def api_key_confirm(token=None, secret=None):
req = ApiKeyRequest.from_token(db.session, token)
if not req:
time.sleep(5)
flash('Email login request not found.', 'danger')
return redirect('/')
if req.secret != secret:
flash('Email login code invalid.', 'danger')
return redirect('/')
now = datetime.datetime.now()
if now > req.expiry:
time.sleep(5)
flash('Email login request expired.', 'danger')
return redirect('/')
if request.method == 'POST':
confirm = request.form.get('confirm') == 'true'
if not confirm:
db.session.delete(req)
db.session.commit()
flash('Email login cancelled.', 'success')
return redirect('/')
perms = request.form.getlist('perms')
api_key = ApiKey(req.user, req.device_name)
for name in perms:
perm = Permission.from_name(db.session, name)
api_key.permissions.append(perm)
req.created_api_key = api_key
db.session.add(req)
db.session.add(api_key)
db.session.commit()
flash('Email login confirmed.', 'success')
return redirect('/')
return render_template('paydb/api_key_confirm.html',
req=req,
perms=Permission.PERMS_ALL)
def api_key_create():
content = request.get_json(force=True)
if content is None:
return bad_request(web_utils.INVALID_JSON)
params, err_response = get_json_params(
content, ["email", "password", "device_name"])
if err_response:
return err_response
email, password, device_name = params
if not email:
return bad_request(web_utils.INVALID_EMAIL)
email = email.lower()
user = User.from_email(db.session, email)
if not user:
time.sleep(5)
return bad_request(web_utils.AUTH_FAILED)
if not flask_security.verify_password(password, user.password):
time.sleep(5)
return bad_request(web_utils.AUTH_FAILED)
api_key = ApiKey(user, device_name)
for name in Permission.PERMS_ALL:
perm = Permission.from_name(db.session, name)
api_key.permissions.append(perm)
db.session.add(api_key)
db.session.commit()
return jsonify(
dict(token=api_key.token,
secret=api_key.secret,
device_name=api_key.device_name,
expiry=api_key.expiry))
def your_keys(request):
if request.method == 'POST':
if 'create_key' in request.POST:
purpose = request.POST.get('purpose', '')
group, created = ApiKeyGroup.objects.get_or_create(
name = 'default'
)
key = ApiKey.create_for_user(request.user, group, purpose)
return HttpResponseRedirect('/api/your-keys/')
# Are they deleting a key?
for k in request.POST.keys():
if k.startswith('delete_'):
key = k.replace('delete_', '')
try:
api_key = ApiKey.objects.get(
key = key,
user = request.user
)
api_key.delete()
except ApiKey.DoesNotExist:
pass
return HttpResponseRedirect('/api/your-keys/')
return render(request, 'api/your_keys.html', {
'keys': request.user.api_keys.select_related('group').order_by(
'created_at'
),
})
def add_key(form):
try:
new_key = ApiKey(developer=current_user,
occupation=form.occupation.data,
application=form.application.data,
usage=html2text(form.usage.data),
api_key=generate_new_key())
except AttributeError:
return abort(400)
db.session.add(new_key)
db.session.commit()
def transfer_tx_callback(api_keys, txn):
txt = json.dumps(txn)
print("transfer_tx_callback: tx %s" % txt)
for api_key in api_keys:
print("sending 'tx' event to room %s" % api_key)
socketio.emit("tx", txt, json=True, room=api_key)
if not TxNotification.exists(db.session, txn["id"]):
print("adding to tx notification table")
api_key = ApiKey.from_token(db.session, api_key)
txnoti = TxNotification(api_key.user, txn["id"])
db.session.add(txnoti)
db.session.commit()
def check_auth(api_key_token, nonce, sig, body):
api_key = ApiKey.from_token(db.session, api_key_token)
if not api_key:
return False, "not found", None
if not api_key.user.active:
return False, "inactive account", None
res, reason = check_hmac_auth(api_key, nonce, sig, body)
if not res:
return False, reason, None
# update api key nonce
db.session.commit()
return True, "", api_key
def create_api_key(request):
if request.method == 'POST':
form = ApiKeyForm(request.POST)
if form.is_valid():
db_api_key = ApiKey()
db_api_key.user = request.user
db_api_key.description = form.cleaned_data['description']
db_api_key.name = form.cleaned_data['name']
db_api_key.url = form.cleaned_data['url']
db_api_key.accepted_tos = form.cleaned_data['accepted_tos']
db_api_key.save()
form = ApiKeyForm()
else:
form = ApiKeyForm()
return render_to_response('api/apply_key.html', {
'user': request.user,
'form': form
},
context_instance=RequestContext(request))
def check_auth(session, api_key_token, nonce, sig, body):
# pylint: disable=import-outside-toplevel
from models import ApiKey
api_key = ApiKey.from_token(session, api_key_token)
if not api_key:
return False, AUTH_FAILED, None
if not api_key.user.active:
return False, AUTH_FAILED, None
res, reason = check_hmac_auth(api_key, nonce, sig, body)
if not res:
return False, reason, None
# update api key nonce
session.commit()
return True, "", api_key
def create_api_key(request):
if request.method == 'POST':
form = ApiKeyForm(request.POST)
if form.is_valid():
db_api_key = ApiKey()
db_api_key.user = request.user
db_api_key.description = form.cleaned_data['description']
db_api_key.name = form.cleaned_data['name']
db_api_key.url = form.cleaned_data['url']
db_api_key.accepted_tos= form.cleaned_data['accepted_tos']
db_api_key.save()
form = ApiKeyForm()
else:
form = ApiKeyForm()
return render_to_response('api/apply_key.html',
{ 'user': request.user, 'form': form },
context_instance=RequestContext(request))
def has_write_access(cls, namespace, apikey):
a = ApiKey.find(namespace, apikey)
if a:
return a.has_write
