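def token(request):
    """Get an API token for the logged in user.

    ``POST`` is reserved for an OAuth2 access-token endpoint that is not
    implemented yet: the required parameters are validated and then
    ``NotImplementedError`` is raised. Every other method serves the
    Annotator-style token for the currently logged-in user.

    :param request: the active request; ``request.method``,
        ``request.params``, ``request.user``, ``request.host`` and
        ``request.registry.settings`` are read.
    :returns: the encoded token string produced by ``auth.encode_token``.
    :raises HTTPBadRequest: on ``POST`` when ``client_id``,
        ``client_secret``, ``code`` or ``state`` is missing.
    :raises NotImplementedError: on ``POST`` once all parameters are present.
    :raises HTTPForbidden: when no user is logged in.
    :raises RuntimeError: when no consumer exists for the ``api.key`` setting.
    """
    if request.method == 'POST':  # OAuth2 access token endpoint
        required = ('client_id', 'client_secret', 'code', 'state')
        for name in required:
            if name not in request.params:
                msg = '%s "%s".' % (messages.MISSING_PARAMETER, name)
                raise HTTPBadRequest(msg)

        raise NotImplementedError('OAuth provider not implemented yet.')

    # Annotator token endpoint
    if not request.user:
        raise HTTPForbidden(messages.NOT_LOGGED_IN)

    settings = request.registry.settings
    key = settings['api.key']
    consumer = models.Consumer.get_by_key(key)
    # Explicit check instead of ``assert``: asserts are stripped under
    # ``python -O``, and a missing consumer would then surface as an
    # AttributeError on ``consumer.key`` below rather than a clear error.
    if not consumer:
        raise RuntimeError('no consumer found for the configured api.key')

    # NOTE(review): ``request.host`` is presumably taken from the request's
    # Host header; confirm the deployment pins it so that the identity
    # string signed into the token cannot vary per request.
    user_id = 'acct:%s@%s' % (request.user.user_name, request.host)

    message = {
        'userId': user_id,
        'consumerKey': str(consumer.key),
        'ttl': consumer.ttl,
    }

    return auth.encode_token(message, consumer.secret)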
def auth_token():
    """Issue an Annotator auth token for the current ``g.user``.

    CORS headers are attached whenever the request carries an ``origin``
    header; an ``OPTIONS`` preflight additionally receives the allowed
    headers, methods and max-age. A logged-in user gets the encoded token as
    ``text/plain`` (with ``admin`` set in the payload for admins); anyone
    else gets a 401 pointing at ``request.host_url``, with the same headers.

    NOTE(review): the ``origin`` header is echoed back verbatim together with
    ``Allow-Credentials: true``, so every origin is granted credentialed
    access to this endpoint -- confirm that is intended.
    """
    prefix = 'Access-Control-'
    headers = {}

    if 'origin' in request.headers:
        headers.update({
            prefix + 'Allow-Origin': request.headers['origin'],
            prefix + 'Allow-Credentials': 'true',
            prefix + 'Expose-Headers': 'Location, Content-Type, Content-Length',
        })

        if request.method == 'OPTIONS':
            headers.update({
                prefix + 'Allow-Headers': 'X-Requested-With, Content-Type, Content-Length',
                prefix + 'Allow-Methods': 'GET, OPTIONS',
                prefix + 'Max-Age': '86400',
            })

    if not g.user:
        body = 'Please go to {0} to log in!'.format(request.host_url)
        return Response(body, status=401, headers=headers, mimetype='text/plain')

    consumer = Consumer.fetch('annotateit')
    payload = {
        'consumerKey': consumer.key,
        'userId': g.user.username,
        'ttl': consumer.ttl,
    }
    if g.user.is_admin:
        payload['admin'] = True
    encoded = auth.encode_token(payload, consumer.secret)
    return Response(encoded, headers=headers, mimetype='text/plain')
    def setup(self):
        """Push a request context and seed one annotation owned by alice.

        ``self.permissions`` grants ``read`` to alice and bob, ``update`` to
        alice and charlie, and ``admin`` to alice only. For each of alice,
        bob and charlie an ``<name>_headers`` attribute is created holding an
        ``x-annotator-auth-token`` signed with the mock user's consumer
        secret, so tests can act as any of the three.
        """
        super(TestStoreAuthz, self).setup()

        self.user = MockUser()  # alice
        owner = self.user.id
        consumer = self.user.consumer

        self.anno_id = '123'
        self.permissions = {
            'read': [owner, 'bob'],
            'update': [owner, 'charlie'],
            'admin': [owner],
        }

        self.ctx = self.app.test_request_context()
        self.ctx.push()

        Annotation(id=self.anno_id,
                   user=owner,
                   consumer=consumer.key,
                   text='Foobar',
                   permissions=self.permissions).save()

        for name in ('alice', 'bob', 'charlie'):
            claims = {'consumerKey': consumer.key, 'userId': name}
            token = auth.encode_token(claims, consumer.secret)
            setattr(self, '%s_headers' % name,
                    {'x-annotator-auth-token': token})
    def setup(self):
        """Create the fixture annotation and per-user auth headers.

        After the base setup, a request context is pushed and an
        ``Annotation`` with id ``'123'`` owned by the mock user (alice) is
        saved with ``self.permissions``: read for alice and bob, update for
        alice and charlie, admin for alice. ``alice_headers``,
        ``bob_headers`` and ``charlie_headers`` each carry an
        ``x-annotator-auth-token`` signed with the mock user's consumer
        secret.
        """
        super(TestStoreAuthz, self).setup()

        self.user = MockUser()  # alice

        self.anno_id = '123'
        self.permissions = dict(
            read=[self.user.id, 'bob'],
            update=[self.user.id, 'charlie'],
            admin=[self.user.id],
        )

        self.ctx = self.app.test_request_context()
        self.ctx.push()

        annotation = Annotation(
            id=self.anno_id,
            user=self.user.id,
            consumer=self.user.consumer.key,
            text='Foobar',
            permissions=self.permissions,
        )
        annotation.save()

        secret = self.user.consumer.secret
        key = self.user.consumer.key
        for name in ['alice', 'bob', 'charlie']:
            header = {
                'x-annotator-auth-token': auth.encode_token(
                    {'consumerKey': key, 'userId': name}, secret),
            }
            setattr(self, '%s_headers' % name, header)
 def test_reject_expired_token(self):
     """A token older than the supplied ttl must raise ``TokenInvalid``."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     # Advance the clock past the 300-second ttl so the token is stale.
     self.time_travel(seconds=310)
     assert_raises(auth.TokenInvalid,
                   auth.decode_token, tok, secret, ttl=300)
 def create_token(self, request, refresh_token=False):
     """Build the OAuth2 token response dict for ``request.client``.

     The signed payload holds the client's ``client_id`` as ``consumerKey``
     and its ``ttl``, overlaid with ``request.extra_credentials`` when that
     is set (entries there override the two defaults). The payload is
     signed with ``client.client_secret``. ``refresh_token`` is accepted for
     interface compatibility and not used here.

     :returns: dict with ``access_token``, ``expires_in`` and ``token_type``.
     """
     client = request.client
     extra = request.extra_credentials or {}
     message = {'consumerKey': client.client_id, 'ttl': client.ttl}
     message.update(extra)
     return {
         'access_token': auth.encode_token(message, client.client_secret),
         'expires_in': client.ttl,
         'token_type': 'http://annotateit.org/api/token',
     }
def generate_token(request):
    """Encode a token for ``request.client`` signed with its secret.

    The payload starts as the client's ``key`` (as ``consumerKey``) and
    ``ttl``; when ``request.extra_credentials`` is not ``None`` its entries
    are merged on top and may override those two keys. The result is
    handed to ``auth.encode_token`` together with ``client.secret``.
    """
    client = request.client
    message = {'consumerKey': client.key, 'ttl': client.ttl}

    extra = request.extra_credentials
    if extra is not None:
        message.update(extra)

    return auth.encode_token(message, client.secret)
    def token(self):
        """Return a ``text/plain`` Annotator token for the current author.

        ``g``, ``c`` and ``response`` are module-level names, not attributes
        of ``self``. The payload takes the consumer key from ``g``, the
        author and an anonymity flag (``c.user is None``) from ``c``, and a
        fixed ttl of 86400 (presumably seconds, i.e. one day -- unit not
        stated here). The token is signed with ``g.annotator_consumer_secret``
        after the response content-type is set.
        """
        anonymous = c.user is None
        payload = {
            'consumerKey': g.annotator_consumer_key,
            'ttl': 86400,
            'userId': c.author,
            'userIsAnonymous': anonymous,
        }

        response.headers['content-type'] = 'text/plain'
        return auth.encode_token(payload, g.annotator_consumer_secret)
    def setup(self):
        """Prepare a mock user, its signed auth header and a request context.

        ``self.headers`` holds an ``x-annotator-auth-token`` whose payload is
        the mock user's consumer key and user id, signed with that consumer's
        secret.
        """
        super(TestStore, self).setup()

        self.user = MockUser()
        consumer = self.user.consumer

        claims = {'consumerKey': consumer.key, 'userId': self.user.id}
        self.headers = {
            'x-annotator-auth-token': auth.encode_token(claims, consumer.secret),
        }

        self.ctx = self.app.test_request_context()
        self.ctx.push()
    def setup(self):
        """Run base setup, sign an auth header for the mock user, push a context.

        The ``x-annotator-auth-token`` in ``self.headers`` carries the mock
        user's consumer key and id and is signed with the consumer secret.
        """
        super(TestStore, self).setup()

        user = MockUser()
        self.user = user

        signed = auth.encode_token(
            {'consumerKey': user.consumer.key, 'userId': user.id},
            user.consumer.secret)
        self.headers = {'x-annotator-auth-token': signed}

        ctx = self.app.test_request_context()
        ctx.push()
        self.ctx = ctx
File: tokens.py Project: Treora/h
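def token_generator(request):
    """
    Generate a token from a request.

    The request must have the ``client`` and ``extra_credentials`` properties
    added by OAuthLib, and a ``user`` (possibly ``None``).

    The claims are a copy of ``extra_credentials`` with ``ttl``,
    ``consumerKey`` and -- when a user is present -- ``userId`` filled in
    only where absent, so entries already in ``extra_credentials`` take
    precedence. The claims are signed with ``client.client_secret``.
    """
    client = request.client
    # Work on a copy: the defaults added below must not leak back into
    # ``request.extra_credentials`` for whatever else reads it later.
    credentials = dict(request.extra_credentials or {})

    credentials.setdefault('ttl', DEFAULT_TTL)
    credentials.setdefault('consumerKey', client.client_id)

    # NOTE(review): because of ``setdefault``, a ``userId`` already present
    # in ``extra_credentials`` wins over the authenticated user -- confirm
    # that value is populated server-side rather than from request input.
    if request.user is not None:
        credentials.setdefault('userId', request.user)

    return encode_token(credentials, client.client_secret)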
File: api.py Project: pablomarti/h
def token(request):
    """Get an API token for the logged in user.

    The body is a JSON Web Token built from the ``h.api_secret``,
    ``h.consumer_key`` and ``h.api_ttl`` settings (the ttl falls back to
    ``auth.DEFAULT_TTL``), carrying ``acct:<login>@<host>`` as ``userId``.
    """

    # The response is a JSON Web Token signed with the application's consumer
    # key and secret. In the future, other applications may have their own
    # consumer keys. Although, most of this should go away in favor of more
    # traditional OAuth tools and the need for the token request might be
    # made to vanish when the iframe architecture settles and cross-domain
    # communication is handled at the browser runtime via postMessage.
    settings = request.registry.settings
    secret = settings.get('h.api_secret')
    consumer_key = settings.get('h.consumer_key')
    ttl = settings.get('h.api_ttl', auth.DEFAULT_TTL)

    # @@ make this deal with oid+realms, oauth etc better
    # NOTE(review): nothing in this block guards ``request.user`` being
    # None; an unauthenticated request would fail with AttributeError rather
    # than a 4xx -- confirm an upstream permission check covers this view.
    login = request.user.users[0].login
    user_id = 'acct:%s@%s' % (login, request.host)

    claims = {'userId': user_id, 'consumerKey': consumer_key, 'ttl': ttl}
    return Response(body=auth.encode_token(claims, secret))
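    def __call__(self):
        """Issue a signed token for the configured API consumer.

        The consumer is looked up by the ``api.key`` setting; its key and ttl
        form the claims, and ``userId`` (``acct:<username>@<host>``) is added
        only when ``self.request.user`` is truthy. The claims are signed with
        the consumer's secret.

        :returns: the encoded token from ``auth.encode_token``.
        :raises RuntimeError: when no consumer matches ``api.key``.
        """
        request = self.request

        consumer = self.Consumer.get_by_key(self.settings['api.key'])
        # Explicit check instead of ``assert``: asserts vanish under
        # ``python -O`` and a missing consumer would then surface as an
        # AttributeError on ``consumer.key`` below.
        if not consumer:
            raise RuntimeError('no consumer found for the configured api.key')

        message = {
            'consumerKey': str(consumer.key),
            'ttl': consumer.ttl,
        }

        if request.user:
            # NOTE(review): ``request.host`` is presumably the request's
            # Host header; confirm it is pinned by the deployment so the
            # signed identity cannot vary per request.
            parts = {
                'username': request.user.username,
                'provider': request.host,
            }
            message['userId'] = 'acct:%(username)s@%(provider)s' % parts

        return auth.encode_token(message, consumer.secret)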
File: token.py Project: almereyda/h
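    def __call__(self):
        """Issue a signed token for the configured API consumer.

        The consumer is looked up by the ``api.key`` setting; its key and ttl
        form the claims, and ``userId`` (``acct:<username>@<server_name>``)
        is added only when ``self.request.user`` is truthy. The claims are
        signed with the consumer's secret.

        :returns: the encoded token from ``auth.encode_token``.
        :raises RuntimeError: when no consumer matches ``api.key``.
        """
        request = self.request

        consumer = self.Consumer.get_by_key(self.settings['api.key'])
        # Explicit check instead of ``assert``: asserts vanish under
        # ``python -O`` and a missing consumer would then surface as an
        # AttributeError on ``consumer.key`` below.
        if not consumer:
            raise RuntimeError('no consumer found for the configured api.key')

        message = {
            'consumerKey': str(consumer.key),
            'ttl': consumer.ttl,
        }

        if request.user:
            # ``server_name`` rather than ``host`` is used for the provider
            # part here; presumably the server-configured name -- confirm.
            parts = {
                'username': request.user.username,
                'provider': request.server_name,
            }
            message['userId'] = 'acct:%(username)s@%(provider)s' % parts

        return auth.encode_token(message, consumer.secret)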
File: api.py Project: hyperstudio/h
def token(request):
    """Get an API token for the logged in user.

    Reads ``h.api_secret``, ``h.consumer_key`` and ``h.api_ttl`` (default
    ``auth.DEFAULT_TTL``) from the registry settings and returns a
    ``Response`` whose body is the encoded token for
    ``acct:<login>@<host>``.
    """

    # The response is a JSON Web Token signed with the application's consumer
    # key and secret. In the future, other applications may have their own
    # consumer keys. Although, most of this should go away in favor of more
    # traditional OAuth tools and the need for the token request might be
    # made to vanish when the iframe architecture settles and cross-domain
    # communication is handled at the browser runtime via postMessage.
    conf = request.registry.settings

    # @@ make this deal with oid+realms, oauth etc better
    # NOTE(review): ``request.user`` is dereferenced without a None check;
    # confirm a view-level permission guards unauthenticated access.
    account = request.user.users[0]
    payload = {
        'userId': 'acct:%s@%s' % (account.login, request.host),
        'consumerKey': conf.get('h.consumer_key'),
        'ttl': conf.get('h.api_ttl', auth.DEFAULT_TTL),
    }

    encoded = auth.encode_token(payload, conf.get('h.api_secret'))
    return Response(body=encoded)
def auth_token():
    """Hand out an Annotator auth token for ``g.user``, with CORS headers.

    When an ``origin`` header is present the response echoes it in
    ``Access-Control-Allow-Origin`` with credentials allowed, exposing
    ``Location``, ``Content-Type`` and ``Content-Length``; an ``OPTIONS``
    preflight also lists the allowed headers and methods and a one-day
    max-age. Logged-in users receive the encoded token (``admin`` added to
    the payload for admins) as ``text/plain``; otherwise a 401 with a login
    hint for ``request.host_url`` is returned.

    NOTE(review): echoing any ``origin`` back alongside
    ``Allow-Credentials: true`` grants every origin credentialed access to
    this endpoint -- confirm that is intended.
    """
    def cors_headers():
        found = {}
        if 'origin' not in request.headers:
            return found
        found['Access-Control-Allow-Origin'] = request.headers['origin']
        found['Access-Control-Allow-Credentials'] = 'true'
        found['Access-Control-Expose-Headers'] = 'Location, Content-Type, Content-Length'
        if request.method == 'OPTIONS':
            found['Access-Control-Allow-Headers'] = 'X-Requested-With, Content-Type, Content-Length'
            found['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
            found['Access-Control-Max-Age'] = '86400'
        return found

    headers = cors_headers()
    user = g.user

    if user:
        consumer = Consumer.fetch('annotateit')
        claims = {'consumerKey': consumer.key, 'userId': user.username, 'ttl': consumer.ttl}
        if user.is_admin:
            claims['admin'] = True
        body = auth.encode_token(claims, consumer.secret)
        status = None
    else:
        body = 'Please go to {0} to log in!'.format(request.host_url)
        status = 401

    if status is None:
        return Response(body, headers=headers, mimetype='text/plain')
    return Response(body, status=status, headers=headers, mimetype='text/plain')
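def make_request(consumer, obj=None):
    """Build a ``MockRequest`` carrying a signed ``x-annotator-auth-token``.

    :param consumer: object exposing ``key`` and ``secret``.
    :param obj: optional claims to place in the token. It is copied, so the
        caller's dict is left untouched; ``consumerKey`` is always set to
        ``consumer.key``.
    :returns: a ``MockRequest`` whose ``Headers`` hold the encoded token.
    """
    # Copy rather than update in place: the previous version mutated a
    # caller-owned dict, leaking ``consumerKey`` back to the caller.
    claims = dict(obj or {})
    claims['consumerKey'] = consumer.key
    token = auth.encode_token(claims, consumer.secret)
    return MockRequest(Headers([('x-annotator-auth-token', token)]))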
 def test_decode_token_unicode(self):
     """Decoding must accept the token passed as a ``unicode`` string."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     decoded = auth.decode_token(unicode(tok), secret)
     assert decoded, "token should have been successfully decoded"
 def test_reject_inauthentic_token(self):
     """Appending junk to a token must make decoding raise ``TokenInvalid``."""
     secret = 'secret'
     tampered = auth.encode_token({'userId': 'alice'}, secret) + 'extrajunk'
     assert_raises(auth.TokenInvalid, auth.decode_token, tampered, secret)
 def test_reject_notyetvalid_token(self):
     """A token issued in the future (clock moved back) must be rejected."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     # Rewind the clock one minute so the token's issue time is ahead of now.
     self.time_travel(minutes=-1)
     assert_raises(auth.TokenInvalid, auth.decode_token, tok, secret)
 def test_reject_expired_token(self):
     """Decoding with ``ttl=300`` after 310 seconds must raise ``TokenInvalid``."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     # Jump 10 seconds past the ttl so the token has expired.
     self.time_travel(seconds=310)
     assert_raises(auth.TokenInvalid,
                   auth.decode_token, tok, secret, ttl=300)
 def test_reject_notyetvalid_token(self):
     """Moving the clock back must make a freshly issued token invalid."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     self.time_travel(minutes=-1)  # now the token is dated in the future
     assert_raises(auth.TokenInvalid, auth.decode_token, tok, secret)
 def test_reject_inauthentic_token(self):
     """A token with trailing junk must fail to decode with ``TokenInvalid``."""
     secret = 'secret'
     genuine = auth.encode_token({'userId': 'alice'}, secret)
     tampered = '%s%s' % (genuine, 'extrajunk')
     assert_raises(auth.TokenInvalid, auth.decode_token, tampered, secret)
 def test_decode_token(self):
     """A freshly encoded token decodes to a truthy value with the same secret."""
     secret = 'secret'
     tok = auth.encode_token({}, secret)
     decoded = auth.decode_token(tok, secret)
     assert decoded, "token should have been successfully decoded"
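def make_request(consumer, obj=None):
    """Build a ``MockRequest`` carrying a signed ``x-annotator-auth-token``.

    :param consumer: object exposing ``key`` and ``secret``.
    :param obj: optional claims to place in the token. It is copied, so the
        caller's dict is left untouched; ``consumerKey`` is always set to
        ``consumer.key``.
    :returns: a ``MockRequest`` whose ``Headers`` hold the encoded token.
    """
    # Copy rather than update in place: the previous version mutated a
    # caller-owned dict, leaking ``consumerKey`` back to the caller.
    claims = dict(obj or {})
    claims['consumerKey'] = consumer.key
    token = auth.encode_token(claims, consumer.secret)
    return MockRequest(Headers([('x-annotator-auth-token', token)]))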