diff --git a/lemur/auth/service.py b/lemur/auth/service.py
index 42c68b7b..e42bf543 100644
--- a/lemur/auth/service.py
+++ b/lemur/auth/service.py
@@ -68,7 +68,7 @@ def create_token(user):
 
 def login_required(f):
     """
-    Validates the JWT and ensures that is has not expired.
+    Validates the JWT and ensures that is has not expired and the user is still active.
 
     :param f:
     :return:
@@ -94,7 +94,12 @@ def login_required(f):
         except jwt.InvalidTokenError:
             return dict(message='Token is invalid'), 403
 
-        g.current_user = user_service.get(payload['sub'])
+        user = user_service.get(payload['sub'])
+
+        if not user.active:
+            return dict(message='User is not currently active'), 403
+
+        g.current_user = user
 
         if not g.current_user:
             return dict(message='You are not logged in'), 403
diff --git a/lemur/auth/views.py b/lemur/auth/views.py
index c97043de..6ba81086 100644
--- a/lemur/auth/views.py
+++ b/lemur/auth/views.py
@@ -93,7 +93,7 @@ class Login(Resource):
         else:
             user = user_service.get_by_username(args['username'])
 
-        if user and user.check_password(args['password']):
+        if user and user.check_password(args['password']) and user.active:
             # Tell Flask-Principal the identity changed
             identity_changed.send(current_app._get_current_object(),
                                   identity=Identity(user.id))
@@ -194,6 +194,7 @@ class Ping(Resource):
             roles.append(role)
 
         role = role_service.get_by_name(profile['email'])
+
         if not role:
             role = role_service.create(profile['email'], description='This is a user specific role')
         roles.append(role)
@@ -231,9 +232,14 @@ class Ping(Resource):
             roles
         )
 
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid'), 403
+
         # Tell Flask-Principal the identity changed
         identity_changed.send(current_app._get_current_object(),
                               identity=Identity(user.id))
 
+        metrics.send('successful_login', 'counter', 1)
         return dict(token=create_token(user))
 
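Review bot: The rewritten docstring line keeps the pre-existing typo `that is has not expired`; since the line is already being touched, `Validates the JWT and ensures that it has not expired and that the user is still active.` would fix it. It would also help callers of the decorator to state here that both failures are reported as a 403 response body rather than an exception, which is what the second hunk of this file does.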
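Review bot: `user.active` is evaluated before the `if not g.current_user` check that already guards against a missing user, so a syntactically valid token whose subject no longer exists now raises AttributeError on `user.active` (a 500) instead of the 403 the existing check produces; the existing guard strongly suggests `user_service.get` can return None. Guarding the new check, `if user and not user.active:`, keeps the None path on the original 403. The same ordering problem appears in the `Google` hunk of lemur/auth/views.py (`@@ -272,10 +278,16 @@`), where `if not user.active:` is placed above the `if user:` test. The decorated function this hunk belongs to starts outside the hunk.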
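Review bot: The inactive-user rejection added here answers `403` with `'The supplied credentials are invalid'`, while the equivalent branch in the `Google` hunk of this file answers `401` with `'The supplied credentials are invalid.'`; the two providers should agree on status code and message so the client's error handling (the new 403 interceptor in app.js keys on the status) behaves the same for both. Aligning on one code, e.g. `return dict(message='The supplied credentials are invalid'), 403` in both places, would do it. `user` here comes from the `user_service` call that ends at `roles )` above the added block, and the method itself starts outside the hunk, so whether `user` can be None at this point is not visible from the hunk.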
@@ -272,10 +278,16 @@ class Google(Resource):
 
         user = user_service.get_by_email(profile['email'])
 
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid.'), 401
+
         if user:
             metrics.send('successful_login', 'counter', 1)
             return dict(token=create_token(user))
 
+        metrics.send('invalid_login', 'counter', 1)
+
 
 class Providers(Resource):
     def get(self):
diff --git a/lemur/static/app/angular/app.js b/lemur/static/app/angular/app.js
index 9a22eac9..4308992f 100644
--- a/lemur/static/app/angular/app.js
+++ b/lemur/static/app/angular/app.js
@@ -105,6 +105,15 @@
     RestangularConfigurer.setBaseUrl('http://localhost:8000/api/1');
     RestangularConfigurer.setDefaultHttpFields({withCredentials: true});
 
+    // handle situation where our token has become invalid.
+    RestangularConfigurer.setErrorInterceptor(function (response) {
+      if (response.status === 403) {
+        $auth.logout();
+        $location.path('/login');
+        return false;
+      }
+    });
+
     RestangularConfigurer.addResponseInterceptor(function (data, operation) {
       var extractedData;
 
diff --git a/lemur/static/app/angular/users/view/view.tpl.html b/lemur/static/app/angular/users/view/view.tpl.html
index 239e619a..0b85ea93 100644
--- a/lemur/static/app/angular/users/view/view.tpl.html
+++ b/lemur/static/app/angular/users/view/view.tpl.html
@@ -27,7 +27,7 @@
-
+
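Review bot: The `metrics.send('invalid_login', 'counter', 1)` added after the `if user:` block is the last statement of the method (the hunk shows the class ending right after it), so the unknown-user path records the metric and then falls off the end, returning None, which Flask will not turn into a response. Following it with `return dict(message='The supplied credentials are invalid.'), 401` makes the failure path explicit and matches the response the inactive-user branch above already sends. That branch also needs `user` to be non-None, which the `if user:` test below it suggests is not guaranteed here.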
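Review bot: The error interceptor treats every `403` as a dead session and calls `$auth.logout()`, but the server-side hunks in this commit use `403` for several distinct conditions (invalid token, inactive user, the pre-existing "not logged in"), and if any endpoint also answers `403` for a permission denial on a single resource, an active user without rights to that resource will be logged out and redirected rather than shown the error. Keying the client on an authentication-specific signal would avoid that: either have the server reserve `401` for token/session failures and test `response.status === 401` here, or inspect the response body's `message` before logging out. The `$auth` and `$location` services must be injected into the enclosing config function, which starts outside the hunk; the hunk does not show that injection.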