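def post(self):
    """Issue a bearer token for the OAuth2 "password" grant.

    Reads ``grant_type``, ``username`` and ``password`` from the form body.
    Responds 400 when the grant type is not ``password``, or when the
    credentials are missing or do not match. One shared message covers both
    an unknown user and a wrong password, so the response text does not say
    which usernames exist. On success returns a JSON body with
    ``access_token``, ``token_type`` and ``expires_in``, marked non-cacheable
    as RFC 6749 §5.1 requires for token responses.
    """
    grant_type = request.form.get('grant_type')
    username = request.form.get('username')
    password = request.form.get('password')

    if grant_type is None or grant_type.lower() != 'password':
        return api_abort(code=400, message='The grant type must be password.')

    # Reject absent credentials up front: an absent username skips the
    # database lookup, and an absent password never reaches
    # ``validate_password`` (its behaviour on None is not visible here).
    # Both cases get the same 400 as a wrong password.
    user = None
    if username is not None and password is not None:
        user = User.query.filter_by(username=username).first()
    if user is None or not user.validate_password(password):
        return api_abort(
            code=400, message='Either the username or password was invalid.')

    token, expiration = generate_token(user)
    response = jsonify({
        'access_token': token,
        'token_type': 'Bearer',
        'expires_in': expiration
    })
    # Token responses must not be stored by clients or intermediaries.
    response.headers['Cache-Control'] = 'no-store'
    response.headers['Pragma'] = 'no-cache'
    return response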
def delete(self, item_id):
    """Delete the item with ``item_id``; only its author may do so.

    Responds 404 (via ``get_or_404``) when the item does not exist and 403
    when the current user is not the author; otherwise removes the row,
    commits, and returns an empty 204 response.
    """
    record = Item.query.get_or_404(item_id)
    if g.current_user != record.author:
        return api_abort(403)
    session = db.session
    session.delete(record)
    session.commit()
    return '', 204
def patch(self, item_id):
    """Flip the ``done`` flag of the item with ``item_id``.

    The request body is ignored: the state is toggled, not set. Responds
    404 (via ``get_or_404``) for an unknown item and 403 when the current
    user is not its author; otherwise commits and returns an empty 204.
    """
    record = Item.query.get_or_404(item_id)
    if g.current_user != record.author:
        return api_abort(403)
    # Toggle relative to the stored value rather than trusting client input.
    new_state = not record.done
    record.done = new_state
    db.session.commit()
    return '', 204
def put(self, item_id):
    """Replace the body of the item with ``item_id``.

    The new body comes from ``get_item_body`` (which reads and checks the
    request payload outside this block). Responds 404 (via ``get_or_404``)
    for an unknown item and 403 when the current user is not its author;
    otherwise commits and returns an empty 204.
    """
    record = Item.query.get_or_404(item_id)
    if g.current_user != record.author:
        return api_abort(403)
    new_body = get_item_body()
    record.body = new_body
    db.session.commit()
    return '', 204
def decorated(*args, **kwargs):
    """Wrapper the auth decorator installs around the view ``f``.

    For every method except OPTIONS the request must carry a bearer token
    that passes ``validate_token``; otherwise the matching error response is
    returned instead of calling ``f``. Checks run in this order: token
    scheme (400), token present (``token_missing``), token valid
    (``invalid_token``). NOTE(review): because the scheme check comes first,
    a request with no token at all presumably gets the 400 "token type"
    error rather than ``token_missing()`` — depends on what ``get_token``
    returns for an absent header; confirm.
    """
    token_type, token = get_token()

    # Flask normally answers OPTIONS itself. When it is configured to forward
    # OPTIONS to the application we must ignore authentication headers and
    # let the request through, to avoid unwanted interactions with CORS.
    if request.method == 'OPTIONS':
        return f(*args, **kwargs)

    scheme_is_bearer = token_type is not None and token_type.lower() == 'bearer'
    if not scheme_is_bearer:
        return api_abort(400, 'The token type must be bearer.')
    if token is None:
        return token_missing()
    if not validate_token(token):
        return invalid_token()
    return f(*args, **kwargs)
def get(self, item_id):
    """Return the item with ``item_id`` serialized by ``item_schema``.

    Responds 404 (via ``get_or_404``) when no such item exists and 403 when
    the current user is not its author. NOTE(review): the existence check
    precedes the ownership check, so the 403/404 distinction tells a caller
    whether an id belongs to someone else; acceptable if item ids are not
    considered sensitive — confirm.
    """
    record = Item.query.get_or_404(item_id)
    if g.current_user != record.author:
        return api_abort(403)
    payload = item_schema(record)
    return jsonify(payload)