From 67552e19bc548b78c18967e97f0c0328074a3576 Mon Sep 17 00:00:00 2001 From: Jan Szejko Date: Fri, 20 Apr 2018 15:03:58 +0200 Subject: [PATCH 1/1] simplify piston authorize form --- src/api/piston_patch.py | 112 ++++++++++++++++++ src/api/urls.py | 21 ++-- .../templates/piston/authorize_token.html | 2 +- 3 files changed, 123 insertions(+), 12 deletions(-) create mode 100644 src/api/piston_patch.py diff --git a/src/api/piston_patch.py b/src/api/piston_patch.py new file mode 100644 index 000000000..4bf9b615d --- /dev/null +++ b/src/api/piston_patch.py @@ -0,0 +1,112 @@ +# -*- coding: utf-8 -*- + +# modified from django-piston +import base64 +import hmac + +from django import forms +from django.conf import settings +from django.contrib.auth.decorators import login_required +from django.core.urlresolvers import get_callable +from django.http import HttpResponseRedirect, HttpResponse +from django.shortcuts import render_to_response +from django.template.context import RequestContext +from piston import oauth +from piston.authentication import initialize_server_request, INVALID_PARAMS_RESPONSE, send_oauth_error + + +class OAuthAuthenticationForm(forms.Form): + oauth_token = forms.CharField(widget=forms.HiddenInput) + oauth_callback = forms.CharField(widget=forms.HiddenInput) # changed from URLField - too strict + # removed authorize_access - redundant + csrf_signature = forms.CharField(widget=forms.HiddenInput) + + def __init__(self, *args, **kwargs): + forms.Form.__init__(self, *args, **kwargs) + + self.fields['csrf_signature'].initial = self.initial_csrf_signature + + def clean_csrf_signature(self): + sig = self.cleaned_data['csrf_signature'] + token = self.cleaned_data['oauth_token'] + + sig1 = OAuthAuthenticationForm.get_csrf_signature(settings.SECRET_KEY, token) + + if sig != sig1: + raise forms.ValidationError("CSRF signature is not valid") + + return sig + + def initial_csrf_signature(self): + token = self.initial['oauth_token'] + return OAuthAuthenticationForm.get_csrf_signature(settings.SECRET_KEY, token) + + @staticmethod + def get_csrf_signature(key, token): + # Check signature... + import hashlib # 2.5 + hashed = hmac.new(key, token, hashlib.sha1) + + # calculate the digest base 64 + return base64.b64encode(hashed.digest()) + + +# The only thing changed in the views below is the form used + + +def oauth_auth_view(request, token, callback, params): + form = OAuthAuthenticationForm(initial={ + 'oauth_token': token.key, + 'oauth_callback': callback, + }) + + return render_to_response('piston/authorize_token.html', + {'form': form}, RequestContext(request)) + + +@login_required +def oauth_user_auth(request): + oauth_server, oauth_request = initialize_server_request(request) + + if oauth_request is None: + return INVALID_PARAMS_RESPONSE + + try: + token = oauth_server.fetch_request_token(oauth_request) + except oauth.OAuthError, err: + return send_oauth_error(err) + + try: + callback = oauth_server.get_callback(oauth_request) + except: + callback = None + + if request.method == "GET": + params = oauth_request.get_normalized_parameters() + + oauth_view = getattr(settings, 'OAUTH_AUTH_VIEW', None) + if oauth_view is None: + return oauth_auth_view(request, token, callback, params) + else: + return get_callable(oauth_view)(request, token, callback, params) + elif request.method == "POST": + try: + form = OAuthAuthenticationForm(request.POST) + if form.is_valid(): + token = oauth_server.authorize_token(token, request.user) + args = '?' + token.to_string(only_key=True) + else: + args = '?error=%s' % 'Access not granted by user.' + + if not callback: + callback = getattr(settings, 'OAUTH_CALLBACK_VIEW') + return get_callable(callback)(request, token) + + response = HttpResponseRedirect(callback + args) + + except oauth.OAuthError, err: + response = send_oauth_error(err) + else: + response = HttpResponse('Action not allowed.') + + return response diff --git a/src/api/urls.py b/src/api/urls.py index 22c8249e3..29e7a752f 100644 --- a/src/api/urls.py +++ b/src/api/urls.py @@ -2,14 +2,16 @@ # This file is part of Wolnelektury, licensed under GNU Affero GPLv3 or later. # Copyright © Fundacja Nowoczesna Polska. See NOTICE for more information. # -from django.conf.urls import patterns, url +from django.conf.urls import url from django.views.decorators.csrf import csrf_exempt from django.views.generic import TemplateView -from piston.authentication import OAuthAuthentication, oauth_access_token +from piston.authentication import OAuthAuthentication, oauth_access_token, oauth_request_token from piston.resource import Resource from ssify import ssi_included +import catalogue.views from api import handlers from api.helpers import CsrfExemptResource +from api.piston_patch import oauth_user_auth auth = OAuthAuthentication(realm="Wolne Lektury") @@ -50,21 +52,18 @@ def incl(request, model, pk, emitter_format): return resp -urlpatterns = patterns( - 'piston.authentication', - url(r'^oauth/request_token/$', 'oauth_request_token'), - url(r'^oauth/authorize/$', 'oauth_user_auth'), +urlpatterns = [ + url(r'^oauth/request_token/$', oauth_request_token), + url(r'^oauth/authorize/$', oauth_user_auth, name='oauth_user_auth'), url(r'^oauth/access_token/$', csrf_exempt(oauth_access_token)), -) + patterns( - '', url(r'^$', TemplateView.as_view(template_name='api/main.html'), name='api'), url(r'^include/(?Pbook|fragment|tag)/(?P\d+)\.(?P.+)\.(?Pxml|json)$', incl, name='api_include'), # info boxes (used by mobile app) - url(r'book/(?P\d*?)/info\.html$', 'catalogue.views.book_info'), - url(r'tag/(?P\d*?)/info\.html$', 'catalogue.views.tag_info'), + url(r'book/(?P\d*?)/info\.html$', catalogue.views.book_info), + url(r'tag/(?P\d*?)/info\.html$', catalogue.views.tag_info), # books by collections url(r'^collections/$', collection_list_resource, name="api_collections"), @@ -103,4 +102,4 @@ urlpatterns = patterns( # tags by category url(r'^(?P[a-z0-9-]+)/$', tag_list_resource, name='api_tag_list'), -) +] diff --git a/src/wolnelektury/templates/piston/authorize_token.html b/src/wolnelektury/templates/piston/authorize_token.html index 03131c713..e54f70136 100755 --- a/src/wolnelektury/templates/piston/authorize_token.html +++ b/src/wolnelektury/templates/piston/authorize_token.html @@ -11,7 +11,7 @@ {% blocktrans %}Confirm to authorize access to Wolne Lektury as user {{ user}}.{% endblocktrans %}

-
+ {% csrf_token %} {{ form.as_p }} -- 2.20.1