created a check_login_simple function

cherry-picked from rodney757, fixed few conflicts due to
out of order cherry-picking. Thanks to rodney757 for making
my idea even better.

mediagoblin/auth/tools.py

@@ -14,13 +14,20 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import logging
+
 import wtforms
+from sqlalchemy import or_
 
 from mediagoblin import mg_globals
+from mediagoblin.auth import lib as auth_lib
+from mediagoblin.db.models import User
 from mediagoblin.tools.mail import normalize_email, send_email
 from mediagoblin.tools.template import render_template
 from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
 
+_log = logging.getLogger(__name__)
+
 
 def normalize_user_or_email_field(allow_email=True, allow_user=True):
     """
@@ -85,3 +92,19 @@ def send_verification_email(user, request):
         # example "GNU MediaGoblin @ Wandborg - [...]".
         'GNU MediaGoblin - Verify your email!',
         rendered_email)
+
+
+def check_login_simple(username, password, username_might_be_email=False):
+    search = (User.username == username)
+    if username_might_be_email and ('@' in username):
+        search = or_(search, User.email == username)
+    user = User.query.filter(search).first()
+    if not user:
+        _log.info("User %r not found", username)
+        auth_lib.fake_login_attempt()
+        return None
+    if not auth_lib.bcrypt_check_password(password, user.pw_hash):
+        _log.warn("Wrong password for %r", username)
+        return None
+    _log.info("Logging %r in", username)
+    return user

mediagoblin/auth/views.py

@@ -25,8 +25,8 @@ from mediagoblin.tools.mail import email_debug_message
 from mediagoblin.auth import lib as auth_lib
 from mediagoblin.auth import forms as auth_forms
 from mediagoblin.auth.lib import send_fp_verification_email
-from mediagoblin.auth.tools import send_verification_email
+from mediagoblin.auth.tools import (send_verification_email,
-from sqlalchemy import or_
+                                    check_login_simple)
 
 
 def register(request):
@@ -106,14 +106,9 @@ def login(request):
         username = login_form.data['username']
 
         if login_form.validate():
-            user = User.query.filter(
+            user = check_login_simple(username, login_form.password.data, True)
-                or_(
-                    User.username == username,
-                    User.email == username,
 
-                )).first()
+            if user:
-
-            if user and user.check_login(login_form.password.data):
                 # set up login in session
                 request.session['user_id'] = unicode(user.id)
                 request.session.save()
@@ -123,10 +118,6 @@ def login(request):
                 else:
                     return redirect(request, "index")
 
-            # Some failure during login occured if we are here!
-            # Prevent detecting who's on this system by testing login
-            # attempt timings
-            auth_lib.fake_login_attempt()
             login_failed = True
 
     return render_to_response(

mediagoblin/db/mixin.py

@@ -34,7 +34,6 @@ import datetime
 from werkzeug.utils import cached_property
 
 from mediagoblin import mg_globals
-from mediagoblin.auth import lib as auth_lib
 from mediagoblin.media_types import get_media_managers, FileTypeNotSupported
 from mediagoblin.tools import common, licenses
 from mediagoblin.tools.text import cleaned_markdown_conversion
@@ -42,13 +41,6 @@ from mediagoblin.tools.url import slugify
 
 
 class UserMixin(object):
-    def check_login(self, password):
-        """
-        See if a user can login with this password
-        """
-        return auth_lib.bcrypt_check_password(
-            password, self.pw_hash)
-
     @property
     def bio_html(self):
         return cleaned_markdown_conversion(self.bio)

mediagoblin/plugins/httpapiauth/__init__.py

@@ -18,6 +18,7 @@ import logging
 
 from werkzeug.exceptions import Unauthorized
 
+from mediagoblin.auth.tools import check_login_simple
 from mediagoblin.plugins.api.tools import Auth
 
 _log = logging.getLogger(__name__)
@@ -39,10 +40,10 @@ class HTTPAuth(Auth):
         if not request.authorization:
             return False
 
-        user = request.db.User.query.filter_by(
+        user = check_login_simple(unicode(request.authorization['username']),
-                username=unicode(request.authorization['username'])).first()
+                                  request.authorization['password'])
 
-        if user.check_login(request.authorization['password']):
+        if user:
             request.user = user
             return True
         else:

mediagoblin/plugins/piwigo/views.py

@@ -23,7 +23,7 @@ from werkzeug.exceptions import MethodNotAllowed, BadRequest, NotImplemented
 from werkzeug.wrappers import BaseResponse
 
 from mediagoblin.meddleware.csrf import csrf_exempt
-from mediagoblin.auth.lib import fake_login_attempt
+from mediagoblin.auth.tools import check_login_simple
 from mediagoblin.media_types import sniff_media
 from mediagoblin.submit.lib import check_file_field, prepare_queue_task, \
     run_process_media, new_upload_entry
@@ -43,15 +43,9 @@ _log = logging.getLogger(__name__)
 def pwg_login(request):
     username = request.form.get("username")
     password = request.form.get("password")
-    user = request.db.User.query.filter_by(username=username).first()
+    user = check_login_simple(username, password)
     if not user:
-        _log.info("User %r not found", username)
-        fake_login_attempt()
         return PwgError(999, 'Invalid username/password')
-    if not user.check_login(password):
-        _log.warn("Wrong password for %r", username)
-        return PwgError(999, 'Invalid username/password')
-    _log.info("Logging %r in", username)
     request.session["user_id"] = user.id
     request.session.save()
     return True
@@ -126,7 +120,7 @@ def pwg_images_addSimple(request):
     dump = []
     for f in form:
         dump.append("%s=%r" % (f.name, f.data))
-    _log.info("addSimple: %r %s %r", request.form, " ".join(dump), 
+    _log.info("addSimple: %r %s %r", request.form, " ".join(dump),
               request.files)
 
     if not check_file_field(request, 'image'):