implement security

eveai_app/views/auth_views.py

@@ -1,5 +1,5 @@
 from datetime import datetime as dt, timezone as tz
-from flask import request, redirect, url_for, flash, render_template, Blueprint, jsonify
+from flask import request, redirect, url_for, flash, render_template, Blueprint, jsonify, session
 from ..models.user import User, Tenant
 from ..extensions import db, bcrypt
 from .auth_forms import LoginForm
@@ -14,27 +14,45 @@ def login():
     if request.method == 'POST':
         email = request.form.get('email')
         password = request.form.get('password')
-        remember_me = True if request.form.get('remember_me') else False
+        # remember_me = True if request.form.get('remember_me') else False
 
         user = User.query.filter_by(email=email).first()
+        tenant = Tenant.query.filter_by(id=user.tenant_id).first()
         if user:
-            if bcrypt.check_password_hash(user.password, password):
-                response = jsonify({'msg': 'Login Successful'})
-                flash('Logged in successfully!', category='success')
-                access_token = create_access_token(
-                    identity=user.id,
-                    additional_claims={'tenant': user.tenant_id})
-                refresh_token = create_refresh_token(
-                    identity=user.id,
-                    additional_claims={'tenant': user.tenant_id})
-                set_access_cookies(response, access_token)
-                set_refresh_cookies(response, refresh_token)
+            if user.is_active:
+                if bcrypt.check_password_hash(user.password, password):
+                    response = jsonify({'msg': 'Login Successful'})
+                    flash('Logged in successfully!', category='success')
 
-                return redirect(url_for('user_bp.user'))
+                    # set session information
+                    # session['user_id'] = user.id
+                    # session['user_name'] = user.user_name
+                    # session['email'] = user.email
+                    # session['tenant_id'] = user.tenant_id
+                    # session['tenant_name'] = tenant.name
+
+                    # set JWT header information
+                    additional_claims = {'tenant': user.tenant_id,
+                                         'is_super': user.is_super,
+                                         'is_admin': user.is_admin,
+                                         'is_tester': user.is_tester}
+                    access_token = create_access_token(
+                        identity=user.id,
+                        additional_claims=additional_claims)
+                    refresh_token = create_refresh_token(
+                        identity=user.id,
+                        additional_claims=additional_claims)
+                    set_access_cookies(response, access_token)
+                    set_refresh_cookies(response, refresh_token)
+                    response.headers['Location'] = url_for('user_bp.user')
+
+                    return response, 302
+                else:
+                    flash('Incorrect email/password combination, try again.', category='error')
             else:
-                flash('Incorrect password, try again.', category='error')
+                flash('Account disabled. Please contact your administrator.', category='error')
         else:
-            flash('Email does not exist.', category='error')
+            flash('Incorrect email/password combination, try again.', category='error')
 
     form = LoginForm()
     return render_template('login.html', form=form)