예제 #1
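def index():
    """Render the developer dashboard and handle the publish toggle.

    A GET lists the clients whose ``user_id`` is the current user's id. A POST
    whose ``form-name`` is ``switch-client-publish`` flips ``published`` on the
    client named by ``client-id``, provided that client belongs to the current
    user. Every POST ends with a redirect back to this page.
    """
    if request.method == "POST":
        if request.form.get("form-name") == "switch-client-publish":
            # NOTE(review): no CSRF token check is visible in this handler;
            # confirm this state-changing POST is protected elsewhere.

            # "client-id" is request data. A missing or non-numeric value used
            # to escape as an unhandled TypeError/ValueError; it is now treated
            # like any other client the caller may not modify.
            try:
                client_id = int(request.form.get("client-id"))
            except (TypeError, ValueError):
                client = None
            else:
                # assumes Client.get returns None for an unknown id -- confirm
                client = Client.get(client_id)

            # Unknown and foreign clients get the same refusal, so the message
            # does not tell the caller which ids exist. Without the first test
            # an unknown id failed on the attribute access below.
            if not client or client.user_id != current_user.id:
                flash("You cannot modify this client", "warning")
            else:
                client.published = not client.published
                db.session.commit()
                LOG.d("Switch client.published %s", client)

                if client.published:
                    flash(
                        f"Client {client.name} has been published on Discover",
                        "success",
                    )
                else:
                    flash(f"Client {client.name} has been un-published", "success")

        return redirect(url_for("developer.index"))

    # Scoped to the current user: other users' clients are never listed.
    clients = Client.filter_by(user_id=current_user.id).all()

    return render_template("developer/index.html", clients=clients)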
예제 #2
def client_detail_oauth_setting(client_id):
    """Show and update the redirect URIs registered for one client.

    Callers who do not own the client, or who name a client that does not
    exist, are sent back to the developer index with a warning. A valid form
    submission replaces every stored redirect URI of the client with the
    ``uri`` values posted in the request.
    """
    form = OAuthSettingForm()
    client = Client.get(client_id)

    # Existence and ownership are settled before anything is modified.
    if not client:
        flash("no such app", "warning")
        return redirect(url_for("developer.index"))

    if client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    # Nothing submitted (or validation failed): just show the current settings.
    if not form.validate_on_submit():
        return render_template(
            "developer/client_details/oauth_setting.html", form=form, client=client
        )

    submitted_uris = request.form.getlist("uri")

    # NOTE(review): the posted values are stored exactly as received; no scheme
    # or format check is visible here. Confirm that the form or RedirectUri
    # validates them -- presumably these rows are the allow-list the
    # authorization flow compares against.

    # Replace-all strategy: drop every existing row, then insert the new set.
    # TODO: optimize this?
    for existing in client.redirect_uris:
        RedirectUri.delete(existing.id)

    for new_uri in submitted_uris:
        RedirectUri.create(client_id=client_id, uri=new_uri)

    db.session.commit()

    flash(f"{client.name} has been updated", "success")

    return redirect(
        url_for("developer.client_detail_oauth_setting", client_id=client.id)
    )
예제 #3
파일: auth.py 프로젝트: ogonbat/click2call
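    def get(self):
        """Validate an authorization request and forward it to the login page.

        Requires the ``client_id``, ``response_type``, ``redirect_uri`` and
        ``scope`` arguments. Raises HTTP 400 when ``response_type`` is neither
        "token" nor "code", and HTTP 403 when the client lookup raises
        ObjectDoesNotExist or when ``redirect_uri`` differs from the value
        stored for the client.
        """
        client_id = self.get_argument("client_id")
        response_type = self.get_argument("response_type")
        redirect_uri = self.get_argument("redirect_uri")
        scope = self.get_argument("scope")

        # Only these two response types are handled. Any other value used to
        # fall through and end the request with an empty successful response;
        # it is now rejected as a malformed request.
        if response_type not in ("token", "code"):
            raise tornado.web.HTTPError(400, "unsupported response_type")

        try:
            client_check = Client()
            exist = client_check.get(client_id=client_id)
            # Exact string comparison against the stored URI: no prefix or
            # pattern matching is applied.
            if exist['redirect_uri'] != redirect_uri:
                raise tornado.web.HTTPError(403, "redirect uri problem")
        except ObjectDoesNotExist:
            raise tornado.web.HTTPError(403)

        # Every value is percent-encoded before it is placed in the login URL,
        # so a request value containing "&" or "=" cannot add or override a
        # parameter that was checked above. Previously only redirect_uri was
        # encoded. url_escape also UTF-8 encodes non-ASCII input.
        login_url = "/auth/login?client_id=%s&response_type=%s&redirect_uri=%s&scope=%s" % tuple(
            tornado.escape.url_escape(value)
            for value in (client_id, response_type, redirect_uri, scope)
        )
        self.redirect(login_url)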
예제 #4
파일: grant.py 프로젝트: ogonbat/click2call
    def post(self):
        """Record the user's decision to authorize a Client Application.

        The form posts a ``grant`` argument. Only the value "true" is acted
        on: the client is looked up, its stored redirect URI is compared with
        the one in the request, and the grant for the current user is updated
        or created. Any other value leaves the stored grants untouched.
        Raises HTTP 403 when the client lookup raises ObjectDoesNotExist or
        the redirect URI does not match.
        """
        grant = self.get_argument("grant")
        client_id = self.get_argument("client_id")
        # response_type and scope are not used below; they are still read with
        # get_argument, which has no default here, so they remain required.
        response_type = self.get_argument("response_type")
        redirect_uri = self.get_argument("redirect_uri")
        scope = self.get_argument("scope")

        # Anything other than an explicit "true" ends the request here.
        if grant != "true":
            return

        # NOTE(review): no authentication or XSRF check is visible in this
        # method; confirm both are enforced before a grant can be recorded.
        try:
            registered = Client().get(client_id=client_id)
            # Exact comparison with the redirect URI stored for the client.
            if registered['redirect_uri'] != redirect_uri:
                raise tornado.web.HTTPError(403,"redirect uri problem")
        except ObjectDoesNotExist:
            raise tornado.web.HTTPError(403,"the client id not correspond to any Client")

        grants = Grant()
        try:
            # An existing authorization is refreshed ...
            grants.is_already_authorized(client_id,self.get_current_user())
            grants.update(client_id,self.get_current_user())
        except ObjectDoesNotExist:
            # ... and a missing one is created.
            grants.add(client_id,self.get_current_user())
예제 #5
def client_detail_oauth_endpoint(client_id):
    """Render the OAuth endpoint page of a client owned by the current user.

    A client id that resolves to nothing, or to a client owned by someone
    else, produces a warning and a redirect to the developer index.
    """
    client = Client.get(client_id)

    # Decide first whether access is refused, and with which message.
    # NOTE(review): the two messages differ, so a logged-in user can tell an
    # unknown client id from one that belongs to another account.
    if not client:
        refusal = "no such app"
    elif client.user_id != current_user.id:
        refusal = "you cannot see this app"
    else:
        refusal = None

    if refusal is not None:
        flash(refusal, "warning")
        return redirect(url_for("developer.index"))

    return render_template(
        "developer/client_details/oauth_endpoint.html", client=client
    )
예제 #6
파일: grant.py 프로젝트: ogonbat/click2call
 def get(self):
     """Check the request that leads to the accept-or-deny form.

     The client is looked up and its stored redirect URI is compared with the
     one in the request; HTTP 403 is raised when the lookup raises
     ObjectDoesNotExist or the URIs differ. No form is rendered by this code.
     """
     client_id = self.get_argument("client_id")
     # response_type and scope are read but not used in the lines below.
     response_type = self.get_argument("response_type")
     redirect_uri = self.get_argument("redirect_uri")
     scope = self.get_argument("scope")
     try:
         registered = Client().get(client_id=client_id)
         # Exact comparison with the redirect URI stored for the client.
         if registered['redirect_uri'] != redirect_uri:
             raise tornado.web.HTTPError(403,"redirect uri problem")
     except ObjectDoesNotExist:
         raise tornado.web.HTTPError(403,"the client id not correspond to any Client")
예제 #7
def client_detail(client_id):
    """Show and update the basic information of a client.

    Only the owner of the client gets past the checks at the top; everyone
    else is redirected to the developer index with a warning. A valid
    submission updates the name and home URL and, when an icon was uploaded,
    stores it and links it to the client.
    """
    form = EditClientForm()

    is_new = "is_new" in request.args

    client = Client.get(client_id)

    # Decide first whether access is refused, and with which message.
    if not client:
        refusal = "no such client"
    elif client.user_id != current_user.id:
        refusal = "you cannot see this app"
    else:
        refusal = None

    if refusal is not None:
        flash(refusal, "warning")
        return redirect(url_for("developer.index"))

    # Nothing submitted (or validation failed): render the page as is.
    if not form.validate_on_submit():
        return render_template(
            "developer/client_details/basic_info.html",
            form=form,
            client=client,
            is_new=is_new,
        )

    client.name = form.name.data
    client.home_url = form.home_url.data

    if form.icon.data:
        # todo: remove current icon if any
        # todo: handle remove icon
        # The storage path comes from random_string(30), not from the name of
        # the uploaded file.
        # NOTE(review): no size or content-type check on the upload is visible
        # here; confirm EditClientForm enforces one.
        storage_key = random_string(30)
        icon_file = File.create(path=storage_key)

        s3.upload_from_bytesio(storage_key, BytesIO(form.icon.data.read()))

        db.session.flush()
        LOG.d("upload file %s to s3", icon_file)

        client.icon_id = icon_file.id
        db.session.flush()

    db.session.commit()

    flash(f"{client.name} has been updated", "success")

    return redirect(url_for("developer.client_detail", client_id=client.id))
예제 #8
파일: token.py 프로젝트: ogonbat/click2call
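    def get(self):
        """Exchange an authorization code for an access token.

        Requires the ``code``, ``client_id``, ``client_secret``,
        ``redirect_uri`` and ``grant_type`` arguments. When the redirect URI
        matches the one stored for the client, the token returned by
        ``authenticate`` is appended to ``redirect_uri`` as ``access_token``,
        together with ``expires_in`` (fixed at 3600) and ``token_type=Bearer``,
        and the request is redirected there. Raises HTTP 403 when the client
        lookup raises ObjectDoesNotExist or the redirect URI does not match.
        """
        code = self.get_argument("code")
        client_id = self.get_argument("client_id")
        client_secret = self.get_argument("client_secret")
        redirect_uri = self.get_argument("redirect_uri")
        # NOTE(review): grant_type is required but never compared with an
        # expected value in this method.
        grant_type = self.get_argument("grant_type")

        # NOTE(review): the client secret arrives in, and the access token
        # leaves in, a URL query string. Query strings tend to be kept in
        # access logs, browser history and Referer headers; consider a POST
        # endpoint that returns the token in the response body.
        try:
            client_check = Client()
            exist = client_check.get(client_id=client_id)
            # Exact comparison with the redirect URI stored for the client.
            if exist["redirect_uri"] != redirect_uri:
                raise tornado.web.HTTPError(403, "redirect uri problem")

            # NOTE(review): the result is used without a visible failure
            # check; presumably authenticate() raises on a bad secret or code.
            token_result = client_check.authenticate(client_id, client_secret, code)

            # Only the fixed suffix is a format string. The original formatted
            # redirect_uri together with the suffix, so a "%" inside the URI
            # (for example a percent-encoded character) was read as a format
            # directive and the request failed.
            token_query = "access_token=%s&expires_in=%s&token_type=Bearer" % (
                token_result["token"],
                3600,
            )
            # A redirect URI that already has a query string is extended with
            # "&" rather than a second "?".
            separator = "&" if "?" in redirect_uri else "?"
            self.redirect(redirect_uri + separator + token_query)
        except ObjectDoesNotExist:
            raise tornado.web.HTTPError(403)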
예제 #9
def client_detail_advanced(client_id):
    """Show the advanced settings page of a client and handle its deletion.

    Only the owner of the client gets past the checks at the top. A valid
    submission of the form deletes the client and returns to the developer
    index.
    """
    form = AdvancedForm()
    client = Client.get(client_id)

    # Existence and ownership are settled before the destructive branch.
    if not client:
        flash("no such app", "warning")
        return redirect(url_for("developer.index"))

    if client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    # Nothing submitted (or validation failed): render the page.
    if not form.validate_on_submit():
        return render_template(
            "developer/client_details/advanced.html", form=form, client=client
        )

    # The name is read before the delete so that the confirmation message does
    # not depend on the row once it is gone.
    deleted_name = client.name
    Client.delete(client.id)
    db.session.commit()
    # NOTE(review): the deleted object itself is passed to the logger after
    # the commit; confirm that formatting it does not need the removed row.
    LOG.d("Remove client %s", client)
    flash(f"{deleted_name} has been deleted", "success")

    return redirect(url_for("developer.index"))
예제 #10
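def client_detail(client_id):
    """Show a client's basic information and handle edit and approval requests.

    Callers who do not own the client, or who name a client that does not
    exist, are redirected to the developer index with the same warning. The
    ``action`` query argument selects the form that is processed: "edit"
    updates the name and optional icon, "submit" stores the description and
    e-mails the approval request to ADMIN_EMAIL.
    """
    # Imported locally so that this function does not depend on a change to
    # the module's import block.
    from html import escape

    form = EditClientForm()
    approval_form = ApprovalClientForm()

    is_new = "is_new" in request.args
    action = request.args.get("action")

    client = Client.get(client_id)
    # One message for both cases, so the response does not reveal whether the
    # id exists.
    if not client or client.user_id != current_user.id:
        flash("you cannot see this app", "warning")
        return redirect(url_for("developer.index"))

    # can't set value for a textarea field in jinja
    if request.method == "GET":
        approval_form.description.data = client.description

    if action == "edit" and form.validate_on_submit():
        client.name = form.name.data

        if form.icon.data:
            # todo: remove current icon if any
            # todo: handle remove icon
            # The storage path comes from random_string(30), not from the name
            # of the uploaded file.
            # NOTE(review): no size or content-type check on the upload is
            # visible here; confirm EditClientForm enforces one.
            file_path = random_string(30)
            file = File.create(path=file_path, user_id=client.user_id)

            s3.upload_from_bytesio(file_path, BytesIO(form.icon.data.read()))

            db.session.flush()
            LOG.d("upload file %s to s3", file)

            client.icon_id = file.id
            db.session.flush()

        db.session.commit()

        flash(f"{client.name} has been updated", "success")

        return redirect(url_for("developer.client_detail", client_id=client.id))

    if action == "submit" and approval_form.validate_on_submit():
        client.description = approval_form.description.data
        db.session.commit()

        # The name, e-mail address and description are user-controlled text
        # placed in an HTML body that an administrator opens. They are escaped
        # so that markup in them is shown as text instead of being rendered.
        # str() keeps the previous rendering of non-string values such as None.
        # NOTE(review): client.name also goes into the subject; confirm that
        # send_email rejects line breaks in header values.
        send_email(
            ADMIN_EMAIL,
            subject=f"{client.name} {client.id} submits for approval",
            plaintext="",
            html=f"""
            name: {escape(str(client.name))} <br>
            created: {client.created_at} <br>
            user: {escape(str(current_user.email))} <br>
            <br>
            {escape(str(client.description))}
            """,
        )

        flash(
            "Thanks for submitting, we are informed and will come back to you asap!",
            "success",
        )

        return redirect(url_for("developer.client_detail", client_id=client.id))

    return render_template(
        "developer/client_details/basic_info.html",
        form=form,
        approval_form=approval_form,
        client=client,
        is_new=is_new,
    )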