Posted to commits@allura.apache.org by je...@apache.org on 2015/02/25 16:33:24 UTC
[25/28] allura git commit: [#7832] ticket:731 Support oauth via
headers
[#7832] ticket:731 Support oauth via headers
Currently, we check only the body of the request to determine if oauth tokens are
provided. We need to be able to authenticate via headers also. This is useful
for some HTTP methods, which don't expect parameters in the request body (e.g.
DELETE).
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/c8e19d17
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/c8e19d17
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/c8e19d17
Branch: refs/heads/ib/7832
Commit: c8e19d17b58e068f6fa8de1aae68bd475ad6ce07
Parents: ae70303
Author: Igor Bondarenko <je...@gmail.com>
Authored: Mon Feb 23 12:00:09 2015 +0000
Committer: Igor Bondarenko <je...@gmail.com>
Committed: Wed Feb 25 13:51:07 2015 +0000
----------------------------------------------------------------------
Allura/allura/controllers/rest.py | 19 +++++++++++++++----
AlluraTest/alluratest/controller.py | 6 +++++-
2 files changed, 20 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/c8e19d17/Allura/allura/controllers/rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/rest.py b/Allura/allura/controllers/rest.py
index 1001343..2c1a042 100644
--- a/Allura/allura/controllers/rest.py
+++ b/Allura/allura/controllers/rest.py
@@ -47,7 +47,12 @@ class RestController(object):
def _authenticate_request(self):
'Based on request.params or oauth, authenticate the request'
- if 'oauth_token' in request.params or 'access_token' in request.params:
+ headers_auth = 'Authorization' in request.headers
+ params_auth = 'oauth_token' in request.params
+ params_auth = params_auth or 'access_token' in request.params
+ log.error(headers_auth)
+ log.error(request.headers)
+ if headers_auth or params_auth:
return self.oauth._authenticate()
else:
return None
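Review bot: The two `log.error(...)` calls added before the `if` write every request header, including the `Authorization` header that now carries the bearer access token, to the log at ERROR level on each authenticated request; the same applies to `log.error(auth)` in the `OAuthNegotiator._authenticate` hunk below. Tokens written to log files outlive the request and are usually readable by far more people and systems than the token store, so these lines should be dropped before merge, or at most reduced to `log.debug('auth via headers=%s params=%s', headers_auth, params_auth)` with no raw header values. The docstring could also be updated to `'Based on request.params, the Authorization header, or oauth, authenticate the request'` since it no longer describes the header path.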
@@ -104,15 +109,21 @@ class OAuthNegotiator(object):
return result
def _authenticate(self):
- if 'access_token' in request.params:
+ bearer_token_prefix = 'OAuth BearerToken access_token='
+ auth = request.headers.get('Authorization')
+ log.error(auth)
+ if auth and auth.startswith(bearer_token_prefix):
+ access_token = auth[len(bearer_token_prefix):]
+ else:
+ access_token = request.params.get('access_token')
+ if access_token:
# handle bearer tokens
# skip https check if auth invoked from tests
testing = request.environ.get('paste.testing', False)
if not testing and request.scheme != 'https':
request.environ['pylons.status_code_redirect'] = True
raise exc.HTTPForbidden
- access_token = M.OAuthAccessToken.query.get(
- api_key=request.params['access_token'])
+ access_token = M.OAuthAccessToken.query.get(api_key=access_token)
if not (access_token and access_token.is_bearer):
request.environ['pylons.status_code_redirect'] = True
raise exc.HTTPForbidden
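Review bot: `access_token` is bound first to the raw key string taken from the header or params and then rebound to the `M.OAuthAccessToken` query result a few lines later, so the same name means two different things inside one branch; `api_key = auth[len(bearer_token_prefix):]` / `api_key = request.params.get('access_token')` for the string form and `access_token = M.OAuthAccessToken.query.get(api_key=api_key)` would keep the name's original meaning. The prefix match also takes everything after `bearer_token_prefix` verbatim, so a header value with trailing whitespace produces a key that never matches and ends in HTTPForbidden without any hint why; presumably `.strip()` on the extracted value would be enough, but that is an inference from the visible lines. `_authenticate` continues past the end of the hunk.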
http://git-wip-us.apache.org/repos/asf/allura/blob/c8e19d17/AlluraTest/alluratest/controller.py
----------------------------------------------------------------------
diff --git a/AlluraTest/alluratest/controller.py b/AlluraTest/alluratest/controller.py
index 4398a82..c64ea5f 100644
--- a/AlluraTest/alluratest/controller.py
+++ b/AlluraTest/alluratest/controller.py
@@ -222,13 +222,17 @@ class TestRestApiBase(TestController):
status = [200, 201, 301, 302, 400, 403, 404]
params = variabledecode.variable_encode(params, add_repetitions=False)
- params['access_token'] = self.token(user).api_key
+ token = self.token(user).api_key
+ headers = {
+ 'Authorization': 'OAuth BearerToken access_token={}'.format(token)
+ }
fn = getattr(self.app, method.lower())
response = fn(
str(path),
params=params,
+ headers=headers,
status=status)
if response.status_int in [301, 302]:
return response.follow()
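Review bot: The helper now sends the token only in the `Authorization` header and no longer sets `params['access_token']`, so the request-parameter branch of `OAuthNegotiator._authenticate` that the removed line exercised is no longer covered by any test going through this helper. A keyword-only switch on the helper, e.g. `token_in_header=True`, that either builds the `headers` dict or restores `params['access_token'] = token` would keep regression coverage for the body-parameter path that the commit message says must continue to work. The enclosing method's signature is above the hunk.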