You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@allura.apache.org by br...@apache.org on 2015/02/28 00:19:07 UTC
[12/14] allura git commit: [#7832] ticket:731 Support oauth via
headers
[#7832] ticket:731 Support oauth via headers
Currently, we check only body of the request to determine if oauth tokens are
provided. We need to be able to authenticate via headers also. This is useful
for some HTTP methods, which don't expect parameters in request body (e.g.
DELETE).
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/59942295
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/59942295
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/59942295
Branch: refs/heads/master
Commit: 59942295a2b51421121136e49943f435053bc319
Parents: a747991
Author: Igor Bondarenko <je...@gmail.com>
Authored: Mon Feb 23 12:00:09 2015 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Feb 27 22:40:53 2015 +0000
----------------------------------------------------------------------
Allura/allura/controllers/rest.py | 19 +++++++++++++++----
AlluraTest/alluratest/controller.py | 6 +++++-
2 files changed, 20 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/59942295/Allura/allura/controllers/rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/rest.py b/Allura/allura/controllers/rest.py
index 1001343..2c1a042 100644
--- a/Allura/allura/controllers/rest.py
+++ b/Allura/allura/controllers/rest.py
@@ -47,7 +47,12 @@ class RestController(object):
def _authenticate_request(self):
'Based on request.params or oauth, authenticate the request'
- if 'oauth_token' in request.params or 'access_token' in request.params:
+ headers_auth = 'Authorization' in request.headers
+ params_auth = 'oauth_token' in request.params
+ params_auth = params_auth or 'access_token' in request.params
+ log.error(headers_auth)
+ log.error(request.headers)
+ if headers_auth or params_auth:
return self.oauth._authenticate()
else:
return None
@@ -104,15 +109,21 @@ class OAuthNegotiator(object):
return result
def _authenticate(self):
- if 'access_token' in request.params:
+ bearer_token_prefix = 'OAuth BearerToken access_token='
+ auth = request.headers.get('Authorization')
+ log.error(auth)
+ if auth and auth.startswith(bearer_token_prefix):
+ access_token = auth[len(bearer_token_prefix):]
+ else:
+ access_token = request.params.get('access_token')
+ if access_token:
# handle bearer tokens
# skip https check if auth invoked from tests
testing = request.environ.get('paste.testing', False)
if not testing and request.scheme != 'https':
request.environ['pylons.status_code_redirect'] = True
raise exc.HTTPForbidden
- access_token = M.OAuthAccessToken.query.get(
- api_key=request.params['access_token'])
+ access_token = M.OAuthAccessToken.query.get(api_key=access_token)
if not (access_token and access_token.is_bearer):
request.environ['pylons.status_code_redirect'] = True
raise exc.HTTPForbidden
http://git-wip-us.apache.org/repos/asf/allura/blob/59942295/AlluraTest/alluratest/controller.py
----------------------------------------------------------------------
diff --git a/AlluraTest/alluratest/controller.py b/AlluraTest/alluratest/controller.py
index 4398a82..c64ea5f 100644
--- a/AlluraTest/alluratest/controller.py
+++ b/AlluraTest/alluratest/controller.py
@@ -222,13 +222,17 @@ class TestRestApiBase(TestController):
status = [200, 201, 301, 302, 400, 403, 404]
params = variabledecode.variable_encode(params, add_repetitions=False)
- params['access_token'] = self.token(user).api_key
+ token = self.token(user).api_key
+ headers = {
+ 'Authorization': 'OAuth BearerToken access_token={}'.format(token)
+ }
fn = getattr(self.app, method.lower())
response = fn(
str(path),
params=params,
+ headers=headers,
status=status)
if response.status_int in [301, 302]:
return response.follow()