Diffstat (limited to 'python')
-rw-r--r-- | python/fatcat_web/routes.py | 33 | ||||
-rw-r--r-- | python/fatcat_web/templates/auth_account.html | 15 | ||||
-rw-r--r-- | python/fatcat_web/templates/auth_token.html | 30 | ||||
-rw-r--r-- | python/tests/web_auth.py | 8 |
4 files changed, 85 insertions, 1 deletions
diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py
index b626ad1d..e741f3bf 100644
--- a/python/fatcat_web/routes.py
+++ b/python/fatcat_web/routes.py
@@ -839,6 +839,39 @@ def change_username():
 flash("Username updated successfully")
 return redirect('/auth/account')
+@app.route('/auth/create_token', methods=['POST'])
+@login_required
+def create_auth_token():
+ if not app.testing:
+ app.csrf.protect()
+
+ duration_seconds = request.form.get('duration_seconds', None)
+ if duration_seconds != None:
+ try:
+ duration_seconds = int(duration_seconds)
+ assert duration_seconds >= 1
+ except:
+ flash("duration_seconds must be a positive non-zero integer")
+ abort(400)
+
+ # check user's auth. api_token and editor_id are signed together in session
+ # cookie, so if api_token is valid editor_id is assumed to match. If that
+ # wasn't true, users could manipulate session cookies and create tokens for
+ # any user
+ user_api = auth_api(session['api_token'])
+ resp = user_api.auth_check()
+ assert(resp.success)
+
+ # generate token using *superuser* privs
+ editor_id = session['editor']['editor_id']
+ try:
+ resp = priv_api.create_auth_token(editor_id,
+ duration_seconds=duration_seconds)
+ except ApiException as ae:
+ app.log.info(ae)
+ abort(ae.status)
+ return render_template('auth_token.html', auth_token=resp.token)
+
 @app.route('/auth/logout')
 def logout():
 handle_logout()
diff --git a/python/fatcat_web/templates/auth_account.html b/python/fatcat_web/templates/auth_account.html
index 4faeb48f..4a51241a 100644
--- a/python/fatcat_web/templates/auth_account.html
+++ b/python/fatcat_web/templates/auth_account.html
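Review bot: Leaving the optional duration field blank in the account form submits `duration_seconds=""`, which is not `None`, so `int("")` raises and the request is rejected with 400 instead of falling back to the server default; the same block relies on `assert` for the lower bound, which is stripped under `python -O` and then lets a zero or negative value reach `priv_api.create_auth_token`. Replacing the `!= None` / bare `except` / `assert` combination with explicit checks fixes both, as below. The `assert(resp.success)` gate after `auth_check()` has the same `-O` problem and, being the check the comment above it describes as the defence against session tampering, should be an explicit `if not resp.success: abort(401)`. Because the rendered page carries the new token, consider returning it via `make_response(render_template(...))` with a `Cache-Control: no-store` header so the secret is not retained by browser or intermediary caches.
```python
    duration_seconds = request.form.get('duration_seconds') or None
    if duration_seconds is not None:
        try:
            duration_seconds = int(duration_seconds)
        except ValueError:
            duration_seconds = 0
        if duration_seconds < 1:
            flash("duration_seconds must be a positive non-zero integer")
            abort(400)
    # … unchanged: auth_check, superuser token creation, render …
```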
@@ -26,11 +26,24 @@
 </form>
 </div>
+<div class="ui segment">
+<h3 class="ui header">Create API Token</h3>
+<form class="" role="change_username" action="/auth/create_token" method="post">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+ <div class="ui form">
+ <button class="ui green button" style="float: right;">Create Token</button>
+ <div class="field" style="width: 20em; clear: unset;">
+ <input type="text" name="duration_seconds" id="duration_seconds" aria-label="token valid duration (seconds)" placeholder="default 31 days">
+ <label for="duration_seconds">Token Validity Duration (seconds; optional)</label>
+ </div>
+ </div>
+</form>
+</div>
+
 <br>
 <p>In the future, you will be able to...
 <ul>
 <li>Create and manage bot accounts
- <li>Generate API tokens
 </ul>
 {% endblock %}
diff --git a/python/fatcat_web/templates/auth_token.html b/python/fatcat_web/templates/auth_token.html
new file mode 100644
index 00000000..5ff94277
--- /dev/null
+++ b/python/fatcat_web/templates/auth_token.html
@@ -0,0 +1,30 @@
+{% extends "base.html" %}
+{% block body %}
+<h1>Create API Token</h1>
+
+
+{% if current_user.is_authenticated %}
+
+ <p>An API auth token has been created. This token gives full access to your editor account, so you should take care to keep it private.
+
+ <p>Copy from box:
+ <div class="ui input" style="width: 100%;">
+ <input value="{{ auth_token }}" style="width: 100%;"></input>
+ </div>
+
+ <br>
+ <br>
+
+ <p>As wrapped text (beware whitespace):
+ <div class="ui segment" style="overflow-wrap: break-word;">
+ <code>{{ auth_token }}</code>
+ </div>
+
+{% else %}
+ <div class="ui negative message">
+ <div class="header">Something Went Wrong</div>
+ <p>Horribly wrong! You should log-out (if possible) and log back in.
+ </div>
+{% endif %}
+
+{% endblock %}
diff --git a/python/tests/web_auth.py b/python/tests/web_auth.py
index 029803c3..2c545b6b 100644
--- a/python/tests/web_auth.py
+++ b/python/tests/web_auth.py
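Review bot: The new token form carries `role="change_username"`, evidently copied from the form above it; on a token-creation form the value is misleading and should be dropped or renamed, e.g. `role="create_token"`. The duration input is `type="text"`, so blank or non-numeric input is only caught server-side with a 400; `<input type="number" min="1" step="1" name="duration_seconds" id="duration_seconds" ...>` lets the browser reject those before submission while still leaving the field optional. The placeholder promises a 31-day default that is not visible in this diff, so a template comment noting where that default actually lives would help keep the two in sync.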
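Review bot: The copy box in auth_token.html writes `<input ...></input>`, a closing tag on a void element, which is invalid HTML, and the field is editable, so a stray keystroke alters the token before it is copied. `<input value="{{ auth_token }}" readonly autocomplete="off" style="width: 100%;">` fixes both and also stops browsers offering to save the value as a form entry. The `{% else %}` branch can only be reached if the route's `@login_required` guard is bypassed, so a one-line Jinja comment marking it as a defensive fallback would save the next reader from looking for the path that triggers it.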
@@ -54,3 +54,11 @@ def test_basic_auth_views(app):
 rv = app.get('/auth/logout')
 assert rv.status_code == 200
+
+def test_auth_token(app_admin):
+
+ rv = app_admin.get('/auth/account', follow_redirects=False)
+ assert rv.status_code == 200
+
+ rv = app_admin.post('/auth/create_token', follow_redirects=False)
+ assert rv.status_code == 200 |
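Review bot: `test_auth_token` only asserts a 200 from a bare POST, so it still passes if the response carries no token or if the duration validation is broken. Two additions cover both paths: `assert b'API auth token has been created' in rv.data` after the existing POST, and `rv = app_admin.post('/auth/create_token', data={'duration_seconds': 'abc'}, follow_redirects=False)` followed by `assert rv.status_code == 400`. A case posting `data={'duration_seconds': ''}`, which is what the account form sends when the field is left blank, is also worth pinning once the intended behaviour for that input is settled.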