Is787/invitation update (#834)

Improvements on #787 

- invitation **gets deleted upon ONE use or expiration (5 days)**
- moved portal demo scripts from ``services/web/server/tests/sandbox`` ==> [scripts/demo](scripts/demo)
- create demo markdown and csv file with invitation codes

- bit of cleanup refactoring in login subsytem
- updated tests
- doc and logs
- Aiohttp server Background task loop deprecated

Author: pcrespov

scripts/demo/portal_markdown.md

@@ -51,4 +51,3 @@ This pages is for testing purposes for issue [#715](https://github.com/ITISFound
 - [weedI0YvR6tMA7XEpaxgJZT2Z8SCUy](https://staging.osparc.io/#/registration/?invitation=weedI0YvR6tMA7XEpaxgJZT2Z8SCUy)
 - [Q9m5C98ALYZDr1BjilkaaXWSMKxU21](https://staging.osparc.io/#/registration/?invitation=Q9m5C98ALYZDr1BjilkaaXWSMKxU21)
 - [jvhSQfoAAfin4htKgvvRYi3pkYdPhM](https://staging.osparc.io/#/registration/?invitation=jvhSQfoAAfin4htKgvvRYi3pkYdPhM)
-

services/web/server/src/simcore_service_webserver/login/__init__.py

@@ -8,11 +8,13 @@
 
 import asyncpg
 from aiohttp import web
+
 from servicelib.application_keys import APP_CONFIG_KEY
 
 from ..db import DSN
 from ..db_config import CONFIG_SECTION_NAME as DB_SECTION
 from ..email_config import CONFIG_SECTION_NAME as SMTP_SECTION
+from ..rest_config import CONFIG_SECTION_NAME as REST_SECTION
 from ..rest_config import APP_OPENAPI_SPECS_KEY
 from ..statics import INDEX_RESOURCE_NAME
 from .cfg import APP_LOGIN_CONFIG, cfg
@@ -37,7 +39,7 @@ async def _setup_config_and_pgpool(app: web.Application):
     db_cfg = app[APP_CONFIG_KEY][DB_SECTION]['postgres']
 
     # db
-    pool = await asyncpg.create_pool(dsn=DSN.format(**db_cfg), loop=app.loop)
+    pool = await asyncpg.create_pool(dsn=DSN.format(**db_cfg), loop=asyncio.get_event_loop())
     storage = AsyncpgStorage(pool) #NOTE: this key belongs to cfg, not settings!
 
     # config
@@ -64,7 +66,7 @@ async def _setup_config_and_pgpool(app: web.Application):
     yield
 
     try:
-        await asyncio.wait_for( pool.close(), timeout=TIMEOUT_SECS, loop=app.loop)
+        await asyncio.wait_for( pool.close(), timeout=TIMEOUT_SECS)
     except asyncio.TimeoutError:
         log.exception("Failed to close login storage loop")
 
@@ -79,7 +81,7 @@ def setup(app: web.Application):
 
     log.debug("Setting up %s ...", __name__)
 
-    # TODO: requires rest ready!
+    assert REST_SECTION in app[APP_CONFIG_KEY]
     assert SMTP_SECTION in app[APP_CONFIG_KEY]
     assert DB_SECTION in app[APP_CONFIG_KEY]
 

services/web/server/src/simcore_service_webserver/login/confirmation.py

@@ -0,0 +1,62 @@
+""" Confirmation codes/tokens tools
+
+    Codes are inserted in confirmation tables and they are associated to a user and an action
+    Used to validate some action (e.g. register, invitation, etc)
+    Codes can be used one time
+    Codes have expiration date (duration time is configurable)
+"""
+import logging
+from datetime import datetime, timedelta
+
+from ..db_models import ConfirmationAction
+from .cfg import cfg
+
+log = logging.getLogger(__name__)
+
+async def validate_confirmation_code(code, db):
+    confirmation = await db.get_confirmation({'code': code})
+    if confirmation and is_confirmation_expired(confirmation):
+        log.info("Confirmation code '%s' %s. Deleting ...", code,
+            "consumed" if confirmation else "expired")
+        await db.delete_confirmation(confirmation)
+        confirmation = None
+    return confirmation
+
+
+async def make_confirmation_link(request, confirmation):
+    link = request.app.router['auth_confirmation'].url_for(code=confirmation['code'])
+    return '{}://{}{}'.format(request.scheme, request.host, link)
+
+
+def get_expiration_date(confirmation):
+    lifetime = get_confirmation_lifetime(confirmation)
+    estimated_expiration = confirmation['created_at'] + lifetime
+    return estimated_expiration
+
+
+async def is_confirmation_allowed(user, action):
+    db = cfg.STORAGE
+    confirmation = await db.get_confirmation({'user': user, 'action': action})
+    if not confirmation:
+        return True
+    if is_confirmation_expired(confirmation):
+        await db.delete_confirmation(confirmation)
+        return True
+
+
+def is_confirmation_expired(confirmation):
+    age = datetime.utcnow() - confirmation['created_at']
+    lifetime = get_confirmation_lifetime(confirmation)
+    return age > lifetime
+
+
+def get_confirmation_lifetime(confirmation):
+    lifetime_days = cfg['{}_CONFIRMATION_LIFETIME'.format(
+        confirmation['action'].upper())]
+    lifetime = timedelta(days=lifetime_days)
+    return lifetime
+
+
+__all__ = (
+    "ConfirmationAction",
+)

services/web/server/src/simcore_service_webserver/login/handlers.py

@@ -1,21 +1,20 @@
 import logging
 
-import attr
 import passwordmeter
 from aiohttp import web
 from yarl import URL
 
-from servicelib.rest_models import LogMessageType
 from servicelib.rest_utils import extract_and_validate
 
 from ..db_models import ConfirmationAction, UserRole, UserStatus
 from ..security_api import check_password, encrypt_password, forget, remember
 from .cfg import APP_LOGIN_CONFIG, cfg, get_storage
 from .config import get_login_config
+from .confirmation import (is_confirmation_allowed, make_confirmation_link,
+                            validate_confirmation_code)
 from .decorators import RQT_USERID_KEY, login_required
-from .storage import AsyncpgStorage
-from .utils import (common_themed, get_client_ip, is_confirmation_allowed,
-                    is_confirmation_expired, make_confirmation_link,
+from .registration import check_invitation, check_registration
+from .utils import (common_themed, flash_response, get_client_ip,
                     render_and_send_mail, themed)
 
  # FIXME: do not use cfg singleton. use instead cfg = request.app[APP_LOGIN_CONFIG]
@@ -410,62 +409,3 @@ async def check_password_strength(request: web.Request):
     if improvements:
         data['improvements'] = improvements
     return data
-
-
-
-# helpers -----------------------------------------------------------------
-async def check_invitation(invitation:str, db):
-    confirmation = await validate_confirmation_code(invitation, db)
-    if confirmation is None:
-        raise web.HTTPForbidden(reason="Request requires invitation or invitation expired")
-
-
-async def validate_confirmation_code(code, db):
-    confirmation = await db.get_confirmation({'code': code})
-    if confirmation and is_confirmation_expired(confirmation):
-        await db.delete_confirmation(confirmation)
-        confirmation = None
-    return confirmation
-
-
-def flash_response(msg: str, level: str="INFO"):
-    response = web.json_response(data={
-        'data': attr.asdict(LogMessageType(msg, level)),
-        'error': None
-    })
-    return response
-
-
-async def check_registration(email: str, password: str, confirm: str, db: AsyncpgStorage):
-    # email : required & formats
-    # password: required & secure[min length, ...]
-
-    # If the email field is missing, return a 400 - HTTPBadRequest
-    if email is None or password is None:
-        raise web.HTTPBadRequest(reason="Email and password required",
-                                    content_type='application/json')
-
-    if confirm and password != confirm:
-        raise web.HTTPConflict(reason=cfg.MSG_PASSWORD_MISMATCH,
-                               content_type='application/json')
-
-    # TODO: If the email field isn’t a valid email, return a 422 - HTTPUnprocessableEntity
-    # TODO: If the password field is too short, return a 422 - HTTPUnprocessableEntity
-    # TODO: use passwordmeter to enforce good passwords, but first create helper in front-end
-
-    user = await db.get_user({'email': email})
-    if user:
-        # Resets pending confirmation if re-registers?
-        if user['status'] == CONFIRMATION_PENDING:
-            _confirmation = await db.get_confirmation({'user': user, 'action': REGISTRATION})
-
-            if is_confirmation_expired(_confirmation):
-                await db.delete_confirmation(_confirmation)
-                await db.delete_user(user)
-                return
-
-        # If the email is already taken, return a 409 - HTTPConflict
-        raise web.HTTPConflict(reason=cfg.MSG_EMAIL_EXISTS,
-                               content_type='application/json')
-
-    log.debug("Registration data validated")

services/web/server/src/simcore_service_webserver/login/registration.py

@@ -1,20 +1,63 @@
 """ Core functionality and tools for user's registration
 
-
+    - registration code
+    - invitation code
 """
-# TODO: Move handlers.check_registration  and other utils related with registration here
 import json
 import logging
+from pprint import pformat
+from typing import Dict
 
+from aiohttp import web
 from yarl import URL
 
-from ..db_models import ConfirmationAction
+from ..db_models import UserStatus
+from .cfg import cfg
+from .confirmation import (ConfirmationAction, get_expiration_date,
+                           is_confirmation_expired, validate_confirmation_code)
 from .storage import AsyncpgStorage
-from .utils import get_expiration_date
 
 log = logging.getLogger(__name__)
 
-async def create_invitation(host, guest, db:AsyncpgStorage):
+
+async def check_registration(email: str, password: str, confirm: str, db: AsyncpgStorage):
+    # email : required & formats
+    # password: required & secure[min length, ...]
+
+    # If the email field is missing, return a 400 - HTTPBadRequest
+    if email is None or password is None:
+        raise web.HTTPBadRequest(reason="Email and password required",
+                                    content_type='application/json')
+
+    if confirm and password != confirm:
+        raise web.HTTPConflict(reason=cfg.MSG_PASSWORD_MISMATCH,
+                               content_type='application/json')
+
+    # TODO: If the email field isn’t a valid email, return a 422 - HTTPUnprocessableEntity
+    # TODO: If the password field is too short, return a 422 - HTTPUnprocessableEntity
+    # TODO: use passwordmeter to enforce good passwords, but first create helper in front-end
+
+    user = await db.get_user({'email': email})
+    if user:
+        # Resets pending confirmation if re-registers?
+        if user['status'] == UserStatus.CONFIRMATION_PENDING.value:
+            _confirmation = await db.get_confirmation({
+                'user': user,
+                'action': ConfirmationAction.REGISTRATION.value
+            })
+
+            if is_confirmation_expired(_confirmation):
+                await db.delete_confirmation(_confirmation)
+                await db.delete_user(user)
+                return
+
+        # If the email is already taken, return a 409 - HTTPConflict
+        raise web.HTTPConflict(reason=cfg.MSG_EMAIL_EXISTS,
+                               content_type='application/json')
+
+    log.debug("Registration data validated")
+
+async def create_invitation(host:Dict, guest:str, db:AsyncpgStorage):
     """ Creates an invitation token for a guest to register in the platform
 
         Creates and injects an invitation token in the confirmation table associated
@@ -34,10 +77,22 @@ async def create_invitation(host, guest, db:AsyncpgStorage):
     )
     return confirmation
 
+async def check_invitation(invitation:str, db):
+    confirmation = None
+    if invitation:
+        confirmation = await validate_confirmation_code(invitation, db)
 
-def get_confirmation_info(confirmation):
-    info = confirmation
+    if confirmation:
+        #FIXME: check if action=invitation??
+        log.info("Invitation code used. Deleting %s", pformat(get_confirmation_info(confirmation)))
+        await db.delete_confirmation(confirmation)
+    else:
+        raise web.HTTPForbidden(reason=("Invalid invitation code."
+                                        "Your invitation was already used or might have expired."
+                                        "Please contact our support team to get a new one.") )
 
+def get_confirmation_info(confirmation):
+    info = dict(confirmation)
     # data column is a string
     try:
         info['data'] = json.loads(confirmation['data'])
@@ -52,7 +107,6 @@ def get_confirmation_info(confirmation):
 
     return info
 
-
 def get_invitation_url(confirmation, origin: URL=None) -> URL:
     code = confirmation['code']
     assert confirmation['action'] == ConfirmationAction.INVITATION.name

services/web/server/src/simcore_service_webserver/login/utils.py

@@ -1,14 +1,18 @@
 import random
 import string
-from datetime import datetime, timedelta
+
 from email.mime.text import MIMEText
 from logging import getLogger
 from os.path import join
 
 import aiosmtplib
+import attr
 import passlib.hash
+from aiohttp import web
 from aiohttp_jinja2 import render_string
 
+from servicelib.rest_models import LogMessageType
+
 from ..resources import resources
 from .cfg import cfg  # TODO: remove this singleton!!!
 
@@ -33,40 +37,6 @@ def get_random_string(min_len, max_len=None):
     return ''.join(random.choice(CHARS) for x in range(size))
 
 
-async def make_confirmation_link(request, confirmation):
-    link = request.app.router['auth_confirmation'].url_for(code=confirmation['code'])
-    return '{}://{}{}'.format(request.scheme, request.host, link)
-
-
-async def is_confirmation_allowed(user, action):
-    db = cfg.STORAGE
-    confirmation = await db.get_confirmation({'user': user, 'action': action})
-    if not confirmation:
-        return True
-    if is_confirmation_expired(confirmation):
-        await db.delete_confirmation(confirmation)
-        return True
-
-
-def is_confirmation_expired(confirmation):
-    age = datetime.utcnow() - confirmation['created_at']
-    lifetime = get_confirmation_lifetime(confirmation)
-    return age > lifetime
-
-
-def get_confirmation_lifetime(confirmation):
-    lifetime_days = cfg['{}_CONFIRMATION_LIFETIME'.format(
-        confirmation['action'].upper())]
-    lifetime = timedelta(days=lifetime_days)
-    return lifetime
-
-
-def get_expiration_date(confirmation):
-    lifetime = get_confirmation_lifetime(confirmation)
-    estimated_expiration = confirmation['created_at'] + lifetime
-    return estimated_expiration
-
-
 def get_client_ip(request):
     try:
         ips = request.headers['X-Forwarded-For']
@@ -118,3 +88,10 @@ def themed(template):
 
 def common_themed(template):
     return resources.get_path(join(cfg.COMMON_THEME, template))
+
+def flash_response(msg: str, level: str="INFO"):
+    response = web.json_response(data={
+        'data': attr.asdict(LogMessageType(msg, level)),
+        'error': None
+    })
+    return response

services/web/server/src/simcore_service_webserver/storage.py

@@ -17,7 +17,7 @@
 
 async def storage_client_ctx(app: web.Application):
     # TODO: deduce base url from configuration and add to session
-    async with ClientSession(loop=app.loop) as session: # TODO: check if should keep webserver->storage session?
+    async with ClientSession() as session: # TODO: check if should keep webserver->storage session?
         app[APP_STORAGE_SESSION_KEY] = session
         yield
 

services/web/server/tests/helpers/utils_login.py

@@ -104,4 +104,5 @@ async def __aenter__(self):
         return self.confirmation
 
     async def __aexit__(self, *args):
-        await self.db.delete_confirmation(self.confirmation)
+        if await self.db.get_confirmation(self.confirmation):
+            await self.db.delete_confirmation(self.confirmation)

services/web/server/tests/unit/with_postgres/test_registration.py

@@ -153,6 +153,10 @@ async def test_registration_with_invitation(client, is_invitation_required, has_
             })
             await assert_status(r, expected_response)
 
+        if is_invitation_required and has_valid_invitation:
+            db = get_storage(client.app)
+            assert not await db.get_confirmation(confirmation)
+
 
 if __name__ == '__main__':
     pytest.main([__file__, '--maxfail=1'])