forks/microblog.pub
1
0
Fork 1
mirror of https://git.sr.ht/~tsileo/microblog.pub synced 2024-11-15 03:04:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix auth in some endpoint

Browse source
This commit is contained in:
Thomas Sileo 2018-05-21 14:30:52 +02:00
parent 95f6b5e214
commit dc9df98084
1 changed files with 25 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
app.py
View file

@ -178,23 +178,25 @@ def login_required(f):
return f(*args, **kwargs) return f(*args, **kwargs)
return decorated_function return decorated_function
def _api_required():
def api_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if session.get('logged_in'): if session.get('logged_in'):
return f(*args, **kwargs) return
# Token verification # Token verification
token = request.headers.get('Authorization', '').replace('Bearer ', '') token = request.headers.get('Authorization', '').replace('Bearer ', '')
if not token: if not token:
token = request.form.get('access_token', '') token = request.form.get('access_token', '')
try: # Will raise a BadSignature on bad auth
payload = JWT.loads(token) payload = JWT.loads(token)
# TODO(tsileo): log payload def api_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
try:
_api_required()
except BadSignature: except BadSignature:
abort(401) abort(401)
return f(*args, **kwargs) return f(*args, **kwargs)
return decorated_function return decorated_function
@ -434,7 +436,11 @@ def outbox():
)) ))
# Handle POST request # Handle POST request
# FIXME(tsileo): check auth try:
_api_required()
except BadSignature:
abort(401)
data = request.get_json(force=True) data = request.get_json(force=True)
print(data) print(data)
activity = activitypub.parse_activity(data) activity = activitypub.parse_activity(data)
@ -653,14 +659,18 @@ def inbox():
if request.method == 'GET': if request.method == 'GET':
if not is_api_request(): if not is_api_request():
abort(404) abort(404)
# TODO(tsileo): handle auth and only return 404 if unauthenticated try:
# abort(404) _api_required()
except BadSignature:
abort(404)
return jsonify(**activitypub.build_ordered_collection( return jsonify(**activitypub.build_ordered_collection(
DB.inbox, DB.inbox,
q={'meta.deleted': False}, q={'meta.deleted': False},
cursor=request.args.get('cursor'), cursor=request.args.get('cursor'),
map_func=lambda doc: doc['activity'], map_func=lambda doc: doc['activity'],
)) ))
data = request.get_json(force=True) data = request.get_json(force=True)
# FIXME(tsileo): ensure verify_request() == True # FIXME(tsileo): ensure verify_request() == True
print(data) print(data)