klokantech
diff --git a/Diff for: ‎app/jekylledit/controllers/auth.py
+77-112 b/Diff for: ‎app/jekylledit/controllers/auth.py
+77-112
diff --git a/Diff for: ‎app/jekylledit/controllers/site.py
+2-1 b/Diff for: ‎app/jekylledit/controllers/site.py
+2-1
diff --git a/Diff for: ‎app/jekylledit/migrations/versions/2cf8288266e0_.py
+31 b/Diff for: ‎app/jekylledit/migrations/versions/2cf8288266e0_.py
+31
diff --git a/Diff for: ‎app/jekylledit/model/__init__.py
+1-1 b/Diff for: ‎app/jekylledit/model/__init__.py
+1-1
diff --git a/Diff for: ‎app/jekylledit/model/auth.py
+9-4 b/Diff for: ‎app/jekylledit/model/auth.py
+9-4
diff --git a/Diff for: ‎app/jekylledit/model/site.py
+15-8 b/Diff for: ‎app/jekylledit/model/site.py
+15-8
diff --git a/Diff for: ‎app/jekylledit/templates/auth/change-email.txt
+1-1 b/Diff for: ‎app/jekylledit/templates/auth/change-email.txt
+1-1
diff --git a/Diff for: ‎app/jekylledit/templates/auth/reset-password.txt
+1-1 b/Diff for: ‎app/jekylledit/templates/auth/reset-password.txt
+1-1
@@ -13,7 +13,7 @@
 from ..ext.identitytoolkit import Gitkit
 from itsdangerous import URLSafeTimedSerializer
 
-from ..model import Account, Repository, Roles, Site, db
+from ..model import Account, Challenge, Repository, Roles, Site, Sites, db
 from .base import app, mailgun, jsonp
 
 
@@ -70,6 +70,8 @@ def authorization_required(*roles):
     def decorator(func):
         @wraps(func)
         def wrapper(**values):
+            if not current_user.email_verified:
+                abort(403)
             site_id = values['site_id']
             synchronize(site_id)
             needs = [(role, site_id) for role in roles]
@@ -84,26 +86,11 @@ def permission_denied(exc):
     return 'Forbidden', 403
 
 
-@app.template_global()
-def auth_url_for(endpoint, **values):
-    if endpoint == 'widget':
-        if app.config['DEVELOPMENT']:
-            values.setdefault('next', request.url)
-            return url_for('auth.widget', **values)
-        next = values.pop('next', request.url)
-        values['next'] = url_for(
-            'auth.sign_in_success',
-            next=next,
-            _external=True)
-        return url_for('auth.widget', **values)
-    if endpoint == 'sign_out':
-        return url_for('auth.sign_out', **values)
-    raise Exception('Invalid enpoint: {}'.format(endpoint))
-
-
 @blueprint.route('/widget', methods={'GET', 'POST'})
 def widget():
-    if app.config['DEVELOPMENT'] and request.method == 'POST':
+    if app.config['DEVELOPMENT']:
+        if request.method == 'GET':
+            return render_template('auth/widget.html')
         email = request.form['email']
         account = Account.query.filter_by(email=email).one_or_none()
         if account is None:
@@ -115,43 +102,40 @@ def widget():
             db.session.flush()
         login_user(account)
         db.session.commit()
-        return redirect(request.args.get('next', request.url_root))
-    if not app.config['DEVELOPMENT']:
-        url_adapter = _request_ctx_stack.top.url_adapter
-        next = request.args.get('next')
-        if next is not None:
-            url = urlparse(next)
-            if url.netloc != request.host:
-                abort(400)
-            endpoint, __ = url_adapter.match(url.path, 'GET')
-            if endpoint != 'auth.sign_in_success':
-                abort(400)
-            query = parse_qs(url.query)
-            next = query.get('next')
-            if next is None:
-                abort(400)
-            url = urlparse(next[0])
-            if url.netloc != request.host:
-                abort(400)
-            endpoint, values = url_adapter.match(url.path, 'GET')
-            if endpoint != 'auth.site_authenticated':
-                abort(400)
-            site_id = values['site_id']
-            site = synchronize(site_id)
-            options = site.gitkit_options
-        elif request.args.get('mode') == 'select':
-            return render_template(
-                'auth/close-window.html',
-                 message='You can only sign in to a specific site.')
-        else:
-            options = None
-    else:
-        options = None
-    return render_template('auth/widget.html', options=options or {})
+        return render_template('auth/close-window.html', message='You have signed in.')
+    if request.args.get('mode') != 'select':
+        return render_template('auth/widget.html', options={})
+    url_adapter = _request_ctx_stack.top.url_adapter
+    next = request.args.get('next')
+    if next:
+        url = urlparse(next)
+        if url.netloc != request.host:
+            abort(400)
+        endpoint, values = url_adapter.match(url.path, 'GET')
+        if endpoint != 'auth.sign_in_success':
+            abort(400)
+        site = synchronize(values['site_id'])
+        return render_template('auth/widget.html', options=site.gitkit_options)
+    url = urlparse(request.referrer)
+    if url.netloc != request.host:
+        abort(400)
+    endpoint, __ = url_adapter.match(url.path, 'GET')
+    if endpoint != request.endpoint:
+        abort(400)
+    oob_code = parse_qs(url.query).get('oobCode')
+    if not oob_code or len(oob_code) != 1:
+        abort(400)
+    challenge = Challenge.query.get(oob_code[0])
+    if challenge is None:
+        abort(400)
+    base_url = Sites(challenge.site_id).get_base_url()
+    if not base_url.endswith('/'):
+        base_url += '/'
+    return redirect('{}#sign-in'.format(base_url))
 
 
-@blueprint.route('/sign-in-success')
-def sign_in_success():
+@blueprint.route('/site/<site_id>/sign-in-success')
+def sign_in_success(site_id):
     token = gitkit.verify_token()
     if token is None:
         abort(400)
@@ -160,21 +144,27 @@ def sign_in_success():
     if account is None:
         account = Account(id=token['id'])
         db.session.add(account)
-    account.email = gitkit_account['email']
+    email = gitkit_account['email']
+    account.email = email
     account.email_verified = gitkit_account['email_verified']
     account.name = gitkit_account['name']
     account.photo_url = gitkit_account['photo_url']
-    if not account.email_verified:
-        if account.email_challenged is None:
-            send_email_challenge(account)
-        db.session.flush()
-        response = redirect(url_for('.verify_email', id=account.id))
-        db.session.commit()
-        return response
     db.session.flush()
-    login_user(account)
+    if account.email_verified:
+        login_user(account)
+        db.session.commit()
+        return render_template('auth/close-window.html', message='You have signed in.')
+    oob_link = gitkit.get_email_verification_link(email)
+    challenge = Challenge(
+        oob_code=parse_qs(urlparse(oob_link).query)['oobCode'][0],
+        site_id=site_id,
+        account_id=account.id,
+        moment=datetime.utcnow())
+    db.session.add(challenge)
     db.session.commit()
-    return redirect(request.args.get('next', request.url_root))
+    text = render_template('auth/verify-email.txt', oob_link=oob_link)
+    send(email, 'Verify email address', text)
+    return render_template('auth/close-window.html', message='Email verification link sent.')
 
 
 @blueprint.route('/sign-out')
@@ -187,15 +177,6 @@ def sign_out():
     return response
 
 
-@blueprint.route('/account/<id>/verify-email', methods={'GET', 'POST'})
-def verify_email(id):
-    account = Account.query.get_or_404(id)
-    if request.method == 'POST' and not account.email_verified:
-        send_email_challenge(account)
-        db.session.commit()
-    return render_template('auth/verify-email.html', account=account)
-
-
 @blueprint.route('/oob-action')
 def oob_action():
     result = gitkit.get_oob_result()
@@ -220,46 +201,30 @@ def oob_action():
 @jsonp
 def site_token(site_id):
     synchronize(site_id)
-    if not current_user.is_authenticated:
-        next = url_for('.site_authenticated', site_id=site_id, _external=True)
-        location = auth_url_for('widget', mode='select', next=next, _external=True)
-        return jsonify({
-            'status_code': 401,
-            'location': location,
-        })
-    for roles in current_user.roles:
-        if roles.site_id == site_id:
-            return jsonify({
-                'status_code': 200,
-                'access_token': token_serializer.dumps(current_user.id),
-                'account': {
-                    'email': current_user.email,
-                    'name': current_user.name,
-                    'roles': roles.roles,
-                },
-                'sign_out': url_for('.sign_out', _external=True),
-            })
-    return jsonify({
-        'status_code': 403,
-        'account': {
-            'email': current_user.email,
-            'name': current_user.name
-        },
+    next = url_for('.sign_in_success', site_id=site_id, _external=True)
+    response = {
+        'sign_in': url_for('.widget', mode='select', next=next, _external=True),
         'sign_out': url_for('.sign_out', _external=True),
-    })
-
-
-@blueprint.route('/site/<site_id>/authenticated')
-def site_authenticated(site_id):
-    return render_template('auth/close-window.html', message='You have signed in.')
-
-
-def send_email_challenge(account):
-    text = render_template(
-        'auth/verify-email.txt',
-        oob_link=gitkit.get_email_verification_link(account.email))
-    send(account.email, 'Verify email address', text)
-    account.email_challenged = datetime.utcnow()
+    }
+    user = current_user._get_current_object()
+    if not user.is_authenticated:
+        response['status_code'] = 401
+        return jsonify(response)
+    response['account'] = {
+        'email': user.email,
+        'email_verified': user.email_verified,
+        'name': user.name,
+    }
+    for roles in user.roles:
+        if roles.site_id == site_id:
+            response['account']['roles'] = roles.roles
+            break
+    if not user.email_verified or 'roles' not in response['account']:
+        response['status_code'] = 403
+        return jsonify(response)
+    response['status_code'] = 200
+    response['access_token'] = token_serializer.dumps(user.id)
+    return jsonify(response)
 
 
 def send(recipient, subject, text):
 
@@ -3,7 +3,7 @@
 
 import frontmatter
 
-from flask import json, jsonify, request, abort
+from flask import json, jsonify, request
 from flask.ext.cors import cross_origin
 from flask.ext.login import current_user, login_required
 from flask.ext.principal import Permission
@@ -21,6 +21,7 @@ def commit(repository, filenames):
     with repository.transaction():
         repository.execute(['add'] + filenames)
         repository.execute([
+            '-c', 'user.name=JekyllEdit',
             '-c', 'user.email={}'.format(current_user.email),
             'commit',
             '-m', 'File {} updated'.format(filenames[0]),
 
@@ -0,0 +1,31 @@
+"""Track email challenges and their codes.
+
+Revision ID: 2cf8288266e0
+Revises: b04e0f09ebca
+Create Date: 2016-05-26 10:41:15.385102
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '2cf8288266e0'
+down_revision = 'b04e0f09ebca'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.create_table(
+        'challenge',
+        sa.Column('oob_code', sa.Unicode(), nullable=False),
+        sa.Column('site_id', sa.Unicode(), nullable=False),
+        sa.Column('account_id', sa.Unicode(), nullable=False),
+        sa.Column('moment', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('oob_code', name=op.f('challenge_pkey')),
+        sa.ForeignKeyConstraint(['site_id'], ['site.id'], name=op.f('challenge_site_id_fkey')),
+        sa.ForeignKeyConstraint(['account_id'], ['account.id'], name=op.f('challenge_account_id_fkey')),
+    )
+
+
+def downgrade():
+    op.drop_table('challenge')
@@ -1,5 +1,5 @@
 # flake8: noqa
 
 from .base import db, migrate
-from .auth import Account, Roles, Site
+from .auth import Account, Challenge, Roles, Site
 from .site import Repository, Sites
@@ -19,15 +19,20 @@ class Account(UserMixin, db.Model):
     id = db.Column(db.Unicode, primary_key=True)
     email = db.Column(db.Unicode, unique=True, nullable=False)
     email_verified = db.Column(db.Boolean, default=False, nullable=False)
-    email_challenged = db.Column(db.DateTime)
     name = db.Column(db.Unicode)
     photo_url = db.Column(db.Unicode)
 
     roles = db.relationship('Roles')
 
-    @property
-    def is_active(self):
-        return self.email_verified
+
+class Challenge(db.Model):
+
+    __tablename__ = 'challenge'
+
+    oob_code = db.Column(db.Unicode, primary_key=True)
+    site_id = db.Column(db.Unicode, db.ForeignKey('site.id'), nullable=False)
+    account_id = db.Column(db.Unicode, db.ForeignKey('account.id'), nullable=False)
+    moment = db.Column(db.DateTime, nullable=False)
 
 
 class Roles(db.Model):
 
@@ -1,13 +1,15 @@
-import os.path, os
+import json
+import os
+import os.path
+import yaml
 from base64 import b64decode
-
 import frontmatter
 
-from flask import json
-
 from contextlib import contextmanager
 from subprocess import Popen, PIPE
 
+import frontmatter
+
 
 class Repository:
 
@@ -55,12 +57,12 @@ def __init__(self, name):
         self.name = name
         self.repository = Repository(name)
 
-    def get_config(self, filename = None):
+    def get_config(self, filename=None):
         if filename is None:
             filename = 'jekylledit.json'
         with self.repository.open(filename, 'r') as fp:
             self.config = json.load(fp)
-            if not 'languages' in self.config:
+            if 'languages' not in self.config:
                 self.config.update({'languages': ['en']})
             return self.config
 
@@ -77,7 +79,7 @@ def get_drafts(self, category=None):
                     drafts.append({
                         'author': post.metadata['author'],
                         'category': category,
-                        'date' : post.metadata['date'],
+                        'date': post.metadata['date'],
                         'filename': os.path.join(category, f),
                         'title': post.metadata['title']
                     })
@@ -143,4 +145,9 @@ def save_media(self, media):
             with open(self.repository.path(filename), 'wb+') as fm:
                 fm.write(b64decode(medio['data']))
                 created.append(filename)
-        return created
+        return created
+
+    def get_base_url(self):
+        with self.repository.open('_config.yaml', 'r') as fp:
+            config = yaml.load(fp)
+        return config['baseurl']
@@ -1,4 +1,4 @@
-You have requested to change the email address of your Jekyll Edit
+You have requested to change the email address of your JekyllEdit
 account. Please confirm that you own the new address by clicking
 on the verification link bellow.
 
 
@@ -1,4 +1,4 @@
-You have requested to reset the password to your Jekyll Edit account.
+You have requested to reset the password to your JekyllEdit account.
 Please click on the verification link below to complete the process.
 
 Verification link: {{ oob_link }}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-You have requested to change the email address of your Jekyll Edit`
	`1`	`+You have requested to change the email address of your JekyllEdit`
`2`	`2`	`account. Please confirm that you own the new address by clicking`
`3`	`3`	`on the verification link bellow.`
`4`	`4`