Fix auth in some endpoint
parent
95f6b5e214
commit
dc9df98084
1 changed files with 25 additions and 15 deletions
40
app.py
40
app.py
|
@ -178,24 +178,26 @@ def login_required(f):
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
return decorated_function
|
return decorated_function
|
||||||
|
|
||||||
|
def _api_required():
|
||||||
|
if session.get('logged_in'):
|
||||||
|
return
|
||||||
|
|
||||||
def api_required(f):
|
# Token verification
|
||||||
|
token = request.headers.get('Authorization', '').replace('Bearer ', '')
|
||||||
|
if not token:
|
||||||
|
token = request.form.get('access_token', '')
|
||||||
|
|
||||||
|
# Will raise a BadSignature on bad auth
|
||||||
|
payload = JWT.loads(token)
|
||||||
|
def api_required(f):
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
def decorated_function(*args, **kwargs):
|
def decorated_function(*args, **kwargs):
|
||||||
if session.get('logged_in'):
|
|
||||||
return f(*args, **kwargs)
|
|
||||||
|
|
||||||
# Token verification
|
|
||||||
token = request.headers.get('Authorization', '').replace('Bearer ', '')
|
|
||||||
if not token:
|
|
||||||
token = request.form.get('access_token', '')
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
payload = JWT.loads(token)
|
_api_required()
|
||||||
# TODO(tsileo): log payload
|
|
||||||
except BadSignature:
|
except BadSignature:
|
||||||
abort(401)
|
abort(401)
|
||||||
return f(*args, **kwargs)
|
|
||||||
|
return f(*args, **kwargs)
|
||||||
return decorated_function
|
return decorated_function
|
||||||
|
|
||||||
|
|
||||||
|
@ -434,7 +436,11 @@ def outbox():
|
||||||
))
|
))
|
||||||
|
|
||||||
# Handle POST request
|
# Handle POST request
|
||||||
# FIXME(tsileo): check auth
|
try:
|
||||||
|
_api_required()
|
||||||
|
except BadSignature:
|
||||||
|
abort(401)
|
||||||
|
|
||||||
data = request.get_json(force=True)
|
data = request.get_json(force=True)
|
||||||
print(data)
|
print(data)
|
||||||
activity = activitypub.parse_activity(data)
|
activity = activitypub.parse_activity(data)
|
||||||
|
@ -653,14 +659,18 @@ def inbox():
|
||||||
if request.method == 'GET':
|
if request.method == 'GET':
|
||||||
if not is_api_request():
|
if not is_api_request():
|
||||||
abort(404)
|
abort(404)
|
||||||
# TODO(tsileo): handle auth and only return 404 if unauthenticated
|
try:
|
||||||
# abort(404)
|
_api_required()
|
||||||
|
except BadSignature:
|
||||||
|
abort(404)
|
||||||
|
|
||||||
return jsonify(**activitypub.build_ordered_collection(
|
return jsonify(**activitypub.build_ordered_collection(
|
||||||
DB.inbox,
|
DB.inbox,
|
||||||
q={'meta.deleted': False},
|
q={'meta.deleted': False},
|
||||||
cursor=request.args.get('cursor'),
|
cursor=request.args.get('cursor'),
|
||||||
map_func=lambda doc: doc['activity'],
|
map_func=lambda doc: doc['activity'],
|
||||||
))
|
))
|
||||||
|
|
||||||
data = request.get_json(force=True)
|
data = request.get_json(force=True)
|
||||||
# FIXME(tsileo): ensure verify_request() == True
|
# FIXME(tsileo): ensure verify_request() == True
|
||||||
print(data)
|
print(data)
|
||||||
|
|
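Review bot: `_api_required()` in the first hunk throws away the decoded token (`payload = JWT.loads(token)` is assigned and never used or returned), so any token whose signature verifies is accepted regardless of its claims, and the three call sites treat only `BadSignature` as an auth failure. If `JWT` is an itsdangerous serializer (its definition is outside the hunk), a correctly signed token with an undecodable payload raises `BadPayload`, which `except BadSignature:` does not catch and which would surface as a 500 instead of the intended 401/404; catching the common base with `except BadData:` at each of the three sites would close that, and having `_api_required()` `return payload` would let callers check an expiry claim before proceeding. Separately, the session branch `if session.get('logged_in'): return` means the `outbox()` POST path is reachable with only the login cookie, and it then parses the body with `request.get_json(force=True)`, which ignores the request content type — unless the session cookie is set SameSite=Lax/Strict or a CSRF token is checked somewhere not shown, a cross-site HTML form post can reach `activitypub.parse_activity` as the authenticated user. The `# FIXME(tsileo): ensure verify_request() == True` on the inbox POST path is left as is by this commit, so as far as this hunk shows incoming activities are still accepted without HTTP-signature verification. Both `outbox()` and `inbox()` continue past the end of their hunks.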