Ticket #131: remember_me.3.patch

a/acct_mgr/admin.py

@@ -59 +59 @@
-                    self.config.save()
-            self.config.set('account-manager', 'force_passwd_change',
-                            req.args.get('force_passwd_change'))
+            self.config.set('account-manager', 'persistent_sessions',
+                            req.args.get('persistent_sessions'))
-            self.config.save()
-
-
@@ -81 +83 @@
-        ]
-        sections = sorted(sections, key=lambda i: i['name'])
-        data = {'sections': sections,
-
+
+
-        return 'admin_accountsconfig.html', data
-
-    def _do_users(self, req):

a/acct_mgr/api.py

@@ -88 +88 @@
-    force_passwd_change = BoolOption('account-manager', 'force_passwd_change',
-                                     True, doc="Forge the user to change "
-                                     "password when it's reset.")
+    persistent_sessions = BoolOption('account-manager', 'persistent_sessions',
+                                     False, doc="Allow the user to be "
+                                     "remembered across sessions without "
+                                     "needing to re-authenticate. This is, "
+                                     "user checks a \"Remember Me\" checkbox "
+                                     "and, next time he visits the site, he'll "
+                                     "be remembered")
-
-    # Public API
-
@@ -107 +114 @@
-        return self.password_store.check_password(user, password)
-
-    def delete_user(self, user):
- 
- 
- 
- 
- 
- 
- 
- 
+
+
+
+
+
+
+
+
-        db.commit()
-        db.close()
- 
+
-        self.log.debug('deleted user')
-        if self.password_store.delete_user(user):
-            self._notify('deleted', user)

a/acct_mgr/templates/admin_accountsconfig.html

@@ -39 +39 @@
-        <input type="radio" name="force_passwd_change" value="false"
-          checked="${not force_passwd_change and 'checked' or None}">No</input>
-      </fieldset>
+
+      <fieldset>
+        <legend>Persistent Sessions</legend>
+        <label for="persistent_sessions">
+          Allow the user to be remembered across sessions without needing to
+          re-authenticate?<br/>
+          This is, user checks a "Remember Me" <tt>checkbox</tt> and, next time
+          he visits the site,<br/>
+          he'll be remembered and automatically authenticated.
+        </label>
+        <input type="radio" name="persistent_sessions" value="true"
+          checked="${persistent_sessions and 'checked' or None}">Yes</input>
+        <input type="radio" name="persistent_sessions" value="false"
+          checked="${not persistent_sessions and 'checked' or None}">No</input>
+      </fieldset>
+
-      <div class="buttons">
-        <input type="submit" name="save" value="Save" />
-      </div>

a/acct_mgr/templates/login.html

@@ -34 +34 @@
-          <label for="password">Password:</label>
-          <input type="password" id="password" name="password" class="textwidget" size="20" />
-        </div>
+        <div py:if="persistent_sessions">
+          <input type="checkbox" id="rememberme" name="rememberme" value="1" />
+          <label for="rememberme">Remember me</label>
+        </div>
-        <input type="submit" value="Login" />
-
-        <p py:if="reset_password_enabled">

a/acct_mgr/web_ui.py

@@ -13 +13 @@
-import os
-import random
-import string
+import time
-
-from trac import perm, util
-from trac.core import *
@@ -411 +412 @@
-
-class LoginModule(auth.LoginModule):
-
-
+, IRequestFilter
-
-    def authenticate(self, req):
-        if req.method == 'POST' and req.path_info.startswith('/login'):
@@ -425 +426 @@
-        if req.path_info.startswith('/login') and req.authname == 'anonymous':
-            data = {
-                'referer': self._referer(req),
-
+
+
+
+
-            }
-            if req.method == 'POST':
-                data['login_error'] = 'Invalid username or password'
-            return 'login.html', data, None
-        return auth.LoginModule.process_request(self, req)
-
+    # IRequestFilter methods
+    def pre_process_request(self, req, handler):
+        if 'trac_auth_session' in req.incookie:
+            # Let's check for a matching IP, proxy'ed or not
+            remote_addr = req.get_header("X-Forwarded-For") or req.remote_addr
+            if not req.incookie['trac_auth_session'].value == remote_addr:
+                self.log.debug("Cookie IP does not match Remote address IP: "
+                               "'%s'!='%s'; Killing Session",
+                               req.incookie['trac_auth_session'].value,
+                               remote_addr)
+                self._do_logout(req)
+                # Repeat request after logout in order for the user not to
+                # think he's logged in
+                req.redirect(req.path_info)
+
+
+            # Let's now check with the one we have on auth_cookie db table
+            db = self.env.get_db_cnx()
+            cursor = db.cursor()
+            cursor.execute("SELECT ipnr from auth_cookie WHERE cookie=%s",
+                           (req.incookie['trac_auth'].value,))
+            row = cursor.fetchone()
+            if not req.incookie['trac_auth_session'].value == row[0]:
+                self.log.debug("Cookie IP does not match DB IP: '%s'!='%s'; "
+                               "Killing Session",
+                               req.incookie['trac_auth_session'].value,
+                               row[0])
+                self._do_logout(req)
+                # Repeat request after logout in order for the user not to
+                # think he's logged in
+                req.redirect(req.path_info)
+        # XXX: Would there be a way to know if a user authenticated using a
+        # cookie and not the login form, and, if he requested /prefs force him
+        # to re-authenticate?
+        return handler
+
+    def post_process_request(self, req, template, data, content_type):
+        return (template, data, content_type)
+
+    def _get_name_for_cookie(self, req, cookie):
+        name = auth.LoginModule._get_name_for_cookie(self, req, cookie)
+        if not AccountManager(self.env).persistent_sessions:
+            # Persistent sessions not enabled
+            return name
+
+        self.env.log.debug('Updating auth cookie %s for user %s' %
+                            (cookie.value, name))
+        db = self.env.get_db_cnx()
+        cursor = db.cursor()
+        cursor.execute('UPDATE auth_cookie SET time=%s WHERE cookie=%s',
+                        (int(time.time()), cookie.value))
+        db.commit()
+        req.outcookie['trac_auth'] = cookie.value
+        req.outcookie['trac_auth']['path'] = self.env.href()
+
+        if 'trac_auth_session' in req.incookie:
+            # Let's check for a matching IP, proxy'ed or not
+            remote_addr = req.get_header("X-Forwarded-For") or req.remote_addr
+            if req.incookie['trac_auth_session'].value == remote_addr:
+                req.outcookie['trac_auth']['expires'] = 86400 * 30
+        return name
+
-    def _do_login(self, req):
-        if not req.remote_user:
-            req.redirect(self.env.abs_href())
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-    def _remote_user(self, req):
-        user = req.args.get('user')