Browse Source

Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches

pull/1/head
Danielle McLean 4 years ago
parent
commit
b89405ed88
Signed by: 00dani GPG Key ID: 5A5D2D1AFF12EEC5
  1. 54
      lemonauth/tokens.py
  2. 21
      lemonauth/views/token.py
  3. 14
      micropub/views.py
  4. 9
      users/models.py

54
lemonauth/tokens.py

@ -1,7 +1,61 @@
from jose import jwt
from datetime import datetime, timedelta
from django.contrib.auth import get_user_model
from django.conf import settings
from django.http import HttpResponse
def auth(request):
if 'HTTP_AUTHORIZATION' in request.META:
auth = request.META.get('HTTP_AUTHORIZATION').split(' ')
if auth[0] != 'Bearer':
return HttpResponse(
'authorisation with {0} not supported'.format(auth[0]),
content_type='text/plain',
status=400
)
if len(auth) != 2:
return HttpResponse(
'invalid Bearer auth format, must be Bearer <token>',
content_type='text/plain',
status=400
)
token = auth[1]
elif 'access_token' in request.POST:
token = request.POST.get('access_token')
elif 'access_token' in request.GET:
token = request.GET.get('access_token')
else:
return HttpResponse(
'authorisation required',
content_type='text/plain',
status=401
)
try:
token = decode(token)
except Exception as e:
return HttpResponse(
'invalid micropub token',
content_type='text/plain',
status=403,
)
return MicropubToken(token)
class MicropubToken:
def __init__(self, tok):
self.user = get_user_model().objects.get(pk=tok['uid'])
self.client = tok['cid']
self.scope = tok['sco']
self.me = self.user.full_url
self.scopes = self.scope.split(' ')
def __contains__(self, scope):
return scope in self.scopes
def encode(payload):

21
lemonauth/views/token.py

@ -11,22 +11,13 @@ from lemoncurry import utils
@method_decorator(csrf_exempt, name='dispatch')
class TokenView(View):
def get(self, req):
token = req.META.get('HTTP_AUTHORIZATION', '').split(' ')
if not token:
return utils.bad_req('missing Authorization header')
if token[0] != 'Bearer':
return utils.bad_req('only Bearer auth is supported')
try:
token = tokens.decode(token[1])
except Exception:
return utils.forbid('invalid token')
user = get_user_model().objects.get(pk=token['uid'])
me = urljoin(utils.origin(req), user.url)
token = tokens.auth(req)
if hasattr(token, 'content'):
return token
res = {
'me': me,
'client_id': token['cid'],
'scope': token['sco'],
'me': token.me,
'client_id': token.client,
'scope': token.scope,
}
return utils.choose_type(req, res)

14
micropub/views.py

@ -1,4 +1,3 @@
from django.contrib.auth import get_user_model
from django.http import HttpResponse
from django.urls import reverse
from django.utils.decorators import method_decorator
@ -16,19 +15,14 @@ from lemonauth import tokens
@method_decorator(csrf_exempt, name='dispatch')
class MicropubView(View):
def post(self, request):
auth = request.META.get('HTTP_AUTHORIZATION', '').split(' ')
if auth[0] != 'Bearer':
return utils.bad_req('only Bearer auth supported')
try:
token = tokens.decode(auth[1])
except Exception:
return utils.forbid('invalid token')
user = get_user_model().objects.get(pk=token['uid'])
token = tokens.auth(request)
if hasattr(token, 'content'):
return token
post = request.POST
if post.get('h') != 'entry':
return utils.bad_req('only h=entry supported')
entry = Entry(author=user)
entry = Entry(author=token.user)
kind = Note
if 'name' in post:
entry.name = post['name']

9
users/models.py

@ -46,6 +46,11 @@ class User(ModelMeta, AbstractUser):
def get_absolute_url(self):
return self.url
@property
def full_url(self):
base = 'https://' + DjangoSite.objects.get_current().domain
return urljoin(base, self.url)
@property
def description(self):
return utils.to_plain(self.note)
@ -74,8 +79,8 @@ class User(ModelMeta, AbstractUser):
return {
'@context': 'http://schema.org',
'@type': 'Person',
'@id': urljoin(base, self.url),
'url': urljoin(base, self.url),
'@id': self.full_url,
'url': self.full_url,
'name': self.name,
'email': self.email,
'image': urljoin(base, self.avatar.url),

Loading…
Cancel
Save