Arena  1.0
A content management system
UserAuthentication.py File Reference

This file defines and implements a user authentication engine, which is a subclass of AViewpoint that handles user authentication (logins).

Classes

class  Plugins.Application.Arena.UserAuthentication.AnAuthenticationError
 Represents an error that might occur within the authentication module itself.
 
class  Plugins.Application.Arena.UserAuthentication.AUserAuthenticator
 A user authentication engine, which authenticates users.
 

Variables

string Plugins.Application.Arena.UserAuthentication.uaLogOutQueryKey = "logout"
 The name of the query key used to specify that the user wishes to log out.
 
string Plugins.Application.Arena.UserAuthentication.uaUserNameQueryKey = "username"
 The name of the query key used to specify the user name.
 
string Plugins.Application.Arena.UserAuthentication.uaPasswordQueryKey = "pwd"
 The name of the query key used to specify the password.
 
string Plugins.Application.Arena.UserAuthentication.uaLoginViewName = "site/user/login"
 The name of the view used to display the login prompts.
 
string Plugins.Application.Arena.UserAuthentication.uaUserNamePrompt = "username.tpl.html"
 The name of the template used to display the user name prompt.
 
string Plugins.Application.Arena.UserAuthentication.uaPasswordPrompt = "password.tpl.html"
 The name of the template used to display the password prompt.
 
string Plugins.Application.Arena.UserAuthentication.uaLandingVariable = "user/authentication/landing"
 The session variable used to store the desired landing channel.
 
string Plugins.Application.Arena.UserAuthentication.uaProgressIndicator = "user/authentication/progress"
 The session variable used to track authentication progress.
 
string Plugins.Application.Arena.UserAuthentication.uaUserNameVariable = "/user/authentication/username"
 The name of the session variable used to track what user is attempting to authenticate.
 
string Plugins.Application.Arena.UserAuthentication.uaUserAgentVariable = "/user/authentication/user-agent"
 The name of the session variable used to track the user agent between authentication steps.
 
string Plugins.Application.Arena.UserAuthentication.uaTimestampVariable = "/user/authentication/timestamp"
 The name of the session variable used to track the time between authentication steps.
 
 Plugins.Application.Arena.UserAuthentication.uaSessionVariables = uaProgressIndicator,\
 
string Plugins.Application.Arena.UserAuthentication.aeAuthenticationError = "the user name or password provided is incorrect"
 The format of the error message used when failing to authenticate a user.
 
string Plugins.Application.Arena.UserAuthentication.aeUserAccountDisabled = "\"{}\": this account is disabled"
 The format of the error message used when a user account is disabled.
 
string Plugins.Application.Arena.UserAuthentication.aeUserAgentMismatch = "the user agent strings do not match; got \"{}\" but "
 The format of the log message used when there is a user agent mismatch.
 
string Plugins.Application.Arena.UserAuthentication.aePasswordMissing = "the password component (\"{}\") is missing from the query"
 The format of the log message used when no password is provided.
 
string Plugins.Application.Arena.UserAuthentication.aePasswordIncorrect = "the password supplied for the user \"{}\" is incorrect"
 The format of the log message used when an incorrect password is provided.
 

Detailed Description

This file defines and implements a user authentication engine, which is a subclass of AViewpoint that handles user authentication (logins).

This engine requires the following query parameters:

  • username: The name of the user to be authenticated
  • pwd: The hashed value of the user password, which will be compared to the hashed value stored in the user record. In the future, this value will be hashed using a secure token known only to the server and the client. Until then, the submitted hash is itself the credential: anyone who captures it can replay it, so the login request must travel over TLS.

There is an additional, optional query parameter:

  • logout: This query parameter clears user credentials from the current session; as a result, the session becomes an anonymous one again, with the limited privileges associated therewith. Note that this query parameter, if provided, negates all others: you cannot use it with username or pwd, as it clears the results of the login process and forces the user to begin again at step one (entering a user name).

For security purposes, this engine is presently set up such that logging in is a two-step process: the user name is submitted in one request and the password in a later one. This is done on purpose to help slow brute-force attacks, since every guess costs an attacker a full round trip through both steps within a valid session. The engine will NOT accept both the user name and password query parameters in the same request. Additionally, the password-entry view is designed, by default, to require a three-word passphrase rather than a single password; this helps to prevent dictionary-based attacks from succeeding, as the search space of a three-word passphrase is far larger than that of a single dictionary word, and its complexity was judged (as of 2013) enough to prevent modern computers from easily cracking it. Note that the margin depends on the word list and on how the hash is stored: three words drawn from a 7776-word list give roughly 39 bits of entropy, which is ample against online guessing through this two-step flow but should not be relied on against an offline attack on a leaked hash unless the stored hash uses a slow, salted algorithm.

At present, this engine also validates the client's User-Agent string, to ensure that it does not change between the time the user name is entered and the time the password is entered. This is not the greatest guarantor of security (the header is chosen by the client, so an attacker simply sends the same one in both requests), but...
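The two-step flow described above, written out as an added example in this file's language. It is not Arena's own implementation of AUserAuthenticator: it reuses the query keys, session variables and message formats listed on this page, but the request-handling logic, the STEP_TIMEOUT_SECONDS limit, the constructed user records, the unsalted SHA-256 hashing, the log wording for the user-agent, timeout and unknown-user cases, and the full contents of the (truncated) uaSessionVariables tuple are assumptions made for the example. The points it exists to show are that the two steps cannot be collapsed into one request, that a user-agent or timing mismatch resets the flow, that the user-facing message is the same for an unknown user and a wrong password while the log records the real reason, and that the hash comparison is constant-time.

```python
import hashlib
import hmac

# Query keys and session variable names, copied from this file's module-level strings.
uaLogOutQueryKey = "logout"
uaUserNameQueryKey = "username"
uaPasswordQueryKey = "pwd"
uaProgressIndicator = "user/authentication/progress"
uaUserNameVariable = "/user/authentication/username"
uaUserAgentVariable = "/user/authentication/user-agent"
uaTimestampVariable = "/user/authentication/timestamp"
# ASSUMED: the page truncates uaSessionVariables after its first element.
uaSessionVariables = (uaProgressIndicator, uaUserNameVariable,
                      uaUserAgentVariable, uaTimestampVariable)

aeAuthenticationError = "the user name or password provided is incorrect"
aeUserAccountDisabled = "\"{}\": this account is disabled"
aePasswordMissing = "the password component (\"{}\") is missing from the query"
aePasswordIncorrect = "the password supplied for the user \"{}\" is incorrect"

STEP_TIMEOUT_SECONDS = 300  # ASSUMED: the page stores a timestamp but names no limit


class AnAuthenticationError(Exception):
    """Raised with the user-facing message; the detailed reason goes to the log only."""


def hash_passphrase(passphrase):
    # ASSUMED scheme: the page only says a submitted hash is compared with a stored one.
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


# Constructed user records for the example.
USERS = {
    "alice": {"pwd_hash": hash_passphrase("correct horse battery"), "disabled": False},
    "bob": {"pwd_hash": hash_passphrase("staple apple table"), "disabled": True},
}


def clear_authentication_state(session):
    """Drop every in-progress login variable, whatever step the flow was at."""
    for key in uaSessionVariables:
        session.pop(key, None)


def fail(session, log, log_line=None, message=aeAuthenticationError):
    """Reset the flow, record the real reason server-side, show the user a generic one."""
    clear_authentication_state(session)
    if log_line is not None:
        log.append(log_line)
    raise AnAuthenticationError(message)


def authenticate(session, query, user_agent, now, log):
    """Handle one request; returns 'logged_out', 'need_password' or 'authenticated'.

    session: the server-side session (a mutable dict); query: the query parameters;
    now: request time in seconds; log: a list collecting server-side log lines.
    """
    # logout negates every other parameter: credentials and in-progress state go.
    if uaLogOutQueryKey in query:
        clear_authentication_state(session)
        session.pop("user", None)
        return "logged_out"

    has_name = uaUserNameQueryKey in query
    has_pwd = uaPasswordQueryKey in query
    if has_name and has_pwd:      # the two steps may not be collapsed into one request
        fail(session, log)

    if has_name:                  # step one: bind the attempt to a user, agent and time
        clear_authentication_state(session)
        session[uaProgressIndicator] = "password"
        session[uaUserNameVariable] = query[uaUserNameQueryKey]
        session[uaUserAgentVariable] = user_agent
        session[uaTimestampVariable] = now
        return "need_password"

    if session.get(uaProgressIndicator) != "password":   # step two needs step one
        fail(session, log)
    if not has_pwd:
        fail(session, log, aePasswordMissing.format(uaPasswordQueryKey))

    username = session[uaUserNameVariable]
    if session[uaUserAgentVariable] != user_agent:
        fail(session, log, "user agent mismatch for \"{}\"".format(username))  # ASSUMED wording
    if now - session[uaTimestampVariable] > STEP_TIMEOUT_SECONDS:
        fail(session, log, "login step timed out for \"{}\"".format(username))  # ASSUMED wording

    record = USERS.get(username)
    # Unknown user and wrong password yield the same user-facing message, so the
    # response cannot be used to enumerate accounts; the log keeps the real reason.
    if record is None:
        fail(session, log, "no such user \"{}\"".format(username))  # ASSUMED wording
    if record["disabled"]:
        # As defined on the page, this message does confirm that the account exists.
        fail(session, log, message=aeUserAccountDisabled.format(username))
    # Constant-time comparison: the submitted value is itself a hash (see the pwd key).
    if not hmac.compare_digest(record["pwd_hash"].encode("ascii"),
                               str(query[uaPasswordQueryKey]).encode("utf-8")):
        fail(session, log, aePasswordIncorrect.format(username))

    clear_authentication_state(session)
    session["user"] = username
    return "authenticated"
```

Because the page's current scheme compares the submitted hash directly with the stored one, the value in the pwd parameter is password-equivalent: the example makes no attempt to hide that, and it is the weakness the per-request token planned below is meant to remove.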

The views used by this engine are designed with the assumption that the user name is provided by an AJAX request, while the final password step is submitted as a regular browser request. This can be changed to suit the needs of your site without changing the code; one needs only to change the associated views.

In the future, AJAX will be used to hash the passphrase with a random secure token that the server generates for each request and sends to the client, so that the value submitted is bound to that one request. If the user enters the passphrase into their browser incorrectly, it will be hashed incorrectly, and authentication will fail. Because the token is randomly generated each time it is requested, a captured submission cannot be replayed against a later request, and the passphrase hash itself no longer travels over the wire. Note that the server must still be able to recompute the same value from the stored hash, so the stored hash remains password-equivalent and must be protected accordingly.
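One way the future token scheme described above could work, as an added example with both sides of the exchange shown. This is not Arena code and not the project's planned implementation: the class and function names, the choice of HMAC-SHA256 keyed by the token, the single-use token store and the unsalted SHA-256 passphrase hash are all assumptions. The last function demonstrates the caveat from the paragraph above: holding the stored hash is enough to answer the challenge.

```python
import hashlib
import hmac
import secrets

# ASSUMED: the page sketches the future scheme only in outline; this is one common way
# to realise "hash the passphrase with a fresh server-issued token".


def passphrase_hash(passphrase):
    # Value stored per user (ASSUMED: unsalted SHA-256, matching the current scheme's
    # "hashed value stored in the user record"; a slow salted hash is preferable).
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def keyed_proof(token, stored_hash):
    """HMAC-SHA256 of the passphrase hash under the per-request token."""
    return hmac.new(token.encode("ascii"), stored_hash.encode("ascii"),
                    hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users):
        self.users = users        # username -> stored passphrase hash (constructed)
        self.pending = {}         # username -> the one outstanding token

    def issue_token(self, username):
        # Fresh random token per request; it replaces any earlier, unused one.
        token = secrets.token_hex(16)
        self.pending[username] = token
        return token

    def verify(self, username, proof):
        token = self.pending.pop(username, None)   # single use: a replay finds no token
        stored = self.users.get(username)
        if token is None or stored is None:
            return False
        return hmac.compare_digest(keyed_proof(token, stored), proof)


def client_proof(token, passphrase):
    # Browser side (JavaScript over AJAX in Arena's plan): the passphrase and its bare
    # hash never leave the client; only the token-bound proof is submitted.
    return keyed_proof(token, passphrase_hash(passphrase))


def login(server, username, passphrase):
    """One complete exchange: server issues a token, client answers, server verifies."""
    token = server.issue_token(username)
    proof = client_proof(token, passphrase)
    return proof, server.verify(username, proof)


def forge_with_stored_hash(server, username):
    """Caveat: whoever holds the stored hash can answer the challenge without the
    passphrase, so the stored hash is password-equivalent and must be protected."""
    token = server.issue_token(username)
    return server.verify(username, keyed_proof(token, server.users[username]))
```

The token store is keyed by user name here for brevity; in Arena it would naturally live in the session alongside the variables listed on this page, which also binds the token to the session that requested it.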