path: root/python/fatcat_web/routes.py
Diffstat (limited to 'python/fatcat_web/routes.py')
-rw-r--r--python/fatcat_web/routes.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py
index b626ad1d..e741f3bf 100644
--- a/python/fatcat_web/routes.py
+++ b/python/fatcat_web/routes.py
@@ -839,6 +839,39 @@ def change_username():
flash("Username updated successfully")
return redirect('/auth/account')
+@app.route('/auth/create_token', methods=['POST'])
+@login_required
+def create_auth_token():
+ if not app.testing:
+ app.csrf.protect()
+
+ duration_seconds = request.form.get('duration_seconds', None)
+ if duration_seconds != None:
+ try:
+ duration_seconds = int(duration_seconds)
+ assert duration_seconds >= 1
+ except:
+ flash("duration_seconds must be a positive non-zero integer")
+ abort(400)
+
+ # check user's auth. api_token and editor_id are signed together in session
+ # cookie, so if api_token is valid editor_id is assumed to match. If that
+ # wasn't true, users could manipulate session cookies and create tokens for
+ # any user
+ user_api = auth_api(session['api_token'])
+ resp = user_api.auth_check()
+ assert(resp.success)
+
+ # generate token using *superuser* privs
+ editor_id = session['editor']['editor_id']
+ try:
+ resp = priv_api.create_auth_token(editor_id,
+ duration_seconds=duration_seconds)
+ except ApiException as ae:
+ app.log.info(ae)
+ abort(ae.status)
+ return render_template('auth_token.html', auth_token=resp.token)
+
@app.route('/auth/logout')
def logout():
handle_logout()
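Review bot: The authorization gate `assert(resp.success)` that stands between the caller and the superuser-privileged `priv_api.create_auth_token` call is a bare `assert`, which is stripped entirely when the app runs under `python -O`, and even when active it turns a failed auth check into an unhandled AssertionError (a 500) rather than a refusal; replace it with `if not resp.success: abort(403)`. The same weakness applies to `assert duration_seconds >= 1` inside the try block, where under `-O` a zero or negative duration passes validation, so use `if duration_seconds < 1: raise ValueError("duration_seconds must be >= 1")` and narrow the bare `except:` to `except (ValueError, TypeError):` so unrelated errors are not swallowed into the 400. Note also that `user_api.auth_check()` sits outside the later `except ApiException` handler, so if the session's api_token has expired and the client raises, the request presumably ends in a 500 instead of a clean 401 — consider moving that call into the same try. The whole of create_auth_token is visible in this hunk.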