From a4ea1a0e13b1b8016bbfaa0f0fbf983f0abdd5a5 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 18 Sep 2019 17:52:10 -0700 Subject: python webface impl token generation --- python/fatcat_web/routes.py | 33 +++++++++++++++++++++++++++ python/fatcat_web/templates/auth_account.html | 15 +++++++++++- python/fatcat_web/templates/auth_token.html | 30 ++++++++++++++++++++++++ python/tests/web_auth.py | 8 +++++++ 4 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 python/fatcat_web/templates/auth_token.html diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index b626ad1d..e741f3bf 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -839,6 +839,39 @@ def change_username(): flash("Username updated successfully") return redirect('/auth/account') +@app.route('/auth/create_token', methods=['POST']) +@login_required +def create_auth_token(): + if not app.testing: + app.csrf.protect() + + duration_seconds = request.form.get('duration_seconds', None) + if duration_seconds != None: + try: + duration_seconds = int(duration_seconds) + assert duration_seconds >= 1 + except: + flash("duration_seconds must be a positive non-zero integer") + abort(400) + + # check user's auth. api_token and editor_id are signed together in session + # cookie, so if api_token is valid editor_id is assumed to match. If that + # wasn't true, users could manipulate session cookies and create tokens for + # any user + user_api = auth_api(session['api_token']) + resp = user_api.auth_check() + assert(resp.success) + + # generate token using *superuser* privs + editor_id = session['editor']['editor_id'] + try: + resp = priv_api.create_auth_token(editor_id, + duration_seconds=duration_seconds) + except ApiException as ae: + app.log.info(ae) + abort(ae.status) + return render_template('auth_token.html', auth_token=resp.token) + @app.route('/auth/logout') def logout(): handle_logout() 
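Review bot: The authorization gate `assert(resp.success)` in front of the superuser `priv_api.create_auth_token` call is an assert, so under `python -O` a failed `auth_check()` falls straight through to minting a token, and an `ApiException` raised by `auth_check()` itself (an expired or revoked session token) is not caught at all and surfaces as a 500 rather than a 401. The same applies to `assert duration_seconds >= 1` inside the bare `except:` above it: with asserts stripped, zero or negative values reach the API, and there is no upper bound anywhere in the hunk, so a user can request an arbitrarily long-lived full-access token unless the API clamps this server-side (not visible here). The rewrite below replaces both asserts with explicit checks, reuses the `except ApiException` handling the hunk already has for the priv_api call, and caps the lifetime with a new module-level constant whose value is a policy decision. Because the rendered page contains the token, the response should also carry `Cache-Control: no-store` so it is never written to a browser or proxy cache.
```python
@app.route('/auth/create_token', methods=['POST'])
@login_required
def create_auth_token():
    # … unchanged: CSRF protect when not app.testing …

    duration_seconds = request.form.get('duration_seconds', None)
    if duration_seconds is not None:
        try:
            duration_seconds = int(duration_seconds)
        except ValueError:
            duration_seconds = 0
        # explicit range check instead of assert, so it survives -O;
        # MAX_TOKEN_DURATION_SECONDS is a new module-level constant (value is policy)
        if not 1 <= duration_seconds <= MAX_TOKEN_DURATION_SECONDS:
            flash("duration_seconds must be a positive non-zero integer")
            abort(400)

    # … unchanged: comment on api_token/editor_id being signed together …
    try:
        resp = auth_api(session['api_token']).auth_check()
    except ApiException as ae:
        app.log.info(ae)
        abort(401)
    if not resp.success:
        abort(401)

    # … unchanged: editor_id lookup and priv_api.create_auth_token call …
```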
diff --git a/python/fatcat_web/templates/auth_account.html b/python/fatcat_web/templates/auth_account.html index 4faeb48f..4a51241a 100644 --- a/python/fatcat_web/templates/auth_account.html +++ b/python/fatcat_web/templates/auth_account.html @@ -26,11 +26,24 @@ +
+

Create API Token

+
+ +
+ +
+ + +
+
+
+
+

In the future, you will be able to...

{% endblock %} diff --git a/python/fatcat_web/templates/auth_token.html b/python/fatcat_web/templates/auth_token.html new file mode 100644 index 00000000..5ff94277 --- /dev/null +++ b/python/fatcat_web/templates/auth_token.html @@ -0,0 +1,30 @@ +{% extends "base.html" %} +{% block body %} +

Create API Token

+ + +{% if current_user.is_authenticated %} + +

An API auth token has been created. This token gives full access to your editor account, so you should take care to keep it private. + +

Copy from box: +

+ +
+ +
+
+ +

As wrapped text (beware whitespace): +

+ {{ auth_token }} +
+ +{% else %} +
+
Something Went Wrong
+

Horribly wrong! You should log-out (if possible) and log back in. +

+{% endif %} + +{% endblock %} diff --git a/python/tests/web_auth.py b/python/tests/web_auth.py index 029803c3..2c545b6b 100644 --- a/python/tests/web_auth.py +++ b/python/tests/web_auth.py @@ -54,3 +54,11 @@ def test_basic_auth_views(app): rv = app.get('/auth/logout') assert rv.status_code == 200 + +def test_auth_token(app_admin): + + rv = app_admin.get('/auth/account', follow_redirects=False) + assert rv.status_code == 200 + + rv = app_admin.post('/auth/create_token', follow_redirects=False) + assert rv.status_code == 200 -- cgit v1.2.3
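Review bot: This new template prints a full-access token both in an input box and as inline wrapped text, but nothing in the hunk marks the response as uncacheable, and since the tags are not visible here it is unclear whether the input is `readonly` with `autocomplete="off"`; the route that renders it (in routes.py, outside this hunk) is the natural place to set `Cache-Control: no-store`, and the input should carry `readonly autocomplete="off"` so the token is not offered for form autofill. The `{% else %}` "Something Went Wrong" branch appears unreachable, because the only route rendering this template in the commit is `@login_required`; if it is kept as a defensive fallback, say so with `{# unreachable via /auth/create_token (login_required); kept as a fallback #}` so the next maintainer does not look for a code path that triggers it.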
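Review bot: `test_auth_token` only asserts that the POST returns 200; it neither checks that a token is actually rendered nor exercises the validation path, so a regression that renders the page without a token or accepts a negative `duration_seconds` would still pass. Add `assert b'API auth token has been created' in rv.data` after the successful POST, and a second request `rv = app_admin.post('/auth/create_token', data={'duration_seconds': '-1'})` followed by `assert rv.status_code == 400`. Note also that the handler skips `app.csrf.protect()` when `app.testing` is set, so this test cannot detect the CSRF check being dropped; that is acceptable for a unit test but deserves a one-line comment on the test saying CSRF is not covered here.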