I want to do some customization when a user logs in. The problem is that the project is using flask-security which implicitly handles user login.
I want to check some records of users in the database when users log in.
How can I override "login" function in flask-security?
I saw a similar post, and tried it but it's not working.
Plus, it is not exactly what I want to do.
I maybe need to stop the default behavior in case of some users.
So, is anyone having this kind of issue? How can I do it?
You can override the login form when you are setting up Flask-Security:
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore, login_form=CustomLoginForm)
Then create your custom login form class that extends the default LoginForm. And override the validate function to do stuff before or after the login attempt.
from flask_security.forms import LoginForm
class CustomLoginForm(LoginForm):
def validate(self):
# Put code here if you want to do stuff before login attempt
response = super(CustomLoginForm, self).validate()
# Put code here if you want to do stuff after login attempt
return response
"reponse" will be True or False based on if the login was successful or not. If you want to check possible errors that occurred during the login attempt see "self.errors"
Greetings,
Kevin ;)
after registering the flask security extension, you can create an endpoint with the exact same name/route and it should override the one registered by Flask-security.
If you are using blueprints, make sure you register your blueprint before registering Flask-security.
Related
I am messing around making an app in grails. At this point I have already made a login view and the controller. How its working is I got a service which queries my db for the credentials and then if they are valid proceeds to the main screen as shown below. Now I need to add a session to it so that you cant bypass the login. Keep in mind I got no Domain classes because all I need Im querying the database.
This is how the controller works rn:
The login service is basically a firstrow query.
It isn't clear what you really need but in your controller is a variable named session which you can interact with as a Map and do things like session.isLoggedIn = true or if(session.isLoggedIn) { ... } etc. You probably shouldn't do that sort of thing in your app though. You should consider something like https://grails-plugins.github.io/grails-spring-security-core/.
I am using Kyecloak:4.8.0, and have enabled Brute force attack for my realm.
Now whenever user provides wrong credentials for 3 times user will be locked temporarily.
But still user will see "Invalid username/password".
According to this thread Keycloak have done this intentionally:
https://issues.jboss.org/browse/KEYCLOAK-5284
But still i want to show user that his account has been locked.
Is there any way to customize this message?
I tried doing this by adding message in custom keycloak theme as below:
location: themes\adminlte\login\messages\messages_en.properties
accountTemporarilyDisabledMessage=Account is temporarily disabled, contact admin or try again later.
This change is not working.
After going through Keycloak base code what i found is: Keycloak uses Messages.INVALID_USER (invalidUserMessage) from properties which is written in AbstractFormAuthenticator class.
This class is at the end extended by UsernamePasswordForm now to change this to custom message i Wrote Custom Authenticator (Keycloak SPI) like below
public class CustomUsernameFormAuthenticator extends UsernamePasswordForm {
#Override
protected String tempDisabledError() {
return Messages.ACCOUNT_TEMPORARILY_DISABLED;
}
}
After this deploy spi Jar in keycloak and enable it in your realm.
And we are done :)
I've extended the User model in my loopback application, and added phone number as a login method, I use the username field to do this, the only deal is that on login I get the 'email not verified' error, I have my own phoneNumberVerified field, and have overwritten the confirm method to validate the token against the emailVerificationToken and against the phoneNumberVerificationToken and update the corresponding flag, I thought of overwriting the original login method to not allow login only if both emailVerified and phoneNumberVerified fields are false (not just the email) but I don't know how to actually do the login the way loopback does it (I believe it creates an AccessToken or something), and I'm asking for some help on how to do this, thanks XD. I can do the overwriting and validations myself I just need to know how to do the actual login without using the original login method, since I'll be rewriting it.
So I figured out that I actually don't need email or phone number verified validation at all on login (later on the workflow will be required, but that'll be another use case, so it's irrelevant on login to me now XD). So when I was looking on how to overwrite the login method I realized that all the models code it's on the node_modules folder xD
node_modules/loopback/common/models/user.js
And found there in the login method a flag that validates if should check email verified or not, so on my startup script I just put this:
app.models.MyUser.settings.emailVerificationRequired = false;
That stops the email verified validation on login.
And maybe if some of you would like to override the login method I believe copying the whole method from the original user model up there and attaching it to your model and doing some modifications might work xD, it invokes the createAccessToken from the user model (itself) and that's what I believe creates the 'login', what I came to understand is that there is no "session" data, it creates an accesstoken when you successfully login, and as I've been doing just sending the token id to every request 'authenticates' your logged user.
Thanks for reading, have a nice day :)
I was being searching to password protect apiglity admin ui without using htpasswd, but i did not got any information about. Can anybody help me out with this?
Thanks in advance
You don't need password protection for ApiGility UI. Access should only be allowed in the Dev environment.
php public/index.php development enable <- to enable the UI
php public/index.php development disable <- to disable the UI
If you consist of having password protection for it. Then you can add an event to the Application Module.php that check if the identified user is allowed to access that resource.
Edit - If you do want to protect something by password
The following code should be placed in the Module.php file. (In many cases under the Application module).
It call the event manager and attach action to the Dispatch event.
Every time the application reach the dispatch phase it will fire this event.
The action is passed as a call back so you can attach function, classes ans etc. In this example I passed a new class that have access to the MvcEvent ($e).
For example, that class can check if a user is logged in. If it is not then redirect him to /login.
public function onBootstrap(MvcEvent $e)
{
$eventManager = $e->getApplication()->getEventManager();
$eventManager->attach(MvcEvent::EVENT_DISPATCH, array(new UserAccessChecker($e), 'getResponse'));
}
For the purpose of auth You should further investigate ACL & RABC
I wonder what's the best practise for passing user 'model' around. I take http request and convert it to user model in my controller. I don't want to explicitly add an argument to all the templates for this model, and neither to main.
What are the best practises for doing this?
THanks.
If you are logging in, and the user is your authenticated user, then you should put the user in a WrappedRequest and make your request implicit in your templates. If you use something like SecureSocial, then UserAwareAction will provide you with a RequestWithUser (see http://securesocial.ws/guide/user-service.html) and you can do things like
#()(implicit req:RequestWithUser)
Email = #{req.user.map(_.email)}
in your template.
Use the Session scope.
Here is documentation for Play 2.0
http://www.playframework.com/documentation/2.0.2/ScalaSessionFlash
So for example, on the login, add the user to the Session
And on logout remove the user from the Session
Cheers!