klokantech
diff --git a/‎app/jekylledit/controllers/__init__.py
+1 b/‎app/jekylledit/controllers/__init__.py
+1
diff --git a/‎app/jekylledit/controllers/auth.py
+49-172 b/‎app/jekylledit/controllers/auth.py
+49-172
diff --git a/‎app/jekylledit/controllers/base.py
-2 b/‎app/jekylledit/controllers/base.py
-2
diff --git a/‎app/jekylledit/controllers/site.py
+2-1 b/‎app/jekylledit/controllers/site.py
+2-1
@@ -2,3 +2,4 @@
 from . import auth
 from . import site
 app.register_blueprint(auth.blueprint, url_prefix='/auth')
+app.register_blueprint(auth.firebase.blueprint, url_prefix='/auth')
@@ -2,42 +2,52 @@
 import os
 import re
 
-from datetime import datetime
 from functools import wraps
-from urllib.parse import urlparse, parse_qs
 
-from flask import Blueprint, _request_ctx_stack, abort, jsonify, make_response, \
-    redirect, render_template, request, url_for
+from flask import Blueprint, jsonify, render_template, url_for
+from flask_firebase import FirebaseAuth
 from flask_login import LoginManager, current_user, login_user, logout_user
 from flask_principal import Identity, Permission, PermissionDenied, Principal
-from ..ext.identitytoolkit import Gitkit
 from itsdangerous import URLSafeTimedSerializer
 
-from ..model import Account, OobAction, Repository, Roles, Site, Sites, db
-from .base import app, mailgun, jsonp
+from ..model import Account, Repository, Roles, Site, db
+from .base import app, jsonp
 
 
 blueprint = Blueprint('auth', __name__)
+firebase = FirebaseAuth(app)
 login_manager = LoginManager(app)
 principal = Principal(app, use_sessions=False, skip_static=True)
-if not app.debug:
-    gitkit = Gitkit(app, {
-        'widget': 'auth.widget',
-        'sign_in_success': 'auth.sign_in_success',
-        'sign_out': 'auth.sign_out',
-        'oob_action': 'auth.oob_action',
-    })
-else:
-    gitkit = None
-
-
-GITKIT_OPTIONS = {'accountChooserEnabled', 'displayMode', 'signInOptions'}
 
 
 token_serializer = URLSafeTimedSerializer(app.secret_key, salt='access-token')
 token_regex = re.compile(r'Bearer\s+([-_.0-9a-zA-Z]+)$')
 
 
+@firebase.production_loader
+def production_sign_in(token):
+    account = Account.query.get(token['sub'])
+    if account is None:
+        account = Account.query.filter(Account.email == token['email']).one_or_none()
+        if account is not None:
+            # ID Changed when moving from Gitkit to Firebase.
+            account.id = token['sub']
+        else:
+            account = Account(id=token['sub'])
+            db.session.add(account)
+    account.email = token['email']
+    account.email_verified = token['email_verified']
+    account.name = token['name']
+    db.session.flush()
+    login_user(account)
+    db.session.commit()
+
+
+@firebase.unloader
+def sign_out():
+    logout_user()
+
+
 @login_manager.user_loader
 def load_user(id):
     return Account.query.get(id)
@@ -70,8 +80,9 @@ def authorization_required(*roles):
     def decorator(func):
         @wraps(func)
         def wrapper(**values):
-            if not current_user.email_verified:
-                abort(403)
+            # XXX
+            # if not current_user.email_verified:
+            #     abort(403)
             site_id = values['site_id']
             synchronize(site_id)
             needs = [(role, site_id) for role in roles]
@@ -86,181 +97,52 @@ def permission_denied(exc):
     return 'Forbidden', 403
 
 
-@blueprint.route('/widget', methods={'GET', 'POST'})
-def widget():
-    if app.debug:
-        if request.method == 'GET':
-            return render_template('auth/widget.html')
-        email = request.form['email']
-        account = Account.query.filter_by(email=email).one_or_none()
-        if account is None:
-            account = Account(
-                id=email,
-                email=email,
-                email_verified=True)
-            db.session.add(account)
-            db.session.flush()
-        login_user(account)
-        db.session.commit()
-        return render_template('auth/close-window.html', message='You have signed in.')
-    if request.args.get('mode') != 'select':
-        return render_template('auth/widget.html', options={})
-    url_adapter = _request_ctx_stack.top.url_adapter
-    next = request.args.get('next')
-    if next:
-        url = urlparse(next)
-        if url.netloc != request.host:
-            abort(400)
-        endpoint, values = url_adapter.match(url.path, 'GET')
-        if endpoint != 'auth.sign_in_success':
-            abort(400)
-        site = synchronize(values['site_id'])
-        return render_template('auth/widget.html', options=site.gitkit_options)
-    url = urlparse(request.referrer)
-    if url.netloc != request.host:
-        abort(400)
-    endpoint, __ = url_adapter.match(url.path, 'GET')
-    if endpoint != request.endpoint:
-        abort(400)
-    oob_code = parse_qs(url.query).get('oobCode')
-    if not oob_code or len(oob_code) != 1:
-        abort(400)
-    action = OobAction.query.get(oob_code[0])
-    if action is None:
-        abort(400)
-    base_url = Sites(action.site_id).get_base_url()
-    if not base_url.endswith('/'):
-        base_url += '/'
-    return redirect('{}#sign-in'.format(base_url))
+@blueprint.route('/signed-in')
+def signed_in():
+    return render_template('auth/close-window.html', message='You have signed in.')
 
 
-@blueprint.route('/site/<site_id>/sign-in-success')
-def sign_in_success(site_id):
-    token = gitkit.verify_token()
-    if token is None:
-        abort(400)
-    gitkit_account = gitkit.get_account_by_id(token['id'])
-    account = Account.query.get(token['id'])
-    if account is None:
-        account = Account(id=token['id'])
-        db.session.add(account)
-    email = gitkit_account['email']
-    account.email = email
-    account.email_verified = gitkit_account['email_verified']
-    account.name = gitkit_account['name']
-    account.photo_url = gitkit_account['photo_url']
-    db.session.flush()
-    login_user(account)
-    if account.email_verified:
-        db.session.commit()
-        return render_template('auth/close-window.html', message='You have signed in.')
-    oob_link = gitkit.get_email_verification_link(email)
-    action = OobAction(
-        oob_code=parse_qs(urlparse(oob_link).query)['oobCode'][0],
-        site_id=site_id,
-        moment=datetime.utcnow())
-    db.session.add(action)
-    db.session.commit()
-    text = render_template('auth/verify-email.txt', oob_link=oob_link)
-    send(email, 'Verify email address', text)
-    return render_template('auth/close-window.html', message='Email verification link sent.')
-
-
-@blueprint.route('/sign-out')
-def sign_out():
-    logout_user()
-    text = render_template('auth/close-window.html', message='You have signed out.')
-    response = make_response(text)
-    if not app.debug:
-        gitkit.delete_token(response)
-    return response
-
-
-@blueprint.route('/oob-action', methods={'POST'})
-def oob_action():
-    url_adapter = _request_ctx_stack.top.url_adapter
-    url = urlparse(request.referrer)
-    if url.netloc != request.host:
-        abort(400)
-    endpoint, __ = url_adapter.match(url.path, 'GET')
-    if endpoint != 'auth.widget':
-        abort(400)
-    next = parse_qs(url.query).get('next')
-    if not next or len(next) != 1:
-        abort(400)
-    url = urlparse(next[0])
-    if url.netloc != request.host:
-        abort(400)
-    endpoint, values = url_adapter.match(url.path, 'GET')
-    if endpoint != 'auth.sign_in_success':
-        abort(400)
-    result = gitkit.get_oob_result()
-    action = OobAction(
-        oob_code=parse_qs(urlparse(result['oob_link']).query)['oobCode'][0],
-        site_id=values['site_id'],
-        moment=datetime.utcnow())
-    db.session.add(action)
-    db.session.commit()
-    if result['action'] == 'changeEmail':
-        text = render_template(
-            'auth/change-email.txt',
-            email=result['email'],
-            new_email=result['new_email'],
-            oob_link=result['oob_link'])
-        send(result['new_email'], 'Change of email address', text)
-        return result['response_body']
-    if result['action'] == 'resetPassword':
-        text = render_template(
-            'auth/reset-password.txt',
-            oob_link=result['oob_link'])
-        send(result['email'], 'Password reset', text)
-        return result['response_body']
-    raise Exception('Invalid action {}'.format(result['action']))
+@blueprint.route('/signed-out')
+def signed_out():
+    return render_template('auth/close-window.html', message='You have signed out.')
 
 
 @blueprint.route('/site/<site_id>/token')
 @jsonp
 def site_token(site_id):
     synchronize(site_id)
-    next = url_for('.sign_in_success', site_id=site_id, _external=True)
     response = {
-        'sign_in': url_for('.widget', mode='select', next=next, _external=True),
-        'sign_out': url_for('.sign_out', _external=True),
+        'sign_in': firebase.url_for(
+            'widget',
+            mode='select',
+            next=url_for('auth.signed_in', _scheme='https', _external=True),
+        ),
+        'sign_out': firebase.url_for(
+            'sign_out',
+            next=url_for('auth.signed_out', _scheme='https', _external=True),
+        ),
     }
     user = current_user._get_current_object()
     if not user.is_authenticated:
         response['status_code'] = 401
         return jsonify(response)
-    if not user.email_verified:
-        gitkit_account = gitkit.get_account_by_id(user.id)
-        user.email_verified = gitkit_account['email_verified']
-        db.session.commit()
     response['account'] = {
         'email': user.email,
-        'email_verified': user.email_verified,
+        'email_verified': True,  # XXX user.email_verified,
         'name': user.name,
     }
     for roles in user.roles:
         if roles.site_id == site_id:
             response['account']['roles'] = roles.roles
             break
-    if not user.email_verified or 'roles' not in response['account']:
+    if 'roles' not in response['account']:  # XXX or not user.email_verified
         response['status_code'] = 403
         return jsonify(response)
     response['status_code'] = 200
     response['access_token'] = token_serializer.dumps(user.id)
     return jsonify(response)
 
 
-def send(recipient, subject, text):
-    mailgun.send({
-        'from': 'no-reply@{}'.format(mailgun.domain),
-        'to': recipient,
-        'subject': subject,
-        'text': text,
-    })
-
-
 def synchronize(site_id):
     repository = Repository(site_id)
     site = Site.query.get(site_id)
@@ -280,11 +162,6 @@ def synchronize(site_id):
             site = Site(id=site_id)
             db.session.add(site)
         site.mtime = mtime
-        gitkit_options = data.get('gitkit_options') or None
-        if gitkit_options is not None:
-            if not set(gitkit_options).issubset(GITKIT_OPTIONS):
-                raise Exception
-        site.gitkit_options = gitkit_options
         roles = []
         default_roles = data.get('default_roles', ['visitor'])
         for account in data.get('accounts', []):
 
@@ -7,13 +7,11 @@
 from flask import Flask, request, url_for
 from flask_babel import Babel
 from ..ext.mailgun import Mailgun
-from ..ext.normalizeUnicode import normalizeUnicode
 
 
 app = Flask('jekylledit')
 app.config.from_object('{}.settings'.format(app.import_name))
 
-
 babel = Babel(app)
 if not app.debug:
     mailgun = Mailgun(app)
 
@@ -12,8 +12,9 @@
 from flask_principal import Permission
 from pid import PidFile, PidFileAlreadyLockedError
 
+from ..ext import normalizeUnicode
 from ..model import Repository, Roles, Sites
-from .base import app, mailgun, normalizeUnicode
+from .base import app, mailgun
 from .auth import authorization_required