def _get_bearer_token(self):
    """Resolve the OAuth2 access token named by the request's Bearer header.

    Reads the ``Authorization`` header, requires it to have the shape
    ``Bearer <token>`` (the scheme is matched case-insensitively) and looks
    the token string up through ``OAuth2AccessToken.get_token``.

    A missing or malformed header fails the request with
    ``400 invalid_request`` via ``self._auth_error``; the lookup result is
    otherwise returned as-is (``get_token`` may hand back a falsy value,
    which callers are expected to ``require``).  The code assumes
    ``_auth_error`` aborts the request rather than returning.
    """
    header_value = request.headers.get("Authorization")
    try:
        scheme, raw_token = require_split(header_value, 2)
        # Only the Bearer scheme is accepted on this path.
        require(scheme.lower() == "bearer")
        return OAuth2AccessToken.get_token(raw_token)
    except RequirementException:
        self._auth_error(400, "invalid_request")
def _get_bearer_token(self, strict=True):
    """Return the raw token string from a ``Bearer`` Authorization header.

    Args:
        strict: when true, a missing or malformed header fails the request
            with ``400 invalid_request`` through ``self._auth_error`` (which
            is expected to abort rather than return); when false the problem
            is ignored and ``None`` comes back so the caller can fall back to
            another authentication method.

    Returns:
        The token string exactly as presented -- it is neither looked up nor
        validated here -- or ``None`` in non-strict mode when no usable
        header is present.
    """
    header_value = request.headers.get("Authorization")
    try:
        scheme, raw_token = require_split(header_value, 2)
        # HTTP auth scheme names are case-insensitive, hence the lower().
        require(scheme.lower() == "bearer")
        return raw_token
    except RequirementException:
        if strict:
            self._auth_error(400, "invalid_request")
def _get_client_auth(self):
    """Authenticate the OAuth2 client from the HTTP Basic ``Authorization`` header.

    ``parse_http_basic`` turns the header into ``(client_id, secret)``; the
    client id must resolve through ``OAuth2Client.get_token`` and the stored
    secret must equal the presented one.  The comparison goes through
    ``constant_time_compare`` so that, going by its name, the time taken does
    not depend on how many leading characters matched.

    Returns:
        The ``OAuth2Client``.

    Any failure (unparseable header, unknown client, wrong secret) aborts
    with 401 and a ``WWW-Authenticate: Basic`` challenge; ``abort`` is
    assumed not to return.
    """
    header_value = request.headers.get("Authorization")
    try:
        client_id, presented_secret = parse_http_basic(header_value)
        client = OAuth2Client.get_token(client_id)
        require(client)
        require(constant_time_compare(client.secret, presented_secret))
        return client
    except RequirementException:
        abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
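def parse_http_basic(authorization_header):
    """Parse the username/credentials out of an HTTP Basic Auth header.

    Expects ``Basic <base64(user:secret)>``; the scheme is compared
    case-insensitively.

    Returns:
        The two-element result of ``require_split(decoded, 2, ":")``,
        i.e. ``(user, secret)``.

    Raises:
        RequirementException: if the header is missing, is not Basic, is
            not valid base64, or the decoded payload does not split into
            exactly two parts on ``":"``.

    NOTE(review): whether a ``":"`` inside the secret is tolerated depends
    on how ``require_split`` splits (maxsplit or not) -- confirm against its
    definition before relying on secrets that may contain a colon.
    """
    auth_scheme, auth_token = require_split(authorization_header, 2)
    require(auth_scheme.lower() == "basic")
    try:
        auth_data = base64.b64decode(auth_token)
    except (TypeError, ValueError):
        # Python 2 signals bad base64 with TypeError, Python 3 with
        # binascii.Error (a ValueError subclass).  Either way the header is
        # malformed and must be reported as such, not as a server error.
        raise RequirementException
    return require_split(auth_data, 2, ":")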
def authenticate_with_token(self):
    """Authenticate the request with an OAuth2 bearer token and enforce scope.

    Sets the JSON extension and content type and requires HTTPS on
    ``g.oauth_domain``.  The bearer token resolved by ``_get_bearer_token``
    must exist and pass ``check_valid()``, and the account it belongs to must
    exist and not be deleted; otherwise the request fails with
    ``401 invalid_token``.  On success ``c.oauth2_access_token`` and
    ``c.oauth_user`` are populated.

    When an action handler is resolved it must declare ``oauth2_perms``
    (otherwise ``400 invalid_request``); the token's ``OAuth2Scope`` must
    grant every scope in ``allowed_scopes`` for ``c.site`` or the request
    fails with ``403 insufficient_scope``, and the grant is published as
    ``c.oauth_scope``.  If no handler is resolved nothing further happens
    here (presumably a later stage rejects the request -- confirm).  The
    code after each ``_auth_error`` call relies on that method aborting the
    request rather than returning.
    """
    set_extension(request.environ, "json")
    set_content_type()
    require_https()
    require_domain(g.oauth_domain)

    try:
        token = OAuth2AccessToken.get_token(self._get_bearer_token())
        require(token)
        require(token.check_valid())
        c.oauth2_access_token = token

        owner = Account._byID36(token.user_id, data=True)
        require(owner)
        require(not owner._deleted)
        c.oauth_user = owner
    except RequirementException:
        self._auth_error(401, "invalid_token")

    action = self._get_action_handler()
    if action:
        perms = getattr(action, "oauth2_perms", None)
        if perms:
            granted = OAuth2Scope(token.scope)
            needed = set(perms["allowed_scopes"])
            # The grant must cover every scope the handler demands, for the
            # site the request is made against.
            if not granted.has_access(c.site.name, needed):
                self._auth_error(403, "insufficient_scope")
            c.oauth_scope = granted
        else:
            self._auth_error(400, "invalid_request")
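def POST_snoovatar(self, form, jquery, public, snoo_color, unvalidated_components):
    """Validate and save the user's snoovatar selection.

    Args:
        form: the validated form; validation failures are attached to it.
        jquery: the jQuery response proxy (unused here; part of the
            controller signature).
        public: whether the snoovatar is publicly visible.
        snoo_color: the CSS colour for the snoo.
        unvalidated_components: client-supplied mapping of tailor name ->
            component.  Only the structure needed for validation is
            inspected; accepted components are persisted as submitted.

    For every tailor in ``g.plugins["gold"].tailors_data`` a component must
    be present unless the tailor has ``allow_clear``, and a component's
    ``dressingName`` (when given) must name one of that tailor's dressings.
    Any violation is reported as ``errors.INVALID_SNOOVATAR`` on the
    ``components`` field and nothing is saved.

    NOTE(review): ``validated[tailor_name]`` keeps the whole client-supplied
    component dict, including keys not checked here -- confirm downstream
    consumers ignore unexpected keys.
    """
    if not feature.is_enabled('snoovatars'):
        return

    if form.has_errors(
        "components",
        errors.NO_TEXT,
        errors.TOO_LONG,
        errors.BAD_STRING,
    ):
        return
    if form.has_errors("snoo_color", errors.BAD_CSS_COLOR):
        return

    try:
        tailors = g.plugins["gold"].tailors_data
        validated = {}
        for tailor in tailors:
            tailor_name = tailor["name"]
            component = unvalidated_components.get(tailor_name)

            # if the tailor requires a selection, ensure there is one
            if not tailor["allow_clear"]:
                require(component)

            # A tailor that allows clearing may legitimately have no
            # component, and None has no .get(); only inspect a component
            # that was actually supplied.
            if component is not None:
                # The component is client input: anything without a mapping
                # interface is a malformed submission, not a server error.
                require(hasattr(component, "get"))

                # ensure this dressing exists
                dressing = component.get("dressingName")
                if dressing:
                    known_dressings = [d["name"] for d in tailor["dressings"]]
                    require(dressing in known_dressings)

            validated[tailor_name] = component
    except RequirementException:
        c.errors.add(errors.INVALID_SNOOVATAR, field="components")
        form.has_errors("components", errors.INVALID_SNOOVATAR)
        return

    SnoovatarsByAccount.save(
        user=c.user,
        name="snoo",
        public=public,
        snoo_color=snoo_color,
        components=validated,
    )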
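def authenticate_with_token(self):
    """Authenticate the request with an OAuth2 bearer token and enforce scope.

    Sets the JSON extension and content type and requires HTTPS on
    ``g.oauth_domain``.  The bearer token resolved by ``_get_bearer_token``
    must exist and pass ``check_valid()``, and its owning account must exist
    and not be deleted; otherwise the request fails with
    ``401 invalid_token``.  On success ``c.oauth2_access_token`` and
    ``c.oauth_user`` are populated.

    When an action handler is resolved it must declare ``oauth2_perms``
    (otherwise ``400 invalid_request``); the token's ``OAuth2Scope`` must
    grant every scope in ``allowed_scopes`` for ``c.site`` or the request
    fails with ``403 insufficient_scope``, and the grant is published as
    ``c.oauth_scope``.  If no handler is resolved nothing further happens
    here (presumably a later stage rejects the request -- confirm).  The
    code after each ``_auth_error`` call relies on that method aborting the
    request rather than returning.
    """
    set_extension(request.environ, "json")
    set_content_type()
    require_https()
    require_domain(g.oauth_domain)

    try:
        access_token = OAuth2AccessToken.get_token(self._get_bearer_token())
        require(access_token)
        require(access_token.check_valid())
        c.oauth2_access_token = access_token

        account = Account._byID36(access_token.user_id, data=True)
        require(account)
        require(not account._deleted)
        c.oauth_user = account
    except RequirementException:
        self._auth_error(401, "invalid_token")

    handler = self._get_action_handler()
    if handler:
        oauth2_perms = getattr(handler, "oauth2_perms", None)
        # Do not short-circuit this test: a handler that declares no
        # oauth2_perms has no allowed_scopes to check against and must be
        # rejected with 400 (the former "or True" made the else branch
        # unreachable and then indexed None below).
        if oauth2_perms:
            grant = OAuth2Scope(access_token.scope)
            required = set(oauth2_perms['allowed_scopes'])
            if not grant.has_access(c.site.name, required):
                self._auth_error(403, "insufficient_scope")
            c.oauth_scope = grant
        else:
            self._auth_error(400, "invalid_request")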
def pre(self):
    """Controller pre-hook: authenticate the bearer token and enforce scope.

    Forces the JSON extension, runs ``MinimalController.pre`` and requires
    HTTPS, then resolves the access token named by ``_get_bearer_token``.
    The token must exist and pass ``check_valid()`` and its owning account
    must exist and not be deleted; otherwise the request fails with
    ``401 invalid_token``.  On success ``c.oauth2_access_token`` and
    ``c.oauth_user`` are set.

    If an action handler is resolved it must declare ``oauth2_perms``
    (else ``400 invalid_request``).  A subreddit-restricted grant must list
    ``c.site`` and the grant's scopes must be a superset of
    ``allowed_scopes``; either miss is ``403 insufficient_scope``.  When no
    handler is resolved nothing further happens here (presumably a later
    stage rejects the request -- confirm).  The code below relies on
    ``_auth_error`` aborting the request rather than returning.
    """
    set_extension(request.environ, "json")
    MinimalController.pre(self)
    require_https()

    try:
        token = OAuth2AccessToken.get_token(self._get_bearer_token())
        require(token)
        require(token.check_valid())
        c.oauth2_access_token = token

        owner = Account._byID36(token.user_id, data=True)
        require(owner)
        require(not owner._deleted)
        c.oauth_user = owner
    except RequirementException:
        self._auth_error(401, "invalid_token")

    action = self._get_action_handler()
    if action:
        perms = getattr(action, "oauth2_perms", None)
        if perms:
            granted = OAuth2Scope(token.scope)
            # A subreddit-restricted grant is only good on its listed
            # subreddits.
            if granted.subreddit_only and c.site.name not in granted.subreddits:
                self._auth_error(403, "insufficient_scope")
            # Every scope the handler demands must be in the grant.
            needed = set(perms["allowed_scopes"])
            if not (granted.scopes >= needed):
                self._auth_error(403, "insufficient_scope")
        else:
            self._auth_error(400, "invalid_request")
def pre(self):
    """Authenticate the OAuth2 bearer token and check the handler's scopes.

    Runs before the action: selects the JSON extension, delegates to
    ``MinimalController.pre`` and requires HTTPS.  The token obtained through
    ``_get_bearer_token`` must resolve, pass ``check_valid()`` and belong to
    an existing, non-deleted account, else the request ends with
    ``401 invalid_token``.  ``c.oauth2_access_token`` and ``c.oauth_user``
    are set on success.

    With a resolved handler, ``oauth2_perms`` is mandatory
    (``400 invalid_request`` without it).  The grant is rejected with
    ``403 insufficient_scope`` if it is subreddit-only and ``c.site`` is not
    among its subreddits, or if it lacks any of ``allowed_scopes``.  No
    handler means no error from this hook (presumably handled later --
    confirm).  Every ``_auth_error`` call is assumed to abort rather than
    return.
    """
    set_extension(request.environ, "json")
    MinimalController.pre(self)
    require_https()

    try:
        access = OAuth2AccessToken.get_token(self._get_bearer_token())
        require(access)
        require(access.check_valid())
        c.oauth2_access_token = access

        user = Account._byID36(access.user_id, data=True)
        require(user)
        require(not user._deleted)
        c.oauth_user = user
    except RequirementException:
        self._auth_error(401, "invalid_token")

    handler = self._get_action_handler()
    if handler:
        handler_perms = getattr(handler, "oauth2_perms", None)
        if handler_perms:
            scope = OAuth2Scope(access.scope)
            # Subreddit-restricted grants are bound to their subreddit list.
            if scope.subreddit_only and c.site.name not in scope.subreddits:
                self._auth_error(403, "insufficient_scope")
            # The handler's scopes must all be present in the grant.
            wanted = set(handler_perms["allowed_scopes"])
            if not (scope.scopes >= wanted):
                self._auth_error(403, "insufficient_scope")
        else:
            self._auth_error(400, "invalid_request")
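def POST_snoovatar(self, form, jquery, public, snoo_color, unvalidated_components):
    """Validate and save the user's snoovatar selection.

    Args:
        form: the validated form; validation failures are attached to it.
        jquery: the jQuery response proxy (unused here; part of the
            controller signature).
        public: whether the snoovatar is publicly visible.
        snoo_color: the CSS colour for the snoo.
        unvalidated_components: client-supplied mapping of tailor name ->
            component.  Only the structure needed for validation is
            inspected; accepted components are persisted as submitted.

    For every tailor in ``g.plugins["gold"].tailors_data`` a component must
    be present unless the tailor has ``allow_clear``, and a component's
    ``dressingName`` (when given) must name one of that tailor's dressings.
    Any violation is reported as ``errors.INVALID_SNOOVATAR`` on the
    ``components`` field and nothing is saved.

    NOTE(review): ``validated[tailor_name]`` keeps the whole client-supplied
    component dict, including keys not checked here -- confirm downstream
    consumers ignore unexpected keys.
    """
    if not feature.is_enabled('snoovatars'):
        return

    if form.has_errors(
        "components",
        errors.NO_TEXT,
        errors.TOO_LONG,
        errors.BAD_STRING,
    ):
        return
    if form.has_errors("snoo_color", errors.BAD_CSS_COLOR):
        return

    try:
        tailors = g.plugins["gold"].tailors_data
        validated = {}
        for tailor in tailors:
            tailor_name = tailor["name"]
            component = unvalidated_components.get(tailor_name)

            # if the tailor requires a selection, ensure there is one
            if not tailor["allow_clear"]:
                require(component)

            # A tailor that allows clearing may legitimately have no
            # component, and None has no .get(); only inspect a component
            # that was actually supplied.
            if component is not None:
                # The component is client input: anything without a mapping
                # interface is a malformed submission, not a server error.
                require(hasattr(component, "get"))

                # ensure this dressing exists
                dressing = component.get("dressingName")
                if dressing:
                    known_dressings = [d["name"] for d in tailor["dressings"]]
                    require(dressing in known_dressings)

            validated[tailor_name] = component
    except RequirementException:
        c.errors.add(errors.INVALID_SNOOVATAR, field="components")
        form.has_errors("components", errors.INVALID_SNOOVATAR)
        return

    SnoovatarsByAccount.save(
        user=c.user,
        name="snoo",
        public=public,
        snoo_color=snoo_color,
        components=validated,
    )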
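def _get_client_auth(self):
    """Authenticate the OAuth2 client from an HTTP Basic ``Authorization`` header.

    The header must be ``Basic <base64(client_id:client_secret)>`` (scheme
    matched case-insensitively).  The client id must resolve through
    ``OAuth2Client.get_token`` and the presented secret must equal the
    stored one.

    Returns:
        The ``OAuth2Client``.

    Any parse or lookup failure, including a wrong secret, aborts with 401
    and a ``WWW-Authenticate: Basic`` challenge; ``abort`` is expected not
    to return.
    """
    auth = request.headers.get("Authorization")
    try:
        auth_scheme, auth_token = require_split(auth, 2)
        require(auth_scheme.lower() == "basic")
        try:
            auth_data = base64.b64decode(auth_token)
        except (TypeError, ValueError):
            # Python 2 signals bad base64 with TypeError, Python 3 with
            # binascii.Error (a ValueError subclass); both mean a malformed
            # header, which is a client error rather than a server error.
            raise RequirementException
        client_id, client_secret = require_split(auth_data, 2, ":")

        client = OAuth2Client.get_token(client_id)
        require(client)
        expected_secret = client.secret
        require(expected_secret is not None)

        # Compare the secret without stopping at the first differing
        # character: a plain ``==`` may return as soon as it sees a
        # mismatch, so response timing would reveal how many leading
        # characters of the secret were right.  Accumulating the XOR of
        # every position makes the work independent of where the first
        # difference is; only the length is still observable.
        mismatch = 0
        for have, want in zip(client_secret, expected_secret):
            mismatch |= ord(have) ^ ord(want)
        require(len(client_secret) == len(expected_secret) and mismatch == 0)
        return client
    except RequirementException:
        abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])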
def pre(self):
    """Controller pre-hook: authenticate the bearer token and check its scope.

    Selects the JSON extension, runs ``MinimalController.pre`` and requires
    HTTPS.  ``_get_bearer_token`` is expected to return the access token
    object directly; it must be truthy and its owning account (looked up
    with ``Account._byID``) must exist and not be deleted, otherwise the
    request fails with ``401 invalid_token``.  ``c.oauth2_access_token`` and
    ``c.oauth_user`` are set on success.

    With a resolved handler, ``oauth2_perms`` is mandatory
    (``400 invalid_request`` without it) and the token's single ``scope``
    must appear in ``allowed_scopes`` (``403 insufficient_scope`` otherwise).
    No handler means no error from this hook (presumably handled later --
    confirm).  Every ``_auth_error`` call is assumed to abort rather than
    return.

    NOTE(review): there is no expiry/validity check on the token here
    (later revisions call ``check_valid()``); confirm that
    ``_get_bearer_token`` already refuses expired or revoked tokens.
    """
    set_extension(request.environ, "json")
    MinimalController.pre(self)
    require_https()

    try:
        token = self._get_bearer_token()
        require(token)
        c.oauth2_access_token = token

        owner = Account._byID(token.user_id, data=True)
        require(owner)
        require(not owner._deleted)
        c.oauth_user = owner
    except RequirementException:
        self._auth_error(401, "invalid_token")

    action = self._get_action_handler()
    if action:
        perms = getattr(action, "oauth2_perms", None)
        if perms:
            # The token carries one scope; it must be one the handler allows.
            if token.scope not in perms["allowed_scopes"]:
                self._auth_error(403, "insufficient_scope")
        else:
            self._auth_error(400, "invalid_request")