master
Aevann1 2021-08-03 18:25:38 +02:00
parent d7e049c71b
commit 647c2aab16
3 changed files with 13 additions and 167 deletions

View File

@ -4,26 +4,19 @@ from .alerts import send_notification
from drama.__main__ import app
def get_logged_in_user(db=None):
if not db:
db=g.db
def get_logged_in_user():
if request.headers.get("Authorization"):
token = request.headers.get("Authorization")
if not token: return None, None
token = token.split()
if len(token) < 2:
return None, None
if len(token) < 2: return None, None
token = token[1]
if not token:
return None, None
if not token: return None, None
client = db.query(ClientAuth).filter(
ClientAuth.access_token == token).first()
#ClientAuth.access_token_expire_utc > int(time.time()
client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).first()
x = (client.user, client) if client else (None, None)
@ -239,31 +232,6 @@ def validate_formkey(f):
wrapper.__name__ = f.__name__
return wrapper
def no_cors(f):
"""
Decorator prevents content being iframe'd
"""
def wrapper(*args, **kwargs):
origin = request.headers.get("Origin", None)
if origin and origin != "https://" + app.config["SERVER_NAME"] and app.config["FORCE_HTTPS"]==1:
return "This page may not be embedded in other webpages.", 403
resp = make_response(f(*args, **kwargs))
resp.headers.add("Access-Control-Allow-Origin",
app.config["SERVER_NAME"]
)
return resp
wrapper.__name__ = f.__name__
return wrapper
def api(*scopes, no_ban=False):
def wrapper_maker(f):

View File

@ -7,7 +7,6 @@ valid_password_regex = re.compile("^.{8,100}$")
@app.get("/login")
@no_cors
@auth_desired
def login_get(v):
@ -51,7 +50,6 @@ def check_for_alts(current_id):
# login post procedure
@no_cors
@app.post("/login")
@limiter.limit("6/minute")
def login_post():
@ -152,7 +150,6 @@ def logout(v):
@app.get("/signup")
@no_cors
@auth_desired
def sign_up_get(v):
with open('./disablesignups', 'r') as f:
@ -207,7 +204,6 @@ def sign_up_get(v):
@app.post("/signup")
@no_cors
@auth_desired
def sign_up_post(v):
with open('./disablesignups', 'r') as f:

View File

@ -79,143 +79,25 @@ def oauth_authorize_prompt(v):
)
@app.post("/oauth/authorize")
@app.post("/authorize")
@auth_required
@validate_formkey
def oauth_authorize_post(v):
def oauth(v):
client_id = request.form.get("client_id")
scopes_txt = request.form.get("scopes")
state = request.form.get("state")
redirect_uri = request.form.get("redirect_uri")
application = g.db.query(OauthApp).filter_by(client_id=client_id).first()
if not application:
return {"oauth_error": "Invalid `client_id`"}, 401
if application.is_banned:
return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
valid_redirect_uris = [x.strip()
for x in application.redirect_uri.split(",")]
if redirect_uri not in valid_redirect_uris:
return {"oauth_error": "Invalid redirect_uri"}, 400
scopes = scopes_txt.split(',')
if not scopes:
return {"oauth_error": "One or more scopes must be specified as a comma-separated list"}, 400
for scope in scopes:
if scope not in SCOPES:
return {"oauth_error": f"The provided scope `{scope}` is not valid."}, 400
if any(x in scopes for x in ["create", "update"]) and "identity" not in scopes:
return {"oauth_error": f"`identity` scope required when requesting `create` or `update` scope."}, 400
if not state:
return {'oauth_error': 'state argument required'}, 400
permanent = bool(int(request.values.get("permanent", 0)))
if not application: return {"oauth_error": "Invalid `client_id`"}, 401
if application.is_banned: return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
access_token = secrets.token_urlsafe(128)[:128]
new_auth = ClientAuth(
oauth_client=application.id,
oauth_code=secrets.token_urlsafe(128)[:128],
user_id=v.id,
scope_identity="identity" in scopes,
scope_create="create" in scopes,
scope_read="read" in scopes,
scope_update="update" in scopes,
scope_delete="delete" in scopes,
scope_vote="vote" in scopes,
refresh_token=secrets.token_urlsafe(128)[:128] if permanent else None
oauth_client = application.id,
user_id = v.id,
access_token=access_token
)
g.db.add(new_auth)
return redirect(f"{redirect_uri}?code={new_auth.oauth_code}&scopes={scopes_txt}&state={state}")
@app.post("/oauth/grant")
def oauth_grant():
'''
This endpoint takes the following parameters:
* code - The code parameter provided in the redirect
* client_id - Your client ID
* client_secret - your client secret
'''
application = g.db.query(OauthApp).filter_by(
client_id=request.values.get("client_id"),
client_secret=request.values.get("client_secret")).first()
if not application:
return {"oauth_error": "Invalid `client_id` or `client_secret`"}, 401
if application.is_banned:
return {"oauth_error": f"Application `{application.app_name}` is suspended."}, 403
if request.values.get("grant_type") == "code":
code = request.values.get("code")
if not code:
return {"oauth_error": "code required"}, 400
auth = g.db.query(ClientAuth).filter_by(
oauth_code=code,
access_token=None,
oauth_client=application.id
).first()
if not auth:
return {"oauth_error": "Invalid code"}, 401
auth.oauth_code = None
auth.access_token = secrets.token_urlsafe(128)[:128]
auth.access_token_expire_utc = int(time.time()) + 60 * 60
g.db.add(auth)
g.db.commit()
data = {
"access_token": auth.access_token,
"scopes": auth.scopelist,
"expires_at": auth.access_token_expire_utc,
"token_type": "Bearer"
}
if auth.refresh_token:
data["refresh_token"] = auth.refresh_token
return data
elif request.values.get("grant_type") == "refresh":
refresh_token = request.values.get('refresh_token')
if not refresh_token:
return {"oauth_error": "refresh_token required"}, 401
auth = g.db.query(ClientAuth).filter_by(
refresh_token=refresh_token,
oauth_code=None,
oauth_client=application.id
).first()
if not auth:
return {"oauth_error": "Invalid refresh_token"}, 401
auth.access_token = secrets.token_urlsafe(128)[:128]
auth.access_token_expire_utc = int(time.time()) + 60 * 60
g.db.add(auth)
data = {
"access_token": auth.access_token,
"scopes": auth.scopelist,
"expires_at": auth.access_token_expire_utc
}
return data
else:
return {"oauth_error": f"Invalid grant_type `{request.values.get('grant_type','')}`. Expected `code` or `refresh`."}, 400
return redirect(f"{application.redirect_uri}?token={access_token}")
@app.post("/api_keys")