class OAuth2AccessController(MinimalController):
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
auth_scheme, auth_token = require_split(auth, 2)
require(auth_scheme.lower() == "basic")
try:
auth_data = base64.b64decode(auth_token)
except TypeError:
raise RequirementException
client_id, client_secret = require_split(auth_data, 2, ":")
client = OAuth2Client.get_token(client_id)
require(client)
require(client.secret == client_secret)
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(grant_type=VOneOf("grant_type", ("authorization_code", )),
code=VRequired("code", errors.NO_TEXT),
redirect_uri=VUrl("redirect_uri", allow_self=False,
lookup=False))
def POST_access_token(self, grant_type, code, redirect_uri):
resp = {}
if not c.errors:
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
access_token = OAuth2AccessToken._new(auth_token.user_id,
auth_token.scope)
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = access_token._ttl
resp["scope"] = auth_token.scope
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
class MeetupsController(RedditController):
def response_func(self, **kw):
return self.sendstring(json.dumps(kw))
@validate(VUser(),
VCreateMeetup(),
title=ValueOrBlank('title'),
description=ValueOrBlank('description'),
location=ValueOrBlank('location'),
latitude=ValueOrBlank('latitude'),
longitude=ValueOrBlank('longitude'),
timestamp=ValueOrBlank('timestamp'),
tzoffset=ValueOrBlank('tzoffset'))
def GET_new(self, *a, **kw):
return BoringPage(pagename='New Meetup',
content=NewMeetup(*a, **kw)).render()
@Json
@validate(VUser(),
VCreateMeetup(),
VModhash(),
ip=ValidIP(),
title=VRequired('title', errors.NO_TITLE),
description=VRequired('description', errors.NO_DESCRIPTION),
location=VRequired('location', errors.NO_LOCATION),
latitude=VFloat('latitude', error=errors.NO_LOCATION),
longitude=VFloat('longitude', error=errors.NO_LOCATION),
timestamp=VTimestamp('timestamp'),
tzoffset=VFloat('tzoffset', error=errors.INVALID_DATE))
def POST_create(self, res, title, description, location, latitude,
longitude, timestamp, tzoffset, ip):
if res._chk_error(errors.NO_TITLE):
res._chk_error(errors.TITLE_TOO_LONG)
res._focus('title')
res._chk_errors((errors.NO_LOCATION, errors.NO_DESCRIPTION,
errors.INVALID_DATE, errors.NO_DATE))
if res.error: return
meetup = Meetup(author_id=c.user._id,
title=title,
description=description,
location=location,
latitude=latitude,
longitude=longitude,
timestamp=timestamp,
tzoffset=tzoffset)
# Expire all meetups in the render cache
g.rendercache.invalidate_key_group(Meetup.group_cache_key())
meetup._commit()
l = Link._submit(meetup_article_title(meetup),
meetup_article_text(meetup), 'self', c.user,
Subreddit._by_name('meetups'), ip, [])
l.meetup = meetup._id36
l._commit()
meetup.assoc_link = l._id
meetup._commit()
when = datetime.now(g.tz) + timedelta(
0,
3600) # Leave a short window of time before notification, in case
# the meetup is edited/deleted soon after its creation
PendingJob.store(when, 'process_new_meetup', {'meetup_id': meetup._id})
#update the queries
if g.write_query_queue:
queries.new_link(l)
res._redirect(url_for(action='show', id=meetup._id36))
@Json
@validate(VUser(),
VModhash(),
meetup=VEditMeetup('id'),
title=VRequired('title', errors.NO_TITLE),
description=VRequired('description', errors.NO_DESCRIPTION),
location=VRequired('location', errors.NO_LOCATION),
latitude=VFloat('latitude', error=errors.NO_LOCATION),
longitude=VFloat('longitude', error=errors.NO_LOCATION),
timestamp=VTimestamp('timestamp'),
tzoffset=VFloat('tzoffset', error=errors.INVALID_DATE))
def POST_update(self, res, meetup, title, description, location, latitude,
longitude, timestamp, tzoffset):
if res._chk_error(errors.NO_TITLE):
res._chk_error(errors.TITLE_TOO_LONG)
res._focus('title')
res._chk_errors((errors.NO_LOCATION, errors.NO_DESCRIPTION,
errors.INVALID_DATE, errors.NO_DATE))
if res.error: return
meetup.title = title
meetup.description = description
meetup.location = location
meetup.latitude = latitude
meetup.longitude = longitude
meetup.timestamp = timestamp
meetup.tzoffset = tzoffset
# Expire all meetups in the render cache
g.rendercache.invalidate_key_group(Meetup.group_cache_key())
meetup._commit()
# Update the linked article
article = Link._byID(meetup.assoc_link)
article._load()
article_old_url = article.url
article.title = meetup_article_title(meetup)
article.article = meetup_article_text(meetup)
article._commit()
article.update_url_cache(article_old_url)
res._redirect(url_for(action='show', id=meetup._id36))
@validate(VUser(), meetup=VEditMeetup('id'))
def GET_edit(self, meetup):
return BoringPage(pagename='Edit Meetup',
content=EditMeetup(
meetup,
title=meetup.title,
description=meetup.description,
location=meetup.location,
latitude=meetup.latitude,
longitude=meetup.longitude,
timestamp=int(meetup.timestamp * 1000),
tzoffset=meetup.tzoffset)).render()
# Show a meetup. Most of this code was coped from GET_comments in front.py
@validate(meetup=VMeetup('id'),
sort=VMenu('controller', CommentSortMenu),
num_comments=VMenu('controller', NumCommentsMenu))
def GET_show(self, meetup, sort, num_comments):
article = Link._byID(meetup.assoc_link)
# figure out number to show based on the menu
user_num = c.user.pref_num_comments or g.num_comments
num = g.max_comments if num_comments == 'true' else user_num
builder = CommentBuilder(article, CommentSortMenu.operator(sort), None,
None)
listing = NestedListing(builder,
num=num,
parent_name=article._fullname)
displayPane = PaneStack()
# insert reply box only for logged in user
if c.user_is_loggedin:
displayPane.append(CommentReplyBox())
displayPane.append(CommentReplyBox(link_name=article._fullname))
# finally add the comment listing
displayPane.append(listing.listing())
sort_menu = CommentSortMenu(default=sort, type='dropdown2')
nav_menus = [
sort_menu,
NumCommentsMenu(article.num_comments, default=num_comments)
]
content = CommentListing(
content=displayPane,
num_comments=article.num_comments,
nav_menus=nav_menus,
)
# Update last viewed time, and return the previous last viewed time. Actually tracked on the article
lastViewed = None
if c.user_is_loggedin:
clicked = article._getLastClickTime(c.user)
lastViewed = clicked._date if clicked else None
article._click(c.user)
res = ShowMeetup(meetup=meetup,
content=content,
fullname=article._fullname,
lastViewed=lastViewed)
return BoringPage(pagename=meetup.title,
content=res,
body_class='meetup').render()
def __init__(self, param=None, *a, **kw):
VRequired.__init__(self, param, errors.OAUTH2_INVALID_CLIENT, *a, **kw)
class OAuth2FrontendController(RedditController):
def pre(self):
RedditController.pre(self)
require_https()
def _check_redirect_uri(self, client, redirect_uri):
if not redirect_uri or not client or redirect_uri != client.redirect_uri:
abort(403)
def _error_response(self, resp):
if (errors.OAUTH2_INVALID_CLIENT, "client_id") in c.errors:
resp["error"] = "unauthorized_client"
elif (errors.OAUTH2_ACCESS_DENIED, "authorize") in c.errors:
resp["error"] = "access_denied"
elif (errors.BAD_HASH, None) in c.errors:
resp["error"] = "access_denied"
elif (errors.INVALID_OPTION, "response_type") in c.errors:
resp["error"] = "unsupported_response_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
@validate(VUser(),
response_type=VOneOf("response_type", ("code", )),
client=VClientID(),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI),
scope=VOneOf("scope", scope_info.keys()),
state=VRequired("state", errors.NO_TEXT))
def GET_authorize(self, response_type, client, redirect_uri, scope, state):
"""
First step in [OAuth 2.0](http://oauth.net/2/) authentication.
End users will be prompted for their credentials (username/password)
and asked if they wish to authorize the application identified by
the **client_id** parameter with the permissions specified by the
**scope** parameter. They are then redirected to the endpoint on
the client application's side specified by **redirect_uri**.
If the user granted permission to the application, the response will
contain a **code** parameter with a temporary authorization code
which can be exchanged for an access token at
[/api/v1/access_token](#api_method_access_token).
**redirect_uri** must match the URI configured for the client in the
[app preferences](/prefs/apps). If **client_id** or **redirect_uri**
is not valid, or if the call does not take place over SSL, a 403
error will be returned. For all other errors, a redirect to
**redirect_uri** will be returned, with a **error** parameter
indicating why the request failed.
"""
self._check_redirect_uri(client, redirect_uri)
resp = {}
if not c.errors:
c.deny_frames = True
return OAuth2AuthorizationPage(client, redirect_uri,
scope_info[scope], state).render()
else:
self._error_response(resp)
return self.redirect(redirect_uri + "?" + urlencode(resp),
code=302)
@validate(VUser(),
VModhash(fatal=False),
client=VClientID(),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI),
scope=VOneOf("scope", scope_info.keys()),
state=VRequired("state", errors.NO_TEXT),
authorize=VRequired("authorize", errors.OAUTH2_ACCESS_DENIED))
def POST_authorize(self, authorize, client, redirect_uri, scope, state):
"""Endpoint for OAuth2 authorization."""
self._check_redirect_uri(client, redirect_uri)
resp = {}
if state:
resp["state"] = state
if not c.errors:
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id, scope)
resp["code"] = code._id
else:
self._error_response(resp)
return self.redirect(redirect_uri + "?" + urlencode(resp), code=302)
def __init__(self, param=None, *a, **kw):
VRequired.__init__(self, param, errors.OAUTH2_INVALID_CLIENT, *a, **kw)
class OAuth2AccessController(MinimalController):
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
auth_scheme, auth_token = require_split(auth, 2)
require(auth_scheme.lower() == "basic")
try:
auth_data = base64.b64decode(auth_token)
except TypeError:
raise RequirementException
client_id, client_secret = require_split(auth_data, 2, ":")
client = OAuth2Client.get_token(client_id)
require(client)
require(client.secret == client_secret)
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(grant_type=VOneOf("grant_type", ("authorization_code", )),
code=VRequired("code", errors.NO_TEXT),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI))
def POST_access_token(self, grant_type, code, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
(from [/api/v1/authorize](#api_method_authorize)) for an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If there is a problem, an **error** parameter will be returned
instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` and **redirect_uri** must exactly match the
value that was used in the call to
[/api/v1/authorize](#api_method_authorize).
"""
resp = {}
if not c.errors:
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
access_token = OAuth2AccessToken._new(auth_token.user_id,
auth_token.scope)
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = access_token._ttl
resp["scope"] = auth_token.scope
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)
class OAuth2FrontendController(RedditController):
def pre(self):
RedditController.pre(self)
require_https()
def _check_redirect_uri(self, client, redirect_uri):
if not redirect_uri or not client or redirect_uri != client.redirect_uri:
abort(403)
def _error_response(self, resp):
if (errors.OAUTH2_INVALID_CLIENT, "client_id") in c.errors:
resp["error"] = "unauthorized_client"
elif (errors.OAUTH2_ACCESS_DENIED, "authorize") in c.errors:
resp["error"] = "access_denied"
elif (errors.BAD_HASH, None) in c.errors:
resp["error"] = "access_denied"
elif (errors.INVALID_OPTION, "response_type") in c.errors:
resp["error"] = "unsupported_response_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
@validate(VUser(),
response_type=VOneOf("response_type", ("code", )),
client=VClientID(),
redirect_uri=VUrl("redirect_uri", allow_self=False,
lookup=False),
scope=VOneOf("scope", scope_info.keys()),
state=VRequired("state", errors.NO_TEXT))
def GET_authorize(self, response_type, client, redirect_uri, scope, state):
self._check_redirect_uri(client, redirect_uri)
resp = {}
if not c.errors:
c.deny_frames = True
return OAuth2AuthorizationPage(client, redirect_uri,
scope_info[scope], state).render()
else:
self._error_response(resp)
return self.redirect(redirect_uri + "?" + urlencode(resp),
code=302)
@validate(VUser(),
VModhash(fatal=False),
client=VClientID(),
redirect_uri=VUrl("redirect_uri", allow_self=False,
lookup=False),
scope=VOneOf("scope", scope_info.keys()),
state=VRequired("state", errors.NO_TEXT),
authorize=VRequired("authorize", errors.OAUTH2_ACCESS_DENIED))
def POST_authorize(self, authorize, client, redirect_uri, scope, state):
self._check_redirect_uri(client, redirect_uri)
resp = {}
if state:
resp["state"] = state
if not c.errors:
code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
c.user._id, scope)
resp["code"] = code._id
else:
self._error_response(resp)
return self.redirect(redirect_uri + "?" + urlencode(resp), code=302)
class OAuth2AccessController(MinimalController):
def pre(self):
set_extension(request.environ, "json")
MinimalController.pre(self)
require_https()
c.oauth2_client = self._get_client_auth()
def _get_client_auth(self):
auth = request.headers.get("Authorization")
try:
client_id, client_secret = parse_http_basic(auth)
client = OAuth2Client.get_token(client_id)
require(client)
require(client.secret == client_secret)
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
@validate(grant_type=VOneOf("grant_type",
("authorization_code", "refresh_token")),
code=nop("code"),
refresh_token=VOAuth2RefreshToken("refresh_token"),
redirect_uri=VRequired("redirect_uri",
errors.OAUTH2_INVALID_REDIRECT_URI))
def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
"""
Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
an access token.
On success, returns a URL-encoded dictionary containing
**access_token**, **token_type**, **expires_in**, and **scope**.
If an authorization code for a permanent grant was given, a
**refresh_token** will be included. If there is a problem, an **error**
parameter will be returned instead.
Must be called using SSL, and must contain a HTTP `Authorization:`
header which contains the application's client identifier as the
username and client secret as the password. (The client id and secret
are visible on the [app preferences page](/prefs/apps).)
Per the OAuth specification, **grant_type** must
be ``authorization_code`` for the initial access token or
``refresh_token`` for renewing the access token. In either case,
**redirect_uri** must exactly match the value that was used in the call
to [/api/v1/authorize](#api_method_authorize) that created this grant.
"""
resp = {}
if not (code or refresh_token):
c.errors.add("NO_TEXT", field=("code", "refresh_token"))
if not c.errors:
access_token = None
if grant_type == "authorization_code":
auth_token = OAuth2AuthorizationCode.use_token(
code, c.oauth2_client._id, redirect_uri)
if auth_token:
if auth_token.refreshable:
refresh_token = OAuth2RefreshToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope)
access_token = OAuth2AccessToken._new(
auth_token.client_id, auth_token.user_id,
auth_token.scope,
refresh_token._id if refresh_token else None)
elif grant_type == "refresh_token" and refresh_token:
access_token = OAuth2AccessToken._new(
refresh_token.client_id,
refresh_token.user_id,
refresh_token.scope,
refresh_token=refresh_token._id)
if access_token:
resp["access_token"] = access_token._id
resp["token_type"] = access_token.token_type
resp["expires_in"] = access_token._ttl
resp["scope"] = access_token.scope
if refresh_token:
resp["refresh_token"] = refresh_token._id
else:
resp["error"] = "invalid_grant"
else:
if (errors.INVALID_OPTION, "grant_type") in c.errors:
resp["error"] = "unsupported_grant_type"
elif (errors.INVALID_OPTION, "scope") in c.errors:
resp["error"] = "invalid_scope"
else:
resp["error"] = "invalid_request"
return self.api_wrapper(resp)