def test_bearer_token_valid(self, request): user = M.User.by_username('test-admin') consumer_token = M.OAuthConsumerToken( name='foo', description='foo app', ) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) access_token = M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True, ) ThreadLocalODMSession.flush_all() request.headers = {} request.params = {'access_token': access_token.api_key} request.scheme = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo') assert_equal(r.status_int, 200)
def test_bearer_token_valid_via_headers(self, request): user = M.User.by_username('test-admin') consumer_token = M.OAuthConsumerToken( name='foo', description='foo app', ) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) access_token = M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True, ) ThreadLocalODMSession.flush_all() token = access_token.api_key request.headers = {'Authorization': 'Bearer {}'.format(token)} request.scheme = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo', status=200) # reverse proxy situation request.scheme = 'http' request.environ['paste.testing'] = False request.environ['HTTP_X_FORWARDED_PROTOx'] = 'https' r = self.api_post('/rest/p/test/wiki', access_token='foo', status=200)
def access_token(self, **kw): req = oauth.Request.from_request(request.method, request.url.split('?')[0], headers=request.headers, parameters=dict(request.params), query_string=request.query_string) consumer_token = M.OAuthConsumerToken.query.get( api_key=req['oauth_consumer_key']) request_token = M.OAuthRequestToken.query.get( api_key=req['oauth_token']) if consumer_token is None: log.error('Invalid consumer token') raise exc.HTTPForbidden if request_token is None: log.error('Invalid request token') raise exc.HTTPForbidden pin = req['oauth_verifier'] if pin != request_token.validation_pin: log.error('Invalid verifier') raise exc.HTTPForbidden rtok = request_token.as_token() rtok.set_verifier(pin) consumer = consumer_token.consumer try: self.server.verify_request(req, consumer, rtok) except: log.error('Invalid signature') raise exc.HTTPForbidden acc_token = M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=request_token.user_id, ) return acc_token.to_string()
def token(self, username): if self._use_token: return self._use_token # only create token once, else ming gets dupe key error if username not in self._token_cache: user = M.User.query.get(username=username) consumer_token = M.OAuthConsumerToken( name='test-%s' % str(user._id), description='test-app-%s' % str(user._id), user_id=user._id) request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=user._id, callback='manual', validation_pin=h.nonce(20)) token = M.OAuthAccessToken(consumer_token_id=consumer_token._id, request_token_id=request_token._id, user_id=user._id, is_bearer=True) ming.orm.session(consumer_token).flush() ming.orm.session(request_token).flush() ming.orm.session(token).flush() self._token_cache[username] = token return self._token_cache[username]
def generate_access_token(self, _id): """ Manually generate an OAuth access token for the given consumer. NB: Manually generated access tokens are bearer tokens, which are less secure (since they rely only on the token, which is transmitted with each request, unlike the access token secret). """ consumer_token = M.OAuthConsumerToken.query.get(_id=bson.ObjectId(_id)) if consumer_token is None: flash('Invalid app ID', 'error') redirect('.') if consumer_token.user_id != c.user._id: flash('Invalid app ID', 'error') redirect('.') request_token = M.OAuthRequestToken( consumer_token_id=consumer_token._id, user_id=c.user._id, callback='manual', validation_pin=h.nonce(20), is_bearer=True, ) M.OAuthAccessToken( consumer_token_id=consumer_token._id, request_token_id=c.user._id, user_id=request_token.user_id, is_bearer=True, ) redirect('.')