def testNoAccessToken(self):
    """
    A request to a protected resource that carries no token at all must be
    rejected, and the request must be failed with a MissingTokenError for
    the requested scope.
    """
    request = MockRequest('GET', 'protectedResource')
    authorized = isAuthorized(request, 'scope')
    self.assertFalse(
        authorized,
        msg='Expected isAuthorized to reject a request without a token.')
    expectedError = MissingTokenError(['scope'])
    self.assertFailedProtectedResourceRequest(request, expectedError)
def testAccessTokenInBodyWrongMethod(self):
    """
    A valid token placed in the request body is only accepted for POST
    requests: the same body sent with GET must be rejected and the request
    failed with a MissingTokenError for the token's scope.
    """
    bodyArguments = {'access_token': self.VALID_TOKEN}
    request = MockRequest('GET', 'protectedResource', arguments=bodyArguments)
    request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
    authorized = isAuthorized(request, self.VALID_TOKEN_SCOPE)
    self.assertFalse(
        authorized,
        msg='Expected isAuthorized to reject a request with a valid token '
            'in the request body that was not send with the POST method.')
    expectedError = MissingTokenError(self.VALID_TOKEN_SCOPE)
    self.assertFailedProtectedResourceRequest(request, expectedError)
def testAccessTokenInBodyWrongContentType(self):
    """
    A valid token in the body of a POST request is only accepted when the
    Content-Type is "application/x-www-form-urlencoded"; any other content
    type must be rejected and the request failed with a MissingTokenError
    for the token's scope.
    """
    bodyArguments = {'access_token': self.VALID_TOKEN}
    request = MockRequest('POST', 'protectedResource', arguments=bodyArguments)
    request.setRequestHeader('Content-Type', 'application/other')
    authorized = isAuthorized(request, self.VALID_TOKEN_SCOPE)
    self.assertFalse(
        authorized,
        msg='Expected isAuthorized to reject a request '
            'with a valid token in the request body with a content type '
            'that is not "application/x-www-form-urlencoded".')
    expectedError = MissingTokenError(self.VALID_TOKEN_SCOPE)
    self.assertFailedProtectedResourceRequest(request, expectedError)
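def isAuthorized(request, scope, allowInsecureRequestDebug=False):
    """
    Returns True if the token in the request grants access to the given scope.

    The token is validated via the token storage singleton obtained from
    TokenResource.getTokenStorageSingleton(). The checks run in this order,
    and the first failing one decides the error written to the request:

    1. the connection must be secure (request.isSecure()) unless
       allowInsecureRequestDebug is set -> InsecureConnectionError;
    2. _getToken must yield exactly one token -> MultipleTokensError when it
       raises ValueError, MissingTokenError when it returns None;
    3. the token must be valid UTF-8 and known to the token storage
       -> InvalidTokenRequestError;
    4. the token must grant every requested scope
       -> InsufficientScopeRequestError.

    If any check fails, False is returned, the error response is written to
    the request and the request is finished. You must not write to the
    request after this function returned False!

    :param request: The request.
    :param scope: The scope or list of scopes the token must grant access to.
        A single scope is wrapped into a one-element list.
    :param allowInsecureRequestDebug: Allow requests to originate from
        insecure connections. Only use for local testing!
    :return: True, if the request is authorized, False otherwise.
    """
    # isinstance instead of a type() comparison so list subclasses are not
    # wrapped into a nested list, which would never match any stored scope.
    scopes = scope if isinstance(scope, list) else [scope]
    error = _authorizationError(request, scopes, allowInsecureRequestDebug)
    if error is None:
        return True
    request.write(error.generate(request))
    request.finish()
    return False


def _authorizationError(request, scope, allowInsecureRequestDebug):
    """
    Return the error that rejects the request, or None if it is authorized.

    :param request: The request.
    :param scope: The list of scopes the token must grant access to.
    :param allowInsecureRequestDebug: Skip the secure-connection check.
    :return: An error object with a generate(request) method, or None.
    """
    # The transport check comes first so that a token is never looked up
    # (or even decoded) for a request that arrived over an insecure channel.
    if not (allowInsecureRequestDebug or request.isSecure()):
        return InsecureConnectionError()
    try:
        requestToken = _getToken(request)
    except ValueError:
        # _getToken signals more than one token source with ValueError.
        return MultipleTokensError(scope)
    if requestToken is None:
        return MissingTokenError(scope)
    try:
        # The raw token is expected as bytes; an undecodable token is treated
        # as invalid rather than as an internal error.
        requestToken = requestToken.decode('utf-8')
    except UnicodeDecodeError:
        return InvalidTokenRequestError(scope)
    tokenStorage = TokenResource.getTokenStorageSingleton()
    if not tokenStorage.contains(requestToken):
        return InvalidTokenRequestError(scope)
    if not tokenStorage.hasAccess(requestToken, scope):
        return InsufficientScopeRequestError(scope)
    return None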