core.modules.user

Module Contents

Classes

userSkel

UserPassword

GoogleAccount

TimeBasedOTP

User

Functions

createNewUserIfNotExists()

Create a new Admin user, if the userDB is empty

class core.modules.user.userSkel

Bases: viur.core.skeleton.Skeleton

kindName = user
name
password
uid
gaeadmin
access
status
lastlogin
otpid
otpkey
otptimedrift
class core.modules.user.UserPassword(userModule, modulePath)

Bases: object

class loginSkel

Bases: viur.core.skeleton.RelSkel

name
password
class lostPasswordStep1Skel

Bases: viur.core.skeleton.RelSkel

name
captcha
class lostPasswordStep2Skel

Bases: viur.core.skeleton.RelSkel

recoveryKey
password
registrationEnabled = False
registrationEmailVerificationRequired = True
registrationAdminVerificationRequired = True
verifySuccessTemplate = user_verify_success
verifyEmailAddressMail = user_verify_address
verifyFailedTemplate = user_verify_failed
passwordRecoveryTemplate = user_passwordrecover
passwordRecoveryMail = user_password_recovery
passwordRecoveryAlreadySendTemplate = user_passwordrecover_already_sent
passwordRecoverySuccessTemplate = user_passwordrecover_success
passwordRecoveryInvalidTokenTemplate = user_passwordrecover_invalid_token
passwordRecoveryInstuctionsSendTemplate = user_passwordrecover_mail_sent
passwordRecoveryStep1Template = user_passwordrecover_step1
passwordRecoveryStep2Template = user_passwordrecover_step2
passwordRecoveryFailedTemplate = user_passwordrecover_failed
passwordRecoveryRateLimit
passwordRecoveryKeyExpired
passwordRecoveryKeyInvalid
passwordRecoveryUserNotFound
passwordRecoveryAccountLocked
classmethod getAuthMethodName(*args, **kwargs)
login(self, name=None, password=None, skey='', *args, **kwargs)
pwrecover(self, *args, **kwargs)

This implements the password recovery process, which lets users set a new password for their account after validating a code sent to them by email. The process is as follows:

  • The user enters his email address

  • We’ll generate a random code, store it in his session and call sendUserPasswordRecoveryCode

  • sendUserPasswordRecoveryCode will run in the background, check if we have a user with that name and send the code. It runs as a deferredTask so we don’t leak whether a user account exists.

  • If the user received his code, he can paste the code and set a new password for his account.

To prevent automated attacks, the first step is guarded by a captcha and we limited calls to this function to 10 actions per 15 minutes. (One complete recovery process consists of two calls).

sendUserPasswordRecoveryCode(self, userName: str, recoveryKey: str) → None

Sends the given recovery code to the user given in userName. This function runs deferred so there’s no timing side channel that leaks whether this user exists. By default, we’ll send the code by email (assuming we have working email delivery), but this can be overridden to send it by SMS or other means. We’ll also update the changedate for this user, so no more than one code can be sent to any given user in four hours.
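The recovery flow described for pwrecover and sendUserPasswordRecoveryCode, as an added sketch that is not ViUR's own code: the class, its method names, the in-memory queue and outbox, and the PBKDF2 storage are assumptions for illustration; the limits are the ones stated above.

```python
import hashlib, hmac, secrets, time
from collections import deque

RATE_LIMIT, RATE_WINDOW = 10, 15 * 60  # page: 10 actions per 15 minutes
RESEND_LOCK = 4 * 60 * 60              # page: one code per user per four hours

class RecoveryFlow:  # hypothetical name, not part of ViUR
    def __init__(self, users, clock=time.time):
        self.users, self.clock = users, clock  # users: name -> {"changedate": ts}
        self.calls = {}    # client id -> timestamps of recent calls
        self.queue = []    # stand-in for the deferred-task queue
        self.outbox = []   # stand-in for mail delivery

    def _allowed(self, client):
        now, seen = self.clock(), self.calls.setdefault(client, deque())
        while seen and now - seen[0] >= RATE_WINDOW:
            seen.popleft()
        if len(seen) >= RATE_LIMIT:
            return False
        seen.append(now)
        return True

    def step1(self, client, session, name):
        if not self._allowed(client):
            return "rate_limited"
        key = secrets.token_urlsafe(16)
        session["recovery"] = {"name": name, "key": key}
        self.queue.append((name, key))  # no user lookup in the request path
        return "mail_sent"              # same answer for known and unknown names

    def run_deferred(self):
        while self.queue:
            name, key = self.queue.pop(0)
            user, now = self.users.get(name), self.clock()
            if user is None or now - user["changedate"] < RESEND_LOCK:
                continue                # unknown user, or a code was sent recently
            user["changedate"] = now
            self.outbox.append((name, key))

    def step2(self, client, session, key, new_password):
        if not self._allowed(client):
            return "rate_limited"
        rec = session.pop("recovery", None)  # a stored code allows one attempt
        user = self.users.get(rec["name"]) if rec else None
        if user is None or not hmac.compare_digest(rec["key"].encode(), key.encode()):
            return "invalid"
        salt = secrets.token_bytes(16)       # assumption: salted PBKDF2 storage
        user["pwhash"] = salt + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 600_000)
        return "ok"
```

Because step1 never touches the user store, its response and latency are the same for existing and non-existing accounts; only the deferred worker learns the difference.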

verify(self, skey, *args, **kwargs)
canAdd(self)
addSkel(self)

Prepare the add-Skel for rendering. Currently only calls self.userModule.addSkel() and sets skel[“status”].value depending on self.registrationEmailVerificationRequired and self.registrationAdminVerificationRequired.

Returns

server.skeleton.Skeleton

add(self, *args, **kwargs)

Allows guests to register a new account if self.registrationEnabled is set to true

See also

addSkel(), onAdded(), canAdd()

Returns

The rendered, added object of the entry, possibly with error hints.

Raises

server.errors.Unauthorized, if the current user does not have the required permissions.

Raises

server.errors.PreconditionFailed, if the skey could not be verified.

class core.modules.user.GoogleAccount(userModule, modulePath)

Bases: object

registrationEnabled = False
classmethod getAuthMethodName(*args, **kwargs)
login(self, skey='', token='', *args, **kwargs)
class core.modules.user.TimeBasedOTP(userModule, modulePath)

Bases: object

class otpSkel

Bases: viur.core.skeleton.RelSkel

otptoken
windowSize = 5
otpTemplate = user_login_timebasedotp
classmethod get2FactorMethodName(*args, **kwargs)
canHandle(self, userKey)
startProcessing(self, userKey)
generateOtps(self, secret, timeDrift)

Generates all valid tokens for the given secret

otp(self, otptoken=None, skey=None, *args, **kwargs)
updateTimeDrift(self, userKey, idx)

Updates the clock-drift value. The value is only changed in 1/10 steps, so that a late submit by a user doesn’t skew it out of bounds. Maximum change per call is 0.3 minutes.

Parameters
  • userKey – For which user should the update occur

  • idx – How many steps before/behind was that token
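How a token window and a bounded drift correction fit together, as an added example that is not ViUR's own code: the function names, the 60-second step, 6-digit SHA-1 tokens (RFC 4226/6238 style) and the exact clamping formula are assumptions; only windowSize = 5, the 1/10 step and the 0.3-minute cap come from the text above.

```python
import hashlib, hmac, struct

STEP = 60        # assumption: 60 s time step, so drift is counted in minutes
WINDOW_SIZE = 5  # windowSize from the page

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def generate_otps(secret: bytes, time_drift: float, now: float) -> dict:
    """Map every currently accepted token to its offset from the
    drift-corrected time slot (negative = token from an earlier slot)."""
    centre = int(now / STEP + time_drift)
    return {hotp(secret, centre + i): i
            for i in range(-WINDOW_SIZE, WINDOW_SIZE + 1) if centre + i >= 0}

def verify(secret: bytes, token: str, time_drift: float, now: float):
    """Return (accepted, new_drift). Every candidate is compared so the
    loop does not stop early on a match."""
    idx = None
    for cand, off in generate_otps(secret, time_drift, now).items():
        if hmac.compare_digest(cand.encode(), token.encode()):
            idx = off
    if idx is None:
        return False, time_drift
    # Move the stored drift by a tenth of the observed offset, capped at 0.3,
    # so one late submission cannot push it out of bounds.
    return True, time_drift + min(max(0.1 * idx, -0.3), 0.3)
```

A window of 5 slots either side means up to 11 tokens are valid at once, so the chance of a blind guess succeeding is 11 times that of a single token; attempts per login need to be limited accordingly.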

class core.modules.user.User(moduleName, modulePath, *args, **kwargs)

Bases: viur.core.prototypes.list.List

kindName = user
addTemplate = user_add
addSuccessTemplate = user_add_success
lostPasswordTemplate = user_lostpassword
verifyEmailAddressMail = user_verify_address
passwordRecoveryMail = user_password_recovery
authenticationProviders
secondFactorProviders
validAuthenticationMethods = [None, None, None]
secondFactorTimeWindow
adminInfo
extendAccessRights(self, skel)
addSkel(self)
editSkel(self, *args, **kwargs)
secondFactorProviderByClass(self, cls)
getCurrentUser(self, *args, **kwargs)
continueAuthenticationFlow(self, caller, userKey)
secondFactorSucceeded(self, secondFactor, userKey)
authenticateUser(self, userKey, **kwargs)

Performs Log-In for the current session and the given userKey.

This resets the current session: All fields not explicitly marked as persistent by conf[“viur.session.persistentFieldsOnLogin”] are gone afterwards.

Parameters
  • authProvider (object) – Which authentication-provider issued the authenticateUser request

  • userKey (db.Key) – The (DB-)Key of the user we shall authenticate

logout(self, skey='', *args, **kwargs)

Implements the logout action. It also terminates the current session (all keys not listed in viur.session.persistentFieldsOnLogout will be lost).

login(self, *args, **kwargs)
onLogin(self)
onLogout(self, usr)
edit(self, *args, **kwargs)
view(self, key, *args, **kwargs)

Allow the special key “self” to always reference the current user

canView(self, skel)
getAuthMethods(self, *args, **kwargs)

Inform tools like Viur-Admin which authentication to use

onDeleted(self, skel)

Invalidate all sessions of that user

core.modules.user.createNewUserIfNotExists()

Create a new Admin user, if the userDB is empty