coto / gae-boilerplate Goto Github PK

Allow users to login to the site via their Facebook account once logged in say they could also then authorise their Third Parties account as a optional login method. This would allow the user to authenticate via any third party but end up with their user account on this site as the end result.

Also is necessary to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.

Requirements:

• If the user login to the website with Twitter, Facebook or Linkedin, and the account is NOT linked to any account on the website. The system has to offer create an account (http://appengine.protoboard.cl/create/)
• If the user login to the website with Twitter, Facebook or Linkedin, and the account is linked to an account. The login process should continue.

There are more information about Login with those services here:

• Simple auth for OAuth 2.0, 1.0 and OpenID: https://groups.google.com/forum/?fromgroups#!topic/webapp2/u-V6fa2Bhx4

It's necessary send this kind of email when the password is changed:

The password for your account - [email protected] - was recently changed.
If you made this change, you don't need to do anything more.

If you didn't change your password, your account might have been hijacked. To
get back into your account, you'll need to reset your password by clicking this
link: https://appengine.protoboard.cl/password-reset/[email protected].

Important account security tips:

• Never give out your password or personal information by email or on social
  networks. We will never contact you to ask you for your password.
• Never use the same password for this site and other websites.

Sincerely,
The Team

override the webapp2_extras.appengine.auth.models.User.create_user() method. More info: http://code.google.com/p/webapp-improved/issues/detail?id=57

We have a language.py where we have to write spanish code encoded (it means that you have to write &aacute instead á), but the problem with the code is that running the code you see the text encode too.

see the code in spanish here

It's necessary use translation (dictionary or i18n lib) for messages in handlers.py like:

• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L86
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L93
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L97
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L108
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L114
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L131
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L133
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L149
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L162
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L167
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L181
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L185
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L228
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L265
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L270
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L288
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L293
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L326
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L331
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L337
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L342
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L362
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L370
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L375
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L417
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L422
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L427
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L446
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L454
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L459
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L488
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L493
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L516
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L520
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L530
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L538
• https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L565

Test these features:

• Register (RegisterHandler)
• Login (LoginHandler)
• Contact (ContactHandler)
• Edit Profile (EditProfileHandler)
• Edit Password (EditPasswordHandler)
• Reset Password (PasswordResetHandler)
• Logout (LogoutHandler)

currently auth_id is username. I believe almost all apps require unique and verified (task #22) email for users whereas only a subset of apps use usernames. Therefore it may be a good idea to change auth_id to email and let users of the boilerplate decide whether username should be required or not (we can default it to required).

I think one of the most common setups is to make email the primary form of authentication and username would act more like a display name for forums, comments etc that other users see. Username would still need to be unique for this scenario but may or may not be required (for instance a user could be anonymous or the app may not need display names). But in almost all cases apps want emails so that they can email users notifications, reset passwords etc. And it can be assumed that there are no users without email.

An additional advantage of this change is that the registration can be made even faster on the home page: only email and password. Usernames can be chosen on the edit profile page later. This is not something everyone will want but it would be a nice option for some users who desire the easiest registration to promote more sign ups.

One question is what is the main identifier for twitter, facebook, linkedin, and google openid logins? ( feature #4 and #55) Is it username or email? I think this would help to drive this decision.

Allow users to login to the site via their LinkedIn account once logged in say they could also then authorise their Third Parties account as a optional login method. This would allow the user to authenticate via any third party but end up with their user account on this site as the end result.

Also is necessary to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.

Requirements:

• If the user login to the website with Twitter, Facebook or Linkedin, and the account is NOT linked to any account on the website. The system has to offer create an account (http://appengine.protoboard.cl/create/)
• If the user login to the website with Twitter, Facebook or Linkedin, and the account is linked to an account. The login process should continue.

There are more information about Login with those services here:

• Simple auth for OAuth 2.0, 1.0 and OpenID: https://groups.google.com/forum/?fromgroups#!topic/webapp2/u-V6fa2Bhx4

Create the view and controller for update user information for registered users

When the user wants to change your password, the system has to ask for password in order to made the change

https://developers.google.com/appengine/articles/openid#ui

(note that the other 3: facebook, twitter, and linkedin are oauth and are covered by other issues)

Currently we use SHA512 which is excellent but a user noted that bcrypt might be even better (see http://stackoverflow.com/questions/11458969/google-app-engine-choosing-the-right-direction/11496978#11496978). @coto have you looked at bcrypt? I've seen that it is much stronger but also much slower (see http://stackoverflow.com/questions/11393564/bcrypt-in-python).

Note rather than replacing SHA512 we could add it as an option to the encrypt utility function if its an easy option.

i'm seeing that when logging in with correct credentials from the homepage, the user is taken to the login page and wtforms displays that credentials are missing and need to be filled in again. somehow wtforms is not recognizing the credentials we are sending from the homepage. This is probably a minor issue. Is anyone else experiencing this?

Create a page that only admins can access that enables admins to view the visitors log, organize user accounts (view and delete users). Most importantly this will provide an example of how to create admin only areas and mark users as admins.

Here is the controller to Reset Password https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L36

It has to send an email with a link with a token, this link has to send to this controller https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L63 , match the new password and store on the datastore

Today is ready the feature to update user profile (User Kind on datastore), but when the user update the username or email (unique_properties for the user), the "Unique" kind on datastore is not updated.

Here is the Edit Profile Handler:
https://github.com/coto/gae-boilerplate/blob/master/web/handlers.py#L381

Here is the Edit Profile sample:
http://appengine.beecoss.com/settings/profile (you have to be logged)

When you force a 404 error, there are a TemplateNotFound, here is the log

errors/default_error.html
Traceback (most recent call last):
File "/base/python27_runtime/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1536, in call
rv = self.handle_exception(request, response, e)
File "/base/python27_runtime/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1596, in handle_exception
return handler(request, response, e)
File "/base/data/home/apps/s~sandengine/latest.360189283466406656/main.py", line 28, in handle_404
t = jinja2.get_jinja2(app=app).render_template(template, **c)
File "/base/python27_runtime/python27_lib/versions/third_party/webapp2-2.5.1/webapp2_extras/jinja2.py", line 158, in render_template
return self.environment.get_template(_filename).render(**context)
File "/base/python27_runtime/python27_lib/versions/third_party/jinja2-2.6/jinja2/environment.py", line 719, in get_template
return self._load_template(name, self.make_globals(globals))
File "/base/python27_runtime/python27_lib/versions/third_party/jinja2-2.6/jinja2/environment.py", line 693, in _load_template
template = self.loader.load(self, name, globals)
File "/base/python27_runtime/python27_lib/versions/third_party/jinja2-2.6/jinja2/loaders.py", line 115, in load
source, filename, uptodate = self.get_source(environment, name)
File "/base/python27_runtime/python27_lib/versions/third_party/jinja2-2.6/jinja2/loaders.py", line 180, in get_source
raise TemplateNotFound(template)
TemplateNotFound: errors/default_error.html

If the very first request results in 404 any subsequent requests to home page fails with exception: UndefinedError: 'str' is undefined. This can be seen both with SDK Server and Appengine.

The issue is caused by the error handler initializing jinja2 without the factory used in BaseHandler.

replace manual validation contained in controllers with wtforms

after choose any language, always the new url is http://DOMAIN/OLD_URL/?&hl=NEW_LANGUAGE,

but what happen when the OLD_URL has other parameters before?

I will try to use only links instead a list

We will continue using Bootstrap, but some people said would be better remove this page from boilerplate because all of them have to do it too

ssl using appspot is free.

custom domain ssl is in test mode by google.

would it be possible to cut out the oauth code using google's hosting of the code: https://developers.google.com/appengine/docs/python/oauth/overview

Note we need to check if this is oauth or oauth2. Also if we can use this then we may not need httplib2. we should also check if this idea supports https.

Move external libraries like:

• Babel
• pytz
• wtforms

into one folder (external)

I think is time to launch version 2.0 stable, I'd like to have your opinions @peta15 @sergue1 @pmanacas

observation: user can only login with username. logging via email does not work
cause: auth_id set to username so email is not a valid auth_id
solution: either remove the text on the boilerplate that indicates that user can "Enter your Username or Email" and replace with "Enter your Username" or add email as an auth_id

i18n.py can be cleaned up:

• remove AVAILABLE_LOCALES and LANGUAGES arrays. replace with logic provided by Babel that automatically detects available locales and provides locale display names (Locale.display_name, Locale.default) http://packages.python.org/Babel/display.html, http://packages.python.org/Babel/api/babel.core.Locale-class.html
• simplify or remove accept header parsing code by using Babel provided logic (Locale.parse, Locale.negotiate) and use these methods instead of checking AVAILABLE_LOCALES in our set_locale method. catch the UnknownLocaleError to automatically check available locales (i believe this exception is thrown when locale data is not found in our locale folders matching the locale code given.
• point users to docs for picking language/locale identifiers: http://cldr.unicode.org/index/cldr-spec/picking-the-right-language-code, http://www.sil.org/iso639-3/codes.asp
• change selection of locales list in base.html into a loop that runs over locales and their display names via Locale.display_name

both jquery validation and wtforms require fixes for translation to function.

related stack overflow query: http://stackoverflow.com/questions/11425042/lazy-gettext-error-on-google-app-engine-with-python-webapp2-babel

add login and logout buttons on top bar (example: http://duolingo.com/)

Right now, the app.yaml specifies "latest" for the webapp2 version. For a produciton app, this is bad practice since newer library versions will be added in future releases which may not be 100% backwards compatible. Currently, the only webapp2 version available is "2.3" so that should be specified in the app.yaml file. For reference, you can see which versions of a library exist by looking for the SUPPORTED_LIBRARIES dict in google/appengine/api/appinfo.py in the SDK.

cross site request forgery and other security measures should be implemented as seen in http://guides.rubyonrails.org/security.html

in the menu has to appear for spanish:
English - Inglés
Italian - Italiano
Chinese - 简体中文

where the second word never change when the user choose another language

The code is commented in order to have a functional version for now

https://github.com/coto/gae-boilerplate/blob/master/templates/boilerplate_register.html#L36

Allow users to login to the site via their Twitter account once logged in say they could also then authorise their Third Parties account as a optional login method. This would allow the user to authenticate via any third party but end up with their user account on this site as the end result.

Also is necessary to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.

Requirements:

• If the user login to the website with Twitter, Facebook or Linkedin, and the account is NOT linked to any account on the website. The system has to offer create an account (http://appengine.protoboard.cl/create/)
• If the user login to the website with Twitter, Facebook or Linkedin, and the account is linked to an account. The login process should continue.

There are more information about Login with those services here:

• Simple auth for OAuth 2.0, 1.0 and OpenID: https://groups.google.com/forum/?fromgroups#!topic/webapp2/u-V6fa2Bhx4