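def index():
    """Developer dashboard: list the current user's OAuth clients.

    A POST whose ``form-name`` is ``switch-client-publish`` toggles
    ``Client.published`` for the client named in ``client-id``, after checking
    that the client belongs to ``current_user``; that POST always ends in a
    redirect to this page. Any other request renders the client list.

    NOTE(review): this POST is not routed through a FlaskForm, so CSRF is only
    enforced if CSRFProtect is enabled app-wide — confirm.
    """
    if request.method == "POST":
        if request.form.get("form-name") == "switch-client-publish":
            # client-id is untrusted form input: a missing or non-numeric value
            # used to raise TypeError/ValueError (→ 500); reject it cleanly.
            try:
                client_id = int(request.form.get("client-id", ""))
            except (TypeError, ValueError):
                flash("You cannot modify this client", "warning")
                return redirect(url_for("developer.index"))

            client = Client.get(client_id)
            # Ownership check. An unknown id used to crash on ``client.user_id``;
            # unknown and foreign ids now get the same answer, so this form does
            # not reveal which ids exist.
            if not client or client.user_id != current_user.id:
                flash("You cannot modify this client", "warning")
            else:
                client.published = not client.published
                db.session.commit()
                LOG.d("Switch client.published %s", client)

                if client.published:
                    flash(
                        f"Client {client.name} has been published on Discover",
                        "success",
                    )
                else:
                    flash(f"Client {client.name} has been un-published", "success")

            return redirect(url_for("developer.index"))

    clients = Client.filter_by(user_id=current_user.id).all()
    return render_template("developer/index.html", clients=clients)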
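def client_detail_oauth_setting(client_id):
    """OAuth settings page: replace a client's registered redirect URIs.

    Only the owning user may view or edit the client. On a valid POST every
    existing RedirectUri row is deleted and one row is created per submitted
    ``uri`` field; the whole replacement is committed at once.

    Submitted URIs are validated before anything is written, because the
    authorization flow relies on an exact string match against these values:
    blank entries are dropped, surrounding whitespace is stripped, and an entry
    must be an absolute URI (have a scheme) without a fragment (RFC 6749
    §3.1.2). Invalid input leaves the stored URIs untouched.
    """
    from urllib.parse import urlsplit  # stdlib; the file's import block is not in view here

    form = OAuthSettingForm()
    client = Client.get(client_id)
    if not client:
        flash("no such app", "warning")
        return redirect(url_for("developer.index"))

    if client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    if form.validate_on_submit():
        uris = [u.strip() for u in request.form.getlist("uri")]
        uris = [u for u in uris if u]

        for uri in uris:
            parts = urlsplit(uri)
            if not parts.scheme or parts.fragment:
                # Do not echo the value back: keep the flash free of user input.
                flash(
                    "Redirect URIs must be absolute (include a scheme) and must not contain a fragment",
                    "warning",
                )
                return redirect(
                    url_for("developer.client_detail_oauth_setting", client_id=client.id)
                )

        # replace all uris. TODO: optimize this?
        # Deletes and creates share one session, so a failure before commit
        # rolls the whole replacement back together.
        for redirect_uri in client.redirect_uris:
            RedirectUri.delete(redirect_uri.id)

        for uri in uris:
            RedirectUri.create(client_id=client_id, uri=uri)

        db.session.commit()

        flash(f"{client.name} has been updated", "success")

        return redirect(
            url_for("developer.client_detail_oauth_setting", client_id=client.id)
        )

    return render_template(
        "developer/client_details/oauth_setting.html", form=form, client=client
    )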
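def get(self):
    """Authorization endpoint: validate the client and hand off to the login page.

    Required query arguments (Tornado answers 400 when one is missing):
    client_id, response_type, redirect_uri, scope.

    Only the implicit ("token") and authorization-code ("code") flows are
    served; any other response_type is rejected with 400. An unknown client_id
    or a redirect_uri that does not exactly equal the one registered for the
    client is rejected with 403. On success the browser is redirected to
    /auth/login carrying the same four parameters.
    """
    client_id = self.get_argument("client_id")
    response_type = self.get_argument("response_type")
    redirect_uri = self.get_argument("redirect_uri")
    scope = self.get_argument("scope")

    # Previously an unsupported response_type just returned without writing a
    # response; the docstring promises 400 for bad parameters, so do that.
    if response_type not in ("token", "code"):
        raise tornado.web.HTTPError(400, "unsupported response_type")

    try:
        client_check = Client()
        exist = client_check.get(client_id=client_id)
    except ObjectDoesNotExist:
        raise tornado.web.HTTPError(403)

    # Exact string match against the registered redirect_uri. This is the
    # open-redirect guard for the whole flow, so no prefix or normalised
    # comparison is done here on purpose.
    if exist['redirect_uri'] != redirect_uri:
        raise tornado.web.HTTPError(403, "redirect uri problem")

    # urlencode every parameter (the original only quoted redirect_uri), so a
    # '&' or '#' inside client_id/scope/response_type cannot smuggle extra
    # parameters into the login URL. Same quote_plus encoding as before.
    query = urllib.urlencode({
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": scope,
    })
    self.redirect("/auth/login?" + query)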
def post(self):
    """Record the user's consent decision for a client application.

    The consent form POSTs ``grant`` ("true" to authorize, "false" to deny)
    together with client_id, response_type, redirect_uri and scope (all
    required; Tornado answers 400 when one is missing). On "true" the client
    is looked up, its registered redirect_uri must exactly equal the submitted
    one (403 otherwise), and a Grant linking client and current user is
    refreshed or created.

    NOTE(review): nothing in this method writes a response or redirects back
    to redirect_uri, and the deny branch (grant != "true") does nothing at
    all — confirm whether the response is produced elsewhere (base class or a
    continuation not visible here).
    NOTE(review): no XSRF check is visible although this POST changes
    authorization state; confirm ``xsrf_cookies`` is enabled on the
    Application.
    NOTE(review): ``get_current_user()`` may be None for an anonymous
    request; confirm the handler is guarded by ``@tornado.web.authenticated``.
    """
    grant = self.get_argument("grant")
    client_id = self.get_argument("client_id")
    response_type = self.get_argument("response_type")
    redirect_uri = self.get_argument("redirect_uri")
    scope = self.get_argument("scope")
    # the client send correct paramenters, we need to check if the client id exist and we
    # create the relation between the user-agent and the client
    if grant == "true":
        try:
            #check if the client exist
            client = Client()
            exist = client.get(client_id=client_id)
            # Exact-match guard against redirecting to an unregistered URI.
            # The HTTPError raised here is not an ObjectDoesNotExist, so it
            # propagates past the except below unchanged.
            if exist['redirect_uri'] != redirect_uri:
                #have an error, return a 403
                raise tornado.web.HTTPError(403,"redirect uri problem")
        except ObjectDoesNotExist, e:
            raise tornado.web.HTTPError(403,"the client id not correspond to any Client")
        grant = Grant()
        try:
            #we accept the grant for the user
            # Presumably is_already_authorized raises ObjectDoesNotExist when no
            # grant exists yet, which routes to the add() below — TODO confirm.
            grant.is_already_authorized(client_id,self.get_current_user())
            grant.update(client_id,self.get_current_user())
        except ObjectDoesNotExist, e:
            grant.add(client_id,self.get_current_user())
def client_detail_oauth_endpoint(client_id):
    """Render the OAuth endpoint page for one of the current user's clients.

    An unknown id and a client owned by another user both bounce back to the
    developer index with a warning flash; only the owner gets the page.
    """
    app = Client.get(client_id)
    if not app:
        flash("no such app", "warning")
        return redirect(url_for("developer.index"))

    owned_by_caller = app.user_id == current_user.id
    if not owned_by_caller:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    return render_template(
        "developer/client_details/oauth_endpoint.html", client=app
    )
def get(self):
    """Consent step: verify the client before the accept/deny form.

    client_id, response_type, redirect_uri and scope are all required
    (Tornado's get_argument answers 400 for a missing one, which is why
    response_type and scope are read even though they are not used here).
    An unknown client_id, or a redirect_uri that does not exactly equal the
    registered one, is rejected with 403. In this test handler the form
    itself is not rendered.
    """
    client_id = self.get_argument("client_id")
    response_type = self.get_argument("response_type")
    redirect_uri = self.get_argument("redirect_uri")
    scope = self.get_argument("scope")

    try:
        registered = Client().get(client_id=client_id)
        # Exact-match guard: the submitted redirect_uri must be the registered one.
        if registered['redirect_uri'] != redirect_uri:
            raise tornado.web.HTTPError(403, "redirect uri problem")
    except ObjectDoesNotExist:
        raise tornado.web.HTTPError(403, "the client id not correspond to any Client")
def client_detail(client_id):
    """Basic-info page for one client: edit its name, home URL and icon.

    GET renders the form; a valid POST stores the fields, uploads a new icon
    to S3 when one was provided, and redirects back to this page. ``is_new``
    only tells the template that the client was just created. Unknown ids and
    clients owned by another user redirect to the developer index.
    """
    form = EditClientForm()
    is_new = "is_new" in request.args

    client = Client.get(client_id)
    if not client:
        flash("no such client", "warning")
        return redirect(url_for("developer.index"))

    if client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    if not form.validate_on_submit():
        return render_template(
            "developer/client_details/basic_info.html",
            form=form,
            client=client,
            is_new=is_new,
        )

    client.name = form.name.data
    client.home_url = form.home_url.data

    icon_upload = form.icon.data
    if icon_upload:
        # todo: remove current icon if any
        # todo: handle remove icon
        # The object is stored under a random key, never the uploaded filename.
        # NOTE(review): no content-type or size check on the upload is visible
        # here — confirm EditClientForm.icon enforces one.
        object_key = random_string(30)
        stored_file = File.create(path=object_key)
        s3.upload_from_bytesio(object_key, BytesIO(icon_upload.read()))
        db.session.flush()
        LOG.d("upload file %s to s3", stored_file)

        client.icon_id = stored_file.id
        db.session.flush()

    db.session.commit()
    flash(f"{client.name} has been updated", "success")
    return redirect(url_for("developer.client_detail", client_id=client.id))
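def get(self):
    """Token endpoint: exchange an authorization code for an access token.

    Required query arguments (Tornado answers 400 when one is missing):
    code, client_id, client_secret, redirect_uri, grant_type. grant_type must
    be ``authorization_code`` (400 otherwise). An unknown client, a
    redirect_uri that does not exactly equal the registered one, or a failed
    client/code authentication is answered with 403.

    On success the browser is redirected to redirect_uri with access_token,
    expires_in and token_type appended to its query string.

    NOTE(review): this endpoint takes client_secret and code over GET, so both
    land in access logs and Referer headers, and it delivers the token by
    redirect instead of a JSON body (RFC 6749 §5.1). Both are kept as-is
    because existing clients depend on them — worth changing to POST + JSON.
    """
    code = self.get_argument("code")
    client_id = self.get_argument("client_id")
    client_secret = self.get_argument("client_secret")
    redirect_uri = self.get_argument("redirect_uri")
    grant_type = self.get_argument("grant_type")

    # grant_type was read but never checked; the code exchange is always
    # grant_type=authorization_code (RFC 6749 §4.1.3).
    if grant_type != "authorization_code":
        raise tornado.web.HTTPError(400, "unsupported grant_type")

    try:
        client_check = Client()
        exist = client_check.get(client_id=client_id)
    except ObjectDoesNotExist:
        raise tornado.web.HTTPError(403)

    # Exact match against the registered redirect_uri (open-redirect guard).
    if exist["redirect_uri"] != redirect_uri:
        raise tornado.web.HTTPError(403, "redirect uri problem")

    try:
        token_result = client_check.authenticate(client_id, client_secret, code)
    except ObjectDoesNotExist:
        raise tornado.web.HTTPError(403)

    # urlencode the token (the original interpolated it raw) and append with
    # '&' when the registered URI already carries a query string, so the
    # result is a well-formed URL for any registered redirect_uri.
    query = urllib.urlencode({
        "access_token": token_result["token"],
        "expires_in": 3600,
        "token_type": "Bearer",
    })
    separator = "&" if "?" in redirect_uri else "?"
    self.redirect(redirect_uri + separator + query)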
def client_detail_advanced(client_id):
    """Advanced settings page for a client; a valid POST deletes the client.

    Only the owner may reach this page. The deletion is irreversible and is
    committed immediately, then the user is sent back to the developer index.
    """
    form = AdvancedForm()

    client = Client.get(client_id)
    if not client:
        flash("no such app", "warning")
        return redirect(url_for("developer.index"))

    if client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    if not form.validate_on_submit():
        return render_template(
            "developer/client_details/advanced.html", form=form, client=client
        )

    # Capture the name first: the row is gone once the delete is committed.
    deleted_name = client.name
    Client.delete(client.id)
    db.session.commit()
    LOG.d("Remove client %s", client)

    flash(f"{deleted_name} has been deleted", "success")
    return redirect(url_for("developer.index"))
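def client_detail(client_id):
    """Basic-info page for one of the current user's clients.

    ``?action=edit`` with a valid EditClientForm updates the name and,
    optionally, uploads a new icon to S3. ``?action=submit`` with a valid
    ApprovalClientForm stores the description and emails ADMIN_EMAIL an
    approval request. Either POST redirects back here; anything else renders
    the page. Unknown ids and clients owned by another user redirect to the
    developer index.
    """
    from html import escape  # stdlib; the file's import block is not in view here

    def h(value):
        # HTML-escape a user-controlled value for the admin email; None → "".
        return escape("" if value is None else str(value))

    form = EditClientForm()
    approval_form = ApprovalClientForm()
    is_new = "is_new" in request.args
    action = request.args.get("action")

    client = Client.get(client_id)
    # Ownership check; unknown and foreign ids get the same answer.
    if not client or client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    # can't set value for a textarea field in jinja
    if request.method == "GET":
        approval_form.description.data = client.description

    if action == "edit" and form.validate_on_submit():
        client.name = form.name.data

        if form.icon.data:
            # todo: remove current icon if any
            # todo: handle remove icon
            # Stored under a random key, never the uploaded filename.
            # NOTE(review): no content-type or size check on the upload is
            # visible here — confirm EditClientForm.icon enforces one.
            file_path = random_string(30)
            file = File.create(path=file_path, user_id=client.user_id)

            s3.upload_from_bytesio(file_path, BytesIO(form.icon.data.read()))

            db.session.flush()
            LOG.d("upload file %s to s3", file)

            client.icon_id = file.id
            db.session.flush()

        db.session.commit()
        flash(f"{client.name} has been updated", "success")
        return redirect(url_for("developer.client_detail", client_id=client.id))

    if action == "submit" and approval_form.validate_on_submit():
        client.description = approval_form.description.data
        db.session.commit()

        # name, email and description are user-controlled and were interpolated
        # raw into an HTML email read by an admin: escape them so markup in a
        # description cannot render in the admin's mail client. CR/LF are
        # stripped from the subject so a crafted name cannot inject extra mail
        # headers (in case send_email does not already reject them).
        subject = f"{client.name} {client.id} submits for approval"
        subject = subject.replace("\r", " ").replace("\n", " ")

        send_email(
            ADMIN_EMAIL,
            subject=subject,
            plaintext="",
            html=f"""
            name: {h(client.name)} <br>
            created: {h(client.created_at)} <br>
            user: {h(current_user.email)} <br>
            <br>
            {h(client.description)}
            """,
        )

        flash(
            "Thanks for submitting, we are informed and will come back to you asap!",
            "success",
        )
        return redirect(url_for("developer.client_detail", client_id=client.id))

    return render_template(
        "developer/client_details/basic_info.html",
        form=form,
        approval_form=approval_form,
        client=client,
        is_new=is_new,
    )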