Add the concept of require_fresh_login to both the backend and frontend. Sensitive methods will now be marked with the annotation, which requires that the user has performed a login within 10 minutes or they are asked to do so in the UI before running the operation again.

2014-09-04 14:24:20 -04:00 · 2014-09-04 14:24:20 -04:00 · e783df31e0
commit e783df31e0
parent 1e7e012b92
9 changed files with 174 additions and 61 deletions
--- a/endpoints/api/init.py
+++ b/endpoints/api/init.py
@ -1,7 +1,8 @@
 import logging
 import json
+import datetime

-from flask import Blueprint, request, make_response, jsonify
+from flask import Blueprint, request, make_response, jsonify, session
 from flask.ext.restful import Resource, abort, Api, reqparse
 from flask.ext.restful.utils.cors import crossdomain
 from werkzeug.exceptions import HTTPException
@ -66,6 +67,11 @@ class Unauthorized(ApiException):
      ApiException.__init__(self, 'insufficient_scope', 403, 'Unauthorized', payload)


+class FreshLoginRequired(ApiException):
+  def __init__(self, payload=None):
+    ApiException.__init__(self, 'fresh_login_required', 401, "Requires fresh login", payload)
+
+
 class ExceedsLicenseException(ApiException):
  def __init__(self, payload=None):
    ApiException.__init__(self, None, 402, 'Payment Required', payload)
@ -264,6 +270,26 @@ def require_user_permission(permission_class, scope=None):

 require_user_read = require_user_permission(UserReadPermission, scopes.READ_USER)
 require_user_admin = require_user_permission(UserAdminPermission, None)
+require_fresh_user_admin = require_user_permission(UserAdminPermission, None)
+
+def require_fresh_login(func):
+  @add_method_metadata('requires_fresh_login', True)
+  @wraps(func)
+  def wrapped(*args, **kwargs):
+    user = get_authenticated_user()
+    if not user:
+      raise Unauthorized()
+
+    logger.debug('Checking fresh login for user %s', user.username)
+
+    last_login = session.get('login_time', datetime.datetime.now() - datetime.timedelta(minutes=60))
+    valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
+
+    if last_login >= valid_span:
+      return func(*args, **kwargs)
+    
+    raise FreshLoginRequired()
+  return wrapped


 def require_scope(scope_object):