Add "magic link" functionality

When using a device that is bothersome to log in on (e.g. a Kindle) you can use a magic link to log in via another device. Configuration was added and is disabled by default.
7 years ago · 623f5c8ef0
parent 5276bda153
commit 623f5c8ef0
8 changed files with 221 additions and 2 deletions
--- a/cps/redirect.py
+++ b/cps/redirect.py
@ -0,0 +1,25 @@
 # http://flask.pocoo.org/snippets/62/
 from urlparse import urlparse, urljoin
 from flask import request, url_for, redirect
 def is_safe_url(target):
    ref_url = urlparse(request.host_url)
    test_url = urlparse(urljoin(request.host_url, target))
    return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc
 def get_redirect_target():
    for target in request.values.get('next'), request.referrer:
        if not target:
            continue
        if is_safe_url(target):
            return target
 def redirect_back(endpoint, **values):
    target = request.form['next']
    if not target or not is_safe_url(target):
        target = url_for(endpoint, **values)
    return redirect(target)
--- a/cps/templates/admin.html
+++ b/cps/templates/admin.html
@ -64,6 +64,7 @@
        <th>{{_('Uploading')}}</th>
        <th>{{_('Public registration')}}</th>
        <th>{{_('Anonymous browsing')}}</th>
        <th>{{_('Remote Login')}}</th>
    </tr>
      <tr>
        <td>{{config.config_calibre_dir}}</td>
@ -73,6 +74,7 @@
        <td>{% if config.config_uploading %}<span class="glyphicon glyphicon-ok"></span>{% else %}<span class="glyphicon glyphicon-remove"></span>{% endif %}</td>
        <td>{% if config.config_public_reg %}<span class="glyphicon glyphicon-ok"></span>{% else %}<span class="glyphicon glyphicon-remove"></span>{% endif %}</td>
        <td>{% if config.config_anonbrowse %}<span class="glyphicon glyphicon-ok"></span>{% else %}<span class="glyphicon glyphicon-remove"></span>{% endif %}</td>
        <td>{% if config.config_remote_login %}<span class="glyphicon glyphicon-ok"></span>{% else %}<span class="glyphicon glyphicon-remove"></span>{% endif %}</td>
  </table>
  <div class="btn btn-default"><a href="{{url_for('configuration')}}">{{_('Configuration')}}</a></div>
  <h2>{{_('Administration')}}</h2>
--- a/cps/templates/config_edit.html
+++ b/cps/templates/config_edit.html
@ -93,6 +93,10 @@
        <input type="checkbox" id="config_public_reg" name="config_public_reg" {% if content.config_public_reg %}checked{% endif %}>
        <label for="config_public_reg">{{_('Enable public registration')}}</label>
    </div>
    <div class="form-group">
      <input type="checkbox" id="config_remote_login" name="config_remote_login" {% if content.config_remote_login %}checked{% endif %}>
      <label for="config_remote_login">{{_('Enable remote login ("magic link")')}}</label>
    </div>
    <h2>{{_('Default Settings for new users')}}</h2>
    <div class="form-group">
      <input type="checkbox" name="admin_role" id="admin_role" {% if content.role_admin() %}checked{% endif %}>
--- a/cps/templates/login.html
+++ b/cps/templates/login.html
@ -3,6 +3,7 @@
 <div class="well col-sm-6 col-sm-offset-2">
  <h2 style="margin-top: 0">{{_('Login')}}</h2>
  <form method="POST" role="form">
    <input type="hidden" name="next" value="{{next_url}}">
    <div class="form-group">
      <label for="username">{{_('Username')}}</label>
      <input type="text" class="form-control" id="username" name="username" placeholder="{{_('Username')}}">
@ -17,6 +18,9 @@
      </label>
    </div>
    <button type="submit" name="submit" class="btn btn-default">{{_('Submit')}}</button>
    {% if remote_login %}
    <a href="{{url_for('remote_login')}}" class="pull-right">{{_('Log in with magic link')}}</a>
    {% endif %}
  </form>
 </div>
  {% if error %}
--- a/cps/templates/remote_login.html
+++ b/cps/templates/remote_login.html
@ -0,0 +1,40 @@
 {% extends "layout.html" %}
 {% block body %}
 <div class="well">
  <h2 style="margin-top: 0">{{_('Remote Login')}}</h2>
  <p>
    {{_('Using your another device, visit')}} <a href="{{verify_url}}">{{verify_url}}</a> {{_('and log in')}}.
  </p>
  <p>
    {{_('Once you do so, you will automatically get logged in on this device.')}}
  </p>
  <p>
    {{_('The link will expire after %s minutes.' % 10)}}
  </p>
 </div>
 {% endblock %}
 {% block js %}
 <script type="text/javascript">
  (function () {
    // Poll the server to check if the user has authenticated
    var t = setInterval(function () {
      $.post('{{url_for("token_verified")}}', { token: '{{token}}' })
        .done(function(response) {
          if (response.status === 'success') {
            // Wait a tick so cookies are updated
            setTimeout(function () {
              window.location.href = '{{url_for("index")}}';
            }, 0);
          }
        })
        .fail(function (xhr) {
          clearInterval(t);
          var response = JSON.parse(xhr.responseText);
          alert(response.message);
        });
    }, 5000);
  })()
 </script>
 {% endblock %}
--- a/cps/ub.py
+++ b/cps/ub.py
@ -11,6 +11,8 @@ import logging
 from werkzeug.security import generate_password_hash
 from flask_babel import gettext as _
 import json
 import datetime
 from binascii import hexlify
 dbpath = os.path.join(os.path.normpath(os.getenv("CALIBRE_DBPATH", os.path.dirname(os.path.realpath(__file__)) + os.sep + ".." + os.sep)), "app.db")
 engine = create_engine('sqlite:///{0}'.format(dbpath), echo=False)
@ -260,11 +262,29 @@ class Settings(Base):
    config_google_drive_calibre_url_base = Column(String)
    config_google_drive_watch_changes_response = Column(String)
    config_columns_to_ignore = Column(String)
    config_remote_login = Column(Boolean)
    def __repr__(self):
        pass
 class RemoteAuthToken(Base):
    __tablename__ = 'remote_auth_token'
    id = Column(Integer, primary_key=True)
    auth_token = Column(String(8), unique=True)
    user_id = Column(Integer, ForeignKey('user.id'))
    verified = Column(Boolean, default=False)
    expiration = Column(DateTime)
    def __init__(self):
        self.auth_token = hexlify(os.urandom(4))
        self.expiration = datetime.datetime.now() + datetime.timedelta(minutes=10)  # 10 min from now
    def __repr__(self):
        return '<Token %r>' % self.id
 # Class holds all application specific settings in calibre-web
 class Config:
    def __init__(self):
@ -299,6 +319,7 @@ class Config:
        self.config_columns_to_ignore = data.config_columns_to_ignore
        self.db_configured = bool(self.config_calibre_dir is not None and
                (not self.config_use_google_drive or os.path.exists(self.config_calibre_dir + '/metadata.db')))
        self.config_remote_login = data.config_remote_login
    @property
    def get_main_dir(self):
@ -449,6 +470,16 @@ def migrate_Database():
        session.commit()
    if session.query(User).filter(User.role.op('&')(ROLE_ANONYMOUS) == ROLE_ANONYMOUS).first() is None:
        create_anonymous_user()
    try:
        session.query(exists().where(Settings.config_remote_login)).scalar()
    except exc.OperationalError:
        conn = engine.connect()
        conn.execute("ALTER TABLE Settings ADD column `config_remote_login` INTEGER DEFAULT 0")
 def clean_database():
    # Remove expired remote login tokens
    now = datetime.datetime.now()
    session.query(RemoteAuthToken).filter(now > RemoteAuthToken.expiration).delete()
 def create_default_config():
    settings = Settings()
@ -529,7 +560,9 @@ if not os.path.exists(dbpath):
    except Exception:
        raise
 else:
    Base.metadata.create_all(engine)
    migrate_Database()
    clean_database()
 # Generate global Settings Object accecable from every file
 config = Config()
--- a/cps/web.py
+++ b/cps/web.py
@ -58,6 +58,7 @@ import shutil
 import gdriveutils
 import tempfile
 import hashlib
 from redirect import redirect_back, is_safe_url
 from tornado import version as tornadoVersion
@ -372,6 +373,21 @@ def login_required_if_no_ano(func):
    return login_required(func)
 def remote_login_required(f):
    @wraps(f)
    def inner(*args, **kwargs):
        if config.config_remote_login:
            return f(*args, **kwargs)
        if request.is_xhr:
            data = {'status': 'error', 'message': 'Forbidden'}
            response = make_response(json.dumps(data, ensure_ascii=false))
            response.headers["Content-Type"] = "application/json; charset=utf-8"
            return response, 403
        abort(403)
    return inner
 # custom jinja filters
@app.template_filter('shortentitle')
 def shortentitle_filter(s):
@ -1805,14 +1821,20 @@ def login():
        if user and check_password_hash(user.password, form['password']):
            login_user(user, remember=True)
            flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
-            return redirect(url_for("index"))
+            return redirect_back(url_for("index"))
        else:
            ipAdress=request.headers.get('X-Forwarded-For', request.remote_addr)
            app.logger.info('Login failed for user "' + form['username'] + '" IP-adress: ' + ipAdress)
            flash(_(u"Wrong Username or Password"), category="error")
-    return render_title_template('login.html', title=_(u"login"))
+    next_url = request.args.get('next')
    if next_url is None or not is_safe_url(next_url):
        next_url = url_for('index')
    return render_title_template('login.html', title=_(u"login"), next_url=next_url,
                                 remote_login=config.config_remote_login)
@app.route('/logout')
@ -1823,6 +1845,87 @@ def logout():
    return redirect(url_for('login'))
@app.route('/remote/login')
@remote_login_required
 def remote_login():
    auth_token = ub.RemoteAuthToken()
    ub.session.add(auth_token)
    ub.session.commit()
    verify_url = url_for('verify_token', token=auth_token.auth_token, _external=true)
    return render_title_template('remote_login.html', title=_(u"login"), token=auth_token.auth_token,
                                 verify_url=verify_url)
@app.route('/verify/<token>')
@remote_login_required
@login_required
 def verify_token(token):
    auth_token = ub.session.query(ub.RemoteAuthToken).filter(ub.RemoteAuthToken.auth_token == token).first()
    # Token not found
    if auth_token is None:
        flash(_(u"Token not found"), category="error")
        return redirect(url_for('index'))
    # Token expired
    if datetime.datetime.now() > auth_token.expiration:
        ub.session.delete(auth_token)
        ub.session.commit()
        flash(_(u"Token has expired"), category="error")
        return redirect(url_for('index'))
    # Update token with user information
    auth_token.user_id = current_user.id
    auth_token.verified = True
    ub.session.commit()
    flash(_(u"Success! Please return to your device"), category="success")
    return redirect(url_for('index'))
@app.route('/ajax/verify_token', methods=['POST'])
@remote_login_required
 def token_verified():
    token = request.form['token']
    auth_token = ub.session.query(ub.RemoteAuthToken).filter(ub.RemoteAuthToken.auth_token == token).first()
    data = {}
    # Token not found
    if auth_token is None:
        data['status'] = 'error'
        data['message'] = _(u"Token not found")
    # Token expired
    elif datetime.datetime.now() > auth_token.expiration:
        ub.session.delete(auth_token)
        ub.session.commit()
        data['status'] = 'error'
        data['message'] = _(u"Token has expired")
    elif not auth_token.verified:
        data['status'] = 'not_verified'
    else:
        user = ub.session.query(ub.User).filter(ub.User.id == auth_token.user_id).first()
        login_user(user)
        ub.session.delete(auth_token)
        ub.session.commit()
        data['status'] = 'success'
        flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
    response = make_response(json.dumps(data, ensure_ascii=false))
    response.headers["Content-Type"] = "application/json; charset=utf-8"
    return response
@app.route('/send/<int:book_id>')
@login_required
@download_required
@ -2178,6 +2281,10 @@ def configuration_helper(origin):
            content.config_anonbrowse = 1
        if "config_public_reg" in to_save and to_save["config_public_reg"] == "on":
            content.config_public_reg = 1
        content.config_remote_login = ("config_remote_login" in to_save and to_save["config_remote_login"] == "on")
        if not content.config_remote_login:
            ub.session.query(ub.RemoteAuthToken).delete()
        content.config_default_role = 0
        if "admin_role" in to_save:
--- a/readme.md
+++ b/readme.md
@ -26,6 +26,7 @@ Calibre Web is a web app providing a clean interface for browsing, reading and d
 - Support for Calibre custom columns
 - Fine grained per-user permissions
 - Self update capability
 - "Magic Link" login to make it easy to log on eReaders
 ## Quick start
@ -55,6 +56,9 @@ Tick to allow not logged in users to browse the catalog, anonymous user permissi
 Enable uploading:
 Tick to enable uploading of PDF, epub, FB2. This requires the imagemagick library to be installed.    
 Enable remote login ("magic link"):
 Tick to enable remote login, i.e. a link that allows user to log in via a different device.
 ## Requirements
 Python 2.7+