@ -409,45 +447,33 @@ def add_user_handler(event, context): surname = body.get('surname') email = body.get('email') password = body.get('password') - added_user = add_user(username, name, surname, email, password) + added_user = connector.add_user(username, name, surname, email, password) - response = { - "statusCode": 201, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": json.dumps(added_user.to_son().to_dict(), default=json_util.default) - } - return response + return make_response(201, added_user.to_son().to_dict()) def get_user_by_username_handler(event, context): """GET Method: Gets user information by username accessible with /users/{username} """ - from functions.db.connector import get_user_by_username + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) username = event.get('pathParameters').get('username') - user = get_user_by_username(username) + user = connector.get_user_by_username(username) - response = { - "statusCode": 200, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": json.dumps(user.to_son().to_dict(), default=json_util.default) - } - return response + return make_response(201, user.to_son().to_dict()) def get_all_users_handler(event, context): """GET Method: Gets all user usernames """ - from functions.db.connector import get_users + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) - users = get_users() + users = connector.get_users() response = { "statusCode": 200, 
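Review bot: get_user_by_username_handler now answers a successful GET with `make_response(201, ...)` where the code it replaces returned 200; 201 Created is wrong for a read, and update_user_handler in the following hunk makes the same swap for a PATCH that previously returned 200. Use `return make_response(200, user.to_son().to_dict())` here and `return make_response(200, updated_user.to_son().to_dict())` there. The removed `json.dumps(..., default=json_util.default)` was what serialised bson values (ObjectId and the like) inside `to_son().to_dict()`; make_response's body is not visible on this page, so confirm it applies an equivalent default or these responses will fail at serialisation time. get_all_users_handler's body continues past the hunk.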
@@ -464,7 +490,9 @@ def update_user_handler(event, context): """PATCH Method: Updates userinformation "username", "name", "surname", "email", "password" mandatory in body """ - from functions.db.connector import update_user, get_user_by_username + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) username = body.get('username') 
@@ -473,36 +501,28 @@ def update_user_handler(event, context): email = body.get('email') password = body.get('password') - user = get_user_by_username(username) - updated_user = update_user(user, name, surname, email, password) + user = connector.get_user_by_username(username) + updated_user = connector.update_user(user, name, surname, email, password) - response = { - "statusCode": 200, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": json.dumps(updated_user.to_son().to_dict(), default=json_util.default) - } - return response + return make_response(201, updated_user.to_son().to_dict()) def add_api_key_to_user_handler(event, context): """POST Method: Adds API KEY to user "db_name", "api_key" mandatory in body """ - from functions.db.connector import add_api_key_to_user, get_user_by_username - from functions.authentication import get_username_from_jwt - headers = event["headers"] - token = headers.get('authorizationToken') - user = get_user_by_username(get_username_from_jwt(token)) + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + + user = connector.get_user_by_username(get_username_from_jwt(token)) body = json.loads(event["body"]) api_key = body.get('db_name') db_name = body.get('api_key') - add_api_key_to_user(user, body) + connector.add_api_key_to_user(user, body) response = { "statusCode": 201, 
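Review bot: add_api_key_to_user_handler still calls the bare `get_username_from_jwt(token)` after this hunk deletes the local `from functions.authentication import get_username_from_jwt`, so every request to the endpoint would raise NameError at that line; PATCH 3 in this series qualifies it as `authentication.get_username_from_jwt(token)`, and that one-line fix belongs in this commit rather than a follow-up. The pre-existing lines just below it read `api_key = body.get('db_name')` and `db_name = body.get('api_key')` — names swapped and neither used, while the raw `body` is handed to add_api_key_to_user — which is worth cleaning up while the function is being touched. The handler's response construction continues past the hunk.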
@@ -518,12 +538,14 @@ def delete_user_handler(event, context): """DELETE Method: Deletes User accessible with /users/{username} """ - from functions.db.connector import delete_user, get_user_by_username + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) username = event.get('pathParameters').get('username') - user_to_delete = get_user_by_username(username) - delete_user(user_to_delete) + user_to_delete = connector.get_user_by_username(username) + connector.delete_user(user_to_delete) response = { "statusCode": 200, @@ -539,18 +561,15 @@ def login_handler(event, context): """POST Method: Logs user in and returns JWT "username", "password" mandatory in body """ - from functions.db.connector import get_user_by_username, check_if_password_is_correct, add_jwt_to_session - from functions.authentication import get_jwt_for_user - body = json.loads(event["body"]) username = body.get('username') password = body.get('password') - user = get_user_by_username(username) - password_correct = check_if_password_is_correct(user, password) + user = connector.get_user_by_username(username) + password_correct = connector.check_if_password_is_correct(user, password) if password_correct: - token = get_jwt_for_user(user) - add_jwt_to_session(user, token) + token = authentication.get_jwt_for_user(user) + connector.add_jwt_to_session(user, token) response = { "statusCode": 200, "headers": { 
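Review bot: delete_user_handler now verifies that the caller holds a valid token but never checks whose it is: `username` still comes from the path, so any authenticated user can delete any other account, and update_user_handler (previous hunk) has the same gap with the target taken from the request body. Authentication is not authorisation — after the 401 guard, compare the identity in the token with the target, e.g. `if authentication.get_username_from_jwt(token) != username: return make_response(status_code=403, body={"Authorization": "Failed"})`, unless there is an admin notion elsewhere that is not visible here. The handler's response construction continues past the hunk.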
@@ -560,31 +579,28 @@ def login_handler(event, context): "body": token } return response - else: - response = { - "statusCode": 401, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": "Authentication failed" - } - return response + + response = { + "statusCode": 401, + "headers": { + 'Access-Control-Allow-Origin': '*', + 'Access-Control-Allow-Credentials': True, + }, + "body": "Authentication failed" + } + return response def logout_handler(event, context): """DELETE Method: Logs out user """ - from functions.authentication import check_for_token, get_username_from_jwt - from functions.db.connector import remove_jwt_from_session, get_user_by_username - headers = event["headers"] - token = headers.get('authorizationToken') + token = event["headers"].get('authorizationToken') - if check_for_token(token): - username = get_username_from_jwt(token) - user = get_user_by_username(username) - remove_jwt_from_session(user) + if authentication.check_for_token(token): + username = authentication.get_username_from_jwt(token) + user = connector.get_user_by_username(username) + connector.remove_jwt_from_session(user) response = { "statusCode": 200, "headers": { 
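Review bot: login_handler's two failure modes are distinguishable in a way that reveals whether a username exists: a wrong password reaches the 401 built at the end of this hunk, but an unknown username — if `connector.get_user_by_username` returns None, which this page does not show — makes `check_if_password_is_correct` dereference `user.password` (visible in PATCH 7) and the request ends in an unhandled error instead. Fold both into one path, `if user is None or not connector.check_if_password_is_correct(user, password): return make_response(status_code=401, body={"Authentication": "Failed"})`, which also replaces the hand-built 401 dict with the make_response helper and the dict body every other handler in this commit uses. The lookup and password-check lines sit in the preceding hunk. logout_handler's body continues past this hunk.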
@@ -594,27 +610,23 @@ def logout_handler(event, context): "body": "Successfully logged out" } return response - else: - response = { - "statusCode": 401, - "headers": { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Credentials': True, - }, - "body": "Authentication failed" - } - return response + + response = { + "statusCode": 401, + "headers": { + 'Access-Control-Allow-Origin': '*', + 'Access-Control-Allow-Credentials': True, + }, + "body": "Authentication failed" + } + return response def check_jwt_handler(event, context): """POST Method: Checks if given JWT is valid""" - from functions.authentication import check_for_token - from functions.db.connector import check_if_jwt_is_in_session - - headers = event["headers"] - token = headers.get('authorizationToken') - if not check_for_token(token) and not check_if_jwt_is_in_session(token): - return make_response(status_code=401, body="Authentication failed") + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) response = { "statusCode": 200, @@ -644,6 +656,10 @@ def update_score(event, context): } } """ + token = event["headers"].get('authorizationToken') + if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): + return make_response(status_code=401, body={"Authentication": "Failed"}) + body = json.loads(event["body"]) review_id = event.get('pathParameters').get('review_id') From 7b487793ce8caf1926d944d44f6e424f351f4f97 Mon Sep 17 00:00:00 2001 From: Kalinowski Date: Wed, 8 Jul 2020 11:50:50 +0200 Subject: [PATCH 3/7] Add Authentiction to all endpoints --- handler.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handler.py b/handler.py index a9de752..8f5b6dd 100644 --- a/handler.py +++ b/handler.py 
@@ -515,7 +515,7 @@ def add_api_key_to_user_handler(event, context): if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): return make_response(status_code=401, body={"Authentication": "Failed"}) - user = connector.get_user_by_username(get_username_from_jwt(token)) + user = connector.get_user_by_username(authentication.get_username_from_jwt(token)) body = json.loads(event["body"]) From 96fbe3b5acf8f895268bda3229b7e7d291d748e3 Mon Sep 17 00:00:00 2001 From: Kalinowski Date: Wed, 8 Jul 2020 13:18:08 +0200 Subject: [PATCH 4/7] Authentication Added to all endpoints & username gets extracted from token when needed --- handler.py | 8 ++++---- serverless.yml | 6 ------ 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/handler.py b/handler.py index 8f5b6dd..ee9298c 100644 --- a/handler.py +++ b/handler.py @@ -63,7 +63,7 @@ def add_collaborator_to_review(event, body): review_id = event.get('pathParameters').get('review_id') review = connector.get_review_by_id(review_id) - username = event.get('queryStringParameters').get('username') + username = authentication.get_username_from_jwt(token) user = connector.get_user_by_username(username) updated_result = connector.add_collaborator_to_review(review, user) @@ -87,7 +87,7 @@ def get_reviews_for_user(event, context): if not authentication.check_for_token(token) and not connector.check_if_jwt_is_in_session(token): return make_response(status_code=401, body={"Authentication": "Failed"}) - username = event.get('pathParameters').get('username') + username = authentication.get_username_from_jwt(token) user = connector.get_user_by_username(username) reviews = connector.get_reviews(user) @@ -347,7 +347,7 @@ def add_review(event, context): body = json.loads(event["body"]) - owner_name = body.get('owner_name') + owner_name = authentication.get_username_from_jwt(token) owner = connector.get_user_by_username(owner_name) name = body.get('name') 
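Review bot: In add_collaborator_to_review the collaborator is now the caller itself (`username = authentication.get_username_from_jwt(token)`), so any authenticated user can attach themselves to any review_id they know; this is narrower than the old query-string form, which let a caller add anyone, but there is still no check that the caller owns the review or was invited to it, and if that matters for the data model (not visible here) it has to be enforced in this handler. In get_reviews_for_user the `{username}` path segment is now ignored entirely while serverless.yml still routes `users/{username}/reviews`, which misleads API consumers; either compare it with the token's username and reject a mismatch, or drop the segment from the route. Deriving `owner_name` from the token in add_review is the right direction. All three handlers continue past their hunks.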
@@ -668,7 +668,7 @@ def update_score(event, context): doi = event.get('queryStringParameters').get('doi') result = connector.get_result_by_doi(review, doi) - user_id = body.get('user') + user_id = authentication.get_username_from_jwt(token) score = body.get('score') comment = body.get('comment') diff --git a/serverless.yml b/serverless.yml index 0dffe7c..689d6dc 100644 --- a/serverless.yml +++ b/serverless.yml @@ -75,8 +75,6 @@ functions: cors: true request: parameters: - querystrings: - username: true paths: review_id: true get_reviews_for_user: @@ -86,10 +84,6 @@ functions: path: users/{username}/reviews method: get cors: true - request: - parameters: - querystrings: - username: true persist_list_of_results: handler: handler.persist_list_of_results events: From e210be02ad4352ed2f3ff4b54126e1de11886eca Mon Sep 17 00:00:00 2001 From: philippekalinowski Date: Wed, 15 Jul 2020 12:41:43 +0200 Subject: [PATCH 5/7] Added master token, that authorizes all endpoints --- handler.py | 53 ++++++++++++++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/handler.py b/handler.py index 6ed695b..303d45f 100644 --- a/handler.py +++ b/handler.py @@ -47,7 +47,18 @@ def make_response(status_code: int, body: dict): } -def check_correct_token(token: str): +def is_token_invalid(token: str): + """Checks if given token is invalid + + Args: + token: token that shall be checked + Returns: + boolean indicating validity of token + """ + # remove for final build, used for development + if token == "dev": + return False + if not authentication.check_for_token(token) or not connector.check_if_jwt_is_in_session(token): return True else: 
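Review bot: `if token == "dev": return False` accepts the literal string "dev" as a valid credential on every endpoint that calls is_token_invalid, and the only thing between it and production is a comment asking someone to remove it. A shortcut that must be deleted by hand before release is exactly how such bypasses get shipped; if a development shortcut is needed, make it inert by default by keying it on a deployment-stage variable read from the environment (a project-chosen name, e.g. `os.environ.get("<STAGE_FLAG>")`) and log when it is active, or better, log the development user in through login_handler and use the issued token. Note too that "dev" is not a JWT, so handlers that go on to call `authentication.get_username_from_jwt(token)` will presumably fail on decode. The docstring's `boolean indicating validity of token` reads backwards for a function named is_token_invalid; say `True when the token must be rejected`. The `or` form in the context lines is the correct one, and since these three guard lines are now pasted into roughly twenty handlers (update_review was missed earlier in the series), a decorator such as the one below — `import functools` needed — would keep new endpoints from forgetting it.
```python
def require_valid_token(handler):
    """Return 401 before `handler` runs unless the request's authorizationToken passes is_token_invalid."""
    @functools.wraps(handler)
    def wrapper(event, *args):
        token = event["headers"].get('authorizationToken')
        if is_token_invalid(token):
            return make_response(status_code=401, body={"Authentication": "Failed"})
        return handler(event, *args)
    return wrapper
```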
@@ -64,7 +75,7 @@ def add_collaborator_to_review(event, *args): updated review """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') @@ -91,7 +102,7 @@ def get_reviews_for_user(event, *args): list of reviews """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) username = authentication.get_username_from_jwt(token) @@ -119,7 +130,7 @@ def dry_query(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: @@ -167,7 +178,7 @@ def new_query(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: @@ -203,7 +214,7 @@ def get_persisted_results(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: @@ -257,7 +268,7 @@ def persist_pages_of_query(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: @@ -306,7 +317,7 @@ def persist_list_of_results(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: 
@@ -345,7 +356,7 @@ def delete_results_by_dois(event, body): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) # try: @@ -372,7 +383,7 @@ def add_review(event, *args): """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) @@ -394,7 +405,7 @@ def get_review_by_id(event, *args): """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') @@ -409,7 +420,7 @@ def delete_review(event, *args): accessible with review/{review_id} """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') @@ -424,7 +435,7 @@ def update_review(event, *args): accessible with review/{review_id}, "name" and "description" is mandatory in body """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) review_id = event.get('pathParameters').get('review_id') @@ -441,7 +452,7 @@ def add_user_handler(event, context): "username", "name", "surname", "email", "password" mandatory in body """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) 
@@ -460,7 +471,7 @@ def get_user_by_username_handler(event, context): accessible with /users/{username} """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) username = event.get('pathParameters').get('username') @@ -473,7 +484,7 @@ def get_all_users_handler(event, context): """GET Method: Gets all user usernames """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) users = connector.get_users() @@ -486,7 +497,7 @@ def update_user_handler(event, context): "username", "name", "surname", "email", "password" mandatory in body """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) @@ -507,7 +518,7 @@ def add_api_key_to_user_handler(event, context): "db_name", "api_key" mandatory in body """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) user = connector.get_user_by_username(authentication.get_username_from_jwt(token)) @@ -527,7 +538,7 @@ def delete_user_handler(event, context): accessible with /users/{username} """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) username = event.get('pathParameters').get('username') 
@@ -604,7 +615,7 @@ def logout_handler(event, context): def check_jwt_handler(event, context): """POST Method: Checks if given JWT is valid""" token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) response = { @@ -636,7 +647,7 @@ def update_score(event, *args): } """ token = event["headers"].get('authorizationToken') - if check_correct_token(token): + if is_token_invalid(token): return make_response(status_code=401, body={"Authentication": "Failed"}) body = json.loads(event["body"]) From 2b156198781da47513ec0ff48a8035354d6b73f8 Mon Sep 17 00:00:00 2001 From: philippekalinowski Date: Wed, 15 Jul 2020 13:56:17 +0200 Subject: [PATCH 6/7] Master Token Updates to encapsulate philosapiens user --- handler.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handler.py b/handler.py index 303d45f..e514850 100644 --- a/handler.py +++ b/handler.py @@ -55,8 +55,8 @@ def is_token_invalid(token: str): Returns: boolean indicating validity of token """ - # remove for final build, used for development - if token == "dev": + # remove for final build, used for development with persisted user (philosapiens) + if token == "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InBoaWxvc2FwaWVucyIsImV4cCI6MTY1NTI5NDEyM30.VLRExCXJqck13HLG4P3GzmYxjDvDZukDNHkN6gAnPPo": return False if not authentication.check_for_token(token) or not connector.check_if_jwt_is_in_session(token): From 3df147a105cf29a75e8223965d3664ef4a5d8ffa Mon Sep 17 00:00:00 2001 From: philippekalinowski Date: Mon, 20 Jul 2020 10:54:28 +0200 Subject: [PATCH 7/7] Added password hashing without salt / NOTE: all previous users need to be removed --- functions/authentication.py | 2 +- functions/db/connector.py | 7 ++++--- handler.py | 4 ---- 3 files changed, 5 insertions(+), 8 deletions(-) 
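Review bot: The `if token ==` line now embeds a complete signed JWT for the philosapiens user in source; because it is matched by string equality, that exact string authenticates on every guarded endpoint regardless of signature verification, session membership or the `exp` claim its payload segment carries (decodable from the literal itself), for as long as the line exists. Once committed it stays retrievable from git history, so the only effective revocation is deleting the branch — rotating the signing secret changes nothing while the equality match remains — and the token should be treated as leaked before this is deployed anywhere reachable. The need it serves (a persisted user whose token `authentication.get_username_from_jwt` can decode, which the earlier "dev" literal could not) is better met by logging that user in through login_handler in the development stage and using the token it issues. If any literal comparison of a secret must remain, write it with `hmac.compare_digest` rather than `==`.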
diff --git a/functions/authentication.py b/functions/authentication.py index e95bc6c..f72d318 100644 --- a/functions/authentication.py +++ b/functions/authentication.py @@ -50,4 +50,4 @@ def get_username_from_jwt(token: str): Args: token: token the username shall be extracted from """ - return decode_token(token).get("username") + return decode_token(token).get("username") \ No newline at end of file diff --git a/functions/db/connector.py b/functions/db/connector.py index 265aa89..9fb50f0 100644 --- a/functions/db/connector.py +++ b/functions/db/connector.py @@ -3,6 +3,7 @@ import json import os import sys +import hashlib from typing import Union from bson import ObjectId @@ -293,7 +294,7 @@ def add_user(username: str, name: str, surname: str, email: str, password: str) user.name = name user.surname = surname user.email = email - user.password = password + user.password = hashlib.sha3_256(password.encode()).hexdigest() return user.save() @@ -324,7 +325,7 @@ def update_user(user: User, name, surname, email, password) -> User: user.name = name user.surname = surname user.email = email - user.password = password + user.password = hashlib.sha3_256(password.encode()) return user.save() @@ -375,7 +376,7 @@ def check_if_password_is_correct(user: User, password: str) -> bool: user: User object the password shall be checked for password: password as str that shall be checked """ - if user.password == password: + if user.password == hashlib.sha3_256(password.encode()).hexdigest(): print("PW true") return True else: diff --git a/handler.py b/handler.py index e514850..88f9ab3 100644 --- a/handler.py +++ b/handler.py 
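Review bot: `user.password = hashlib.sha3_256(password.encode()).hexdigest()` in add_user is a single unsalted fast hash: equal passwords store equal values and each offline guess costs one SHA3 call, which is why password storage pairs a per-user random salt with a deliberately slow derivation — the stdlib covers this with `hashlib.pbkdf2_hmac` (or `hashlib.scrypt`) and `os.urandom`; `os` is already imported in this file, `hmac` would need adding. Because check_if_password_is_correct (third hunk of this file) recomputes the same expression, both sites should call one shared helper so the scheme cannot drift; the helpers below keep the salt in front of the digest and compare with `hmac.compare_digest` instead of `==`, after which the check becomes `return _password_matches(user.password, password)` and the `print("PW true")` beside it, which writes authentication outcomes to the log, can go. `password.encode()` also raises AttributeError when the handler passes None — add_user_handler reads the field with `body.get('password')` — so a request missing the field becomes an unhandled error rather than a 4xx; reject it before hashing. The commit title's note that existing users must be recreated still applies with any scheme change.
```python
def _hash_password(password: str, salt: Union[bytes, None] = None) -> str:
    """Return hex(salt || PBKDF2-HMAC-SHA256(password)); draws a fresh 16-byte salt when none is given."""
    salt = os.urandom(16) if salt is None else salt
    # iteration count is illustrative; tune to the deployment's latency budget
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return (salt + digest).hex()


def _password_matches(stored: str, candidate: str) -> bool:
    """Constant-time check of candidate against a value produced by _hash_password."""
    salt = bytes.fromhex(stored)[:16]
    return hmac.compare_digest(stored, _hash_password(candidate, salt))

# … unchanged: add_user field assignments up to user.email …
    user.password = _hash_password(password)
```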
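Review bot: In update_user the new line `user.password = hashlib.sha3_256(password.encode())` stores the hash object itself, not its `.hexdigest()`, unlike add_user two hunks up; after any profile update the stored value can never equal the hex string check_if_password_is_correct computes, so the user is locked out (and persisting a hash object through the model may itself fail on save — cannot tell from here). The minimal fix is `user.password = hashlib.sha3_256(password.encode()).hexdigest()`; the robust one is to route add_user, update_user and the check through a single hashing helper so the three sites cannot diverge again. update_user's signature and the rest of its body lie outside the hunk.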
@@ -451,10 +451,6 @@ def add_user_handler(event, context): """POST Method: Adds a new user "username", "name", "surname", "email", "password" mandatory in body """ - token = event["headers"].get('authorizationToken') - if is_token_invalid(token): - return make_response(status_code=401, body={"Authentication": "Failed"}) - body = json.loads(event["body"]) username = body.get('username') name = body.get('name')