moves on api
[wolnelektury.git] / src / api / views.py
1 # This file is part of Wolne Lektury, licensed under GNU Affero GPLv3 or later.
2 # Copyright © Fundacja Wolne Lektury. See NOTICE for more information.
3 #
4 from time import time
5 from django.contrib.auth import authenticate
6 from django.contrib.auth.decorators import login_required
7 from django import forms
8 from django.http import HttpResponse
9 from django.http import Http404
10 from django.shortcuts import render
11 from django.views.generic.base import View
12 from oauthlib.common import urlencode, generate_token
13 from oauthlib.oauth1 import RequestTokenEndpoint, AccessTokenEndpoint
14 from oauthlib.oauth1 import AuthorizationEndpoint, OAuth1Error
15 from rest_framework.permissions import IsAuthenticated
16 from rest_framework.response import Response
17 from rest_framework.views import APIView
18 from rest_framework.generics import GenericAPIView, RetrieveAPIView, get_object_or_404
19 from catalogue.models import Book
20 from .models import BookUserData, KEY_SIZE, SECRET_SIZE, Token
21 from . import serializers
22 from .request_validator import PistonRequestValidator
23 from .utils import oauthlib_request, oauthlib_response, vary_on_auth
24
25
26 class OAuth1RequestTokenEndpoint(RequestTokenEndpoint):
27     def _create_request(self, *args, **kwargs):
28         r = super(OAuth1RequestTokenEndpoint, self)._create_request(*args, **kwargs)
29         r.redirect_uri = 'oob'
30         return r
31
32     def create_request_token(self, request, credentials):
33         token = {
34             'oauth_token': self.token_generator()[:KEY_SIZE],
35             'oauth_token_secret': self.token_generator()[:SECRET_SIZE],
36         }
37         token.update(credentials)
38         self.request_validator.save_request_token(token, request)
39         return urlencode(token.items())
40
41
42 # Never Cache
43 class OAuth1RequestTokenView(View):
44     def __init__(self):
45         self.endpoint = OAuth1RequestTokenEndpoint(PistonRequestValidator())
46
47     def dispatch(self, request):
48         return oauthlib_response(
49             self.endpoint.create_request_token_response(
50                 **oauthlib_request(request)
51             )
52         )
53
54
55 class OAuthAuthenticationForm(forms.Form):
56     oauth_token = forms.CharField(widget=forms.HiddenInput)
57     oauth_callback = forms.CharField(widget=forms.HiddenInput)  # changed from URLField - too strict
58     # removed authorize_access - redundant
59
60
61 class OAuth1AuthorizationEndpoint(AuthorizationEndpoint):
62     def create_verifier(self, request, credentials):
63         verifier = super(OAuth1AuthorizationEndpoint, self).create_verifier(request, credentials)
64         return {
65             'oauth_token': verifier['oauth_token'],
66         }
67
68
69 @login_required
70 def oauth_user_auth(request):
71     endpoint = OAuth1AuthorizationEndpoint(PistonRequestValidator())
72
73     if request.method == "GET":
74         # Why not just get oauth_token here?
75         # This is fairly straightforward, in't?
76         try:
77             realms, credentials = endpoint.get_realms_and_credentials(
78                 **oauthlib_request(request))
79         except OAuth1Error as e:
80             return HttpResponse(str(e), status=400)
81         callback = request.GET.get('oauth_callback')
82
83         form = OAuthAuthenticationForm(initial={
84             'oauth_token': credentials['resource_owner_key'],
85             'oauth_callback': callback,
86         })
87
88         return render(request, 'oauth/authorize_token.html', {'form': form})
89
90     if request.method == "POST":
91         try:
92             response = oauthlib_response(
93                 endpoint.create_authorization_response(
94                     credentials={"user": request.user},
95                     **oauthlib_request(request)
96                 )
97             )
98         except OAuth1Error as e:
99             return HttpResponse(e.message, status=400)
100         else:
101             return response
102
103
104 class OAuth1AccessTokenEndpoint(AccessTokenEndpoint):
105     def _create_request(self, *args, **kwargs):
106         r = super(OAuth1AccessTokenEndpoint, self)._create_request(*args, **kwargs)
107         r.verifier = 'x' * 20
108         return r
109
110     def create_access_token(self, request, credentials):
111         request.realms = self.request_validator.get_realms(
112             request.resource_owner_key, request)
113         token = {
114             'oauth_token': self.token_generator()[:KEY_SIZE],
115             'oauth_token_secret': self.token_generator()[:SECRET_SIZE],
116             'oauth_authorized_realms': ' '.join(request.realms)
117         }
118         token.update(credentials)
119         self.request_validator.save_access_token(token, request)
120         return urlencode(token.items())
121
122
123 # Never cache
124 class OAuth1AccessTokenView(View):
125     def __init__(self):
126         self.endpoint = OAuth1AccessTokenEndpoint(PistonRequestValidator())
127
128     def dispatch(self, request):
129         return oauthlib_response(
130             self.endpoint.create_access_token_response(
131                 **oauthlib_request(request)
132             )
133         )
134
135
136 class LoginView(GenericAPIView):
137     serializer_class = serializers.LoginSerializer
138
139     def post(self, request):
140         serializer = self.get_serializer(data=request.data)
141         serializer.is_valid(raise_exception=True)
142         d = serializer.validated_data
143         user = authenticate(username=d['username'], password=d['password'])
144         if user is None:
145             return Response({"detail": "Invalid credentials."})
146
147         key = generate_token()[:KEY_SIZE]
148         Token.objects.create(
149             key=key,
150             token_type=Token.ACCESS,
151             timestamp=time(),
152             user=user,
153         )
154         return Response({"access_token": key})
155
156
157 @vary_on_auth
158 class UserView(RetrieveAPIView):
159     permission_classes = [IsAuthenticated]
160     serializer_class = serializers.UserSerializer
161
162     def get_object(self):
163         return self.request.user
164
165
166 @vary_on_auth
167 class BookUserDataView(RetrieveAPIView):
168     permission_classes = [IsAuthenticated]
169     serializer_class = serializers.BookUserDataSerializer
170     lookup_field = 'book__slug'
171     lookup_url_kwarg = 'slug'
172
173     def get_queryset(self):
174         return BookUserData.objects.filter(user=self.request.user)
175
176     def get(self, *args, **kwargs):
177         try:
178             return super(BookUserDataView, self).get(*args, **kwargs)
179         except Http404:
180             return Response({"state": "not_started"})
181
182     def post(self, request, slug, state):
183         if state not in ('reading', 'complete'):
184             raise Http404
185
186         book = get_object_or_404(Book, slug=slug)
187         instance = BookUserData.update(book, request.user, state)
188         serializer = self.get_serializer(instance)
189         return Response(serializer.data)
190
191
192 class BlogView(APIView):
193     def get(self, request):
194         return Response([])