perbaikan manajemen cookies

aagusti
Commit 6354fa0b authored Jun 22, 2022 by aagusti
Showing 6 changed files with 190 additions and 22 deletions
opensipkd/base/views/base_google.py
opensipkd/base/views/base_views.py
opensipkd/base/views/register.py
opensipkd/base/views/templates/login.pt
opensipkd/base/views/user_ext.py
opensipkd/base/views/user_login.py
--- a/opensipkd/base/views/base_google.py
+++ b/opensipkd/base/views/base_google.py
@@ -60,11 +60,11 @@ def googlesignin(request):
    # Or, if multiple clients access the backend server:
    gtoken = json.loads(request.params['id_token'])
+    # idinfo = id_token.verify_oauth2_token(gtoken, requests.Request())
+    # test
    import jwt
    idinfo = jwt.decode(gtoken["credential"], options={"verify_signature": False})  # KEY, algorithms=["RS256"]) #
+    if idinfo['aud'] not in CLIENT_IDS or idinfo['azp'] not in CLIENT_IDS:
-    # idinfo = id_token.verify_oauth2_token(gtoken, requests.Request())
-    if idinfo['aud'] not in CLIENT_IDS:
        raise ValueError('Could not verify audience.')
    if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:

--- a/opensipkd/base/views/base_views.py
+++ b/opensipkd/base/views/base_views.py
@@ -18,12 +18,6 @@ from ..models import User
 class BaseView(object):
    def __init__(self, request):
-        if not "test" in request.session:
-            request.session["test"]='TEST'
-            print("********8 Session test not found")
-        else:
-            print("********9 Session", request.session["test"])
        self.req = request
        self.ses = self.req.session
        self.params = self.req.params
@@ -184,12 +178,12 @@ class BaseView(object):
    def validation_failure(self, value):
        return value
+    def cancel_act(self):
+        pass
    def view_add(self):
-        print("*************** view_add", self.ses)
        form = self.get_form(self.add_schema)
        if self.req.POST:
-            print("*************** view_add_pos", self.ses)
            if 'save' in self.req.POST:
                controls = self.req.POST.items()
                try:
@@ -197,13 +191,14 @@ class BaseView(object):
                except ValidationFailure as e:
                    value = self.validation_failure(e.cstruct)
                    value.update(self.before_add())
-                    print("*************** on error", self.ses)
                    form.render(appstruct=value)
                    return dict(form=form.render(), scripts=self.form_scripts)
                self.save_request(dict(controls))
+            if "cancel" in self.req.POST or 'batal' in self.req.POST:
+                self.cancel_act()
            return self.route_list()
        values = self.before_add()
-        print("*************** on view", self.ses)
        form.set_appstruct(values)
        table = self.get_item_table()
        return dict(form=form.render(), table=table and table.render() or None,

--- a/opensipkd/base/views/register.py
+++ b/opensipkd/base/views/register.py
@@ -33,6 +33,7 @@ from deform import (widget, Button, FileData)
 from opensipkd.tools import Upload
 from pyramid.httpexceptions import HTTPFound
 from pyramid.i18n import TranslationStringFactory
+from pyramid.security import forget
 from pyramid.view import view_config
 from ziggurat_foundations.models.services.user import UserService
@@ -350,16 +351,25 @@ class Registrasi(BaseView):
        DBSession.add(partner)
        DBSession.flush()
        return row
+    def cancel_act(self):
+        forget(self.req)
+        self.ses.delete()
    @view_config(route_name='register', renderer='templates/form_input.pt')
    def view_register(self):
+        if "g_state" in self.req.cookies:
+            if "id_info" not in self.ses or not self.ses["id_info"]:
+                return HTTPFound(location=self.req.route_url("login"))
        request = self.req
        reg_form = get_params("reg_form")
        if reg_form:
            return HTTPFound(location=self.req.route_url(reg_form))
        self.bindings = dict(user=None)
        if request.user:
            return HTTPFound(location=request.route_url("profile"))
        return super(Registrasi, self).view_add()
    def query_id(self):

--- a/opensipkd/base/views/templates/login.pt
+++ b/opensipkd/base/views/templates/login.pt
@@ -136,6 +136,15 @@
        src="https://accounts.google.com/gsi/client" async defer></script>
 <script tal:condition="request.google_signin_client_id">
+    window.onload = function (e) {
+        const value = document.cookie;
+        const parts = value.split(`g_state=`);
+        console.log(parts.length)
+        if (parts.length === 2) {
+            document.cookie = document.cookie + ";max-age=0";
+        }
+    }
    function onSignIn(googleUser) {
        // var profile = googleUser.getBasicProfile();
        // console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
@@ -143,7 +152,7 @@
        // console.log('Image URL: ' + profile.getImageUrl());
        // console.log('Email: ' + profile.getEmail()); // This is null if the 'email' scope is not present.
        //getId(), getName(), getGivenName(), getFamilyName(), getImageUrl(), getEmail() methods, and
-        console.log(googleUser);
+        // console.log(googleUser);
        // console.log(googleUser.getId());
        // console.log(googleUser.getName());
        // var id_token = googleUser.getAuthResponse().id_token;

--- a/opensipkd/base/views/user_ext.py
+++ b/opensipkd/base/views/user_ext.py
+import os
+import re
+import colander
+import transaction
+from datatables import (ColumnDT, DataTables, )
+from deform import (Form, widget, ValidationFailure, Button, )
+# from sqlalchemy.exc import IntegrityErrortpl
+from sqlalchemy.exc import IntegrityError
+from opensipkd.tools import create_now
+from opensipkd.tools.buttons import btn_cancel, btn_save, btn_close, btn_delete, btn_view
+from opensipkd.tools.report import open_rml_row, csv_response, open_rml_pdf, pdf_response
+from pyramid.httpexceptions import (HTTPFound, HTTPNotFound, )
+from pyramid.i18n import TranslationStringFactory
+from pyramid.view import view_config
+from sqlalchemy import (func, or_, )
+from ziggurat_foundations.models.services.user import UserService
+from . import BaseView
+from .company import company_widget
+from .user_login import (
+    regenerate_security_code, send_email_security_code, generate_api_key, )
+from ..models import (DBSession, User, Group, UserGroup, ResCompany, ExternalIdentity)
+_ = TranslationStringFactory('user')
+########
+# List #
+########
+class AddSchema(colander.Schema):
+    external_user_name = colander.SchemaNode(
+        colander.String(), title=_('User Name'))
+    provider_name = (colander.SchemaNode(colander.String(), title=_('Provider')))
+    local_user_id = (colander.SchemaNode(colander.String(), title=_('User ID')))
+class EditSchema(AddSchema):
+    external_id = colander.SchemaNode(colander.String(),
+                                      widget=widget.TextInputWidget(readonly=True),
+                                      missing=colander.drop)
+class ListSchema(colander.Schema):
+    id = colander.SchemaNode(colander.String())
+    external_user_name = colander.SchemaNode(
+        colander.String(), title=_('User Name'))
+    provider_name = (colander.SchemaNode(colander.String(), title=_('Provider')))
+    local_user_id = (colander.SchemaNode(colander.String(), title=_('User ID')))
+class UserExt(BaseView):
+    def __init__(self, request):
+        super(UserExt, self).__init__(request)
+        self.edit_schema = EditSchema
+        self.list_schema = ListSchema
+        # self.list_url = "/user/ext"
+        self.list_route = "user-ext"
+        self.list_buttons = (btn_view, btn_delete, btn_close)
+    @view_config(
+        route_name='user-ext', renderer='templates/form_input.pt',
+        permission='user-view')
+    def view_list(self):
+        form = super(UserExt, self).view_list()
+        return form
+    @view_config(
+        route_name='user-ext-view', renderer='templates/form_input.pt',
+        permission='user-view')
+    def view_view(self):
+        return super(UserExt, self).view_view()
+    @view_config(
+        route_name='user-ext-delete', renderer='templates/form_input.pt',
+        permission='user-edit')
+    def view_delete(self):
+        return super(UserExt, self).view_delete()
+    @view_config(
+        route_name='user-ext-act', renderer='json', permission='user-view')
+    def view_act(self):
+        req = self.req
+        url_dict = req.matchdict
+        if url_dict['act'] == 'grid':
+            columns = [
+                ColumnDT(ExternalIdentity.external_id, mData='id'),
+                ColumnDT(ExternalIdentity.external_user_name, mData='external_user_name'),
+                ColumnDT(ExternalIdentity.provider_name, mData='provider_name'),
+                ColumnDT(ExternalIdentity.local_user_id, mData='local_user_id'),
+            ]
+            query = DBSession.query().select_from(ExternalIdentity). \
+                outerjoin(User, User.id == ExternalIdentity.local_user_id)
+            if self.req.user.company_id:
+                query = query.filter(User.company_id == self.req.user.company_id)
+            row_table = DataTables(req.GET, query, columns)
+            return row_table.output_result()
+    def delete_msg(self, row):
+        return f'Data ID {row.external_id} sudah dihapus.'
+    def query_id(self):
+        return DBSession.query(ExternalIdentity).filter_by(external_id=self.req.matchdict["id"])
+        # elif url_dict['act'] == 'csv':
+        #     query = query_register()
+        #     row = query.first()
+        #     header = row.keys()
+        #     rows = []
+        #     for item in query.all():
+        #         rows.append(list(item))
+        #
+        #     filename = 'user.csv'
+        #     value = {
+        #         'header': header,
+        #         'rows': rows,
+        #     }
+        #     return csv_response(request, value, filename)
+        # elif url_dict['act'] == 'pdf':
+        #     # todo ganti rml jadi openoffice
+        #     query = query_register()
+        #     _here = os.path.dirname(__file__)  # get current folder -> views
+        #     path = os.path.dirname(_here)  # mundur 1 level
+        #     path = os.path.join(path, 'reports')
+        #     rml_row = open_rml_row(path + '/user.row.rml')
+        #     rows = []
+        #     for r in query.all():
+        #         s = rml_row.format(user_name=r.user_name, email=r.email,
+        #                            registered_date=r.registered_date)
+        #         rows.append(s)
+        #     pdf, filename = open_rml_pdf(path + '/user.rml', rows=rows,
+        #                                  company=request.company,
+        #                                  departement=request.departement,
+        #                                  address=request.address)
+        #     return pdf_response(request, pdf, filename)
--- a/opensipkd/base/views/user_login.py
+++ b/opensipkd/base/views/user_login.py
@@ -23,6 +23,7 @@ import os
 from importlib import import_module
 import colander
+import requests
 from deform import widget, Form, ValidationFailure, Button
 from pyramid.httpexceptions import HTTPFound, HTTPNotFound
 from pyramid.renderers import render_to_response
@@ -61,9 +62,7 @@ def get_login_headers(request, user):
 @view_config(route_name='login', renderer='templates/login.pt')
 def view_login(request):
-    if "g_state" in request.session:
+    request.session["login"]=True
-        z
-        del request.session["g_state"]
    next_url = request.params.get('next', request.referrer)
    login_tpl = get_params('login_tpl', 'templates/login.pt')
    if not next_url:
@@ -75,7 +74,7 @@ def view_login(request):
    schema = Login(validator=login_validator)
    form = Form(schema, buttons=('login',))
-    message=""
+    message = ""
    if 'login' in request.POST:
        identity = request.POST.get('username')
        user = schema.user = User.get_by_identity(identity)
@@ -130,25 +129,42 @@ def view_login(request):
        provider_name = request.params["provider_name"]
        if provider_name == "google":
            from .base_google import googlesignin
+            try:
+                id_info = googlesignin(request)
+            except Exception as e:
+                login = ""
+                request.session.flash(str(e), "error")
+                return render_to_response(login_tpl,
+                                          dict(form=form.render(),
+                                               message=message,
+                                               url=request.route_url('login'),
+                                               next_url=next_url,
+                                               login=login, ),
+                                          request=request)
-            id_info = googlesignin(request)
            request.session["id_info"] = id_info
        else:
            id_info = None
        user = id_info and ExternalIdentityService. \
            user_by_external_id_and_provider(id_info['sub'], id_info['iss'])
        if id_info and not user:
            request.session.flash('Silahkan Melakukan Registrasi')
            register_form = get_params("register_form", 'register')
            return HTTPFound(location=request.route_url(register_form))
-        if user and user.status==1:
+        if user and user.status == 1:
            return redirect_login(request, user)
        else:
            message = "User anda masih menunggu verifikasi atau lagi di blokir"
            request.session.flash(message, "error")
-    login = ""
+    # if "g_state" in request.cookies:
+        # requests.post("https://accounts.google.com/o/oauth2/revoke?token=" + ACCESS_TOKEN);
+    # headers = forget(request)
+    # request.session.delete()
+    # request.session["start"]="login"
+    login=""
    return render_to_response(login_tpl,
                              dict(form=form.render(),
                                   message=message,
@@ -182,9 +198,10 @@ def view_logout(request):
        set_user_log("Logout", request, log)
        headers = forget(request)
        request.session.delete()
+        if "g_state" in request.cookies:
+            del request.cookies["g_state"]
        return HTTPFound(location=f"{request.route_url('home')}",
                         headers=headers)
    return dict()