Changeset 85bb0a78 in trunk


Timestamp:
2020-10-16T18:14:15Z (5 years ago)
Author:
Jean-Paul Calderone <exarkun@…>
Branches:
master
Children:
540004f
Parents:
c2fe5a6
Message:

Get rid of the original token-based authorization helper

It was only used by magic-folder and that's gone now. We have a different
authorization helper for other things now, allmydata.web.private.

Location:
src/allmydata
Files:
1 deleted
1 edited

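--- a/src/allmydata/web/common.py
+++ b/src/allmydata/web/common.py
@@ -38,5 +38,4 @@
 )
 from allmydata.mutable.common import UnrecoverableFileError
-from allmydata.util.hashutil import timing_safe_compare
 from allmydata.util.time_format import (
     format_delta,
@@ -427,57 +426,4 @@
 
 
-class TokenOnlyWebApi(resource.Resource, object):
-    """
-    I provide a rend.Page implementation that only accepts POST calls,
-    and only if they have a 'token=' arg with the correct
-    authentication token (see
-    :meth:`allmydata.client.Client.get_auth_token`). Callers must also
-    provide the "t=" argument to indicate the return-value (the only
-    valid value for this is "json")
-
-    Subclasses should override 'post_json' which should process the
-    API call and return a string which encodes a valid JSON
-    object. This will only be called if the correct token is present
-    and valid (during renderHTTP processing).
-    """
-
-    def __init__(self, client):
-        self.client = client
-
-    def post_json(self, req):
-        return NotImplemented
-
-    def render(self, req):
-        if req.method != 'POST':
-            raise server.UnsupportedMethod(('POST',))
-        if req.args.get('token', False):
-            raise WebError("Do not pass 'token' as URL argument", http.BAD_REQUEST)
-        # not using get_arg() here because we *don't* want the token
-        # argument to work if you passed it as a GET-style argument
-        token = None
-        if req.fields and 'token' in req.fields:
-            token = req.fields['token'].value.strip()
-        if not token:
-            raise WebError("Missing token", http.UNAUTHORIZED)
-        if not timing_safe_compare(token, self.client.get_auth_token()):
-            raise WebError("Invalid token", http.UNAUTHORIZED)
-
-        t = get_arg(req, "t", "").strip()
-        if not t:
-            raise WebError("Must provide 't=' argument")
-        if t == u'json':
-            try:
-                return self.post_json(req)
-            except WebError as e:
-                req.setResponseCode(e.code)
-                return json.dumps({"error": e.text})
-            except Exception as e:
-                message, code = humanize_exception(e)
-                req.setResponseCode(500 if code is None else code)
-                return json.dumps({"error": message})
-        else:
-            raise WebError("'%s' invalid type for 't' arg" % (t,), http.BAD_REQUEST)
-
-
 def exception_to_child(f):
     """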