

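# Fixed double-submit CSRF value. The form field and the cookie only have to
# agree with each other for this scripted login, so an opaque constant is
# sufficient; it carries no secret.
_CSRF_TOKEN = 'this-is-our-session'

# Upper bound (seconds) for each HTTP round-trip to the auth backend. Without
# a timeout a hung backend pins the Apache worker running this handler.
_AUTH_TIMEOUT = 10

# Length of the TOTP code expected to be appended to the password for 2FA.
_TOTP_CODE_LEN = 6


def _scrape_login_form(auth_form_url):
    """Fetch Allura's login form and pull out the anti-spam field names/values.

    Returns a dict with keys ``username_field``, ``password_field``,
    ``spinner``, ``timestamp``, ``honey1_field`` and ``honey2_field``, or
    ``None`` when the page does not contain every expected input (backend
    error page, changed form layout, regex miss).  TLS verification is left
    at the ``requests`` default (enabled).
    """
    page = requests.get(auth_form_url, allow_redirects=False,
                        timeout=_AUTH_TIMEOUT).text
    input_tags = re.findall(r'(<input.*?>)', page, re.I)
    re_name = re.compile(r''' name=["']?(.*?)["' />]''')
    re_value = re.compile(r''' value=["']?(.*?)["' />]''')
    form = {}
    try:
        for i, tag in enumerate(input_tags):
            if 'password' in tag:
                form['password_field'] = re_name.search(tag).group(1)
                # the username input is assumed to directly precede the
                # password input in the form
                form['username_field'] = re_name.search(input_tags[i - 1]).group(1)
            if 'spinner' in tag:
                form['spinner'] = re_value.search(tag).group(1)
                # the two honeypot inputs are assumed to directly follow the
                # spinner input
                form['honey1_field'] = re_name.search(input_tags[i + 1]).group(1)
                form['honey2_field'] = re_name.search(input_tags[i + 2]).group(1)
            if 'timestamp' in tag:
                form['timestamp'] = re_value.search(tag).group(1)
    except (AttributeError, IndexError):
        # .search() returned None, or a neighbouring input does not exist
        return None
    required = ('username_field', 'password_field', 'spinner', 'timestamp',
                'honey1_field', 'honey2_field')
    if any(key not in form for key in required):
        return None
    return form


def _login_form_data(form, username, password):
    """Build the POST body for Allura's ``do_login`` from the scraped form."""
    return {
        form['username_field']: username,
        form['password_field']: password,
        'timestamp': form['timestamp'],
        'spinner': form['spinner'],
        form['honey1_field']: '',
        form['honey2_field']: '',
        'return_to': '/login_successful',
        '_csrf_token': _CSRF_TOKEN,
    }


def _redirects_to(response, suffix):
    """True when *response* is a 302 whose Location header ends with *suffix*.

    A 302 without a Location header is treated as a failure rather than
    raising ``KeyError``.
    """
    return (response.status_code == 302
            and response.headers.get('location', '').endswith(suffix))


def check_authentication(req):
    """Validate the request's HTTP Basic credentials against Allura's login.

    ``req`` is the Apache request object (``req.get_basic_auth_pw()``,
    ``req.user``, ``req.get_options()`` are the only members used).  The
    backend login URL comes from the ``ALLURA_AUTH_URL`` handler option,
    defaulting to ``https://127.0.0.1/auth/do_login``.

    Flow:
      1. Scrape the login form to satisfy Allura's anti-spam protection
         (spinner/timestamp values, honeypot field names).
      2. POST username + full password to ``do_login``; a 302 to
         ``/login_successful`` means success.
      3. Otherwise assume 2FA: the last six characters of the supplied
         password are taken as the TOTP code, the rest as the password, and
         the login is retried inside one ``requests.Session`` so the session
         cookie carries over to ``do_multifactor``.

    Returns True on success, False on any failure (bad credentials, login
    form could not be parsed, unexpected backend response) -- i.e. fails
    closed.

    Raises ``RateLimitExceeded`` when the multifactor step reports
    'rate limit exceeded'.  ``requests`` exceptions (connection errors,
    timeouts) propagate to the caller.

    Security notes: only the username is logged, never the password.  A
    failed attempt with a password longer than six characters produces two
    ``do_login`` requests at the backend (full password, then password minus
    the last six characters), which presumably counts twice against Allura's
    login rate limiting -- TODO confirm against the backend.  The second
    attempt reuses the same scraped spinner/timestamp values; whether the
    backend accepts that reuse is not visible from here.
    """
    password = req.get_basic_auth_pw()  # MUST be called before req.user
    username = req.user
    log(req, "checking auth for: %s" % username)
    if not username or not password:
        return False
    auth_url = req.get_options().get('ALLURA_AUTH_URL', 'https://127.0.0.1/auth/do_login')

    # work through our own Antispam protection
    form = _scrape_login_form(auth_url.replace('/do_login', '/'))
    if form is None:
        # fail closed rather than raise NameError/AttributeError mid-login
        log(req, 'could not parse login form while checking auth for: %s' % username)
        return False
    csrf_cookie = {'_csrf_token': _CSRF_TOKEN}

    r = requests.post(auth_url, allow_redirects=False,
                      data=_login_form_data(form, username, password),
                      cookies=csrf_cookie, timeout=_AUTH_TIMEOUT)
    if _redirects_to(r, '/login_successful'):
        return True

    # try 2FA: the TOTP code is expected to be appended to the password.  A
    # password that is not longer than the code cannot yield a non-empty
    # password after the split, so skip the doomed backend round-trips.
    if len(password) <= _TOTP_CODE_LEN:
        return False
    password, code = password[:-_TOTP_CODE_LEN], password[-_TOTP_CODE_LEN:]
    log(req, 'trying multifactor for user: %s' % username)
    sess = requests.Session()  # keeps the login session cookie for do_multifactor
    r = sess.post(auth_url, allow_redirects=False,
                  data=_login_form_data(form, username, password),
                  cookies=csrf_cookie, timeout=_AUTH_TIMEOUT)
    if not (r.status_code == 302
            and '/auth/multifactor' in r.headers.get('location', '')):
        return False
    multifactor_url = auth_url.replace('do_login', 'do_multifactor')
    r = sess.post(multifactor_url, allow_redirects=False, data={
        'mode': 'totp',
        'code': code,
        'return_to': '/login_successful',
        '_csrf_token': _CSRF_TOKEN,
    }, cookies=csrf_cookie, timeout=_AUTH_TIMEOUT)
    if _redirects_to(r, '/login_successful'):
        return True
    if 'rate limit exceeded' in r.text:
        raise RateLimitExceeded()
    return False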