Diffstat (limited to 'python')
-rw-r--r--python/fatcat_web/routes.py33
-rw-r--r--python/fatcat_web/templates/auth_account.html15
-rw-r--r--python/fatcat_web/templates/auth_token.html30
-rw-r--r--python/tests/web_auth.py8
4 files changed, 85 insertions, 1 deletions
diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py
index b626ad1d..e741f3bf 100644
--- a/python/fatcat_web/routes.py
+++ b/python/fatcat_web/routes.py
@@ -839,6 +839,39 @@ def change_username():
flash("Username updated successfully")
return redirect('/auth/account')
+@app.route('/auth/create_token', methods=['POST'])
+@login_required
+def create_auth_token():
+ if not app.testing:
+ app.csrf.protect()
+
+ duration_seconds = request.form.get('duration_seconds', None)
+ if duration_seconds != None:
+ try:
+ duration_seconds = int(duration_seconds)
+ assert duration_seconds >= 1
+ except:
+ flash("duration_seconds must be a positive non-zero integer")
+ abort(400)
+
+ # check user's auth. api_token and editor_id are signed together in session
+ # cookie, so if api_token is valid editor_id is assumed to match. If that
+ # wasn't true, users could manipulate session cookies and create tokens for
+ # any user
+ user_api = auth_api(session['api_token'])
+ resp = user_api.auth_check()
+ assert(resp.success)
+
+ # generate token using *superuser* privs
+ editor_id = session['editor']['editor_id']
+ try:
+ resp = priv_api.create_auth_token(editor_id,
+ duration_seconds=duration_seconds)
+ except ApiException as ae:
+ app.log.info(ae)
+ abort(ae.status)
+ return render_template('auth_token.html', auth_token=resp.token)
+
@app.route('/auth/logout')
def logout():
handle_logout()
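Review bot: Both input checks in create_auth_token rely on `assert` (the `duration_seconds >= 1` bound and `assert(resp.success)` after `auth_check()`), and assertions are stripped under `python -O`, so in an optimized deployment a non-positive duration passes through and a failed auth check is ignored; the bare `except:` around the duration parsing also hides unrelated errors. The auth result should be an explicit branch, e.g. `if not resp.success: abort(401)`, and the duration parsing should raise and catch `ValueError` only, as sketched below. Minor style: `duration_seconds != None` should be `duration_seconds is not None`.
```python
    duration_seconds = request.form.get('duration_seconds', None)
    if duration_seconds is not None:
        try:
            duration_seconds = int(duration_seconds)
            if duration_seconds < 1:
                raise ValueError("duration_seconds must be >= 1")
        except ValueError:
            flash("duration_seconds must be a positive non-zero integer")
            abort(400)
    # … unchanged: auth_api / auth_check call …
    if not resp.success:
        abort(401)
    # … unchanged: priv_api.create_auth_token and render …
```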
diff --git a/python/fatcat_web/templates/auth_account.html b/python/fatcat_web/templates/auth_account.html
index 4faeb48f..4a51241a 100644
--- a/python/fatcat_web/templates/auth_account.html
+++ b/python/fatcat_web/templates/auth_account.html
@@ -26,11 +26,24 @@
</form>
</div>
+<div class="ui segment">
+<h3 class="ui header">Create API Token</h3>
+<form class="" role="change_username" action="/auth/create_token" method="post">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+ <div class="ui form">
+ <button class="ui green button" style="float: right;">Create Token</button>
+ <div class="field" style="width: 20em; clear: unset;">
+ <input type="text" name="duration_seconds" id="duration_seconds" aria-label="token valid duration (seconds)" placeholder="default 31 days">
+ <label for="duration_seconds">Token Validity Duration (seconds; optional)</label>
+ </div>
+ </div>
+</form>
+</div>
+
<br>
<p>In the future, you will be able to...
<ul>
<li>Create and manage bot accounts
- <li>Generate API tokens
</ul>
{% endblock %}
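Review bot: The new form carries `role="change_username"`, apparently copied from the form above it, which mislabels the create-token form; use a matching value such as `role="create_token"` or drop the attribute. The duration field is `type="text"`; `<input type="number" min="1" step="1" name="duration_seconds" ...>` would reject non-positive values in the browser and mirror the server-side check, which still has to remain authoritative.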
diff --git a/python/fatcat_web/templates/auth_token.html b/python/fatcat_web/templates/auth_token.html
new file mode 100644
index 00000000..5ff94277
--- /dev/null
+++ b/python/fatcat_web/templates/auth_token.html
@@ -0,0 +1,30 @@
+{% extends "base.html" %}
+{% block body %}
+<h1>Create API Token</h1>
+
+
+{% if current_user.is_authenticated %}
+
+ <p>An API auth token has been created. This token gives full access to your editor account, so you should take care to keep it private.
+
+ <p>Copy from box:
+ <div class="ui input" style="width: 100%;">
+ <input value="{{ auth_token }}" style="width: 100%;"></input>
+ </div>
+
+ <br>
+ <br>
+
+ <p>As wrapped text (beware whitespace):
+ <div class="ui segment" style="overflow-wrap: break-word;">
+ <code>{{ auth_token }}</code>
+ </div>
+
+{% else %}
+ <div class="ui negative message">
+ <div class="header">Something Went Wrong</div>
+ <p>Horribly wrong! You should log-out (if possible) and log back in.
+ </div>
+{% endif %}
+
+{% endblock %}
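Review bot: `<input value="{{ auth_token }}" style="width: 100%;"></input>` puts a closing tag on a void element and leaves the displayed token editable; write it as `<input type="text" readonly value="{{ auth_token }}" style="width: 100%;">`. Because this page renders a secret, the route that serves it could also send `Cache-Control: no-store` so the browser does not retain a copy, though that change belongs in routes.py rather than this template.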
diff --git a/python/tests/web_auth.py b/python/tests/web_auth.py
index 029803c3..2c545b6b 100644
--- a/python/tests/web_auth.py
+++ b/python/tests/web_auth.py
@@ -54,3 +54,11 @@ def test_basic_auth_views(app):
rv = app.get('/auth/logout')
assert rv.status_code == 200
+
+def test_auth_token(app_admin):
+
+ rv = app_admin.get('/auth/account', follow_redirects=False)
+ assert rv.status_code == 200
+
+ rv = app_admin.post('/auth/create_token', follow_redirects=False)
+ assert rv.status_code == 200
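Review bot: test_auth_token only posts with no form data, so the duration_seconds validation branch and its 400 response are never exercised, and the 200 response is not checked for the token page. Add `rv = app_admin.post('/auth/create_token', data={'duration_seconds': '0'}, follow_redirects=False)` followed by `assert rv.status_code == 400`, and on the success path assert the rendered body, e.g. `assert b'An API auth token has been created' in rv.data`.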