author | Bryan Newbold <bnewbold@robocracy.org> | 2019-09-18 17:52:10 -0700 |
committer | Bryan Newbold <bnewbold@robocracy.org> | 2019-09-18 18:42:26 -0700 |
commit | a4ea1a0e13b1b8016bbfaa0f0fbf983f0abdd5a5 (patch) | |
tree | 6bec961533bb2d1c09dfb203413b2d75d01875ce /python/fatcat_web/routes.py | |
parent | 9d1e2ef1c1682f49ce666a012fad70d50cb4f376 (diff) | |
python webface impl token generation
Diffstat (limited to 'python/fatcat_web/routes.py')
-rw-r--r-- | python/fatcat_web/routes.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py
index b626ad1d..e741f3bf 100644
--- a/python/fatcat_web/routes.py
+++ b/python/fatcat_web/routes.py
@@ -839,6 +839,39 @@ def change_username():
     flash("Username updated successfully")
     return redirect('/auth/account')
 
+@app.route('/auth/create_token', methods=['POST'])
+@login_required
+def create_auth_token():
+    if not app.testing:
+        app.csrf.protect()
+
+    duration_seconds = request.form.get('duration_seconds', None)
+    if duration_seconds != None:
+        try:
+            duration_seconds = int(duration_seconds)
+            assert duration_seconds >= 1
+        except:
+            flash("duration_seconds must be a positive non-zero integer")
+            abort(400)
+
+    # check user's auth. api_token and editor_id are signed together in session
+    # cookie, so if api_token is valid editor_id is assumed to match. If that
+    # wasn't true, users could manipulate session cookies and create tokens for
+    # any user
+    user_api = auth_api(session['api_token'])
+    resp = user_api.auth_check()
+    assert(resp.success)
+
+    # generate token using *superuser* privs
+    editor_id = session['editor']['editor_id']
+    try:
+        resp = priv_api.create_auth_token(editor_id,
+            duration_seconds=duration_seconds)
+    except ApiException as ae:
+        app.log.info(ae)
+        abort(ae.status)
+    return render_template('auth_token.html', auth_token=resp.token)
+
 @app.route('/auth/logout')
 def logout():
     handle_logout()
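Review bot: The `assert(resp.success)` that gates the privileged `priv_api.create_auth_token` call in `create_auth_token` is a security check expressed as an `assert`, and `assert` statements are stripped when the interpreter runs with `-O`, so under that mode a failed `auth_check()` would fall through to minting a token with superuser privileges for whatever `editor_id` the session holds; the same applies to the `assert duration_seconds >= 1` bound, which would then be silently skipped. Replace the auth gate with an explicit branch, `if not resp.success:` followed by `abort(401)`, and move the lower-bound test out of the `try` into a plain `if duration_seconds < 1:` that flashes and aborts, so the bare `except:` can narrow to `except ValueError:` and stop swallowing unrelated exceptions. If `auth_check()` signals a bad token by raising `ApiException` rather than returning `success=False` (not visible here), that case is currently unhandled and would surface as a 500 instead of a 401, so it may deserve the same `except ApiException` treatment the token-creation call already has. Minor: `duration_seconds != None` should be `duration_seconds is not None`.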